
Keeping up with the evolving threat from malicious emails


Cybercriminals love email for most of the same reasons legitimate sales and marketing professionals do. An email campaign requires little technical expertise and can be conducted at a low cost through an abundance of online services. Any individual or business in the world with a public email address can immediately be sent an unsolicited message regardless of prior contact. 

The mechanics of email also make it easy for criminals to obscure their identity or impersonate another with a few simple tricks, as well as leading victims directly to malicious files or sites.

All this means email is likely to stay as one of the threat actor’s weapons of choice for the foreseeable future. However, the way email is weaponized has changed a great deal over the years, and the events of 2020 in particular shifted and accelerated several trends. 

Businesses need to be aware of the ways malicious emails are evolving to ensure their defenses remain effective. To this end, we analyzed the malicious messages captured over the last year to identify some of the leading trends in email threats. 

The steady decline of spam – but the scams are still coming  

Malicious email is often strongly associated with spam – mass emails sent indiscriminately to a large volume of recipients. While spam is not necessarily malicious, it was previously a popular vehicle for often low-quality scamming attempts such as the now-notorious “Nigerian Prince” scam. 

The amount of spam has however declined sharply in recent years, and in 2020 we recorded just 15 percent of the volume seen in 2014. The last year alone saw a 43 percent drop in volume, and Nigerian Prince-style ploys such as fake investment and inheritance scams now make up just 1.36 percent of total spam numbers. 

The drop can likely be attributed to the fact that some of the biggest spamming botnets, such as Necurs and Emotet, ceased activity in recent years. 

Notably, we also saw a decline in the volume of phishing emails, which now make up around 1.4 percent of all spam. However, those we did encounter tended to be more targeted, often angling for the login credentials of Microsoft Outlook and Microsoft Office 365. Further, extortion scams are now one of the most prominent attack types, making up 10 percent of all the spam in 2020.

It’ll come as no surprise that Covid-19 had a strong influence on phishing tactics, with a large number of campaigns seeking to exploit the pandemic with subject lines such as “Covid-19 employee relief fund” or “WHO Coronavirus Safety and Prevention Guideline”. These emails usually sought to lead the target to a phishing site aiming to harvest credentials or install malware. 

While spam overall is in decline, it does still represent a credible threat and businesses should ensure they have adequate defenses in place to catch and block incoming messages, including more subtle targeted attacks.

A shifting approach to malicious documents 

Malicious attachments are another former mainstay that has seen a steady decline in recent years. Although we saw an increase across 2020, attachments still account for just 0.44 percent of all spam. Again, the longer-term drop is likely thanks to the end of several prominent botnets that were distributing large numbers of emails. 

Microsoft Excel files were the most common file type used by attackers in 2020, making up 39 percent of all attachments we analyzed. Word documents made up the bulk of the remaining Microsoft files, accounting for four percent of malicious attachments. There was a notable spike in Word-based cases last year due to activity from the Emotet botnet before it was disrupted at the end of the year. Overall, though, malicious Word files saw a sharp decline, as they previously made up 49 percent of all malicious files. As with phishing emails, those criminals still using this tactic have tended to use improved methods that are more likely to bypass defenses.

We saw an increase in password-protected documents over the last year, usually Microsoft files with the password contained in the body of the email. These files are encrypted, which makes it more difficult for email scanners to detect embedded malware. Similarly, attackers often made use of archived formats such as .rar and .zip files, with the password likewise included in the email body. 
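The scanner-evasion pattern described above (an encrypted archive whose password is disclosed in the message body) can be flagged without ever opening the archive. The following is an added example, not code from the article or from Trustwave: it reads the encryption bit from the ZIP's first local file header and pairs that with a heuristic search for a "password is ..." phrase in the body. The sample archive is constructed in-memory and the regex is a deliberately simple assumption about how such phrases are worded.

```python
import io
import re
import struct
import zipfile

# Heuristic: "password is X", "Password: X" (assumed phrasing; tune to real traffic).
PASSWORD_IN_BODY = re.compile(r"(?i)\bpassword\b\s*(?:is|:)\s*[\"']?([^\s\"']+)")


def zip_is_encrypted(data: bytes) -> bool:
    """True if the first local file header sets the encryption bit.

    Layout: signature (4 bytes) | version needed (2) | general-purpose flags (2).
    Bit 0 of the flags marks traditional PKWARE encryption. Reading the raw
    header means we do not need the password, and it works even when the
    archive is deliberately malformed to upset full parsers.
    """
    if len(data) < 30 or data[:4] != b"PK\x03\x04":
        return False
    _signature, _version, flags = struct.unpack_from("<IHH", data, 0)
    return bool(flags & 0x0001)


def body_discloses_password(body: str):
    """Return the password-like token found in the body, or None."""
    match = PASSWORD_IN_BODY.search(body)
    return match.group(1).rstrip(".,;!") if match else None


def classify(body: str, attachment: bytes) -> str:
    """Gateway verdict for a message carrying one ZIP attachment."""
    encrypted = zip_is_encrypted(attachment)
    password = body_discloses_password(body)
    if encrypted and password:
        # Encrypted archive plus the key to open it: the attacker wants the
        # human, not the scanner, to be the first to see the content.
        return "quarantine"
    if encrypted:
        return "review"
    return "allow"


def make_sample_zip(encrypted: bool) -> bytes:
    """Constructed test fixture: a one-file ZIP, optionally with the
    encryption flag set by patching the header (content is not really
    encrypted; only the flag matters for this check)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.docx", b"constructed placeholder content")
    data = bytearray(buf.getvalue())
    if encrypted:
        flags = struct.unpack_from("<H", data, 6)[0] | 0x0001
        struct.pack_into("<H", data, 6, flags)
    return bytes(data)


if __name__ == "__main__":
    body = "Please see the attached invoice. The password is Inv0ice2020."
    print(classify(body, make_sample_zip(True)))   # quarantine
    print(classify("Hi, slides attached.", make_sample_zip(False)))  # allow
```

Only the first local file header is inspected, which is enough to flag the common single-file lure; a production rule would iterate all entries and apply the same idea to the RAR and 7z header formats.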

Most of the email malware we encountered tended to be simple trojans combined with social engineering, but many sought to exploit specific vulnerabilities. More than 90 percent of these involved one of two memory corruption vulnerabilities in the Microsoft Office Equation Editor. 

The rise of targeted phishing and BEC

Many threat actors are moving towards subtle phishing techniques that are less likely to be detected by common security solutions. These emails are also designed to deceive human readers once they arrive in the inbox. One of the most common tactics is to forge the sender’s address on the ‘From:’ line and direct replies to a separate ‘Reply-To:’ address. This approach is particularly effective as most users are unlikely to check the actual sender ID and will trust whatever ‘From:’ line is displayed. However, tactics like this can be detected with policies and software focused on spotting identity mismatches. 
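The identity-mismatch check the paragraph refers to is straightforward to express as a gateway rule. The block below is an added example (not the article's or Trustwave's code) that parses a message with Python's standard `email` library and reports when the `Reply-To:` or `Return-Path:` domain differs from the `From:` domain, or when the display name itself embeds an address at another domain. The sample messages are constructed and use reserved `.example` names.

```python
import email
import re
from email.utils import parseaddr

# Matches an e-mail address hidden inside a display name.
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def header_identity_findings(raw_message: str) -> list:
    """Return a list of human-readable identity mismatches for a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    if not from_dom:
        return ["From header missing or unparsable"]

    # Replies are silently steered to a different mailbox than the one displayed.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_dom}")

    # The envelope sender (where bounces go) does not match the header sender.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and _domain(return_path) != from_dom:
        findings.append(f"Return-Path domain {_domain(return_path)} differs from From domain {from_dom}")

    # Display name shows one address, the real address is another.
    embedded = EMBEDDED_ADDR.search(from_name)
    if embedded and _domain(embedded.group(0)) != from_dom:
        findings.append(f"display name embeds {embedded.group(0)} but address is {from_addr}")

    return findings


# Constructed samples (not real traffic).
SAMPLE_BEC = """From: "Jane Doe" <jane.doe@example-corp.com>
Reply-To: jane.doe.urgent@freemail.example
Return-Path: <bounce@freemail.example>
To: finance@example-corp.com
Subject: Urgent wire transfer

Please process the attached payment today.
"""

SAMPLE_DISPLAY_NAME = """From: "accounts@example-corp.com" <random123@freemail.example>
To: finance@example-corp.com
Subject: Invoice

See attached.
"""

SAMPLE_CLEAN = """From: Newsletter <news@example-corp.com>
Return-Path: <bounce@example-corp.com>
To: staff@example-corp.com
Subject: Monthly update

Nothing suspicious here.
"""

if __name__ == "__main__":
    for name, sample in [("bec", SAMPLE_BEC), ("display", SAMPLE_DISPLAY_NAME), ("clean", SAMPLE_CLEAN)]:
        print(name, header_identity_findings(sample))
```

The rule deliberately compares registrable domains rather than full addresses: a legitimate mailing-list or CRM will often use a different mailbox on the same domain for replies, whereas a jump to a free webmail domain is the signal worth surfacing to a human.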

Another tactic for evading email scanners is to abuse the file-sharing features of legitimate cloud services like Microsoft SharePoint and OneNote. This lets attackers send messages containing genuine Microsoft links that point to malicious files. As the file itself is not present and the link goes to a valid service, there is nothing to raise a flag for signature-based threat detection. This approach also exploits the trust in the good reputation of major cloud services.

These tactics are widely used in Business Email Compromise (BEC) attacks that impersonate the company’s CEO or other senior leadership. The aim is often to trick a financial employee into authorizing a large payment on the CEO’s behalf. 

Attacks may also seek to harvest Microsoft account credentials, which can be used to gain access to the system as part of a multi-stage attack. Gaining control of an account allows further abuse of email and file sharing, this time coming from a legitimate user. 

Outside of those exploiting Microsoft systems, Gmail was by far the most popular platform for BEC, and nearly 60 percent of all the BEC attacks we analyzed were sent from Google email addresses. Free, easy to set up email services like Gmail have been a boon for criminals, enabling them to quickly jump to new addresses when one is discovered and blocked.

Attackers also exploited other cloud services such as Weebly and Blogspot to set up phishing sites, as well as using legitimate email services like SendGrid to distribute campaigns.

Defending against the latest threats  

As email attack tactics continue to evolve, enterprises must ensure they have the ability to defend against new threats. 

An email security gateway, either on-premises or in the cloud, is an effective way of implementing multiple layers of technology from a single point of control, including anti-spam, anti-malware, and policy-based content filtering. Potentially malicious links in emails need to be checked either via the email gateway, web gateway, or both. This should be combined with strict inbound email policies to cut unwanted inbound content as far as possible. 

Anti-spoofing solutions can be used to spot domain misspellings and sender identity mismatches, identifying likely phishing and BEC attacks at the gateway. Email links should also be checked at the email or web gateway to ensure they are not being used for phishing.
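Spotting "domain misspellings" means comparing the sender's domain with the domains the business trusts. The following added example (not the article's or Trustwave's code) normalises a domain (IDNA decoding, accent stripping, a small table of Cyrillic confusables, and digit or letter-pair substitutions such as `1` for `l` and `rn` for `m`), then flags near-misses by edit distance and "trusted-name-as-subdomain" tricks. The trusted list, confusable table and distance threshold are assumptions to be tuned per organisation.

```python
import unicodedata

# Cyrillic letters that render like Latin ones (assumed subset; extend as needed).
CYRILLIC_CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})
# Multi-character and digit substitutions commonly used in lookalike names.
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"))


def normalize(domain: str) -> str:
    """Map a domain to a canonical form so visually similar names compare equal."""
    d = domain.strip().lower().rstrip(".")
    try:
        if any(label.startswith("xn--") for label in d.split(".")):
            d = d.encode("ascii").decode("idna")  # punycode -> unicode
    except UnicodeError:
        pass
    d = unicodedata.normalize("NFKD", d)
    d = "".join(c for c in d if not unicodedata.combining(c))  # drop accents
    d = d.translate(CYRILLIC_CONFUSABLES)
    for src, dst in SUBSTITUTIONS:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain: str, trusted_domains, max_distance: int = 2):
    """Return the trusted domain that sender_domain appears to imitate, or None.

    Exact matches and genuine subdomains of a trusted domain are treated as legitimate.
    """
    s = normalize(sender_domain)
    for trusted in trusted_domains:
        t = normalize(trusted)
        if s == t:
            # Same after normalisation: legitimate if literally identical, else a homoglyph variant.
            return None if sender_domain.lower() == trusted.lower() else trusted
        if s.endswith("." + t):
            return None  # real subdomain, e.g. mail.example-corp.com
        if s.startswith(t + "."):
            return trusted  # trusted name used as a subdomain of another domain
        if levenshtein(s, t) <= max_distance:
            return trusted  # typo-squat
    return None


if __name__ == "__main__":
    trusted = ["example-corp.com"]
    for candidate in ["examp1e-corp.com", "exarnple-corp.com", "ex\u0430mple-corp.com",
                      "example-corp.com.attacker.example", "mail.example-corp.com"]:
        print(candidate, "->", lookalike_of(candidate, trusted))
```

An edit-distance threshold of two is generous for short domains and will produce false positives between genuinely distinct short names, so in practice the rule is best applied only to domains that are not already on an allow-list and then routed to review rather than outright blocked.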

With the prominence of attacks abusing Microsoft capabilities, all software should be kept fully patched and updated. Macros in Microsoft documents can be flagged or blocked, as can password-protected files. Other forms of executable files should also be handled through strict quarantine policies, along with encrypted and archived files.

Finally, the human factor is equally important here. All users should be kept up-to-date on the latest attack tactics and trained to recognize the most common signs. Businesses can also run mock phishing exercises to help reveal staff readiness against actual attacks. When training employees, extra attention should be paid to those with the ability to approve payments, and robust authorization systems should be put in place. 

Cybercriminal tactics will always shift and evolve, but the right combination of security software, policies and training will greatly help businesses to mitigate the threats posed by email-based attacks, everything from common mass spam to more advanced targeted BEC.

Ziv Mador, VP of Security Research at SpiderLabs, Trustwave
