Borrowed Trust: Redefining the Email Threat Landscape

The email threat ecosystem is evolving in unexpected ways. Instead of replacing older tactics, threat actors are expanding their ability to operate within established and trusted environments.

Recent research highlights a significant intersection of malware distribution, business email compromise, URL manipulation, and phishing. Unlike in the past, when these threats often appeared as separate, more easily identifiable attack types, they are now increasingly combined into coordinated campaigns. Attackers are blending multiple techniques within a single attack, using trusted platforms and convincing social engineering to bypass traditional detection and make threats more difficult to recognise.

Email threat landscape defined by scale and trust

Attackers aren’t simply unleashing a large volume of threats; increasingly, they are delivering those threats through trusted systems.

The exploitation of trust is the most significant shift. Phishing emails are no longer defined by obvious red flags, but by how convincingly they replicate legitimate trust signals – features that make messages appear safe and credible to recipients.

Borrowed infrastructure replaces attacker-owned systems

Another obvious shift in attacker tactics is the abuse of trust in infrastructure. 33% of the total spam volume originates from compromised accounts, and 32% from free email services. In both scenarios, bad actors are leveraging existing trust instead of building new trust from scratch. Add in the 25% that comes from third-party senders, and you can see the size of the problem.

Phishing attacks are following the same trend, with nearly 90% of phishing URLs employing open redirects to cover their tracks by using legitimate domains and trusted sites.

Even authentication mechanisms are being exploited. Many callback phishing attacks are employing authorised Microsoft infrastructure, clearing SPF, DKIM, and DMARC tests. In fact, the research shows that the Microsoft brand accounted for 41% of all spoofed brands, followed by PayPal at 17%.

The human layer is the primary target

As attackers expand their use of trusted infrastructure, the human layer remains a consistent target.

BEC accounted for 44.44% of all phishing emails, remaining the predominant attack method. While executive impersonation is still the most common tactic at 54.39%, it has declined from 73% last year, indicating that attackers are diversifying their targets. This shift suggests increased focus on mid-level roles, such as managers and HR practitioners, which may receive less immediate scrutiny than executive accounts.

The subject lines of these scam messages are usually direct, seeking to engage the recipient, with something as simple as: “Are you there?” It’s at this point that social engineering begins.

Callback phishing extends this further by initiating contact via email or messaging, then moving the attack to voice interaction, where urgency and perceived authority are used to manipulate victims instead of exploiting technical vulnerabilities.

Detection models under strain

There’s a growing chasm between conventional detection methods and current malicious behaviour. Cyber-criminals continue to exploit the existing gap by leveraging infrastructure and behavioural deception techniques.

Recent patterns in email attachments highlight other trends in attacker strategies. Malicious actors are increasingly relying on commonly used file formats, such as PDFs and EML files, to disguise their intentions and exploit familiarity. Additionally, the emergence of previously unseen malicious attachments detected through advanced techniques like sandboxing underscores the evolving nature of threats. At the same time, the distribution of malware via links is becoming more prevalent, as this method allows for greater flexibility in modifying the payload after the initial delivery.

Malware delivery and abuse of legitimacy

Methods for delivering malware increasingly leverage legitimate services. Threat actors are using trusted environments for payload delivery, repurposing RMM software for persistence, and incorporating legitimate tools into multi-stage attacks.

The use of remote monitoring and management (RMM) software is particularly concerning. Following initial access – often via credential theft – it can be used to establish persistent, high-privilege access that blends into routine IT activity, making it difficult to distinguish malicious behaviour from legitimate administrative tasks.

Key takeaways for email security teams

The impact of these findings is structural, not incremental.

Foremost, reputation-based detection can no longer suffice on its own: 33% of all spam comes from compromised accounts and a further 32% from free email services. Secondly, URL protection requires a shift towards real-time analysis. A whopping 89.89% of phishing URLs use legitimate domains, so static detection is not sufficient on its own. Behavioural analysis at click time is a must.
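As an added illustration of the point made here and in the open-redirect figure earlier (this is example code, not from the report or from VIPRE), the following Python shows why the outer domain of a link tells a defender very little: it pulls redirect targets out of query parameters and flags any hop to a host outside an assumed allow list. The allow list and the sample URLs are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample: a "trusted" outer host hands the click off to an
# attacker-chosen destination through an open redirect. All host names
# here are placeholders, not real redirectors or real phishing sites.
SAMPLE_URLS = [
    "https://trusted.example/redirect?url=https%3A%2F%2Flogin-portal.example.net%2Fsignin",
    "https://trusted.example/l/?u=//evil.example.org/verify",
    "https://trusted.example/go?next=/account/settings",
    "https://cdn.example/assets/report.pdf",
]

# Assumed allow list of domains the organisation treats as legitimate.
ALLOWED_SUFFIXES = ("trusted.example", "cdn.example")


def is_trusted(host):
    """True if host is an allow-listed domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def embedded_targets(url):
    """Return every external host hidden in redirect-style query values."""
    hosts = []
    for values in parse_qs(urlparse(url).query, keep_blank_values=True).values():
        for value in values:
            candidate = unquote(value)  # handles double-encoded values
            if candidate.startswith("//"):  # scheme-relative redirect
                candidate = "https:" + candidate
            target = urlparse(candidate)
            if target.scheme in ("http", "https") and target.hostname:
                hosts.append(target.hostname.lower())
    return hosts


def classify(url):
    """Label a URL by where the click actually ends up, not by the outer host."""
    outer = (urlparse(url).hostname or "").lower()
    if not is_trusted(outer):
        return "untrusted-outer-domain"
    for host in embedded_targets(url):
        if not is_trusted(host):
            return "open-redirect-suspect"
    return "clean"


def triage(urls):
    """Map each URL to its verdict; reputation alone would pass them all."""
    return {url: classify(url) for url in urls}
```

A relative `next=/account/settings` value stays "clean" because it never leaves the outer domain, which is the distinction a reputation-only check cannot make.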

Furthermore, social engineering must be recognised as a primary threat vector, not a secondary one. Business email compromise (BEC) and callback phishing contain no malicious code, and yet they remain among the most damaging attacks organisations face.

Finally, user education remains paramount – not as a substitute for technical measures but as a non-negotiable way to help users make better, more informed decisions.

Operating inside the system

One thing is clear: threat actors are no longer working around the system; they are manipulating it from within. Adversaries will come knocking on the door. If something is already trusted, then they will steal it, replicate it, tamper with it, and exploit it to their benefit.

This means security professionals need to double down on the question of “How can we establish the legitimacy of the message?”

To protect against email attacks in 2026, it’s imperative to understand exactly how bad actors are weaponising trust in the organisation. 

Farrel Moje is Senior Malware Research Engineer at VIPRE Security Group

Main image courtesy of iStockPhoto.com and amgun
