Attackers Keep Evolving: Lessons from Expel’s Q2 2023 Quarterly Threat Report
Aaron WaltonAaron Walton

Attackers Keep Evolving: Lessons from Expel’s Q2 2023 Quarterly Threat Report

Cyberdefenders plug the holes, so attackers innovate to try to stay ahead.

By Aaron Walton, Threat Intel Analyst, Expel

Most cyberattackers don’t try to reinvent the wheel: as long as something works, they’ll keep doing it. Unfortunately for them, cybersecurity teams are very good at diagnosing issues, fixing them, and developing processes to preempt future attacks (or, at the least, to make them more hassle than they’re worth)—especially when the black hats give them lots of practice.

The good news, from a hacker perspective, is that some of their more industrious colleagues never stop looking for new tactics, techniques, and procedures (TTPs), nor do they stop looking for ways of monetizing their efforts. These innovators prep and roll out new attacks and all of a sudden, our security operations centers (SOCs) begin seeing the next set of trends.

Each quarter, Expel examines the threats observed within our SOC to identify which attack trends are on the rise—and which tactics organizations need to be prepared to face. This year’s Q2 2023 Quarterly Threat Report (QTR) found that challenges like adversary-in-the-middle (AiTM) attacks and cybercrime-as-a-service are among the threats that deserve the most attention from today’s businesses.

Exit legacy protocols, enter AiTM.

Microsoft kneecapped a standard compromise tactic when it disabled legacy protocols in October 2022. But phishing is just too lucrative, so attackers needed a new way in. (More than a half-billion phishing attacks were reported in 2022—over double the number from 2021—so it would be naïve to expect decreased interest anytime soon.)

The emerging hacker response: session cookie theft via adversary-in-the-middle (AiTM) attacks. Identity-related incidents employing frameworks such as Evilginx2 to steal login credentials and session cookies for initial access and subsequent bypassing of multi-factor authentication (MFA) increased threefold—growing to 15% of all phishing attacks in Q2.

This fresh approach to phishing (a long-time scourge of SOCs everywhere) is more sophisticated, but the good news is that there are effective defenses. Security teams should beware newly registered MFA devices, as well as those registered using a proxy, virtual private network (VPN) or originating from a suspicious location. (Automating these detections is a pretty straightforward process and can have a significant impact on the effectiveness of phishing defenses.)

Stronger authentication methods, such as Fast ID Online 2 (FIDO2) and certificate-based authentication, are also hugely helpful. It’s true that FIDO isn’t feasible for all organizations, and in these cases, we recommend deployment of phish-resistant MFA, instead. While not as comprehensive as FIDO, phish-resistant MFA still adds a valuable layer of defense that attackers will need to work around. SOCs may also opt for push notifications instead of performing MFA by email, SMS, voice, or time-based one-time passwords (TOTPs). Notification-based MFA has proven to be the most secure method of MFA and is quickly becoming preferred.

Another thing our SOC saw more of in Q2: more cybercrime-as-a-service

Eighty percent of organizations use one or more software-as-a-service (SaaS) offerings, and for good reason. They’re accessible, cost effective, scalable, and incorporate data reporting and intelligence tools. Criminals have been paying attention, and the result is an increased popularity of cybercrime-as-a-service (CaaS) offerings.

If you haven’t heard about this yet, think of CaaS as Amazon for cybercriminals (access-as-a-service, ransomware-as-a-service, bulletproof hosting, phishing-as-a-service, and so on). Commodity malware is maddeningly effective, and it dramatically increases the pool of potential attackers: with automated and ready-to-deploy toolkits available at bargain prices, even small-time, inexperienced threat actors can execute large-scale attacks.

In fact, some criminal organizations even offer subscription options (and professional services like training and—get this—some ransomware-as-a-service providers will even negotiate with victims on their customers’ behalf). Scary, right?

The Q2 QTR highlights a number of the most common social engineering toolkits used by multiple actors and remote access tools. The more organizations know about the tactics attackers are using, the better chance they have of successfully defending against them.

And there’s more.

These aren’t the only stories told by the new Quarterly Threat Report. Those interested in learning more about the tactics attackers are leveraging this year should check out the report for more insights and recommendations. Hopefully, these findings are useful for your organization, too. In the meantime, here’s hoping your SOC is peaceful and boring for the rest of the year.

About the Author

Attackers Keep Evolving: Lessons from Expel’s Q2 2023 Quarterly Threat ReportAaron Walton is a Threat Intel Analyst at Expel.  He monitors threat actor trends and behaviors to support Expel’s operations. He recommends following @ExpelSecurity on X for articles published by him or his team.

More Information can be found at

March 27, 2024

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Global InfoSec Awards for 2024 are now Open! Take advantage of co-marketing packages and enter today!