Trusted business platforms are the new attack surface
Cybercrime is getting smarter. Attackers are no longer only sending fake emails from strange domains. Instead, they’re using platforms your business already trusts—Dropbox, SharePoint, QuickBooks, and Zoom Docs—to get through your defenses. It’s a brilliant move, if you think about it. These services are designed to be secure, but attackers exploit their legitimacy to distribute malicious links, bypassing traditional security systems.
This is a shift in strategy. Instead of creating suspicious new websites that can be flagged, attackers embed malicious content into services you and your employees use daily. That means phishing emails are coming from real, verified domains rather than some random, unregistered web address. Even worse, cybercriminals are hijacking real corporate email accounts—sometimes from your business partners or vendors—so the email looks completely authentic. It’s a serious challenge for security teams.
According to Darktrace’s 2024 Annual Threat Report, more than 30.4 million phishing emails were detected last year. 96% of them leveraged existing, trusted domains. If your security strategy still relies on spotting fake URLs, you’re already behind.
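To make the point above concrete, the sketch below is an added example (not from the article or from Darktrace) that compares a domain-reputation allowlist with a check that also asks who owns the link on a trusted platform. The allowlist, the known-tenant set, the function names and the sample URLs are all assumptions constructed for illustration.

```python
# Added example: reputation allowlist vs. a tenant-aware check. All values are constructed.
from urllib.parse import urlsplit

REPUTABLE = ("sharepoint.com", "dropbox.com")   # assumed domain-reputation allowlist
KNOWN_TENANTS = {"contoso", "fabrikam"}         # hypothetical: own org plus vetted partners

def _host(url):
    return (urlsplit(url).hostname or "").lower()

def reputation_only(url):
    """The weak control: pass anything hosted under a reputable domain."""
    h = _host(url)
    return any(h == d or h.endswith("." + d) for d in REPUTABLE)

def sharepoint_tenant(url):
    """Return the tenant label of a SharePoint/OneDrive host, else None."""
    h = _host(url)
    suffix = ".sharepoint.com"
    if not h.endswith(suffix):
        return None
    label = h[: -len(suffix)]
    return label[:-3] if label.endswith("-my") else label

def triage(url):
    """Return 'block', 'review' or 'deliver' for one link."""
    if not reputation_only(url):
        return "block"    # unknown domain: existing URL filtering already covers this
    tenant = sharepoint_tenant(url)
    if tenant is None:
        return "review"   # shared host: the domain says nothing about who owns the file
    return "deliver" if tenant in KNOWN_TENANTS else "review"

SAMPLES = [
    "https://contoso.sharepoint.com/sites/finance/q3.xlsx",
    "https://acme-invoices-my.sharepoint.com/:b:/g/personal/x/abc",
    "https://www.dropbox.com/scl/fi/abc/invoice.pdf",
    "http://sharepoint.com.example.net/login",
]

def run():
    return [(u, reputation_only(u), triage(u)) for u in SAMPLES]

if __name__ == "__main__":
    for row in run():
        print(row)
```

A known tenant is not proof of safety, since partner accounts are themselves hijacked; the check only separates out links whose owner is unknown, which the reputation allowlist passes without question.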
The rise of smarter, harder-to-detect attacks
We’re entering a new phase of cybercrime, one where artificial intelligence is doing the heavy lifting for attackers. Forget poorly written scam emails full of spelling mistakes. AI-generated phishing attacks are now so sophisticated that even seasoned professionals struggle to tell the difference. The message structure, tone, and word choice read as human even though they are machine-generated.
That’s why 38% of phishing attacks now involve spear phishing—highly personalized messages aimed at a specific individual or company. Attackers are using AI to craft messages tailored to you and your business. They can mimic writing styles, use insider terms, and reference real business details scraped from the internet.
On top of that, there’s the growing use of multistage payloads—emails that deliver multiple steps of infection, designed to avoid detection. Some of the most creative attacks now include malicious QR codes—940,000 phishing emails used them last year alone. Why? Because most businesses focus on scanning email links, not QR codes. It’s a simple but highly effective workaround.
The takeaway? Attackers are automating deception at scale, and traditional security methods can’t keep up.
Cybercriminals use your own tools against you
Here’s a harsh truth: cybercriminals don’t always need new malware to break into your business. Often, they use the tools you already have. This is called Living-off-the-Land (LOTL)—an attack method where hackers repurpose built-in enterprise software to carry out malicious activities while flying under the radar.
Think about it—if an attacker can gain access to a system and use existing admin tools, there’s no need to introduce custom malware that might trigger alerts. Instead, they use trusted enterprise applications to move laterally within your network, extract data, or escalate privileges. These attacks are incredibly difficult to detect because, technically, nothing is behaving abnormally—except the intent.
Darktrace found that 40% of early 2024 cyberattacks targeted vulnerabilities in widely used business tools, including Ivanti Connect Secure, Palo Alto Networks, and Fortinet devices. Attackers are also using stolen credentials to gain remote access through VPNs, allowing them to exploit enterprise systems with ease.
The big picture? Defending against these threats takes more than blocking external malware. The real challenge is identifying when normal business activity is being weaponized against you.
Ransomware and the next evolution of enterprise attacks
Ransomware is a business model. And like any competitive market, cybercriminals are evolving their strategies to maximize efficiency and profit. The latest trend? Using legitimate enterprise tools for stealth attacks.
Instead of developing new, detectable attack methods, ransomware groups now rely on common IT software—things like AnyDesk and Atera—to establish remote access and control over infected systems. They also use trusted cloud services to store stolen data before launching extortion attempts. The reason is obvious: security teams are far less likely to flag activity that looks like normal business operations.
This shift has led to a surge in Ransomware-as-a-Service (RaaS) and Malware-as-a-Service (MaaS) operations, where professional cybercriminals create attack tools and lease them to other criminals. The market for these tools is growing fast—MaaS usage increased 17% from the first to the second half of 2024, while deployments of Remote Access Trojans (RATs) jumped 34% over the same period. In simple terms, more criminals now have access to advanced tools, making sophisticated attacks more common.
If your business still thinks of ransomware as a “future risk,” you’re already behind. The question isn’t if your company will be targeted, but when. And when it happens, the attack will look like normal business activity—until it’s too late.
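Because the remote-access tools named above (AnyDesk, Atera) are legitimate software, detection has to key on where they are expected rather than on whether they are malicious. The following is an added example, not from the article: it checks process-creation events against an approved-use inventory. The event format, host names and inventory are constructed assumptions.

```python
# Added example: remote-access tools seen on hosts with no approved use for them.
import ntpath

# Executable names for the two tools the article names.
RMM_TOOLS = {"anydesk.exe": "AnyDesk", "ateraagent.exe": "Atera"}
# Hypothetical inventory: tool -> hosts where IT has approved it.
APPROVED = {"AnyDesk": {"HELPDESK-01"}}

# Constructed process-creation events, not real telemetry.
EVENTS = [
    {"host": "HELPDESK-01", "user": "it.admin",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"host": "FIN-LAPTOP-07", "user": "j.doe",
     "image": r"C:\Users\j.doe\Downloads\AnyDesk.exe"},
    {"host": "FILESRV-02", "user": "SYSTEM",
     "image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"},
    {"host": "FIN-LAPTOP-07", "user": "j.doe",
     "image": r"C:\Windows\System32\notepad.exe"},
]

def find_unapproved_rmm(events, approved=APPROVED):
    """Return one finding per remote-access tool launch outside the inventory."""
    findings = []
    for ev in events:
        tool = RMM_TOOLS.get(ntpath.basename(ev["image"]).lower())
        if tool is None or ev["host"] in approved.get(tool, set()):
            continue  # not a tracked tool, or an approved host for it
        reasons = ["tool has no approved hosts" if tool not in approved
                   else "host not approved for this tool"]
        if "\\users\\" in ev["image"].lower():
            reasons.append("runs from a user-writable path")
        findings.append({"host": ev["host"], "user": ev["user"],
                         "tool": tool, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_unapproved_rmm(EVENTS):
        print(f["host"], f["tool"], "; ".join(f["reasons"]))
```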
Key executive takeaways
- Exploiting trusted platforms: Cyber attackers are leveraging established services like SharePoint, Zoom Docs, and Dropbox to launch phishing attacks, with 96% of phishing emails using trusted domains. Leaders should reassess security measures around these platforms to prevent breaches.
- AI-enhanced phishing tactics: Advanced spear phishing, powered by AI, is increasing in sophistication, making traditional detection methods less effective. Decision-makers should invest in adaptive, AI-driven security solutions to counter these evolving threats.
- Living-off-the-land techniques: Cybercriminals are repurposing legitimate enterprise tools to bypass security systems without introducing new malware. Organizations must monitor internal tool usage and enforce strict access controls to mitigate this stealthy risk.
- Ransomware’s stealth evolution: Ransomware groups are adopting enterprise tools and Remote Access Trojans for covert operations, with MaaS usage up by 17% and RAT deployments rising 34%. It is critical to update cybersecurity strategies with enhanced detection and rapid response capabilities.