Phishers’ Favorites: Microsoft #1 but Facebook Phishing Surges

Today, we published our Phishers’ Favorites report for Q2 2019. Now in its fifth edition, Phishers’ Favorites ranks the 25 most impersonated brands in phishing attacks, based on the number of unique phishing URLs detected by Vade Secure within the quarter.


Microsoft remains phishers’ #1 target for the fifth straight quarter

Microsoft topped the list of Phishers’ Favorites again in Q2—a dubious honor the company has held in each of our five reports. Over the course of the quarter, our AI engine detected a staggering 20,217 unique Microsoft phishing URLs, for an average of more than 222 per day! While the number of URLs actually declined 6.8% from Q1, it still represents a 15.5% increase over Q2 2018, our first Phishers’ Favorites report. Moreover, the delta between Microsoft and #2 PayPal was more than 4,300 phishing URLs in Q2.

Phishers' Favorite Q2 2019 Top 10 Brands

To understand why Microsoft phishing has achieved a level of sustained dominance, consider the size and growth of Office 365. In its latest quarterly earnings, Microsoft reported more than 180 million active monthly Office 365 business users. Moreover, IDC estimates that Office 365 constitutes almost half (47.6%) of enterprise cloud email implementations worldwide. The bigger Office 365 becomes, the more desirable it is for hackers to take aim.

But size is just half the story. Microsoft’s popularity with phishers also speaks to the lucrativeness of Office 365 credentials. These credentials provide a single entry point to the entire Office 365 platform, including the company’s Global Address List (GAL) as well as documents, information, and contacts stored in SharePoint, OneDrive, Skype, etc.. Compromised Office 365 accounts are also increasingly being used to send spear phishing emails targeting other employees or partners of the breached company.

We continue to see a variety of Office 365 phishing attacks, including suspended account claims and links to OneDrive/SharePoint documents, voicemail recordings, and even faxes. Recent examples were found using free online tools like Typeform (see screenshot below) to create and host fake forms for harvesting credentials. We’ve also seen emails using exotic character sets—such as Russian Cyrillic in the subject, “Closing Your Office ƷбƼ”—to bypass basic content filters looking for exactly “Office 365.”

Microsoft phishing page using Typeform
Microsoft phishing page created using Typeform

In addition, phishers continue to pull JavaScript, CSS, and other resources from the legitimate Microsoft website. In addition to recreating an identical user experience, this technique eliminates the need to update these resources and speeds up the loading of the webpage as they are stored on a fast CDN.

[White Paper]: Email Security for Office 365: It's Broken. Here's How to Fix It

PayPal retains the #2 spot, despite an 8.4% decrease in phishing URLs

PayPal retained the #2 spot in Q2, despite an 8.4% decrease in phishing URLs compared to Q1. Compared to Q2 2018, though, PayPal phishing was actually up 111.9% year over year (YoY). 

PayPal has historically been a favorite target for phishers because it’s the most widely used online payment service worldwide, with active users climbing to more than 277 million in Q1. Because of the nature of these accounts, harvesting PayPal credentials can offer an instant payback for phishers.

PayPal phishing emails typically claim that the recipient’s account has been blocked or suspended, prompting them to visit a fraudulent page to “confirm” or “restore” their account. For instance, Vade recently detected a PayPal phishing email with the subject “Your account has been disabled please verify.” The display name of the sender was “PayPal security” but the phisher used a long email address (, likely to obfuscate the domain. What’s also interesting about this attack is that the email contained 28 clean links to a random website (Vivid Seats) plus the single phishing URL. Phishers are attempting to confuse the recipient, who after seeing that the first few URLs in the email lead to a familiar website, let their guard down for the malicious one at the end.

A variation of this scam made the rounds in early April, but originated with a text message instead of an email. The text message stated that the customer’s account was under review and asked them to fill out a form to avoid being locked out. A link was used to obfuscate the fraudulent domain.

PayPal phishing page
PayPal phishing page

Surging for the second quarter, Facebook phishing climbs into the #3 spot

After three straight quarters of decline from Q2 to Q4 2018, Facebook phishing has been on a tear in 2019, with triple-digit phishing URL growth in Q1 (155.5%) and Q2 (175.8%) and YoY growth of 176.1%. This significant growth propelled the social media company up one spot to #3 on our list.

Facebook phishing trend

One plausible explanation could be the rise of social sign-on using Facebook accounts, a feature called Facebook Login. With a set of Facebook credentials, phishers can see what other apps the user has authorized via social sign-on—and then compromise those accounts!

Phishers are taking advantage of the pervasiveness of Facebook Login to launch creative phishing attacks. One widely reported attack reproduced a social login prompt inside an HTML block. The status bar, navigation bar, shadows, and content were perfectly reproduced to look exactly like a legitimate login prompt.

A similar Facebook phishing campaign in March targeted Apple iOS users, leading them to a malicious page where they were asked to authenticate using Facebook Login. Upon clicking the 'Login with Facebook' button, the user saw what looked like an iOS prompt, but what was actually an image in the HTML document. Another clever trick was the use of a video recording to trick users into thinking their browser was switching tabs once they confirmed their intent to log in.

