The state of ransomware

- how to future-proof your cyber security

Reading time: 10 min

Published: 04/12/2024

Author: WithSecure

Introduction

With the explosion of Artificial Intelligence into every aspect of our lives, as well as the professionalization of cyber crime and the fast-paced evolution of technology, the world of ransomware is changing.

But what does that mean and how will it impact small- and medium-sized companies both right now and in the future?


Tom Van de Wiele, Cyber Security Authority, Speaker, Ethical Hacker and Security Advisor, Hacker Minded

"Whenever you can deny someone something they need, you have power over them."

Ransomware Trends and Predictions


Despite constant progress and evolution in the cyber security landscape, ransomware remains one of the most daunting threats facing organizations. At its core, ransomware persists because it is profitable. Cybercriminals will continue to launch ransomware attacks as long as they can expect to make significant financial returns. Advances in areas like cloud infrastructure, SaaS, and mobile technology are convenient, but they also expose new vulnerabilities ransomware attackers are exploiting.

Security Challenges

The Cloud

Many people believed that the shift to working in the cloud would mean automatic data security, but that is not the reality. Cloud platforms provide standardized environments, immutable backups, and enhanced tracking of API actions, which support incident response. However, they also introduce significant security challenges. Because cloud systems are accessible from anywhere, they are attractive targets for ransomware attackers, who can exploit open access points. If an attacker obtains credentials, they can potentially infiltrate networks as easily as an authorized user. Once inside, attackers leverage deep integrations within the cloud, such as compromised API keys, to escalate privileges and move laterally. This easy access and privilege escalation complicates real-time visibility and response for security teams.

A key challenge in cloud security is reliance on third-party vendors, such as Microsoft or Google, for critical infrastructure. Unlike on-premises setups, cloud environments don’t always provide detailed logs or controls, making forensic investigations more difficult. Even with improved logging, retrieving and analysing data often requires specialized third-party tools.


Email as a persistent attack vector

Email remains one of the most reliable channels for ransomware and other cyberattacks, primarily through phishing and malware distribution. Attackers exploit email to deliver highly targeted phishing campaigns, often tailoring messages based on specific job roles. For example, finance team members frequently receive emails labelled “Invoice,” a tactic attackers use to trick recipients into opening malicious attachments or links, capitalizing on routine activities.

Once attackers compromise an email account, they often gain access to additional cloud services, especially in environments where single sign-on (SSO) is enabled. This integration allows them to pivot from email to other platforms such as SharePoint, OneDrive, or Google Drive. Using trusted services like Microsoft 365 or DocuSign, attackers distribute malicious secure links that evade conventional security scans. This tactic leverages the credibility of these platforms, making detection by email filters and anti-malware tools more challenging, as attackers blend into regular operations.

SSO structures create another vulnerability, as a single compromised email account can act as a gateway to other corporate applications, including file storage, collaborative platforms, and shared calendars. Attackers use compromised accounts to search for stored passwords or sensitive data, allowing them to deepen their access without new entry points.
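The lures described above (an "Invoice" subject aimed at a finance mailbox, a display name borrowed from an internal team, a "secure link" hosted on a trusted sharing service, replies diverted elsewhere) can be turned into a simple triage score on the defender's side. The following is an added example, not code from WithSecure or the article; the internal domain, the team names, the two sample messages and the rule weights are all constructed assumptions, and the scorer uses only the Python standard library.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical organisation settings (assumed for this example, not from the article).
INTERNAL_DOMAINS = {"example-corp.test"}
INTERNAL_DISPLAY_NAMES = {"accounts payable", "finance team"}
# Services the article names as carriers of "secure links" that slip past filters.
TRUSTED_SHARING_HOSTS = ("sharepoint.com", "onedrive.live.com", "docusign.net")
LURE_SUBJECT = re.compile(r"\b(invoice|payment|remittance|overdue)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_under(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def score_message(raw):
    """Score one RFC 5322 message; returns (score, reasons), higher = more suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    external = from_dom not in INTERNAL_DOMAINS
    score, reasons = 0, []

    # Role-targeted lure: an external sender using an "Invoice"-style subject.
    if external and LURE_SUBJECT.search(msg.get("Subject", "")):
        score += 2
        reasons.append("lure subject from external sender")
    # Display-name impersonation of an internal team.
    if external and name.strip().lower() in INTERNAL_DISPLAY_NAMES:
        score += 3
        reasons.append("display name impersonates an internal team")
    # Replies diverted to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        score += 1
        reasons.append("Reply-To domain differs from From domain")
    # External sender pointing at a trusted file-sharing service.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(text)}
    if external and any(_is_under(h, TRUSTED_SHARING_HOSTS) for h in hosts):
        score += 2
        reasons.append("external sender links to a trusted file-sharing service")
    # Attachments raise the bar regardless of origin.
    if any(part.get_filename() for part in msg.iter_attachments()):
        score += 1
        reasons.append("carries an attachment")
    return score, reasons


def triage(messages, threshold=4):
    """Return (score, reasons, message) for messages at or above the threshold."""
    flagged = []
    for m in messages:
        s, r = score_message(m)
        if s >= threshold:
            flagged.append((s, r, m))
    return sorted(flagged, key=lambda t: -t[0])


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: Accounts Payable <ap-notice@billing-portal.test>
Reply-To: collect@other-mailer.test
To: finance@example-corp.test
Subject: Invoice #48213 overdue - action required
Content-Type: text/plain; charset=us-ascii

Please review the secure document:
https://tenant-name.sharepoint.com/:x:/s/shared/Invoice-48213
"""

SAMPLE_INTERNAL = """\
From: Finance Team <finance@example-corp.test>
To: staff@example-corp.test
Subject: Invoice process reminder
Content-Type: text/plain; charset=us-ascii

Reminder: submit invoices via https://intranet.example-corp.test/ap
"""

if __name__ == "__main__":
    for score, reasons, _ in triage([SAMPLE_PHISH, SAMPLE_INTERNAL]):
        print(score, reasons)
```

The weights are deliberately coarse: the point is that each rule corresponds to one behaviour the article describes, so an analyst reading the reasons list sees which lure was used rather than a bare number.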

With the rise of “Malware-as-a-Service” (MaaS) and similar frameworks, even low-skilled attackers can launch sophisticated campaigns, while more advanced attackers utilize “living off the land” strategies. This approach involves using legitimate tools within a system to avoid detection, enabling attackers to blend into the environment without triggering security alarms.


Email dependence

Email remains vital for business, despite security risks. Even with protections like spam filters and protocols, email’s universal use means users are likely to continue interacting with phishing attempts, keeping this method effective. Although organizations are seeking secure alternatives, email’s accessibility and widespread adoption make it hard to replace. Alternative communication platforms like Slack offer potential security advantages, but they are not immune to phishing. For instance, compromised Slack tokens have been used to access corporate networks. User awareness training remains essential, but breaking ingrained habits, like clicking links, is difficult. Strategies such as network segmentation and monitoring help mitigate risks if phishing attempts are successful, ensuring systems are resilient beyond user actions alone.


Evolving phishing techniques

Email remains a primary phishing tool, but attackers are increasingly diversifying. New tactics include "quishing" (QR code phishing) and "smishing" (phishing via SMS), which exploit user trust in seemingly familiar sources. Attackers use these methods to bypass traditional email security filters and deceive users through alternate channels, broadening their reach and effectiveness.

Phishers often exploit well-known third-party services, sending messages from reputable-looking domains or platforms users recognize. This low-cost, high-impact approach takes advantage of trusted brands to bypass security and deceive users, particularly as email remains a standard communication method across organizations.


QR codes 

QR codes, ubiquitous in places like restaurants and hotels, are prime targets for phishing. Attackers replace legitimate QR codes with malicious ones, leading users to fake login pages or harmful sites. Given mobile devices' generally lower security levels, QR code phishing is especially effective, as users often assume QR codes are safe in certain contexts.


Multi-stage phishing attacks 

Some attackers use layered phishing tactics, like sending an email with a QR code that directs users to a malicious site. Mobile devices, often lacking advanced security features, are particularly vulnerable to these attacks. This multi-layered approach combines several tactics to bypass defences and increase the chances of a successful breach.


Phishing predictions

Phishing attacks are expected to grow more sophisticated with AI, which will enable attackers to automate and personalize efforts. Techniques like “quishing” are likely to increase, especially on mobile devices where visibility is limited. Attackers will continue exploiting users’ trust in familiar communication formats, pushing phishing into new territory.


AI

"AI is a catalyst, a tool multiplier... It enables attackers who already know what they're doing to profile targets faster." Tom Van de Wiele

Artificial Intelligence (AI) is amplifying the capabilities of both attackers and defenders. As both a tool and a catalyst, AI is a force multiplier, accelerating the speed and sophistication of cyber operations on both sides of the spectrum.


How AI benefits attackers

AI provides significant advantages for attackers, particularly in streamlining reconnaissance and attack execution. Attackers can leverage AI to analyse vast datasets and identify potential targets with unprecedented speed, often using open-source AI models to locate code vulnerabilities or misconfigurations that they can exploit. By utilizing AI-driven tools, attackers can quickly scan for system weaknesses and find ways to access sensitive data or critical systems. Moreover, AI-powered tools enable attackers to perform “mass profiling,” understanding not just individual targets but also the broader digital ecosystem around them, such as supply chains and interconnected networks. With this information, attackers can repurpose successful attack strategies across multiple similar environments.

"AI is going to lower the entry costs for a lot of attackers." Rob Anderson

AI also lowers the barrier of entry for less sophisticated attackers. For instance, “cybercrime-as-a-service” models, where people can purchase malicious software or scripts, are becoming more accessible due to AI. Additionally, advancements in AI-driven natural language processing mean phishing attacks are becoming harder to detect. AI can now craft highly convincing fake emails or messages that are almost indistinguishable from legitimate communications, making it easier to deceive even well-trained users. In the long term, this shift may overwhelm defenders by escalating both the volume and complexity of attacks.


How AI benefits defenders

On the defensive side, AI is a powerful ally for cybersecurity professionals, enabling rapid detection, analysis, and response to threats. Defenders are increasingly using AI to monitor network traffic for unusual patterns that may indicate a cyber attack. By analysing logs and detecting anomalies in real-time, AI can help identify intrusions that might otherwise go unnoticed until significant damage is done.

Defenders can also use AI to improve incident response times by automating initial assessments and writing custom code. For instance, generative AI tools like ChatGPT can assist in writing custom scripts that rapidly examine data logs or parse new malware samples, making defences more agile and adaptable.

Moreover, AI enables defenders to create realistic test environments and simulate production-like data for testing purposes, thereby improving security testing and detection capabilities. This strategy, often supplemented by “canary tokens” that can alert defenders if breached, offers a way to monitor systems without exposing real production data to risks. However, cybersecurity professionals must remain vigilant, as AI-generated defences are not foolproof; they may contain plausible yet incorrect data that could mislead or provide a false sense of security.
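The canary-token idea above, as an added example that is not WithSecure's code or a description of any product: unique, high-entropy values are planted in a synthetic dataset, and a log scanner alerts the moment any of them appears in real traffic, which no legitimate activity should cause. The canary host name, the dataset layout and the sample log lines are constructed assumptions.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Canary:
    kind: str     # "url", "api_key" or "username"
    value: str    # the full value seeded into the test data
    needle: str   # the distinctive fragment to search for in logs
    dataset: str  # which synthetic dataset it was planted in


def make_canaries(dataset, tag=None):
    """Create one canary of each kind; the tag is random unless supplied."""
    tag = tag or secrets.token_hex(8)
    host = "share.canary-host.test"  # assumed host operated only by the defender
    return [
        Canary("url", f"https://{host}/{dataset}/{tag}.xlsx", f"{tag}.xlsx", dataset),
        Canary("api_key", f"ck_{dataset}_{tag}", f"ck_{dataset}_{tag}", dataset),
        Canary("username", f"svc-{dataset}-{tag}", f"svc-{dataset}-{tag}", dataset),
    ]


def seed_dataset(rows, canaries):
    """Return the synthetic rows plus ordinary-looking records carrying the canaries."""
    seeded = list(rows)
    for c in canaries:
        if c.kind == "api_key":
            seeded.append({"user": "integration-bot", "api_key": c.value})
        elif c.kind == "username":
            seeded.append({"user": c.value, "api_key": "n/a"})
        else:
            seeded.append({"user": "report-owner", "note": f"Q3 figures: {c.value}"})
    return seeded


def scan_logs(lines, canaries):
    """Alert on any log line that contains a canary needle."""
    alerts = []
    for n, line in enumerate(lines, 1):
        for c in canaries:
            if c.needle in line:
                alerts.append({"line": n, "kind": c.kind, "dataset": c.dataset,
                               "log": line.strip()})
    return alerts


def example_run(tag="0123456789abcdef"):
    """Plant canaries in a test dataset and scan constructed web and SSH log lines."""
    canaries = make_canaries("staging", tag=tag)
    seed_dataset([{"user": "alice", "api_key": "real-looking-but-fake"}], canaries)
    # Constructed log lines: two canary hits (a URL fetch and a login attempt) and one benign line.
    logs = [
        f'10.0.0.5 - - [20/Nov/2024:10:02:11 +0000] "GET /staging/{tag}.xlsx HTTP/1.1" 200 4096',
        f"Nov 20 10:05:42 bastion sshd[1812]: Failed password for svc-staging-{tag} from 203.0.113.9",
        '10.0.0.7 - - [20/Nov/2024:10:06:00 +0000] "GET /healthz HTTP/1.1" 200 12',
    ]
    return scan_logs(logs, canaries)


if __name__ == "__main__":
    for alert in example_run():
        print(alert)
```

Because a canary is only ever planted, never used, a single hit is a high-confidence signal and also tells the responder which dataset leaked, which is exactly the visibility the cloud section says is hard to get from vendor logs alone.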

Rob Anderson, Principal Incident Response Investigator, WithSecure

"The cloud is great for incident response... but it also opens up a different set of problems."

Practical tips for combatting the ransomware threat

1. Shift from reactive to proactive security controls

Investing in high-profile security products is only part of the solution; organizations must also leverage these tools proactively. This includes dedicating time for threat modelling, identifying potential adversaries, and using data to uncover vulnerabilities. For example, turning on logging features that are often disabled to reduce noise can yield valuable insights when the logs are monitored effectively. A proactive security posture should be informed by intelligence-led risk analysis, rather than relying on assumptions about safety.

2. Embrace data-driven security perspectives

Some organizations equate a lack of incidents with strong security, but analysing unsuccessful attack attempts reveals the real picture and provides crucial information about the types of threats targeting your organization. For instance, if attackers start using internal names or proprietary information in phishing attempts, it may indicate a more sophisticated, targeted campaign that requires immediate attention.
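Tips 1 and 2 together amount to: keep the gateway's quarantine log switched on, then actually read it for blocked attempts that use internal vocabulary. The script below is an added example (not WithSecure's code); the log line format, the internal project and employee names, and the four sample lines are all constructed for illustration.

```python
import re
from collections import Counter

# Hypothetical mail-gateway quarantine log format (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ts>\S+) verdict=(?P<verdict>\S+) action=(?P<action>\S+) '
    r'from=(?P<sender>\S+) to=(?P<rcpt>\S+) subject="(?P<subject>[^"]*)"$'
)


def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines, internal_terms):
    """Summarise blocked phishing and flag attempts that use internal names or terms."""
    term_re = None
    if internal_terms:
        term_re = re.compile(r"\b(" + "|".join(map(re.escape, internal_terms)) + r")\b", re.I)
    blocked = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["verdict"] == "phish" and rec["action"] == "quarantine":
            found = term_re.findall(rec["subject"]) if term_re else []
            rec["matched_terms"] = sorted({t.lower() for t in found})
            blocked.append(rec)
    return {
        "blocked": len(blocked),
        # Attempts using internal vocabulary are the ones the article says deserve attention.
        "targeted": [r for r in blocked if r["matched_terms"]],
        "by_sender_domain": dict(Counter(r["sender"].rsplit("@", 1)[-1] for r in blocked)),
        "by_day": dict(Counter(r["ts"][:10] for r in blocked)),
    }


# Constructed sample: an internal project codename and a first name an outsider should not know.
INTERNAL_TERMS = ["Falcon", "Maria"]

SAMPLE_LINES = [
    '2024-11-18T08:02:11Z verdict=phish action=quarantine from=alerts@mailer-one.test '
    'to=finance@example-corp.test subject="Invoice overdue"',
    '2024-11-18T09:44:51Z verdict=phish action=quarantine from=hr@people-portal.test '
    'to=j.doe@example-corp.test subject="Project Falcon payroll update from Maria"',
    '2024-11-19T10:01:02Z verdict=clean action=deliver from=news@vendor.test '
    'to=all@example-corp.test subject="Newsletter"',
    '2024-11-19T13:17:45Z verdict=phish action=quarantine from=it-desk@support-team.test '
    'to=ops@example-corp.test subject="Falcon migration: re-enter SSO password"',
]

if __name__ == "__main__":
    report = analyse(SAMPLE_LINES, INTERNAL_TERMS)
    print("blocked:", report["blocked"], "by day:", report["by_day"])
    for r in report["targeted"]:
        print("targeted:", r["sender"], "->", r["rcpt"], r["matched_terms"])
```

The generic "Invoice overdue" attempt counts toward volume but is not escalated; the two that mention the project name are, and the sender-domain and per-day counters give the trend data tip 1 asks for.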

3. Look beyond your organization

It's easy to concentrate on internal security, but organizations must also consider the broader software ecosystem. For example, many companies rely on open-source software maintained by a limited number of developers, which can be a vulnerability. Attackers may target these developers to gain access to larger organizations that utilize their code.

"There’s no size too small for attackers – I’ve seen everything from small charities to large corporations fall victim to ransomware." Rob Anderson

4. Prioritize continuous threat intelligence

Active engagement in threat intelligence is essential for effective exposure management and early detection of emerging threats. By monitoring potential attack vectors and staying informed about the tactics employed by threat actors, organizations can adapt their defences accordingly. Regular threat modelling exercises are vital, enabling organizations to not only react to incidents, but also anticipate future attacks and bolster their defences against evolving ransomware tactics.
