{"id":90286,"date":"2019-12-11T09:00:56","date_gmt":"2019-12-11T17:00:56","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=90286"},"modified":"2023-05-26T14:47:52","modified_gmt":"2023-05-26T21:47:52","slug":"the-quiet-evolution-of-phishing","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/","title":{"rendered":"The quiet evolution of phishing"},"content":{"rendered":"<p>The battle against phishing is a silent one: every day, <a href=\"https:\/\/docs.microsoft.com\/en-us\/office365\/securitycompliance\/office-365-atp\">Office 365 Advanced Threat Protection<\/a> detects millions of distinct malicious URLs and email attachments. Every year, <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/10\/17\/how-office-365-learned-to-reel-in-phish\/\">billions of phishing emails<\/a> don\u2019t ever reach mailboxes\u2014real-world attacks foiled in real-time. Heuristics, detonation, and machine learning, enriched by signals from Microsoft Threat Protection services, provide dynamic, robust protection against email threats.<\/p>\n<p>Phishers have been quietly retaliating, evolving their techniques to try and evade these protections. In 2019, we saw phishing attacks reach new levels of creativity and sophistication. Notably, these techniques involve the abuse of legitimate cloud services like those offered by Microsoft, Google, Amazon, and others. At Microsoft, we have aggressive processes to identify and take down nefarious uses of our services without affecting legitimate applications.<\/p>\n<p>In this blog we\u2019ll share three of the most notable attack techniques we spotted this year. We uncovered these attacks while studying Office 365 ATP signals, which we use to track and deeply understand attacker activity and build durable defenses against evolving and increasingly sophisticated email threats.<\/p>\n<h2>Hijacked search results lead to phishing<\/h2>\n<p>Over the years, phishers have become better at evading detection by hiding malicious artifacts behind benign ones. This tactic manifests in, among many others, the use of URLs that point to legitimate but compromised websites or multiple harmless-looking redirectors that eventually lead to phishing.<\/p>\n<p>One clever phishing campaign we saw in 2019 used links to Google search results that were poisoned so that they pointed to an attacker-controlled page, which eventually redirected to a phishing page. A traffic generator ensured that the redirector page was the top result for certain keywords.<\/p>\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-90287\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/12\/fig1-phishing-poisoned-search-results.png\" alt=\"\" width=\"900\" height=\"361\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/fig1-phishing-poisoned-search-results.png 900w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/fig1-phishing-poisoned-search-results-300x120.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/fig1-phishing-poisoned-search-results-768x308.png 768w\" sizes=\"(max-width: 900px) 100vw, 900px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 1. Phishing attack that used poisoned search results<\/em><\/p>\n<p>Using this technique, phishers were able to send phishing emails that contained only legitimate URLs (i.e., link to search results), and a trusted domain at that, for example:<\/p>\n<ul>\n<li><em>hxxps:\/\/www[.]google[.]ru\/<strong>#btnI&amp;q<\/strong>=%3Ca%3EhOJoXatrCPy%3C\/a%3E <\/em><\/li>\n<li><em>hxxps:\/\/www[.]google[.]ru\/<strong>#btnI&amp;q<\/strong>=%3Ca%3EyEg5xg1736iIgQVF%3C\/a%3E<\/em><\/li>\n<\/ul>\n<p>The campaign was made even stealthier by its use of location-specific search results. When accessed by users in Europe, the phishing URL led to the redirector website <em>c77684gq[.]beget[.]tech<\/em>, and eventually to the phishing page. Outside Europe, the same URL returned no search results.<\/p>\n<p>For this to work, attackers had to make sure that their website, <em>c77684gq[.]beget[.]tech<\/em>, was the top search result for the keyword &#8220;<em>hOJoXatrCPy<\/em>&#8221; when queried from certain regions. The website\u2019s HTML code is composed of a redirector script and a series of anchor elements:<\/p>\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-90288\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/12\/fig2-redirector-code.png\" alt=\"\" width=\"975\" height=\"458\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/fig2-redirector-code.png 975w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/fig2-redirector-code-300x141.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/fig2-redirector-code-768x361.png 768w\" sizes=\"(max-width: 975px) 100vw, 975px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 2. Redirector code<\/em><\/p>\n<p>These anchor elements were designed to be crawled by search engines so that the page is indexed and returned as result for the search keywords that attackers wanted to use for their campaign.<\/p>\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-90289\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/12\/fig3-achor-tags.png\" alt=\"\" width=\"975\" height=\"62\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/fig3-achor-tags.png 975w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/fig3-achor-tags-300x19.