As LotL Attacks Evolve, So Must Defenses

Because living-off-the-land (LotL) attacks masquerade as frequently used, legitimate services, they are very difficult to block and detect.

Living-off-the-land (LotL) attacks began as malware using native applications and processes to hide malicious activity, and they have evolved over the years. LotL phishing has become an increasingly popular method for attackers to infiltrate a legitimate third-party service (to exploit trust in it) and use its tools to mask and conduct malicious activities. Since the targeted services are frequently used for legitimate purposes, in most cases they cannot be blocked outright and are hard for end users to detect.

This year alone, ubiquitous brands including QuickBooks and Adobe were once again leveraged in clever LotL phishing attacks. Qakbot distributors were on the attack with new campaigns leveraging conversation hijacking attacks (CHAs) and the implied trust of previous email threads. An alternative variant of GuLoader, a malware downloader primarily used for distributing shellcode and malware (for example, ransomware and Trojans), was also observed in the wild.

How LotL Phishing Attacks Work

A LotL phishing attack's initial goal is a credential harvesting page where threat actors steal a user's email address and password. Once logged in, they do reconnaissance within the organization (including looking through that person's inbox for opportunities to commit a business email compromise attack). For example, if the target is in finance, the threat actor may initiate a wire transfer or reroute invoicing traffic. If the target is not high value, threat actors will pivot and attack that user's contacts to conduct a CHA or distribute malware by replying to legitimate conversations in the inbox.

LotL phishing attacks have become increasingly sophisticated. One example originated from a compromised nhs[.]net Microsoft account, the email system for National Health Service (NHS) employees in England and Scotland. The theme was a Microsoft "secure fax pdf" originating from the "ShareFile Team 2023." Because it was sent from a hacked (or compromised) Microsoft account, it was authentically Microsoft themed (it included the Microsoft logo and URL in the email, and it came from a Microsoft domain). This is a great example of keeping everything cohesive, something that is becoming more common in LotL phishing attacks.

Upping the Game

Typical LotL phishing attacks might have a company's logo or name in the body of the email but are not authentically themed, unlike the NHS "Microsoft" case. With this full brand impersonation, threat actors have upped their game. They're taking advantage of the reputation of a legitimate business service and people's trust in its domain to make the attack extremely hard to identify and even harder to block.

From an end-user perspective, it is easy to be fooled by a legitimate Microsoft graphic and link. Employees also have some inherent trust that systems and processes are in place to filter out bad URLs. However, in instances like the Microsoft-themed attack, where an enormous amount of traffic uses this legitimate domain for valid purposes, security and threat teams face a difficult challenge, as the legitimate site itself typically does not pose a threat.

While blocking legitimate high-use domains is not practical, limiting access to sensitive information to only those who need it minimizes the attack surface if a threat actor successfully gains access. This action, however, doesn't stop threat actors from putting malware on a system or gaining network access. End-user training can help to an extent, but with a cohesive attack such as this, simply looking at an email and checking whether a URL goes to a legitimate service isn't enough.

A Layered Defense

Because users can't always trust what they see, they must be taught to also look at the context of an email. This means asking whether there is a legitimate reason they are receiving it. If there is any hesitancy or question, encourage them to reach out to the sender by phone. Security teams must also be aware that it is not realistic to expect everyone to take the time to analyze every email received. Adding security layers is key to achieving cyber resilience. This includes supplementing employee education with security solutions that are continually updated with threat intelligence.

A layered security approach should include detecting, blocking, and filtering out malicious emails and attachments. Email filters can recognize and quarantine suspicious messages. Security solutions that are continually updated, and that apply artificial intelligence and machine learning, can distinguish phishing from genuine emails and prevent malicious content from reaching an employee's inbox.
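The context checks described above (is there a legitimate reason for this mail, does the brand it invokes match where it actually came from, is a reply landing in a thread from someone who was never part of it) can be turned into a simple triage score that runs before a message reaches the inbox. The following is an added example written for this article, not code from the author or any product mentioned; the brand-to-domain table, lure phrases, weights, and the three sample messages are all constructed for illustration. It deliberately does not treat a passing SPF/DKIM check as reassuring, because mail from a compromised account, as in the NHS case, authenticates perfectly.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Brands worth checking against the sending domain, mapped to the domains
# that brand legitimately sends from. Constructed table for illustration;
# a deployment would build this from observed mail flow.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "sharefile": {"sharefile.com"},
    "quickbooks": {"intuit.com"},
    "adobe": {"adobe.com"},
}

# Wording typical of document-delivery and payment-redirect lures (constructed list).
LURE_PHRASES = ("secure fax", "shared a document", "review and sign",
                "invoice attached", "bank details")


@dataclass
class InboundMail:
    from_addr: str
    subject: str
    body: str
    auth_results: str = ""                 # e.g. "spf=pass dkim=pass"
    in_reply_to: Optional[str] = None      # Message-ID this mail claims to answer
    thread_participants: set = field(default_factory=set)  # domains already on that thread


def sender_domain(addr: str) -> str:
    """Domain part of an address, lower-cased ('a@B.Example' -> 'b.example')."""
    return addr.rsplit("@", 1)[-1].strip("> ").lower()


def score_mail(msg: InboundMail):
    """Return (score, reasons); a higher score is more suspicious."""
    reasons = []
    score = 0
    dom = sender_domain(msg.from_addr)
    text = f"{msg.subject} {msg.body}".lower()

    # 1. A brand is named in the message, but the mail was sent from a domain
    #    unrelated to that brand (the "legitimate account, borrowed brand" lure).
    for brand, legit in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", text) and not any(
                dom == d or dom.endswith("." + d) for d in legit):
            score += 3
            reasons.append(f"'{brand}'-themed mail sent from {dom}")

    # 2. Lure wording that asks the reader to open, sign, or pay something.
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        score += 2
        reasons.append("lure phrasing: " + ", ".join(hits))

    # 3. A reply into an existing thread from a domain that was never on it,
    #    the shape of a conversation hijacking attack.
    if msg.in_reply_to and msg.thread_participants and dom not in msg.thread_participants:
        score += 3
        reasons.append(f"reply to existing thread from new domain {dom}")

    # Passing SPF/DKIM is NOT treated as mitigating: a compromised account
    # authenticates correctly, so the note only reminds the analyst of that.
    if "spf=pass" in msg.auth_results and score:
        reasons.append("note: authentication passed; sending account may be compromised")
    return score, reasons


def triage(mails, threshold: int = 4):
    """Subjects, scores and reasons of messages at or above the threshold."""
    flagged = []
    for m in mails:
        score, reasons = score_mail(m)
        if score >= threshold:
            flagged.append((m.subject, score, reasons))
    return flagged


# Constructed sample messages (addresses and domains are placeholders).
SAMPLES = [
    InboundMail(  # brand-themed lure from a compromised account on an unrelated tenant
        from_addr="j.doe@hospital-trust.example",
        subject="Secure fax PDF from ShareFile Team",
        body="You have received a secure fax. Open it with your Microsoft account.",
        auth_results="spf=pass dkim=pass"),
    InboundMail(  # reply landing in a real invoice thread from a domain never on it
        from_addr="ap@vendor.example",
        subject="RE: Q3 invoice",
        body="Please note our updated bank details for the attached invoice.",
        in_reply_to="<abc@corp.example>",
        thread_participants={"corp.example", "supplier.example"}),
    InboundMail(  # ordinary internal notice
        from_addr="it@corp.example",
        subject="Patch window tonight",
        body="Servers reboot at 22:00.",
        auth_results="spf=pass dkim=pass"),
]

if __name__ == "__main__":
    for subject, score, reasons in triage(SAMPLES):
        print(f"{score:>2}  {subject}\n    " + "\n    ".join(reasons))
```

The score is a triage signal for the mail gateway or the analyst queue, not a verdict: a mail from a partner that legitimately mentions Microsoft will pick up a few points, which is why a threshold is applied and the reasons are kept alongside the number. The useful property is that none of the three rules rely on the sending domain or URL being bad, since in these attacks they are not.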

A multilayered approach to protection that includes real-time threat intelligence hardens an organization's security posture. For even greater protection, add endpoint protection and DNS protection. The more layers, the less likely a threat actor will be successful. And if all else fails, backup and recovery solutions are essential to getting businesses up and running quickly, with minimal disruption.