Cybercriminals use a variety of tricks and tools to target organizations with malware for financial gain and other motives. But one of the most pervasive tools is the email attack. Through phishing emails, scams, and malicious links and file attachments, bad actors hope to convince unsuspecting users to take the bait.

Because mass spam emails are now both less frequent than in the past and largely blocked from reaching users, attackers have found greater success deploying more targeted types of campaigns. Released on Wednesday, the 2020 Trustwave Global Security Report looks at the latest types of email attacks and offers advice on how organizations can defend against them.

SEE: Cybersecurity: Let’s get tactical (free PDF)

On the plus side, the volume of spam seen by the security firm Trustwave dropped to 28% of all inbound mail in 2019, a healthy decline from the 45% seen in 2018 and a peak of 87% from 2014. Several major spam operations and botnets have disappeared or cut back on their activities in recent years, leading to this dramatic reduction in spam. The largest category of spam analyzed by Trustwave promoted fake drug and health cures, accounting for 39% of all junk mail.

However, spam involving extortion scams rose toward the end of 2018 and on into last year. These types of campaigns typically claim that the victims have been hacked or infected with malware, thus allowing the hacker to gain access to private information such as passwords or videos of the user performing sexual acts or watching pornography. In exchange for not releasing this information publicly, the hacker demands that the person pay a ransom in the form of bitcoins. These types of scams are lucrative as they can bring in thousands of dollars, according to Trustwave.


Image: Trustwave

Email messages with malicious attachments have declined since Microsoft and others put an end to the Necors botnet. But such emails still invade inboxes. More than half of the malicious file attachments found by Trustwave were for Microsoft Office, with almost half of them Word .doc and .docx files. The Emotet and Cutwail botnets accounted for most of this activity, stuffing documents with malicious macros. Other common malicious file attachments included Windows executable files, HTML files, rich-text-format files, and JavaScript files.

But cybercriminals have amped up their email game by using more targeted phishing attacks. In 2019, phishing messages comprised 9% of all spam, up from just 3% in 2018. Directed toward specific types of users, these messages often spoof well-known organizations and brands, including Microsoft, Google, DHL, PayPal, and Dropbox.

Phishing attacks also use a few different strategies. Many target users of Outlook and Office 365 with requests to verify their accounts, change their passwords, upgrade their mailbox quota, or listen to a voicemail. For their malicious landing pages, phishers often use free hosting sites such as Wix Site and Weebly. For their phishing pages and malware, they’ll turn to popular cloud services such as Microsoft OneDrive, Google Drive, Box, and Dropbox.

The Business Email Compromise (BEC) is a more targeted type of phishing email. Usually aimed at a specific type of employee, either a midlevel executive or a financial officer, these emails often claim to be from a CEO or other important party in an attempt to convince the recipient to send money or share sensitive financial information. For 2019, Trustwave said it blocked an average of 60 BEC messages each day.


Image: Trustwave

“Our 2019 findings depict organizations under tremendous pressure contending with adversaries who are methodical in selecting their targets and masterful at finding new pathways into environments as the attack surface widens,” Arthur Wong, chief executive at Trustwave, said in a press release.

“We continue to see the global threat landscape evolve through novel malware delivery, inventive social engineering and the ways malicious behaviors are concealed,” Wong said. “How fast threats are detected and eliminated is the top cybersecurity priority in every industry.”

To help organizations protect themselves and their users against email-based cyberthreats, Trustwave offers the following advice:

  1. Deploy an email security gateway. This gateway can be on-premises or in the cloud but should include multiple levels of technology, including anti-spam and anti-malware tools and flexible policy-based content filtering abilities.
  2. Lock down inbound email traffic content as much as possible. Carefully consider employing a strict inbound email policy with the following measures: 1) Quarantine or flag all executable files, including Java scripts such as .js and .vbs as well as all unusual file attachments, such as .cpl, .chm, .hta, and .lnk files. Create exceptions or alternative ways for handling legitimate inbound sources of these files. 2) Block or flag macros in Office documents. 3) Block or flag password-protected archive files, and block odd or unusual archive types such as .ace, .img, and .iso.
  3. Keep client software such as Microsoft Office and Adobe Reader fully patched and up-to-date. Many email attacks succeed because of unpatched client software.
  4. Check potentially malicious or phishing links in emails with an email gateway, a web gateway, or both.
  5. Deploy anti-spoofing technologies on domains at the email gateway. Deploy techniques to detect domain misspellings for possible phishing and BEC attacks. Also ensure there are robust processes in place for approving financial payments by email.
  6. Educate users from the rank and file all the way up to the C-Suite on the nature of today’s types of email attacks. Conduct mock phishing exercises with your staff to show employees that phishing attacks are a real threat.


Image: Vladimir Obradovic, Getty Images/iStockphoto