"Credential phishing rising", says Agari

Latest research from Agari by HelpSystems (www.agari.com) into the growing trend known as credential phishing reveals 92% of compromised email accounts are being accessed manually by a threat actor, with almost one in five accounts accessed within the first hour post compromise, and a further 91% being accessed within a week after compromise.

To better understand the lifecycle of the compromised account, investigators at the Agari Cyber Intelligence Division (ACID) (https://acid.agari.com/) recreated more than 8,000 login screens for sites including Microsoft Account, Office 365 and Adobe Document Cloud.

Results showed that nearly a quarter of compromised accounts were being automatically accessed at the time of compromise to validate the authenticity of the credentials.  Based on the unique characteristics of the phishing sites and the behaviour attributed to account access, ACID was able to cluster 85% of this auto-validation activity into just three families of attacks, indicating this activity is driven by a very small number of threat actors and/or phishing kits.

In the ACID report, ‘Anatomy of a Compromised Account – How BEC Actors Use Credential Phishing and Exploit Compromised Accounts’, ACID saw scammers create forwarding rules; pivot to other applications, including Microsoft OneDrive and Microsoft Teams; attempt to send
outgoing phishing emails, sometimes by the thousands; and use the accounts to set up additional BEC infrastructure.

The full report can be downloaded at acid.agari.com