Cybersecurity researchers have uncovered phishing actors adopting a new trend where non-executive level employees who enjoy access privileges to valuable infrastructure areas are targeted, rather than the enterprise’s upper echelons.
In recent months, around 50% of the phishing messages analysed by the team at Avanan attempted to spoof non-executives. Additionally, around 77% of these malicious emails were sent to employees at the same non-executive level.
A change in tactics
Previous phishing strategies involved the impersonation of chief financial officers (CFOs) and chief executive officers (CEOs) to fool enterprise staff in targeted attacks such as spear phishing. This was a practical approach as issuing urgent requests and instructions reportedly from a high-ranking personnel member typically increased the possibility of a recipient complying and taking the desired course of action. Non-executives are, as a rule, less likely to question such requests from their superiors.
However, as CFOs and CEOs became more vigilant and IT security staff at larger firms added safeguards to “critical” email accounts, threat actors using phishing techniques turned their attention to lower-ranking staff members. Many non-executive employees need access to sensitive data stores to perform their roles, which makes them exceptional entry points for threat operators looking for a foothold in an enterprise network.
Researchers at Avanan commented:
“Security admins might be spending a lot of time providing extra attention to the C-Suite and hackers have adjusted. At the same time, non-executives still hold sensitive information and have access to financial data. Hackers realized there is no need to go all the way up the food chain.”
An attack using DocuSign
Avanan detailed a common trick used in phishing campaigns in the report it recently released. The tactic involves DocuSign, a well-known and cloud-based document signing solution.
During the phishing attack, threat operators offer DocuSign to recipients as an alternate signing option in the emails they are sending and ask users to enter their company credentials to view a specified document and sign it.
These emails are cleverly crafted to look like authentic messages from DocuSign but are not sent from the legitimate platform. However, regular users of the digital signing solution may recognise that DocuSign emails never ask users to enter their passwords. A dedicated authentication code is emailed to a recipient instead for added security.
However, when busy balancing their daily workload, many employees are likely to be tricked by such messages and treat them as genuine DocuSign requests. This can lead them to enter their private credentials and hand them to the phishing operators.
It is vital that employees know to examine inbox emails before interacting with them to keep companies safe from cyberattacks. Grammatical errors and unsolicited attachments are well-known hallmarks of phishing messages.
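The two tells described above (a message that claims to be from DocuSign but does not come from a DocuSign sending domain, and a message that asks the recipient to type in a company password, which the real platform never does) can be turned into a simple mail-gateway or SOC triage heuristic. The following Python is an added illustration, not code from Avanan or DocuSign; the list of legitimate sender domains, the phrase patterns, and the two sample messages are all constructed assumptions for the example.

```python
"""Heuristic triage for DocuSign-themed credential phishing.

Added example: flags a message when it (a) presents itself as DocuSign but is
sent from a domain outside an allow-list, or (b) asks the reader to enter a
password or company credentials. The domain allow-list and phrase patterns are
assumptions for illustration, not an authoritative list.
"""
import re
from dataclasses import dataclass, field

# Assumed sending domains for the genuine platform (illustrative, not authoritative).
LEGIT_SENDER_DOMAINS = {"docusign.net", "docusign.com"}

# Phrases that ask the recipient to type in credentials. The genuine platform
# emails an access code instead of asking for a password.
CREDENTIAL_PATTERNS = [
    r"enter your (company |corporate |email |work )?(password|credentials)",
    r"sign in with your (company|corporate|email) (account|credentials|password)",
    r"log ?in (with|using) your (email|company|work) password",
]


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header.

    Handles both 'Display Name <user@host>' and bare 'user@host' forms.
    """
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header.strip()
    return address.rsplit("@", 1)[-1].lower()


def domain_allowed(domain: str) -> bool:
    """True if the domain is one of, or a subdomain of, the allow-listed domains."""
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_SENDER_DOMAINS)


def triage(from_header: str, subject: str, body: str) -> Verdict:
    """Apply the two heuristics and return a Verdict with human-readable reasons."""
    reasons = []
    # Heuristic 1: the message claims a DocuSign identity (display name, subject
    # or body) but the envelope-visible sender domain is not DocuSign's.
    claims_docusign = "docusign" in (from_header + subject + body).lower()
    domain = sender_domain(from_header)
    if claims_docusign and not domain_allowed(domain):
        reasons.append(f"claims to be DocuSign but sent from '{domain}'")
    # Heuristic 2: the body asks the reader to enter a password or credentials.
    for pattern in CREDENTIAL_PATTERNS:
        if re.search(pattern, body, re.IGNORECASE):
            reasons.append("asks recipient to enter password/company credentials")
            break
    return Verdict(bool(reasons), reasons)


# Constructed sample messages (not real captures) for demonstration.
SAMPLES = {
    "spoof": (
        "DocuSign <noreply@mail-docusign-review.example>",
        "Document ready for signature",
        "A document is waiting for you. Enter your company credentials to view "
        "the document and sign it.",
    ),
    "genuine_style": (
        "DocuSign <dse@docusign.net>",
        "Please review and sign: Vendor Agreement",
        "Review your document. An access code has been sent to this email "
        "address; no password is required.",
    ),
}


def triage_samples() -> dict:
    """Run triage over the constructed samples; returns name -> Verdict."""
    return {name: triage(*msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name}: suspicious={verdict.suspicious} reasons={verdict.reasons}")
```

The sender-domain check alone is weak, since the visible From: header is trivially forged; in a real gateway it should be backed by SPF, DKIM and DMARC results. The credential-request check is the more durable signal, because it targets the behaviour the genuine platform never exhibits rather than an address the attacker can change.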
Attacks using DocuSign are not new and have long been a tool of threat operators keen to steal passwords and usernames and to spread malware. In 2019 a more complex campaign using a DocuSign theme attempted to fool users into parting with their complete credentials for an extensive array of email providers.