Ziv Mador at Trustwave explores the changing nature of email threats and outlines some of the best ways of combating them
Email has long been the main form of communication for businesses. However, the fact that it’s inexpensive and easy to use has also made it popular amongst those of an illegitimate nature.
Cyber criminals, too, have recognised the value of email communications, but for very different reasons. The trust that everyday workers place in emails they receive from friends and colleagues is an opportunity all too convenient to miss. Hackers manipulate email mechanics to impersonate others, or simply to conceal their own identity, in order to trick victims into clicking on phishing links or opening malicious files.
The tactics criminals use to exploit email have evolved over the past couple of years, especially in the midst of the COVID pandemic. Our latest email threat report reveals the latest trends in email attacks, including which techniques are gaining traction and which are being left behind.
From mass to targeted
Years ago, when email was first developed, the primary threat users faced was spam. This technique, which involves sending the same message to a large number of victims, has remained a popular way of distributing malicious emails and initiating low-value scams.
However, we’ve found that the use of spam has declined by 43 percent since 2019. This is likely due to some of the largest spamming botnets, including Emotet and Necurs, halting activity over the past couple of years. Among the scam attempts that remain, health and pharmaceutical promotions are consistently the most common forms of content.
There has also been a shift away from mass distributions and blindly targeting victims. Now, phishing and other spam campaigns are far more targeted, resulting in the overall number of phishing messages dropping to around 1.4 percent of all spam.
Hackers are opportunistic and so will take advantage of any weakness, regardless of morality. The disruption of the pandemic revealed organisations’ biggest weaknesses in 2020, and it took criminals no time at all to manipulate them for their own gain.
A large proportion of phishing campaigns revolved around COVID, targeting Microsoft Outlook and Microsoft 365 logins. While the world was on its knees, criminals took every opportunity to uncover and exploit any vulnerability they could find. This is highlighted further by extortion scams now being one of the most prominent attack types, making up 10 percent of all the spam in 2020.
The use of malicious documents
Although we detected an increase in spam containing malicious attachments, such emails still make up a mere 0.44 percent of all spam. Ever since large botnets like Necurs ceased activity, the overall volume of spam has declined. Necurs would send billions of malicious emails a day, which at times made up more than one-quarter of all spam.
Whilst the numbers seem low, spam with malicious attachments is still a significant threat to business operations. Microsoft Office documents, primarily Excel, are by far the most common method attackers use to deliver malware through email. In 2020, emails with Microsoft Excel attachments made up 39 percent of malicious attachments – an increase from seven percent in 2019. Criminals have shifted away from using Word documents – in fact, this method now represents a mere 4 percent of Microsoft file attacks.
The techniques used by criminals
As email security defences advance, attackers are having to evolve their methods to avoid detection. There are a number of ways that hackers attempt to bypass email scanners, including exploiting cloud services and taking advantage of unobservant workers.
File sharing systems, such as Microsoft OneNote and SharePoint, allow criminals to distribute emails with embedded links to malicious files. As the message appears to come from a reputable cloud service, users are more likely to trust the content. Signature-based threat detection will not necessarily recognise the email as suspicious, because the malicious file is not actually included in the message.
Another approach involves the attacker forging the sender’s address on the ‘From:’ line and then directing replies to a separate ‘Reply-To:’ address. While this method relies on the inattention of the victim, it can still be identified by solutions that look for identity irregularities.
Business Email Compromise (BEC) is an increasingly popular technique for threat actors. By impersonating a senior individual within a company, such as a C-level executive, criminals are far more likely to fool employees into responding and completing actions. Their motivations range from direct financial gain – by requesting large payments – to collecting account details which can be used for further exploitation down the line. Gmail is a common platform used for BEC. In fact, nearly 60 percent of BEC emails were sent from Gmail addresses last year.
Advances in email threats mean a need for effective security solutions to match them. First and foremost, businesses should look to deploy an email security gateway, whether in the cloud or on-premises, with multiple layers of technology. These layers could include anti-malware, anti-spam, and flexible policy-based content filtering capabilities. With such a gateway, businesses ensure that potentially malicious or phishing links in emails are checked before they are opened.
It is essential that companies keep client software, including Microsoft 365 and Adobe Reader, fully patched and up to date. In fact, unpatched client software is one of the biggest reasons why email attacks get through.
Additionally, deploying anti-spoofing technologies on company domains, together with policies that detect misspelt or lookalike domains, is an effective way of defending against phishing and BEC attacks.
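The two identity irregularities described above (a forged ‘From:’ line whose replies are steered to a different ‘Reply-To:’ address, and a misspelt lookalike of the company’s own domain) can be checked mechanically at the gateway. The following Python is an added illustration, not Trustwave’s code: it assumes the organisation’s domain is example.com and runs over a constructed sample message.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: From: claims to be a colleague, but replies are routed
# to a lookalike domain ("examp1e" with a digit one in place of the letter l).
SAMPLE_MESSAGE = """\
From: "Jane Doe (CEO)" <jane.doe@example.com>
Reply-To: jane.doe@examp1e.com
To: finance@example.com
Subject: Urgent wire transfer

Please process the attached payment today.
"""

TRUSTED_DOMAIN = "example.com"  # assumed: the organisation's own domain


def domain_of(addr) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    _, address = parseaddr(str(addr))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; used to spot near-misspellings of our domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_headers(raw: str, trusted_domain: str = TRUSTED_DOMAIN) -> list:
    """Return findings for the identity irregularities the article describes."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    # 1. Replies steered away from the (possibly forged) From: domain
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch:{from_dom}->{reply_dom}")
    # 2. Lookalike / misspelt domain within two edits of our own domain
    for label, dom in (("from", from_dom), ("reply-to", reply_dom)):
        if dom and dom != trusted_domain and edit_distance(dom, trusted_domain) <= 2:
            findings.append(f"lookalike-domain:{label}:{dom}")
    return findings
```

A gateway policy would quarantine or tag any message that returns a non-empty list; tuning the edit-distance threshold against legitimate partner domains avoids false positives.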
It’s also important to remember the last line of defence – human workers. Malicious emails will sometimes make it through, as no solution is perfect. Educating all employees on the nature of today’s email attacks and carrying out mock phishing exercises will strengthen an organisation’s stance against the attackers.
Email threats are constantly evolving, as we’ve seen through the decline of old-style mass spam emails. Businesses must keep on top of their email security, as well as employee training, in order to keep their inboxes safe.
Ziv Mador is VP of Security Research at SpiderLabs at Trustwave