In the continuing war with hackers, defenders have scored at least one small victory: Thanks to widespread awareness education on phishing, attackers largely abandoned the use of social media as an attack vector, according to a security vendor.

However, in its report issued this week ProofPoint Inc. said attackers last year shifted their tactics and are instead increasingly targeting middle management with email that includes malicious URLs, documents, e-faxes and links to voicemail.

It worked, the report concluded. “Every company still clicks; every department and industry is still at risk (though financial industries and sales and marketing continue to be the top target areas); and attackers continue to shift tactics to play on human weaknesses as they siphon money and data from organizations.

Report authors believe users clicked on phishing emails in 2014 because they had been trained to be wary of social media invites and other popular templates. When attackers changed their strategy to targeting corporate users with attachments these weren’t recognized as a threat.

For example, there was a high volume of Microsoft Outlook Web Access (OWA) credential phish, as it is very easy to spoof these pages, and they produce high-value results.

“The central lesson of 2014 for CISOs is that while user education may have an impact, attackers can always adapt and adjust their techniques more rapidly than end-users can be educated,” the report said.

The report is based on an analysis of anonymous customer data from ProofPoint’s  cloud-based threat document classification and protection solutions.

It comes as a speaker at RSA Conference 2015 in San Francisco says he found evidence that last year’s Sony Pictures breach may have been aided by phishing emails

Stuart McClure, CEO of Cylance, combed through the database of Sony email released by Wikileaks and found indications that many company executives received fake Apple ID verification email. However, this account of his presentation doesn’t offer proof this was the way the attackers breached Sony’s network.

Also this week Kaspersky Lab reported on malware dubbed CozyDuke, which it said has been spread by spearphishing attacks against a number of governments around the world, including the White House last fall.

Emails may contain a link to a hacked legitimate website such as “”, hosting a ZIP archive. The ZIP archive contains a RAR SFX which installs the malware and shows an empty PDF decoy. Or they may include phony flash videos directly as email attachments such as “Office Monkeys LOL”. The executable plays a flash video as well as drops and runs another CozyDuke executable.

Among the ProofPoint report findings is that on average last year one of every twenty-five malicious messages delivered are clicked by users. No organization observed was able to eliminate clicking on malicious links.

The report says CSOs should continue to emphasize the importance of email security and social media security; deploy defences that use multiple, contextual big data and threat intelligence-based detection techniques including static, predictive, and browser path analysis as well as dynamic behavioral analysis ; and ensure layered security that incorporates automated threat response systems.