Blog | Vade

Q4 2022 Malware and Phishing Report: Phishing Volumes Increase 36% QoQ

Written by Todd Stansfield | February 09, 2023

Vade’s Q4 2022 Malware and Phishing Report reveals a sharp increase in cyberthreats, with phishing volumes rising 36% quarter-over-quarter (QoQ) and malware increasing 12% QoQ. Let’s dive into the latest report to examine the findings.

Phishing and malware trends: Q4 phishing volumes surpass Q3

In Q4 2022, Vade detected 278.3 million unique phishing emails, surpassing the previous quarter’s total by 74.4 million. Month-to-month, phishing volumes were relatively stable through the first half of Q4. October saw the second highest volumes (62.3 million), followed by November (47 million). In December, phishing emails jumped significantly, totaling more than 169 million, a 260% month-over-month increase.

December’s leap followed a similar pattern observed in Q4 2021, when November accounted for a dramatic increase in phishing emails compared to other months in the quarter. Overall, total phishing emails increased by 61% in H2 2022 over the first half of the year.

Phishing volumes, Q4 2022

Phishing and malware trends: malware volumes remain high

Malware volumes finished the year strong, increasing 12% QoQ in Q4 to account for 58.9 million emails, a 55% increase compared to the same period in 2021. Throughout the quarter, malware volumes saw a modest decline month-to-month. October accounted for the highest share of emails with more than 21 million, followed by November (20.8 million) and December (17 million). While malware volumes declined slightly in H2 compared to H1 (11%), the annual total equaled more than 236.4 million emails, a 48% increase over 2021.

Malware volumes, Q4 2022

Phishing report and malware trends: global brands are still a top target

For the second consecutive quarter, Facebook was the most impersonated brand with more than 6,700 unique phishing URLs in Q4, followed by Microsoft, PayPal, Google, and Netflix. A unique phishing URL is a single instance of a phishing URL, which may appear in dozens or even thousands of phishing emails.

Top 10 most impersonated brands, Q4 2022

Facebook phishing page

Microsoft phishing page

Financial services was once again the most impersonated industry, representing 29% of phishing pages, followed by social media (24%), cloud (19%), internet/telco (15%), e-commerce/logistics (11%), and government (1%).

Top 25 most impersonated brands, Q4 2022

Financial services also accounted for the most brands in the top 25 with 10. Cloud, e-commerce/logistics, and internet/telco tied for the second most brands with four each, followed by social media with three and government with zero

.

Phishing kits enable contextual automation

Phishing-as-a-service (PaaS) platforms continue to empower hackers to launch sophisticated attacks without the technical skills. By purchasing a phishing kit, novice hackers can deploy highly convincing and effective schemes against their targets.

While phishing kits continue to become more sophisticated, Vade analysts identified a recent enhancement that enables phishing kits to automatically localize phishing pages based on a victim’s native language. The feature identifies the language settings of the targeted user’s browser and uses it to update and display the phishing page accordingly. While improving the contextual accuracy of each phishing attack, the new feature also enables hackers to target users across multiple languages using a single kit, thus increasing the reach of their campaigns.

Malicious code that enables language localization

Phishing pages by language

Hackers are weaponizing AI for phishing content creation

In November 2022, Artificial Intelligence company OpenAI launched ChatGPT, a sophisticated chatbot that can assist anyone in producing high-quality content almost instantaneously. From academic papers to creative works and much more, the tool has illustrated the benefits and opportunity of AI.

Despite its potential value, the technology can also enhance nefarious activity. Vade analysts have uncovered the ability for hackers to weaponize ChatGPT to produce sophisticated phishing kits efficiently. Using commands, hackers can empower the AI tool to write phishing emails and malicious code in seconds.

Phishing email templates produced by ChatGPT

The weaponization of AI lays the groundwork for more hackers to launch sophisticated attacks, create PaaS offerings, and work more efficiently.

Phishing campaigns target productivity suites

Microsoft 365 boasts more than 345 million users, while Google Workspace is the second most popular suite. With the growing popularity of productivity suites, users are increasingly using email to access and use productivity apps such as file sharing and instant messaging.

In Q4 2022 Phishing Report, Vade continues to detect an increasing number of phishing attacks targeting productivity applications and the modern way they are used. In Q4, Vade analysts uncovered a scheme that exploits productivity software and disguises phishing pages. The tactic begins with a phishing email containing a malicious link that points to an intermediary webpage.

Intermediary page with phishing link to destination page

The intermediary page doesn’t contain any fields for harvesting user credentials. Instead, it only displays a link that points to a destination phishing page.

Destination phishing page

Here, hackers harvest the user’s credentials to gain access to their Microsoft 365 account. The attack is designed to trick email filters into scanning the intermediary page and marking it as safe, while never reaching the final malicious page.

Q4 2022 Phishing Report: Email is the top vector for phishing and malware threats

Email is the #1 channel for distributing phishing and malware attacks, giving hackers a convenient, scalable, and efficient vehicle for exploiting users and compromising accounts. As this quarter’s Phishing and Malware Report reveals, email threat activity continues to increase, creating the need for organizations of all sizes to fortify their cybersecurity.

In the past year, nearly seven out of 10 businesses experienced a serious data breach that bypassed their email security. To protect against all types of email-borne threats, including those used in advanced zero-day attacks, organizations must look beyond traditional email security solutions.

Collaborative cybersecurity solutions such as Vade for M365 enable organizations to defend against today’s most sophisticated threats. Powered by AI and enhanced by people, our integrated solution provides predictive defense against known and unknown threats using the latest threat intelligence and a core set of AI technologies.