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/fig3-achor-tags-768x49.png 768w\" sizes=\"(max-width: 975px) 100vw, 975px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 3. Anchor tags containing search keywords<\/em><\/p>\n<p>The attackers then set up a traffic generator to poison search results. Because the phishing URL used the open redirector functionality, it redirected to the top search result, hence the redirector page.<\/p>\n<h2>404 Not Found pages customized to be phishing sites<\/h2>\n<p>The other way that phishers evade detection is to use multiple URLs and sometimes even multiple domains for their campaigns. They use techniques like subdomain generation algorithms to try and always get ahead of solutions, which, without the right dynamic technologies, will be forced continually catch up as phishers generate more and more domains and URLs.<\/p>\n<p>This year, attackers have found another shrewd way to serve phishing: custom 404 pages. We uncovered a phishing campaign targeting Microsoft that used 404 pages crafted as phishing pages, which gave phishers virtually unlimited phishing URLs.<\/p>\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-90290\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/12\/fig4-phishing-404-Not-Found-error-page.png\" alt=\"\" width=\"900\" height=\"362\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/fig4-phishing-404-Not-Found-error-page.png 900w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/fig4-phishing-404-Not-Found-error-page-300x121.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/fig4-phishing-404-Not-Found-error-page-768x309.png 768w\" sizes=\"(max-width: 900px) 100vw, 900px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 4. Phishing attack that uses specially crafted 404 Not Found error page<\/em><\/p>\n<p>The custom 404 page was designed to look like the legitimate Microsoft account sign-in page.<\/p>\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-90291\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/12\/fig5-404-phishing.png\" alt=\"\" width=\"600\" height=\"450\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/fig5-404-phishing.png 600w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/fig5-404-phishing-300x225.png 300w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 5. 404 page designed as phishing page<\/em><\/p>\n<p>Because the malformed 404 page is served to any non-existent URL in an attacker-controlled domain, the phishers could use random URLs for their campaigns. For example, we saw these two URLs used in phishing campaigns; the attackers added a single character to the second one to generate a new URL but serve the same phishing page:<\/p>\n<ul>\n<li><em>hxxps:\/\/skype-online8024[.]web[.]app\/8cc1083b0ffdf1e5b9594c045c825b02d41d8cd98f00b204e9800998ecf8427e#ZG1jY2FubkBtb3Jicm9zLmNvbQ<\/em><\/li>\n<li><em>hxxps:\/\/skype-online8024[.]web[.]app\/8cc1083b0ffdf1e5b9594c045c825b02d41d8cd98f00b204e9800998ecf8427e#ZG1jY2FubkBtb3Jicm9zLmNvbQs<\/em><\/li>\n<\/ul>\n<p>We also found that the attackers randomized domains, exponentially increasing the number of phishing URLs:<\/p>\n<ul>\n<li><em>outlookloffice365usertcph4l3q[.]web[.]app<\/em><\/li>\n<li><em>outlookloffice365userdqz75j6h[.]web[.]app<\/em><\/li>\n<li><em>outlookloffice365usery6ykxo07[.]web[.]app<\/em><\/li>\n<\/ul>\n<p>All of these non-existent URLs returned the 404 error page, i.e., the phishing page:<\/p>\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-90292\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/12\/fig6-URL-http-404-page-server-response.png\" alt=\"\" width=\"750\" height=\"278\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/fig6-URL-http-404-page-server-response.png 750w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/fig6-URL-http-404-page-server-response-300x111.png 300w\" sizes=\"(max-width: 750px) 100vw, 750px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 6. When phishing URL is accessed, server responds with HTTP 404 error message, which is a phishing page<\/em><\/p>\n<h2>Man-in-the-middle component for dynamic phishing attack<\/h2>\n<p>Phishers have also been getting better at impersonation: the more legitimate the phishing emails looked, the better their chances at tricking recipients. Countless brands both big and small have been targets of spoofing by phishers.<\/p>\n<p>One particular phishing campaign in 2019 took impersonation to the next level. Instead of attackers copying elements from the spoofed legitimate website, a man-in-the-middle component captured company-specific information like logos, banners, text, and background images from Microsoft\u2019s rendering site.<\/p>\n<p>Phishers sent out emails with URLs pointing to an attacker-controlled server, which served as the man-in-the-middle component and simulated Microsoft sign-in pages. The server identified certain specific information based on the recipient\u2019s email address, including the target company, and then gathered the information specific to that company. The result was the exact same experience as the legitimate sign-page, which could significantly reduce suspicion.<\/p>\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-90293\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/12\/fig7-phishing-microsoft-rendering-site.png\" alt=\"\" width=\"900\" height=\"361\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/fig7-phishing-microsoft-rendering-site.png 900w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/fig7-phishing-microsoft-rendering-site-300x120.