Cyber criminals have found new ways to make a living by honing their social engineering skills and creatively searching for new opportunities in unexpected places to exploit Australians, a new report has found.

From scaling brute-force and targeted attacks on cloud tenants, smishing attacks and a proliferation of multi-factor authentication (MFA) bypasses, the cyber attack landscape has witnessed several developmental changes over the last year.

The Human Factor 2023 report by cyber security firm Proofpoint reveals that attackers have been finding new ways to make a living online. More and more often, threat actors are relying on conversational threats that rely solely on the attacker’s charm.

The report draws from one of the industry’s largest and most diverse global cyber security data sets across email, the cloud and mobile computing sourced from more than 2.6 billion email messages, 49 billion URLs, 1.9 billion attachments, 28 million cloud accounts and 1.7 billion suspicious messages.

Microsoft 365 forms a large percentage of the typical organisation’s attack surface, and broad abuse of that platform, from Office macros to OneNote documents, continues to shape the threat landscape, Proofpoint’s executive vice president, cyber security strategy, Ryan Kalember said.

“As security controls have slowly improved, threat actors have innovated and scaled their bypasses, once the domain of red teams, techniques like MFA bypass and telephone attack delivery are now commonplace,” Kalember said.

“While many threat actors are still experimenting, what remains the same is that attackers exploit people, and they are most critical in today’s attack chain.”

Abusing the familiarity and trust in major brands in one of the simplest forms of social engineering, with Amazon being the most abused brand.

Microsoft products and services occupied four of the top five positions for abused brands, with Amazon being the most abused brand.

As many as 40 per cent of misconfigured or shadow admin identities can be exploited in a single step, such as resetting a domain password to elevate privileges. And 13 per cent of shadow admins were found to already have domain admin privileges, allowing attackers to harvest credentials and access corporate systems.

Despite substantial investments in cyber security and work to keep up with changing regulations, financially-driven crimes dominate the threat landscape, added Proofpoint’s senior director, systems engineering, Adrian Covich.

“This proves just how critical the human factor is, as cyber criminals look for relationships that can be leveraged, trust can be abused and access that can be exploited,” he says.

The report comes as recent research shows that nearly two-thirds of Australian workers (63 per cent) report that they received scam calls, texts or emails at least two to three times a week.

Conversational smishing and pig butchering threats – which start with attackers sending seemingly harmless messages – surged last year.

In the mobile space, it was the year’s fastest growing threat, the report says.

The report also highlighted the fact basic cyber threats are still not well understood by Australian workers, who still don’t feel well-armed to deal with the constant barrage of cyber threats.

Nearly a quarter (23 per cent) of Australian workers feel they haven’t received adequate training to enable them to spot scam emails, texts or threats.

Most employees suffer security awareness gaps, with more than a third surveyed reporting that they aren’t able to define common terms such as malware, phishing and ransomware.

Twenty per cent of working Australians surveyed either don’t know how to verify links from cloud service providers, or are unaware that they are able to.

Microsoft OneDrive and Google Drive are the most common legitimate cloud infrastructure platforms used by threat actors.