Facebook phishing page
Facebook phishing page

Rounding out the top 10: Amazon shoots up 15 spots to #8

Netflix fell one spot to #4 in our Q2 report, despite a modest 8.2% increase in phishing URLs. Bank of America retained the #5 spot, Apple moved up two spots to #6, and CIBC rose three spots to #7. Amazon was the biggest mover in the top 10, shooting up 15 spots to #8. DHL dropped two spots to #9 and DocuSign rose one spot to crack the top 10.

Deep diving on Amazon, the number of Amazon phishing URLs grew 182.6% over Q1 and a staggering 411.5% YoY. In particular, there was a spike in Amazon phishing on May 5th, with 84 unique URLs. This coincides with reports of a new Amazon phishing kit, which bore several similarities to the 16shop phishing kit targeting Apple users in late 2018.

Amazon saw a smaller but still meaningful spike in phishing URLs on June 19th, just after Amazon announced the date for Prime Day 2019. This is not surprising as phishers often inject their attacks amidst the stream of marketing messages accompanying such big events, hoping that their targets have let their guard down.

In general, in contrast to other brands, there is much more variety regarding Amazon phishing emails. Here are just a few of the subjects we’ve seen recently:

  • Congrats on your Amazon Loyalty Voucher #96-651
  • A new surprirse from amazon
  • A special surprise for amazon
  • Don't forget to claim your exclusive product
  • Redeem your amazon card by tonight #25-139
  • Prime Member: Amazon Order# C580148 collect your amazon reward before it expires in 12 hours
  • Prime Member: Confirm your Amazon reward for prime day
  • Your Rewards #AM719XB is on Hold - CIaim lmmediateIy!
  • Congrats on your Amazon Loyalty Voucher!

Cloud continues to represent the most phishing URLs, but social media saw the largest growth

In terms of industry makeup, the Phishers’ Favorites list changed slightly in Q2. Stripe and Alibaba cracked the top 25, bringing the total of Financial Services and E-Commerce/Logistics companies to eight and four respectively. Meanwhile, Instagram and Impots dropped out of the list, leaving two Social Media companies and no Government. The addition of OVH was offset by NBC dropping off the list, leaving Internet/Telco at five companies, while Cloud (6) remained unchanged altogether.

Phishing trends by industry

In terms of share of overall phishing URLs, cloud took the top spot for the fifth straight quarter with 37.6%, followed by financial services (33.1%), social media (15.6%), e-commerce/logistics (7.7%), and internet/telco (5.2%). The overall share of cloud phishing continued a trend of decline, though, falling from 49.6% in Q4 2018, to 42% in Q1 2019, to 37.6% this quarter.

In terms of quarter-over-quarter (QoQ) growth, social media was once again the biggest mover. In fact, the growth in social media phishing has accelerated, from 74.7% in Q1 to a whopping 130.7% in Q2. This was singlehandedly driven by the surge in Facebook phishing, as the only other social brand (#19 LinkedIn) saw a 12.5% decline in phishing URLs.

E-Commerce/Logistics also saw strong QoQ growth of 28.4%, while financial services and cloud saw a meager 4.1% and 0.1% growth respectively. Government phishing declined by 12.1% and internet/telco phishing dropped 16.8% in Q2.

Nearly 80% of phishing sent on weekdays; Tuesdays and Wednesdays are the top days

Overall, 79.8% of phishing was sent on weekdays in Q2. The most popular days for phishing attacks shifted slightly from Monday and Tuesday in Q1 to Tuesday and Wednesday in Q2. The middle three days were Monday, Thursday, and Friday. The bottom two days, not surprisingly, were Saturday and Sunday.

Phishing by day of week

Looking at individual brands, Microsoft phishing was most common on Tuesday and Thursday, and like past quarters, virtually nonexistent on weekends. Further illustrating the prevalence of Microsoft phishing on weekdays, Microsoft was the #1 phished brand on 71% of the 91 weekdays in Q2, followed by Facebook (18%) and PayPal (11%). Given the focus on Office 365 phishing, hackers try to take advantage of professionals being in the office and active on email during the week to increase their odds of success.

PayPal phishing was most common on Monday and Friday, though, interestingly, PayPal was the #1 phished brand on 54% of weekend days. Facebook phishing was most prevalent on Wednesday and Friday, Netflix on Monday and Wednesday, and Bank of America on Tuesday and Thursday. The main outlier in the top 10 was CIBC phishing, which peaked on Saturday and Sunday in Q2. As we’ve reported in the past, phishers often target bank customers on weekends, when branches and customer service lines are closed. This makes it harder to verify whether the request is legitimate.

Phishing: weekday vs. weekend

MSPs: use Phishers’ Favorites to educate and protect your clients

For MSPs, Phishers’ Favorites presents a wealth of data to educate your clients on the dynamic threat landscape and how it’s continuously evolving. You can highlight which brand impersonations are on the rise and show recent examples of attacks. Ultimately, this could facilitate an opportunity to reassess the client’s existing email security controls and position a solution like Vade Secure for Office 365 to augment Office 365’s native protection with AI-based threat detection and auto-remediation.

Visit our Anti-Phishing Solution page to learn how our machine-learning based phishing detection blocks even the most sophisticated Office 365 phishing attacks.