
Six Exotic Phishing Exploits Found in the Wild


Business email compromise (BEC) attacks are on the rise from global phishing-as-a-service groups that offer novel phishing kits for sale on the Dark Web. Malicious actors can easily purchase open source GenAI tools in online marketplaces to create and launch targeted BEC attacks at scale with minimal costs. The rise of BEC phishing poses a serious threat for organizations of all kinds and sizes. The FBI’s Internet Crime Complaint Center (IC3) received nearly 21,500 BEC complaints in 2023, with reported losses totaling $2.9 billion, making BEC the top business cybercrime. 

A report published in December analyzed billions of threats across email and mobile channels and identified a clear upward trend in advanced phishing attacks. For example, credential phishing increased by 703% in the second half of 2024, overall email-based threats increased by 202%, and of all embedded malicious links observed, 80% of them were previously unknown zero-day threats. 

The bad guys are becoming more effective by continually adopting shrewd new tactics to stay one step ahead of security protections. Over time, scammers have gotten better at spoofing realistic business emails of executives, IT and HR departments, co-workers, third-party vendors, and partners to trick employees into making fraudulent wire transfers or invoice payments. Some hackers take it a step further by obscuring email rules to cover up their actions and evade detection by most security controls.

In this increasingly risky AI climate, SlashNext researchers have uncovered six recent threats that represent the scope of exotic new phishing exploits emerging in the wild. Each type of threat either involves a class of tools that can be accessed by relatively unskilled hackers on the Dark Web or is highly sophisticated and evades most detection tools—or, in the worst scenarios, both of those elements are true.

GoIssue

GoIssue is a tool marketed on a cybercrime forum that lets attackers extract email addresses from GitHub profiles and send bulk emails directly to user inboxes. Because the scraping is precise and profile-based, the fraudulent messages can be tailored to each recipient and disguised as legitimate correspondence. This development signals an alarming shift in targeted phishing that extends beyond individual developers to threaten entire organizations.

This cutting-edge tool is potentially linked to the GitLoker extortion campaign, which specializes in phishing and repository hijacking. GoIssue represents more than just another phishing threat – it’s a gateway to source code theft, supply chain attacks, and corporate network breaches through compromised developer credentials.


Blov HTML Crypter

This tool is designed to encrypt HTML files to evade antivirus detection and prevent takedowns when hosting phishing pages on cloud platforms. HTML encryption and obfuscation aren't new concepts, but the topic is more relevant than ever for security teams today. By employing techniques such as minification, encryption, and encoding, the tool transforms malicious HTML content into a form that is harder for security systems to recognize, so phishing pages pass virus scans and go undetected by security scanners.

The altered HTML files can be delivered in various ways: as email attachments, as links sent through chat services or social media messages, or hosted on cloud platforms where they can linger undetected for extended periods. Blov HTML Crypter doesn't automate the entire attack, but it empowers attackers to make their phishing schemes more elusive by obfuscating the malicious code within HTML file payloads.
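Since the obfuscated file itself is the artifact that reaches a mailbox, a useful defensive check is to triage HTML attachments for the indicators obfuscation leaves behind: long encoded blobs, runtime decoding helpers, dynamic execution, and script text with unusually high entropy. The following Python triage script is an added example for this article; it is not SlashNext's code and has nothing to do with the Blov HTML Crypter tool itself. Both HTML samples are constructed for the example (the encoded payload is placeholder text, not a phishing page), and the scoring thresholds are assumptions a team would tune against its own mail flow.

```python
"""Heuristic triage of HTML attachments for obfuscation indicators.

Added example for this article, not SlashNext's code and not anything from
the Blov HTML Crypter tool. The two HTML samples are constructed for the
example and the scoring thresholds are assumptions a team would tune.
"""
import base64
import math
import re
from collections import Counter

# Indicators typical of HTML that rebuilds its real content at runtime.
INDICATOR_PATTERNS = {
    # Long base64-looking runs. Inline images also use base64, so data: URIs
    # are stripped before scanning to limit false positives.
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
    # Decoding helpers that turn an encoded string back into markup/script.
    "runtime_decode": re.compile(
        r"\b(atob|unescape|decodeURIComponent|String\.fromCharCode)\s*\("
    ),
    # Dynamic execution or injection of the decoded result.
    "dynamic_eval": re.compile(r"\b(eval|Function|document\.write)\s*\("),
    # Long runs of hex / unicode / percent escapes.
    "escape_runs": re.compile(
        r"(\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2}){10,}"
    ),
}
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
DATA_URI_RE = re.compile(r"data:[\w/+.-]+;base64,[A-Za-z0-9+/=]+", re.IGNORECASE)


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded or encrypted blobs sit well above plain text."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def score_html(html: str) -> dict:
    """Return indicator hits, script statistics and a coarse verdict."""
    stripped = DATA_URI_RE.sub("", html)  # ignore legitimate inline images
    findings = {}
    for name, pattern in INDICATOR_PATTERNS.items():
        hits = len(pattern.findall(stripped))
        if hits:
            findings[name] = hits
    scripts = "".join(SCRIPT_RE.findall(stripped))
    script_ratio = len(scripts) / max(len(stripped), 1)
    entropy = shannon_entropy(scripts)
    score = len(findings)
    if script_ratio > 0.5:   # page is mostly script rather than visible content
        score += 1
    if entropy > 5.2:        # assumed threshold: plain JS is roughly 4.3-4.8 bits/char
        score += 1
    verdict = "suspicious" if score >= 3 else "review" if score >= 1 else "clean"
    return {
        "verdict": verdict,
        "score": score,
        "findings": findings,
        "script_ratio": round(script_ratio, 2),
        "script_entropy": round(entropy, 2),
    }


# Constructed samples: a plain page and one that hides its body behind
# eval(atob(...)). The encoded payload is placeholder text, not a phishing page.
BENIGN_HTML = """<html><body><h1>Quarterly report</h1>
<p>Figures are attached as a PDF; see the summary section for totals.</p>
<script>document.getElementById('y').textContent = new Date().getFullYear();</script>
</body></html>"""

_PLACEHOLDER_BODY = b"<p>constructed placeholder content for the example</p>" * 8
OBFUSCATED_HTML = (
    '<html><body><script>eval(atob("'
    + base64.b64encode(_PLACEHOLDER_BODY).decode()
    + '"));</script></body></html>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("obfuscated", OBFUSCATED_HTML)):
        print(label, score_html(doc))
```

The score is deliberately coarse: a single indicator only flags the file for review, because legitimate pages do use `decodeURIComponent` or large inline assets. Stacking several indicators at once (an encoded blob, a decoder, and `eval`, in a document that is almost entirely script) is the pattern that separates a crypted phishing page from ordinary HTML, and that combination is what drives the "suspicious" verdict.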

DocuSign Attack Campaigns Exploiting Government-Vendor Trust

DocuSign attacks are becoming increasingly common across the board, but one particularly troubling campaign specifically targets businesses that regularly interact with state, municipal and licensing authorities. Within just one week in November 2024, researchers observed a 98% increase in the use of DocuSign phishing URLs compared to all of September and October in the same year. Many of these involve government impersonations, with specific tactics changing on a daily basis to stay ahead of security defenders.

In an example of this attack type, a general contractor receives what appears to be an official DocuSign request from their state licensing board. The request is especially convincing because the attacker uses legitimate DocuSign accounts and APIs to create the templates. The fraudulent document appears to be a change order requiring immediate signature for additional materials and labor costs, which the contractor recognizes as a common document in such projects and signs quickly to avoid project delays. These attacks are highly successful for four reasons: the threat actors use legitimate DocuSign infrastructure, so the requests appear authentic; the documents include accurate pricing and terminology familiar to the industry; the attacks target businesses during predictable licensing cycles; and, because they are sent from actual DocuSign accounts, they can bypass traditional email security filters.

FishXProxy Phishing Kits

In July 2024, researchers uncovered FishXProxy, a new phishing kit that overcomes many technical barriers traditionally associated with phishing campaigns. These kits provide clever tools that make it easier for cybercriminals to slip through security defenses undetected. The campaigns are usually launched through unique web links or dynamic attachments to avoid detection. FishXProxy then further eludes security protections with advanced features such as antibot configurations, Cloudflare Turnstile integrations, page expiration settings, and more.

These kits are scary because they require minimal technical skills by simplifying all the steps for users to spin up successful phishing campaigns. FishXProxy includes an automated installation process, a straightforward interface, and a comprehensive documentation system that enables inexperienced hackers who lack coding experience to conduct sophisticated phishing attacks.

PhishWP WordPress Plugin

In early January 2025, our researchers discovered a new WordPress plugin, called PhishWP, on a Russian cybercrime forum. Threat actors leverage PhishWP to set phishing traps on legitimate websites by creating fake payment pages that look just like trusted payment services such as Stripe. Instead of processing payments, these pages steal credit card numbers, expiration dates, CVVs, billing addresses, and more in real time. PhishWP uses advanced techniques such as capturing the one-time password (OTP) sent during a 3-D Secure check at checkout, thus successfully evading subsequent security checks and enabling further fraudulent transactions.


Black Basta Attack Techniques

Most recently, SlashNext detected and prevented a slew of suspicious emails in a unique campaign designed to overwhelm targets and create immense chaos and confusion. Within just 90 minutes, attackers blasted 1,165 emails at 22 target mailboxes, intending to confuse victims and incite panic-clicking. This is in line with a surge in Black Basta-style tactics, in which attackers flood victims' inboxes with emails such as newsletter subscription confirmations or payment notifications. Next, the attackers swoop in posing as tech support, contacting victims via phone or Microsoft Teams messages and offering a quick fix by having the victim install software like TeamViewer or AnyDesk, thus granting the threat actor full remote access to the device.
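The flooding stage of this technique has a distinctive signature in mail gateway logs: one mailbox suddenly receiving far more messages than usual, from many unrelated senders, inside a short window. The following Python detector is an added example for this article, not SlashNext's detection logic. It replays constructed gateway log lines through a per-recipient sliding window and raises one alert per flooded mailbox; the log format, the 40-messages-in-30-minutes threshold and the requirement of at least 10 distinct senders are all assumptions chosen for the example.

```python
"""Sliding-window detection of inbox flooding (email bombing).

Added example for this article; it is not SlashNext's detection logic. The
mail-log lines are constructed, and the thresholds (40 messages to one
mailbox within 30 minutes, from at least 10 distinct senders) are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional

# Constructed log format, e.g.
# 2025-01-15T09:00:00 from=<a@x.example> to=<b@y.example> subject="Hello"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)> subject="(?P<subject>.*)"$'
)


class Delivery(NamedTuple):
    ts: datetime
    sender: str
    rcpt: str
    subject: str


def parse_line(line: str) -> Optional[Delivery]:
    """Parse one constructed gateway log line; returns None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Delivery(datetime.fromisoformat(m["ts"]), m["sender"], m["rcpt"], m["subject"])


def detect_bursts(lines, threshold=40, window=timedelta(minutes=30), min_senders=10):
    """Return one alert per mailbox that receives `threshold` messages from at
    least `min_senders` distinct senders inside any `window`-long interval.
    The distinct-sender condition separates a flood of unrelated sign-up
    confirmations from a busy but legitimate thread with a few participants."""
    deliveries = sorted(filter(None, map(parse_line, lines)), key=lambda d: d.ts)
    recent = defaultdict(deque)   # rcpt -> deliveries inside the current window
    alerts, alerted = [], set()
    for d in deliveries:
        dq = recent[d.rcpt]
        dq.append(d)
        while dq[0].ts < d.ts - window:     # drop messages that aged out of the window
            dq.popleft()
        senders = {x.sender for x in dq}
        if len(dq) >= threshold and len(senders) >= min_senders and d.rcpt not in alerted:
            alerted.add(d.rcpt)
            alerts.append({
                "recipient": d.rcpt,
                "window_start": dq[0].ts.isoformat(),
                "window_end": d.ts.isoformat(),
                "count": len(dq),
                "distinct_senders": len(senders),
                "sample_subjects": sorted({x.subject for x in dq})[:3],
            })
    return alerts


def build_sample_log() -> List[str]:
    """Constructed log: one mailbox flooded with 120 sign-up confirmations in
    90 minutes, alongside normal traffic to a second mailbox."""
    start = datetime(2025, 1, 15, 9, 0, 0)
    subjects = ["Confirm your subscription", "Welcome to our newsletter", "Payment notification"]
    lines = []
    for i in range(120):
        ts = start + timedelta(seconds=45 * i)
        lines.append(
            f'{ts.isoformat()} from=<news{i % 17}@list-{i % 17}.example> '
            f'to=<victim@example.com> subject="{subjects[i % 3]}"'
        )
    for h in range(5):
        ts = start + timedelta(hours=h)
        lines.append(f'{ts.isoformat()} from=<colleague@example.com> '
                     f'to=<finance@example.com> subject="Invoice {h}"')
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_log()):
        print(alert)
```

The alert fires as soon as the window fills, which matters for this technique: the flood is the set-up for the follow-on "tech support" call, so a burst alert on a mailbox is the cue to warn that user before the phone or Teams contact arrives, rather than a report to read afterwards.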

The best defense against all these latest types of cyberattacks involves adopting AI-based prevention tools directly into email and messaging channels to intercept and prevent phishing attacks from ever reaching end users. Only AI-powered messaging security platforms are able to detect and block multi-stage BEC and phishing attacks across all communication channels, allowing security teams to prevent financial fraud, data and credential thefts, and ransomware.
