Date: 2024-02-28

The 2024 IBM X-Force Threat Intelligence Index revealed that attackers kept changing their delivery techniques to evade detection throughout 2023. The good news? Security improvements, such as Microsoft blocking macro execution by default starting in 2022 and, by mid-2023, blocking OneNote embedded files with potentially dangerous extensions, have changed the threat landscape for the better. Improved endpoint detection also likely forced attackers to shift away from other techniques that were prominent in 2022, such as using disk image files (e.g., ISO) and HTML smuggling.

Of course, these security improvements force attackers to find other entry points into organizations, and in 2023 X-Force observed attackers, initial access brokers in particular, increasingly shift to placing malicious links within emails to download subsequent payloads, or to attaching PDF files that contain malicious links. Other key observations for 2023 include:

An increase in the use of Nullsoft Scriptable Install System (NSIS) executables and .NET-based obfuscators and packers in executable files used to deliver commodity malware.

The continued prominence of ZIP files as the most observed archive format. More advanced threat actors introduced new file types within archives, such as Internet shortcut (.URL) files, whose overall use increased significantly in 2023.

An increase in the exploitation of older vulnerabilities such as CVE-2017-11882, the most prolific exploit observed in email campaigns.

The adoption of increasingly complex execution chains likely designed to reduce detection rates and filter out security researchers and automated sandboxes.
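As an added defensive example (not code from the X-Force article), the scanner below walks a ZIP email attachment and flags the Internet shortcut (.URL) entries singled out in the list above, parsing each shortcut's target so a mail gateway or analyst can see where the next stage would be fetched from. The set of risky extensions and the sample archive are constructed for this example.

```python
import io
import os
import zipfile
import configparser
from typing import Dict, List

# Extensions worth blocking or sandboxing when found inside an archived email
# attachment. This set is an assumption for the example, not a list from the page.
RISKY_EXTENSIONS = {".url", ".exe", ".lnk", ".js", ".vbs", ".hta", ".iso"}


def parse_url_shortcut(data: bytes) -> str:
    """Return the URL= target of an Internet shortcut file, or "" if it has none.
    .URL files are INI-style text with an [InternetShortcut] section."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(data.decode("utf-8", errors="replace"))
        return parser.get("InternetShortcut", "URL", fallback="")
    except configparser.Error:  # not INI-shaped, missing section header, etc.
        return ""


def is_remote_target(url: str) -> bool:
    """True when the shortcut points at a UNC share, file:// or http(s) location,
    i.e. a second stage that lives outside the archive itself."""
    lowered = url.strip().lower()
    return lowered.startswith(("\\\\", "file://", "http://", "https://"))


def scan_archive(zip_bytes: bytes) -> List[Dict[str, str]]:
    """Report archive entries that warrant blocking or detonation in a sandbox."""
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            if ext not in RISKY_EXTENSIONS:
                continue
            finding = {"entry": info.filename, "reason": f"risky extension {ext}"}
            if ext == ".url":
                target = parse_url_shortcut(zf.read(info))
                finding["target"] = target
                if is_remote_target(target):
                    finding["reason"] = "Internet shortcut with remote target"
            findings.append(finding)
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a benign-looking PDF plus a .URL pointing at a placeholder host."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("Invoice_Details.url",
                    "[InternetShortcut]\r\nURL=file://example.invalid/share/stage2.exe\r\n")
    return buf.getvalue()
```

Running `scan_archive(build_sample_archive())` reports only the shortcut entry, with its `file://` target, while the PDF passes through unflagged.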

This article describes the high-level shifts X-Force observed in threat actors' email campaigns in 2023 and borrows the tradition of U.S. high school "Senior Superlatives" to highlight noteworthy campaigns and trends that X-Force observed last year, along with examples. The article concludes with a look at what to expect in 2024 and what organizations can do to detect these campaigns and improve their defenses.