New report reveals a 121% surge in cybercriminals using legitimate websites to obfuscate malicious payloads


  • 71% of malicious payloads sent from compromised accounts were HTML smuggling attacks
  • 51% increase in attacks sent from compromised accounts
  • Advanced phishing attacks commoditized by crime-as-a-service gangs
  • CFOs are the most likely to be targeted by whaling attacks

London, UK. – 25th May 2023 - Egress, a cybersecurity company that provides intelligent email security, today released its inaugural Email Threats Pulse Report. The report’s findings demonstrate the evolving attack methodologies currently used by cybercriminals that are designed to get through traditional perimeter security.

All phishing threat data and examples contained within this report were taken from Egress Defend, an Integrated Cloud Email Security solution that uses intelligent technology to detect and neutralize phishing attacks.

“The evolution of phishing emails continues to pose a major threat to organizations, emphasizing the need to enhance defenses to prevent attacks,” said Jack Chapman, VP of Threat Intelligence, Egress.

“Although traditional signature-based detection can filter out phishing emails with known malicious payloads (attachments and links), cybercriminals are constantly refining their attack methods to bypass existing detection systems and appear more credible to their victims. Our report reveals that attacks are increasingly leveraging social engineering, advanced technical measures, and compromised email addresses to deliver sophisticated payloads or defraud organizations. Every attack we analyzed had bypassed other forms of anti-phishing detection, including secure email gateways (SEGs). By producing this report, we intend to equip cybersecurity professionals with insights into advanced attacks, highlight the necessity of evolving defenses in their cloud email platform, and provide strategic recommendations to help them do so.”

Email Threats Pulse Report (May 2023): Key trends
Cybersecurity experts are grappling with new strategies that surpass conventional domain-based inspection methods, with a growing focus on exploiting legitimate business tools like SharePoint and other trusted sources to deliver attacks. To shed light on these evolving attack techniques, the Egress Email Threats Pulse Report offers an in-depth look into email threat vectors. The key phishing trends include: 

  • Malicious payloads hidden by legitimate websites:

Using legitimate hyperlinks for reputable brands as carriers for malicious payloads enables attacks to bypass standard link checks. Amongst the sites leveraged by hackers and detected by Egress Defend, YouTube, Amazon AWS, Google Docs, Firebase Storage, and DocuSign emerged as the top 10 most frequently used, with a 121% rise in this method observed between January 1 and April 30, 2023, compared to September to December 2022. 

  • Phishing commoditized:

Phishing remains part of the Anything-as-a-Service (XaaS) model, with crime-as-a-service gangs continuing to sell phishing kits. In a campaign analyzed by the Egress Threat Intelligence team, cybercriminal gang Caffeine leveraged the Ticketmaster brand to obfuscate a malicious payload. With bad actors no longer needing to be highly skilled or particularly motivated, the commoditization of phishing is increasing the development, deployment, and impact of these threats.

  • Increase in compromised accounts used to launch phishing attacks

Egress Defend detected a 51% increase in phishing emails sent from compromised legitimate email accounts in the first four months of 2023. When analyzing these attacks, researchers found that 71% of the attachment-based payloads were HTML smuggling attacks. This allows the attacker to build malware behind an organization’s firewall and is a highly evasive attack technique that is increasing in prevalence as it enables phishing emails to bypass traditional email security controls, particularly SEGs.

  • Phishing the C-Suite:

The C-suite has significant authority over access to funds, systems, and data, making them highly lucrative individuals to phish. Egress Defend detected the top three targets as CFOs (31% of attempts), CEOs (25%), and CMOs (13%). Overall, those leading functions related to security, risk, and compliance were the least targeted, likely due to a lower success rate owing to their increased security awareness.

How to defend against phishing threats

Organizations must adapt their defenses as cybercriminals continue to evolve their attacks. The report calls for the prioritization of behavior-based email security that uses AI to mitigate the increase in threats evading signature-based and reputation-based perimeter security. Integrated cloud email security (ICES) is a new category of anti-phishing technology that uses advanced detection capabilities, such as natural language processing and natural language understanding, to protect organizations from sophisticated attacks. ICES solutions protect organizations from advanced email attacks by analyzing email content for signs of BEC. With phishing attempts being a constant business threat, these solutions integrate directly into the mailbox to engage users at the point of risk and augment security awareness and training programs. 

To read Egress Email Threats Pulse Report: Insight into key phishing threat trends including all its analysis and findings please visit https://egress.co/pulse-report.



About Egress
Egress makes digital communication safer for everyone. As advanced and persistent cybersecurity threats continue to evolve, we recognize that people get hacked, make mistakes, and break the rules. Egress's Intelligent Cloud Email Security suite uses patented self-learning technology to detect sophisticated inbound and outbound threats, and protect against data loss, resulting in the reduction of human activated risk. 
Used by the world’s biggest brands, Egress is private equity backed and has offices in London, New York, and Boston.

PR Contact 
Rachel Preston  
C8 Consulting Ltd 
rachel@c8consulting.co.uk