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/fig7-phishing-microsoft-rendering-site-768x308.png 768w\" sizes=\"(max-width: 900px) 100vw, 900px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 7. Phishing attack that abuses Microsoft\u2019s rendering site<\/em><\/p>\n<p>Using the same URL, the phishing site was rendered differently for different targeted users. To generate legitimate-looking phishing sites, the server used the following code to retrieve the banner used by the target\u2019s victim company as identified by the domain information in the email address; the response is the URL for the company banner:<\/p>\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-90297\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/12\/fig8-code-snippet-banner.png\" alt=\"\" width=\"738\" height=\"283\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/fig8-code-snippet-banner.png 738w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/fig8-code-snippet-banner-300x115.png 300w\" sizes=\"(max-width: 738px) 100vw, 738px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 8. Code snippet for requesting the banner<\/em><\/p>\n<p>The server also retrieved the text used in the company\u2019s sign-in page; the response is the actual text specific to the target victim\u2019s company:<\/p>\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-90298\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/12\/fig9-code-snippet-company-specific-text.png\" alt=\"\" width=\"738\" height=\"212\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/fig9-code-snippet-company-specific-text.png 738w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/fig9-code-snippet-company-specific-text-300x86.png 300w\" sizes=\"(max-width: 738px) 100vw, 738px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 9. Code snippet for requesting the company-specific text<\/em><\/p>\n<p>To complete the legitimate-looking phishing page, the server requested the background image using the code below; the response is the URL to the image:<\/p>\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-90299\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/12\/fig10-code-snippets-backround-image.png\" alt=\"\" width=\"738\" height=\"280\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/fig10-code-snippets-backround-image.png 738w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/fig10-code-snippets-backround-image-300x114.png 300w\" sizes=\"(max-width: 738px) 100vw, 738px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 10. Codes snippets for requesting background image<\/em><\/p>\n<h2>Office 365 ATP: Durable and dynamic defense for evolving email threats<\/h2>\n<p>The phishing techniques that we discussed in this blog are vastly different from each, but they are all clever attempts to achieve something that\u2019s very important for phishers and other cybercrooks: stealth. The longer phishers can quietly hide from security solutions, the more chances they have to invade inboxes and trick people into divulging sensitive information.<\/p>\n<p>To hunt down phishing and other threats that don\u2019t want to be found, <a href=\"https:\/\/docs.microsoft.com\/en-us\/office365\/securitycompliance\/office-365-atp\">Office 365 ATP<\/a> uses advanced security technologies that expose sophisticated techniques. Our URL detonation technology can follow the attack chain so it can detect threats even if they hide behind legitimate services and multiple layers of redirectors.<\/p>\n<p>This rich visibility into email threats allows Office 365 ATP to continuously inform and improve its heuristic and machine learning protections so that new and emerging campaigns are blocked in real-time\u2014silently protecting customers from attacks even when they don\u2019t know it. The insights from Office 365 ATP also allow our security experts to track emerging techniques and other attacker activities like the ones we discussed in this blog, allowing us to ensure that our protections are effective not just for the campaigns that we see today but those that might emerge in the future.<\/p>\n<p>In addition, with the new <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/Security-Privacy-and-Compliance\/Introducing-campaign-views-in-Office-365-Advanced-Threat\/ba-p\/1054954\">campaign views in Office 365 ATP<\/a> currently in preview, enterprises can get a broad picture of email campaigns observed in their network, with details like when the campaign started, the sending pattern and timeline, the list of IP addresses and senders used in the attack, which messages were blocked or otherwise, and other important information.<\/p>\n<p>As an important component of <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/the-evolution-of-microsoft-threat-protection\/\">Microsoft Threat Protection<\/a>, Office 365 ATP provides critical security signals about threats that arrive via email\u2014a common entry point for cyberattacks\u2014to the rest of Microsoft\u2019s security technologies, helping provide crucial protection at the early stages of attacks. Through signal-sharing and remediation orchestration across security solutions, Microsoft Threat Protection provides comprehensive and integrated protection for identities, endpoints, user data, apps, and infrastructure.<\/p>\n<p>&nbsp;<\/p>\n<p><strong><em>Patrick Estavillo<\/em><\/strong><br \/>\n<em>Office 365 ATP Research Team<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<hr \/>\n<p>Read all <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/microsoft-security-intelligence\/\">Microsoft security intelligence blog posts<\/a>.