WatchGuard Technologies' latest Threat Lab Report reveals new browser-based social engineering trends, revealing China and Russia behind 75% of new threats. 

The Internet Security Report, analysed by WatchGuard Threat Lab researchers, details the top malware trends and endpoints security threats in Q1 2023.  

Key findings from the data show phishers leveraging browser-based social engineering strategies, new malware with ties to nation-states, high amounts of zero-day malware, living-off-the-land attacks on the rise, and more. 

This report edition also features a new, dedicated section for the Threat Lab team's quarterly ransomware tracking and analysis.

Corey Nachreiner, Chief Security Officer at WatchGuard, says: "Organisations need to pay more active, ongoing attention to the existing security solutions and strategies their businesses rely on to stay protected against increasingly sophisticated threats."

"The top themes and corresponding best practices our Threat Lab have outlined for this report strongly emphasise layered malware defences to combat living-off-the-land attacks, which can be done simply and effectively with a platform for unified security run by dedicated managed service providers."

Among its most notable findings, the Q1 2023 Internet Security Report reveals:

• New browser-based social engineering trends – Now that web browsers have more protections preventing pop-up abuse, attackers have used browser notifications to force similar interactions. Also of note from this quarter's top malicious domains list is a new destination involving SEO-poisoning activity.
• Threat actors from China and Russia behind 75% of new threats in the Q1 Top 10 list – One example from WatchGuard's latest report is the Zuzy malware family, which shows up for the first time in the top 10 malware list this quarter. 
• Persistence of attacks against Office products, End-of-Life (EOL) Microsoft ISA Firewall – Threat Lab analysts continue to see document-based threats targeting Office products in the most widespread malware list this quarter. On the network side, the team also noticed exploits against Microsoft's now-discontinued firewall, the Internet Security and Acceleration (ISA) Server, getting relatively high hits. 
• Living-off-the-land attacks on the rise – The ViperSoftX malware reviewed in the Q1 DNS analysis is the latest example of malware leveraging the built-in tools that come with operating systems to complete their objectives. 
• Malware droppers targeting Linux-based systems – One of the new top malware detections by volume was a malware dropper aimed at Linux-based systems. 
• Zero-day malware accounting for most detections – This quarter saw 70% of detections from zero-day malware over unencrypted web traffic and 93% from zero-day malware from encrypted web traffic. 
• New insights based on ransomware tracking data – The Threat Lab tallied 852 victims published to extortion sites and discovered 51 new ransomware variants. 

Consistent with WatchGuard's Unified Security Platform approach and the WatchGuard Threat Lab's previous quarterly research updates, the data analysed in this quarterly report is based on anonymised, aggregated threat intelligence from active WatchGuard network and endpoint products whose owners have opted to share in direct support of WatchGuard's research efforts.

New for this Q1 2023 analysis, the Threat Lab team has updated the methods used to normalise, analyse, and present the report findings. 

While previous quarterly research results have primarily been presented in the aggregate (as total global volumes), the network security results are presented as "per device" averages for all reporting network appliances this quarter and in the future.