A retrospective look at the phishing trends from the first quarter of 2019 shows a steep jump in the use of Microsoft's OneDrive file sharing service to host malicious files.

While cybercriminals have abused the service in the past to host their phishing attacks, researchers from FireEye noticed a dramatic increase lately, compared to the last quarter of 2018.

OneDrive's popularity rose from almost complete disregard to a share above 60%. This preference is topped only by Dropbox, which has also seen an increased number of detections, albeit the comparative gap between the last two quarters is much smaller, around 10%

A similar picture is available for Google Drive, where the quarter on quarter difference is less than 20%. For both Dropbox and Google Drive, the difference could be accounted for by a surge in activity at the beginning of this year.

"Attackers find these well-known and trusted sites useful because they bypass initial domain reputation checks performed by security engines," FireEye researchers explain in the company's email threat report for the three months of the year.

This tactic has the advantage that the malicious content no longer needs to be attached to a message and subjected to verification by email security mechanisms.

The potential victim simply gets a notification that there is a file available for them via the sharing service. In the case of documents, some services offer a preview of the content and a URL that gives access to the data without having to download the file. These features make such attacks more difficult to detect.

HTTPS more common in phishing attacks

FireEye's report observes an increase in using domains with digital certificates for phishing attacks. They note a significant rise of 26% for employing HTTPS URLs compared to the previous quarter.

This trend was confirmed earlier this month in a report from PhishLabs email security company. Their statistics reveal that 58% of the phishing websites detected this year were using the secure HTTP protocol; this is 12% less than what the company saw in the previous quarter.

BEC scams are more common

Business email compromise (BEC) scams are still the cash cow for cybercriminals as this type of attack appears as normal traffic and can bypass regular email protections. Below are the steps of a BEC attack.

"Threat actors are doing their homework. We’re seeing new variants of impersonation attacks that target new contacts and departments within organizations,” said Ken Bagnall, Vice President of Email Security at FireEye.

A new trend observed this year is a change in the target. Usually, the spoofed email from the CEO or CFO of a company was directed at someone in the Accounts Payable department but new variants target the Payroll department asking to change bank details that send their executive salary to a different account, under the attacker's control.

Phishing attacks are a constant threat and malicious actors will continue to explore new methods to take advantage of the human component. Companies should consider training and set up protocols for situations where sensitive information needs to be altered. Overall, FireEye saw 17% more phishing attacks in Q1 2019 compared to the previous interval.