Key findings in the report include:

1. Changes to the Microsoft Office macro abuse landscape: After almost three decades of service as a popular malware distribution method, Office macros finally began to decline in use after Microsoft updated how its software handles files downloaded from the web. The changes set off an ongoing flurry of experimentation by threat actors in 2022 to seek alternative techniques to compromise targets.
2. Conversational scams: Smishing and pig butchering threats surged in the 2022 data analyzed. In the mobile space, it increased twelvefold in volume. Telephone-oriented attack delivery (TOAD) peaked at 13m messages per month. Several state-sponsored APT actors invested significant time in these conversational threats.
3. More off-the-shelf MFA bypass phish kits: EvilProxy, Evilginx2, and NakedPages and similar kits have enabled even non-technical criminals to spin up a phishing campaign, accounting for more than a million phishing messages per month in the data set analyzed.
4. Many cloud-based attacks occurred in legitimate infrastructure: Most organizations faced threats originating from cloud giants Microsoft and Amazon, whose infrastructure host countless legitimate services that organizations relied upon.
5. Novel distribution methods: With a novel distribution method involving drive-by downloads and fake browser updates, threat actors behind SocGholish (TA569) had increasingly been able to infect websites to deliver malware exclusively through drive-by downloads, tricking victims into downloading it through fake browser updates. Many sites hosting the SocGholish malware were unaware they were hosting it, further proliferating its delivery.
6. More cloud threats detected: 94% of cloud tenants were targeted every month in the 2022 data, by either a precision or brute-force cloud attack, a frequency on a par with email and mobile vectors. The number of brute-force attacks — notably password spraying — had increased from a monthly average of 40m in 2022 to nearly 200m in early 2023.
7. Top two abused brands: Microsoft products and services occupied four of the top five positions for abused brands, with Amazon being the most abused brand in the data analyzed.
8. Breaking-in through shadow admin privileges: As many as 40% of misconfigured, or “shadow” admin identities can be exploited in a single step, such as resetting a domain password to elevate privileges. And 13% of shadow admins in the data analyzed were found to already have domain admin privileges, allowing attackers to harvest credentials and access corporate systems. Around 10% of endpoints had an unprotected privileged account password, with 26% of those exposed accounts being domain admins.
9. Emotet roared back as the world’s most prominent threat actor: One year after law enforcement took the botnet offline in January 2021, the threat group sent over 25m messages in the 2022 data set analyzed: more than double the volume of the second most prominent threat actor.
10. Financially driven crime largely dominated the 2022 threat landscape: However, a single outlier attack by an Advanced Persistent Threat (APT) actor can have a massive impact: One large campaign by TA471, a Russia-linked APT group that engages in both corporate and government espionage, propelled that actor to the top of the APT message volume charts. TA416, an APT actor aligned with China, was one of the most active. Significant new campaigns by TA416 coincided with the start of the Russia-Ukraine war, targeting European diplomatic entities involved in refugee and migrant services.