<\/p>\n<p>Follow us on Twitter <a href=\"https:\/\/twitter.com\/MsftSecIntel\" target=\"_blank\" rel=\"noopener\"><strong>@MsftSecIntel<\/strong><\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In 2019, we saw phishing attacks reach new levels of creativity and sophistication. Read about the most notable phishing techniques we spotted in the past year. <\/p>\n","protected":false},"author":68,"featured_media":90301,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3663],"topic":[3687],"products":[],"threat-intelligence":[3736],"tags":[],"coauthors":[3380],"class_list":["post-90286","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-research","topic-threat-intelligence","threat-intelligence-social-engineering-phishing"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>The quiet evolution of phishing | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The quiet evolution of phishing | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"In 2019, we saw phishing attacks reach new levels of creativity and sophistication. Read about the most notable phishing techniques we spotted in the past year.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2019-12-11T17:00:56+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-26T21:47:52+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/phishing-trends-2019-social.png\" \/>\n\t<meta property=\"og:image:width\" content=\"800\" \/>\n\t<meta property=\"og:image:height\" content=\"450\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Microsoft Threat Intelligence\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/phishing-trends-2019-social.png\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Threat Intelligence\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-threat-intelligence\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Threat Intelligence\"}],\"headline\":\"The quiet evolution of phishing\",\"datePublished\":\"2019-12-11T17:00:56+00:00\",\"dateModified\":\"2023-05-26T21:47:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/\"},\"wordCount\":1439,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/phishing-blog.jpg\",\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/\",\"name\":\"The quiet evolution of phishing | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/phishing-blog.jpg\",\"datePublished\":\"2019-12-11T17:00:56+00:00\",\"dateModified\":\"2023-05-26T21:47:52+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/phishing-blog.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/phishing-blog.jpg\",\"width\":440,\"height\":268},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"The quiet evolution of phishing\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"The quiet evolution of phishing | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/","og_locale":"en_US","og_type":"article","og_title":"The quiet evolution of phishing | Microsoft Security Blog","og_description":"In 2019, we saw phishing attacks reach new levels of creativity and sophistication. Read about the most notable phishing techniques we spotted in the past year.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/","og_site_name":"Microsoft Security Blog","article_published_time":"2019-12-11T17:00:56+00:00","article_modified_time":"2023-05-26T21:47:52+00:00","og_image":[{"width":800,"height":450,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/phishing-trends-2019-social.png","type":"image\/png"}],"author":"Microsoft Threat Intelligence","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/phishing-trends-2019-social.png","twitter_misc":{"Written by":"Microsoft Threat Intelligence","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-threat-intelligence\/","@type":"Person","@name":"Microsoft Threat Intelligence"}],"headline":"The quiet evolution of phishing","datePublished":"2019-12-11T17:00:56+00:00","dateModified":"2023-05-26T21:47:52+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/"},"wordCount":1439,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/phishing-blog.jpg","inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/","name":"The quiet evolution of phishing | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/phishing-blog.jpg","datePublished":"2019-12-11T17:00:56+00:00","dateModified":"2023-05-26T21:47:52+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/phishing-blog.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/12\/phishing-blog.jpg","width":440,"height":268},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/12\/11\/the-quiet-evolution-of-phishing\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"The quiet evolution of phishing"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/90286"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=90286"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/90286\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/90301"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=90286"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=90286"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=90286"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=90286"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=90286"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=90286"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=90286"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}