Update, Dec. 13, 2024: This story, originally published Dec. 12, now includes further information from the Abnormal Security report regarding advanced email attack methodologies, including predictions for the threat surface in 2025 as well as real-world examples of each of the attack categories.
Cybercriminals, be they politically motivated hackers or financially motivated gangs, have many options when it comes to the attack surface they look to penetrate: critical software vulnerabilities such as those patched in Microsoft Windows and Google Chrome this week, firmware exploits that require physical access to the target device, two-factor authentication bypass via stolen session cookies and, by far the most common, route one: straight through the front door by way of your email inbox. Here’s what you need to know about a new warning from security analysts about five advanced email attacks.
Understanding The Email Attack Surface Is Your Best Defense Against Criminal Threats
Every individual and every business, from sole proprietors to global conglomerates, faces the risk of cyberattack. As a newly published analysis from threat intelligence experts at Abnormal Security has warned, understanding that email is the most direct route to compromise, and the preferred one for almost all cybercriminals, is the key to protecting yourself as best you can.
“The potency of these attacks lies in their ability to exploit trust,” the Dec. 11 report warned, “whether impersonating known contacts, abusing compromised accounts, or weaponizing trusted platforms, attackers manipulate trust to breach defenses at every stage of an attack.”
Beware These 5 Advanced Email Attacks
Abnormal Security analysts looked at real-world examples of email-based attacks that targeted customers across 2024 and determined that the following five threat types warrant listing as the attack strategies you need to be prepared for as 2025 fast approaches.
Cryptocurrency, with what the report called “a lack of centralized oversight and the speed of irreversible transactions,” facilitates fraud and offers considerable opportunity for exploitation. Less financially experienced individuals are attracted by the esoteric nature of crypto, along with the potential to make big profits, without fully understanding the risk. Combined, the security analysts warned, these characteristics have made cryptocurrency a popular theme for email phishing attacks, and as such it should be high on the awareness alert list.
File-sharing phishing attacks are an email threat in which a cybercriminal abuses legitimate file-hosting or e-signature solutions to deceive the victim. “Because popular solutions like Dropbox, ShareFile, and Docusign offer either free registration or no-charge trials, and are API-enabled, any individual (including cybercriminals) can create and send emails at scale via the platform,” Abnormal Security warned. As a result, this kind of email attack, according to Abnormal’s own data, increased 350% between June 2023 and June 2024. Threat actors craft messages in which the malicious payload isn’t a link in the email at all but rather sits in a “separate document hosted on a genuine file-hosting service,” which is precisely why an email-only scan finds nothing wrong.
Multichannel phishing, meanwhile, can be seen as an evolution of phishing tactics. How so? Well, this kind of attack leverages multiple communication platforms with the end result of manipulating victims more effectively than a single channel can do. “Unlike traditional phishing,” the report warned, “which relies exclusively on email, multichannel campaigns initiate contact through email but then steer the conversation to other channels, such as text messages, phone calls, or third-party messaging apps like WhatsApp or Telegram.”
Business email compromise attacks are a common, yet hugely costly, social engineering threat that deceives recipients into divulging sensitive information or completing fraudulent financial requests. “Threat actors impersonate trusted partners or authority figures,” the Abnormal Security analysts said, “allowing them to capitalize on the implicit trust within the relationship.” The BEC threat, however, has evolved thanks largely to the evolution of another technology: AI. “By analyzing vast volumes of data from social media, online activity, and past interactions,” Abnormal warned, “AI-powered platforms can generate hyper-personalized messages that convincingly mimic the writing style of the impersonated individual.”
And finally, the Abnormal Security report warned about the threat of email account takeover, which it sagely said could be the most dangerous email threat we face. “It can be initiated using various methods,” the researchers warned, “including phishing, social engineering, password stuffing, or session hijacking via authentication token theft or forgery.” These attacks are especially insidious, the report said, because they enable bad actors to weaponize an account’s existing reputation, making malicious activities more difficult to detect.
Real-World Examples Of Advanced Email Attack Methodologies At Work
The Cryptocurrency Email Attack
Abnormal Security analyzed the case of an attacker posing as the digital asset security provider Ledger in a phishing attempt claiming that the networks for a number of popular coins were undergoing maintenance. That was the bait. The hook was that the target would need to update their account in order to re-establish access to the networks in question or risk losing their assets altogether. If the bait is swallowed, the victim is redirected to a genuine-looking page complete with a login prompt ready to accept whatever genuine credentials they enter.
“Receiving a request to provide your mother’s maiden name,” the report said, “would instantly raise red flags for the average individual. But a recovery phrase of 12-24 words is a much less common authentication mechanism, which means being asked to supply this information wouldn’t necessarily set off the same alarm bells.”
The icing on the phishing cake in this real-world example was that the victim, had they entered their recovery phrase as directed, would then be redirected again, this time to a very real page on the Ledger website, so as to make them feel the request had been completed and all was well. “However, what they don’t know is that they have handed their recovery phrase directly to the attacker,” the report said. “Using any compatible wallet software, the threat actor can input the recovery phrase to derive the wallet’s private keys and restore access to the wallet’s funds.”
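To show why the report treats the recovery phrase as the whole wallet, here is an added example, not code from the Abnormal Security report or this article, of the derivation any compatible wallet performs: BIP39 mnemonic to seed, then BIP32 seed to master key. It uses the standard all-“abandon” BIP39 test phrase as constructed input, skips word-list checksum validation (which needs the 2048-word list), and the function and constant names are my own.

```python
"""Why a stolen recovery phrase is as good as the private key: BIP39 turns the
mnemonic into a seed and BIP32 turns the seed into the master key, using only
public, deterministic steps that any wallet software reproduces identically.

Added example, not code from the Abnormal Security report or this article. The
phrase below is the well-known all-"abandon" BIP39 test mnemonic, used as
constructed input; checksum validation against the 2048-word list is omitted.
"""
import hashlib
import hmac
import unicodedata

VALID_WORD_COUNTS = {12, 15, 18, 21, 24}  # BIP39 phrase lengths (128-256 bits of entropy)


def normalize_mnemonic(mnemonic: str) -> str:
    # BIP39: NFKD-normalize and join the words with single spaces, so stray
    # whitespace in whatever the victim typed does not change the result.
    words = unicodedata.normalize("NFKD", mnemonic).split()
    if len(words) not in VALID_WORD_COUNTS:
        raise ValueError(f"unexpected word count {len(words)}")
    return " ".join(words)


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    # PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + optional passphrase,
    # 64-byte output. The passphrase is the only secret not written on the card.
    normalized = normalize_mnemonic(mnemonic)
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", normalized.encode("utf-8"),
                               salt.encode("utf-8"), 2048, 64)


def seed_to_master_key(seed: bytes) -> tuple[bytes, bytes]:
    # BIP32: HMAC-SHA512 keyed with the constant "Bitcoin seed"; the left half is
    # the master private key, the right half the chain code. Every account and
    # address key in the wallet is derived from these two values.
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def recover_wallet(mnemonic: str, passphrase: str = "") -> dict:
    """What an attacker runs once the phishing form hands them the phrase."""
    seed = mnemonic_to_seed(mnemonic, passphrase)
    master_key, chain_code = seed_to_master_key(seed)
    return {"seed": seed.hex(), "master_key": master_key.hex(),
            "chain_code": chain_code.hex()}


TEST_PHRASE = ("abandon abandon abandon abandon abandon abandon "
               "abandon abandon abandon abandon abandon about")

if __name__ == "__main__":
    for name, value in recover_wallet(TEST_PHRASE).items():
        print(f"{name}: {value}")
```

Nothing in the derivation is secret except the phrase (and an optional passphrase), which is the whole point: the phished form does not need a password, a device or a session, only the words. To check the implementation, compare its seed output against the published BIP39 test vectors, which use the passphrase “TREZOR”.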
The File-Sharing Email Attack
The most worrying thing about the file-sharing attack methodology, as this example demonstrates, is that a threat actor can launch one “exclusively using legitimate platforms and still accomplish their goal of stealing login credentials.” The example analyzed by Abnormal Security researchers used a Google Doc shared with faculty members at a public high school, the hook being that it purported to concern a payroll update. The recipients were asked to review a document linked from the file in order to verify the payroll update in question. Following those instructions simply redirected them to a login screen. However, to leverage trust in the process, that screen was “hosted on scripts.google.com, the domain for Google Apps Script, a cloud-based JavaScript platform that enables users to integrate with Google services and develop web applications,” the report stated. Trust was further bolstered by stock photos of kids in a classroom, reinforcing the notion of an educational portal.
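A practitioner’s check for the file-sharing pattern described here and in the earlier summary of this attack type, as an added example that is not the report’s or the article’s code: because the notification email only links to the genuine platform, the triage has to look at the shared document’s own links and flag any that leave that platform, or that land on a trusted brand’s user-content host such as Google Apps Script, which is where this example’s login screen lived. The notification email, the document text, the platform list and the user-content host list are all constructed assumptions.

```python
"""Triage a file-sharing notification: the email itself only links to the
platform, so the check has to follow the shared document's own links and ask
whether they stay on that platform or hop to a page where credentials could be
harvested.

Added example, not code from the Abnormal Security report or this article. The
notification email and document text are constructed, and the platform and
user-content host lists are illustrative assumptions to extend for your estate.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Notification sender domain -> hosts on which that platform serves shared files (assumed).
PLATFORMS = {
    "google.com": {"docs.google.com", "drive.google.com"},
    "dropbox.com": {"dropbox.com"},
    "sharefile.com": {"sharefile.com"},
    "docusign.net": {"docusign.net", "docusign.com"},
}
# Trusted brands that host arbitrary user-authored web apps or pages: a login form
# here says nothing about who built it (assumed list).
USER_CONTENT_HOSTS = {"script.google.com", "scripts.google.com", "sites.google.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def suffix_match(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def platform_for(sender: str):
    domain = sender.rsplit("@", 1)[-1].lower()
    for platform, hosts in PLATFORMS.items():
        if suffix_match(domain, platform):
            return platform, hosts
    return None, set()


def classify(url: str, platform_hosts: set) -> str:
    host = (urlparse(url).hostname or "").lower()
    if any(suffix_match(host, h) for h in platform_hosts):
        return "share_link"                      # stays on the sharing platform
    if host in USER_CONTENT_HOSTS:
        return "user_content_on_trusted_brand"   # e.g. an Apps Script web app
    return "off_platform"


def triage(raw_email: str, document_text: str = "") -> dict:
    msg = message_from_string(raw_email, policy=policy.default)
    _, sender = parseaddr(str(msg["From"]))
    platform, hosts = platform_for(sender)
    findings = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                findings.append(("email", url, classify(url, hosts)))
    for url in URL_RE.findall(document_text):       # links inside the shared file
        findings.append(("document", url, classify(url, hosts)))
    flagged = [f for f in findings if f[2] != "share_link"]
    return {"platform": platform, "findings": findings,
            "verdict": "suspicious" if flagged else "links stay on platform"}


RAW_EMAIL = """\
From: "Payroll Office (via Google Docs)" <drive-shares-noreply@google.com>
To: faculty@school.example
Subject: Payroll Update - shared with you
Content-Type: text/plain; charset="utf-8"

Payroll Office shared a document with you.
Open: https://docs.google.com/document/d/1AbCdEfGhIjK/edit
"""
# Constructed body of the shared Google Doc: the malicious link lives here, not in the email.
DOC_TEXT = ("Please review and verify your payroll update here: "
            "https://script.google.com/macros/s/AKfycbxEXAMPLE/exec")

if __name__ == "__main__":
    print(triage(RAW_EMAIL)["verdict"])            # email alone looks benign
    print(triage(RAW_EMAIL, DOC_TEXT)["verdict"])  # suspicious
```

Run against the email alone, the triage finds only a legitimate docs.google.com share link, which is exactly the report’s point; only once the document’s own content is fetched (via the platform’s API or a sandboxed render) does the Apps Script login page show up.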
The Multichannel Phishing Email Attack
As the name suggests, a multichannel attack relies upon leveraging different platforms to complete the phishing sting. In the example given by the Abnormal Security analysts, the threat actor impersonated the popular cryptocurrency exchange Blockchain.com and used the bait that access to the victim’s account had been suspended. The reason given was “transactions with an unregulated entity,” and the target was informed that they would need to withdraw their balance by using an embedded link to contact the support team directly.
That support team contact redirected the user from the email itself to another platform, WhatsApp, where they were greeted with Blockchain.com branding galore. Clicking on “Continue to Chat” even opened the impersonated business’ profile on the WhatsApp app to enhance the trust in the process. “If the target begins a conversation with who they believe is the support team for Blockchain.com,” the Abnormal Security researchers said, “they will initiate the next stage of the attack, which most likely involves convincing the target to provide sensitive information or grant access to their digital wallet.”
The Business Email Compromise Attack
Honestly, there are so many business email compromise case studies to choose from that we are spoiled for choice. However, Abnormal Security looked to an example in which the account of a director of business development at a renewable energy manufacturer was first compromised. This gave the attackers the means to execute the BEC attack itself, which involved hijacking an existing email thread discussing a purchase order and accompanying invoice for battery parts. “Likely utilizing generative AI,” the report said, “the cybercriminal drafts an email requesting confirmation that an attached invoice with updated banking information has been received and that future payments will be sent to the new account.” Because generative AI was likely used to draft the message, it had no misspellings, the grammar was perfectly acceptable and, coming from the director’s genuine email account, it gave the recipient no obvious reason to doubt its authenticity. The one thing a compromised account cannot fake is the bank account already held in the recipient’s vendor master record, so a change of payment details, however well written the request, is the signal to verify by phone on a number you already have rather than one supplied in the email.
“Should the targeted accounts payable team transfer funds to the account listed on the doctored invoice,” the report warned, “they would wire more than $230,000 directly to the attacker.”
The Email Account Takeover Attack
You likely don’t need too many reminders of what an email account takeover attack looks like: I’ve been using real-world examples in articles published at Forbes.com for the longest time, like this AI-driven one against a security consultant’s Gmail account, which you really should read as it’s both fascinating and frightening. However, it doesn’t hurt to have new case studies thrown into the mix. Abnormal Security described an attacker exploiting Microsoft 365 to share a OneNote file that contained a link to a phishing site designed to steal login credentials. As the report said, it’s what the attacker does after fraudulently acquiring the target’s login information that makes account takeover potentially so devastating. “Once an account has been compromised,” the report said, “attackers can perform a variety of malicious acts, such as exfiltrating sensitive data, infiltrating connected applications, or using the account to send additional email attacks to coworkers, partners, and customers.”
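The chain described in this case study and in the earlier summary of account takeover (credential stuffing or phishing to get in, then abusing the mailbox) leaves traces in two logs most organizations already keep: identity-provider sign-ins and mailbox audit events. The following is an added example, not the report’s or the article’s code, with constructed records and assumed field names; it flags a source that sprays many accounts with mostly failed logins, and an external-forwarding inbox rule created shortly after a successful sign-in from a country the user has never signed in from.

```python
"""Two detections for the account-takeover chain described above: credential
stuffing in sign-in logs (one source trying many accounts, almost all failing),
then a forwarding inbox rule created shortly after a successful sign-in from a
location the user has never signed in from before.

Added example, not code from the Abnormal Security report or this article. The
log records are constructed and their field names (ts, user, ip, country,
result, operation, params) are assumptions; map them onto the fields your
identity provider and mailbox audit log actually emit.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SIGNINS = [  # constructed sign-in events, ISO-8601 timestamps
    {"ts": "2024-12-02T09:00:00", "user": "alice", "ip": "198.51.100.7", "country": "US", "result": "success"},
    {"ts": "2024-12-09T08:30:00", "user": "bob",   "ip": "198.51.100.8", "country": "US", "result": "success"},
    {"ts": "2024-12-10T03:00:00", "user": "bob",   "ip": "203.0.113.9",  "country": "NL", "result": "failure"},
    {"ts": "2024-12-10T03:00:04", "user": "carol", "ip": "203.0.113.9",  "country": "NL", "result": "failure"},
    {"ts": "2024-12-10T03:00:09", "user": "dave",  "ip": "203.0.113.9",  "country": "NL", "result": "failure"},
    {"ts": "2024-12-10T03:00:13", "user": "erin",  "ip": "203.0.113.9",  "country": "NL", "result": "failure"},
    {"ts": "2024-12-10T03:00:18", "user": "frank", "ip": "203.0.113.9",  "country": "NL", "result": "failure"},
    {"ts": "2024-12-10T03:05:00", "user": "alice", "ip": "203.0.113.9",  "country": "NL", "result": "success"},
]
AUDITS = [  # constructed mailbox audit events
    {"ts": "2024-12-09T08:45:00", "user": "bob", "operation": "New-InboxRule",
     "params": {"ForwardTo": "bob@corp.example", "DeleteMessage": False}},
    {"ts": "2024-12-10T03:40:00", "user": "alice", "operation": "New-InboxRule",
     "params": {"ForwardTo": "alice.archive@mail-drop.example", "DeleteMessage": True}},
]


def ts(rec: dict) -> datetime:
    return datetime.fromisoformat(rec["ts"])


def detect_credential_stuffing(signins, min_accounts=5, max_success_ratio=0.2):
    """Flag source IPs that hit many distinct accounts with a low success rate."""
    by_ip = defaultdict(lambda: {"users": set(), "ok": 0, "fail": 0})
    for s in signins:
        bucket = by_ip[s["ip"]]
        bucket["users"].add(s["user"])
        bucket["ok" if s["result"] == "success" else "fail"] += 1
    hits = []
    for ip, b in by_ip.items():
        total = b["ok"] + b["fail"]
        if len(b["users"]) >= min_accounts and b["ok"] / total <= max_success_ratio:
            # Any success from a spraying source is a compromised account, not noise.
            hits.append({"ip": ip, "accounts": len(b["users"]), "failures": b["fail"],
                         "compromised": sorted(s["user"] for s in signins
                                               if s["ip"] == ip and s["result"] == "success")})
    return hits


def detect_post_compromise_rules(signins, audits, org_domain, window=timedelta(hours=2)):
    """Flag external-forwarding inbox rules created soon after an anomalous sign-in."""
    hits = []
    for a in audits:
        if a["operation"] != "New-InboxRule":
            continue
        forward_to = a["params"].get("ForwardTo", "").lower()
        external = bool(forward_to) and not forward_to.endswith("@" + org_domain)
        prior = [s for s in signins if s["user"] == a["user"]
                 and s["result"] == "success" and ts(s) <= ts(a)]
        if not external or not prior:
            continue
        last = max(prior, key=ts)                      # sign-in that created the rule
        baseline = {s["country"] for s in prior if s is not last}
        reasons = []
        if ts(a) - ts(last) <= window and last["country"] not in baseline:
            reasons.append(f"rule created {ts(a) - ts(last)} after first sign-in from {last['country']}")
        if a["params"].get("DeleteMessage"):
            reasons.append("rule deletes forwarded mail (hides the exfiltration)")
        if reasons:
            hits.append({"user": a["user"], "forward_to": forward_to, "reasons": reasons})
    return hits


if __name__ == "__main__":
    print(detect_credential_stuffing(SIGNINS))
    print(detect_post_compromise_rules(SIGNINS, AUDITS, "corp.example"))
```

The stuffing rule deliberately keys on distinct accounts per source rather than failures per account, because each victim account sees only one or two attempts; and a successful login from a spraying source is treated as a confirmed compromise, which is what makes the later inbox-rule check worth running for that user first.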
AI And API Are The Keywords For Email Attacks In 2025 According To Abnormal Security Predictions
The threat analysts at Abnormal Security didn’t stop at looking back at the 2024 threatscape for advanced email attack methodologies. They also looked forward to 2025 and predicted what the attack surface will look like in the coming year. Two areas are of particular concern across 2025, the analysts said: a surge in attacks leveraging AI and a rise in the exploitation of legitimate API-enabled services.
A Surge In Email Attacks Leveraging AI Tools
“In 2025,” the Abnormal Security analysis predicted, “financially motivated email attacks are expected to escalate significantly, driven by the adoption of AI technologies that enhance both the scale and sophistication of these campaigns.” This is an area I have covered before, and rightly so, because by leveraging such AI-powered tools, especially in the phishing crime sector, attackers are already able to create incredibly personalized and highly believable malicious emails, “maximizing their return on investment while simultaneously reducing the likelihood of detection.” An AI-generated email attack isn’t just a case of asking a generative chat tool to create a phishing email using x, y or z as a hook; it involves incorporating real-time data from a diverse range of sources, including social media, business websites and previous breaches, for the maximum personalization possible. This allows the attacker to “deliver highly targeted and contextually relevant messages with a level of precision previously unattainable,” the report said, predicting that “as these techniques grow more advanced, even vigilant recipients may struggle to distinguish between legitimate and malicious communications, posing significant challenges for organizations that continue to rely on legacy email security systems.”
The Rise Of Legitimate API-Enabled Service Exploitation Within Advanced Email Attack Infrastructures
The misuse of application programming interfaces will, the Abnormal Security analysts predicted, “facilitate the automation of a wide range of malicious activities, including the bulk creation of phishing sites and rapid scaling of attack campaigns.” This is because threat actors are able to “co-opt” cloud services, communication APIs and online collaboration platforms, which unwittingly become part of the criminals’ own infrastructure. The reasoning is as obvious as it is concerning: attackers can blend seamlessly into legitimate traffic and evade detection. “As the boundary between legitimate and malicious usage becomes increasingly blurred,” the analysts warned, “security teams must adopt more advanced behavioral analysis tools that leverage AI and machine learning to mitigate these evolving threats.”
Mitigating Advanced Email Attacks
And talking of mitigations, although there are many methodologies to protect against email-based attacks, from awareness campaigns to technology product defenses, most have been known about for years, decades in fact. Yet, here we are, still talking about the threats posed by the very methods these protections are meant to stop. So, what’s the answer? Good question, and the closest I’ve come to one can be found in this fascinating discussion about what needs to change if we are ever to stop the email phishing threat. I suggest you go read it. Now.