- Report finds reverse proxy attacks bypass 2FA, exploiting trust in fake logins
- Phishing remains dominant, accounting for a third of all attacks
- Malicious URLs surge, comprising 22.7% of cyberattack strategies
Cybercriminals are continually evolving their tactics, and email remains a primary vector for attacks, with new research from Hornetsecurity highlighting several alarming trends, including the rise of malicious emails and sophisticated credential theft tactics.
In 2024, businesses worldwide received 20.5 billion emails, of which a staggering 36.9% were unwanted. Alarmingly, 2.3% of these - 427.8 million - contained malicious content.
Phishing attacks accounted for a third of all cyber-attacks, highlighting the ongoing challenge of safeguarding organizations from deceptive social engineering tactics.
The rise of reverse-proxy credential theft
Malicious attachments have seen a decline, though a new threat, reverse proxy credential theft, is emerging,
These sophisticated attacks leverage social engineering and malicious links rather than attachments to deceive users. Victims are redirected to fake login pages that mimic trusted sites, capturing their credentials in real time.
Remarkably, these methods can bypass two-factor authenticator apps (2FA). Tools like Evilginx enable attackers to create convincing fake login portals, making it easier to steal sensitive information. Malicious URLs now account for 22.7% of attacks, reflecting a significant surge since 2023.
The report shows a decline in the overall threat index for most industries compared to 2023. However, targeted attacks persist across all sectors, with mining, entertainment, and manufacturing identified as high-risk industries.
Ransomware attacks and double-extortion scams are particularly prevalent in these areas. Brand impersonation also remains a popular tactic among cybercriminals. Shipping companies like DHL and FedEx were the most impersonated brands, while DocuSign, Facebook, Mastercard, and Netflix saw attempts more than double compared to 2023.
To counter these attacks, organizations must implement advanced email filtering systems, adopt multi-layered authentication mechanisms resistant to 2FA bypassing, and prioritize employee cybersecurity training courses to recognize phishing tactics.
"These findings highlight both progress and new challenges in the fight against cyber threats," said Daniel Hofmann, Hornetsecurity CEO.
"While it’s encouraging to see some consistency in attack methods, for defensive purposes, the shift toward more targeted social engineering tactics means businesses must stay vigilant. With over 427 million malicious emails still reaching inboxes, it’s clear that cybersecurity strategies must evolve to stay ahead of increasingly sophisticated threats."
"In 2025, organizations must prioritize basic security practices and embrace a zero-trust mindset to tackle vulnerabilities head-on and foster a strong security culture."
"Building a well-defended business isn’t possible without engaging everyone—helping them understand how cybersecurity impacts them personally and why their role is essential to keeping threats at bay. By working with trusted vendors, companies can not only protect themselves but also tap into expert knowledge that elevates their overall cybersecurity strategy.”
You might also like
- More reports claim 2024 was the worst year for ransomware attacks yet
- We've listed the best temporary email services
- We've also listed the best proxies for enterprises
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
