When Spear Phishing met Mass Phishing: Attackers Starting to use Spear Phishing Tactics in Bulk Phishing Campaigns

August 12, 2024

Analysts typically distinguish between bulk phishing (large-scale, low-effort, generic social engineering attacks) and spear phishing (highly calibrated, high-effort social engineering that targets a single individual or a much smaller class of individuals). However, newer phishing campaigns blur the line between the two.

Normally, the high level of targeting used by a spear phishing attack is time-consuming to develop and not necessarily rewarding, but some attackers have begun to employ elements of spear phishing in mass phishing campaigns in surprisingly effective ways. Some of these campaigns, like one observed in late 2023, targeted employees of particular companies with high-quality spoofed details that imitated HR notifications.

This degree of tailoring is normally seen in spear phishing, but in this case it was employed on a much larger scale than is typical for spear phishing. When accessed, the highly targeted message led to a fake Outlook sign-in page that was not targeted at all, a usual sign of bulk phishing. Attacks of this nature have become increasingly common since then, with over one hundred thousand different mixed-phishing emails detected between March and May of 2024 alone.

This may signify a major sea change in how phishing campaigns are run.
