Microsoft Impersonated Most in Phishing Attacks Among Nearly 350 Brands

In today's interconnected digital world, where our online accounts hold significant importance in both our professional and personal lives, it's crucial to be aware of the growing dangers we face. Among these threats, credential phishing stands out as a formidable and constantly changing enemy—with the FBI reporting more than 300,000 successful attacks last year alone.

But how are these attacks still so successful, despite better security tools and an increase in security awareness training? This is partially a result of cybercriminals knowing what may prompt employees to click on their emails and exploiting it: familiarity and urgency.

Credential phishing attacks are particularly harmful because they are typically the first step in a much more malicious campaign. For example, when attackers gain access to Microsoft credentials, they can use that information to enter the M365 environment, exfiltrate data from Outlook or SharePoint, and run more malicious business email compromise or vendor fraud attacks. Alternatively, when attackers gain access to banking credentials, they can access the bank account and move funds from their victim’s account to one they own. And, when they phish for social media account credentials, they can use the personal information contained in the account to extort their victims and force them into paying money to keep their data private.

But how do cybercrooks get these credentials in the first place? In many cases, attackers leverage the popularity of legitimate brands. Sending urgent emails from a trusted brand is enough to trick a user into sharing their sign-in credentials. This might include persuasive warnings about the potential of losing account access, fake alerts about fraudulent activity, or even seemingly innocuous demands to sign in via the provided link.

It helps to understand which brands are most commonly impersonated by bad actors so organizations (and employees themselves) can know what to expect. Perhaps unsurprisingly, Microsoft is by far the most commonly spoofed company—with nearly 650,000 attacks stopped by Abnormal in the last year. That’s 4.31% of all phishing attacks among 350 brands! And the reason why is that attackers really want to infiltrate and compromise the M365 cloud environment—as this access allows them access to nearly every other system used by the organization.

But while Microsoft is a standout example, there are so many other brands cybercrooks choose to impersonate. Here are the top 10 most popular brand impersonations of 2023 so far:

As you can see, hundreds of thousands of phishing emails are targeting businesses every year. If a spoofed Microsoft email doesn’t fool your employees, a fake PayPal, Google, or McAfee email might instead. And if they’re using the same password across multiple accounts, this could provide access to the email account anyway.

Unfortunately, while these brands are the most popular for impersonation, Abnormal has detected over 350 brand impersonation attacks over the past year. Other popular companies include Best Buy, American Express, Netflix, Adobe, and Walmart.

The bad news is that brand impersonation is likely to get even worse with the increase in reliance on ChatGPT and other generative AI tools. Making matters more complicated, organizations can no longer rely only on security awareness training, as threat actors can now use these tools to produce higher-quality phishing scams—without the typos and grammatical errors that have been indicative of a threat in the past.

Abnormal recently stopped this attack that impersonates DHL, which you can see looks fairly legitimate. It asks the target to click the link to pay a delivery fee, which is required due to unpaid customs duties. Upon doing so, the recipient would have their credit card information stolen by the phishing site.

Unlike phishing attacks of the past, this email looks pretty legitimate. This is because it was likely created by a generative AI tool, as shown here, where the words in green are those most likely to be chosen by a generative AI model as the next possible word.

Unfortunately, the use of generative AI goes beyond emails. Cybercriminals can produce whole websites—complete with logos, brand copy, and images—then link those to their phishing messages. This deepens the impression that these emails really are from the impersonated brand and makes it more likely that the victim will enter their credentials.

While the negative effects of these attacks might be felt immediately, some go undetected for long periods. In the case of a cloud email environment, compromised credentials allow attackers to read sensitive information stored in mailboxes, access integrated third-party apps, and send emails to contacts under the guise of the genuine account holder. The fallout of these attacks can be devastating—especially when attackers have access for weeks or even months before detection.

Attackers are ruthless. And if phishing emails are landing in employee mailboxes, eventually someone will slip up and share their sign-in credentials. After all, we’re all only human. Luckily, sophisticated email solutions ensure that humans are not the first (or the last) line of defense against advanced attacks.

Abnormal Security protects organizations from the full spectrum of email-based threats—including the phishing attacks that account for 66% of all advanced threats. By precisely baselining known and good behaviors, Abnormal blocks malicious emails before they reach employees. And should attackers gain access to accounts through another method, like brute force attacks or credential stuffing, Abnormal can immediately detect and remediate compromised email accounts.

By stopping new attacks and rooting out bad actors, Abnormal establishes unparalleled defenses for your organization. Whether you’re targeted by impersonated Microsoft attacks, business email compromise, or invoice fraud, Abnormal helps you proactively protect your sensitive information and prevent financial losses.

Want to learn more? Download our latest Email Threat Report to see how attackers are continuously changing their tactics to see success.