A new report released today by phishing detection and response solutions company Cofense Inc. details a staggering rise in credential phishing volume in the first quarter and an overall increase in active threats.

In the first quarter, Cofense detected a 527% increase in credential phishing volume from the previous quarter, a shift described as “volatile.” The volume increase year-over-year was more moderate, though still a significant 40% increase from the first quarter of 2022. Notably, the main spike in credential phishing volume occurred in March, significantly exceeding January and February.

Emotet, long a favorite among cybercriminals and once described as “the world’s most dangerous malware,” was the most popular malware type detected in the quarter. The report notes that this is directly linked to the high volume of emails that Emotet disseminates.

Behind Emotot, the Agent Telsa keylogger was the second most-used form of malware, followed by the FormBook information stealer. The quarter saw a 38% increase in the use of keyloggers, the highest increase in any malware type.

One standout in the report was a surge in malicious campaigns that abuse bots in the messaging service Telegram Messenger Inc. The use of Telegram bots increased almost fivefold in the first quarter from the previous quarter and outstripped the total volume of all of 2022 by more than fourfold.

Although slightly down the list in terms of popularity, Qakbot was identified as the most successful malware family reaching inboxes. Qakbot managed to get into inboxes at a rate 185% higher than Emotet, despite Emotet’s being the most common form of malware distributed in phishing campaigns.

The first quarter also stood out regarding how potential victims are being targeted, with a massive switch in the top malware delivery mechanism. The use of OneNote files as a delivery mechanism, with the addition of OLE packages and WSF downloaders bundled with the file, was the most popular form of delivery method in the quarter after barely being detected at all in the fourth quarter of 2022.

The rise of OneNote files as a popular delivery mechanism replaced the longstanding popular distribution method of Office macros. CVE-2017-11882, a vulnerability detected in Microsoft Equation Editor in 2017, also surged in popularity in the quarter since Emotet extensively uses it in its attack campaigns.

Image: Pixabay