Email Threat Review August 2021
Executive Summary
We observed an increase in HTML attachment-based phishing.
Summary
In this installment of our monthly email threat review, we present an overview of the email-based threats observed in August 2021 and compare them to the previous month’s threats.
The report provides insights into:
- Unwanted emails by category
- File types used in attacks
- Industry Email Threat Index
- Attack techniques
- Impersonated company brands and organizations
- Ransomleaks
Unwanted emails by category
The following table shows the distribution of unwanted emails per category.
| Email category | % |
| Rejected | 83.19 |
| Spam | 12.92 |
| Threat | 3.02 |
| AdvThreat | 0.83 |
| Content | 0.03 |
The following time histogram shows the email volume per category per day.
The spike in rejected emails around 2021-07-31 can be attributed to the monthly reoccurring sextortion scam email campaign written in the German language that regularly causes spikes in rejected emails.
Methodology
The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:
| Category | Description |
| Spam | These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients. |
| Content | These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid. |
| Threat | These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing. |
| AdvThreat | Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures. |
| Rejected | Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further. |
File types used in attacks
The following table shows the distribution of file types used in attacks.
| File type (used in malicious emails) | % |
| Archive | 33.7 |
| HTML | 25.1 |
| 14.9 | |
| Excel | 8.7 |
| Word | 5.1 |
| Other | 4.3 |
| Executable | 4.0 |
| Disk image files | 3.8 |
| Script file | 0.3 |
| Powerpoint | 0.1 |
| 0.0 | |
| LNK file | 0.0 |
The following time histogram shows the email volume per file type used in attacks per 7 days.
We can detect an increase of HTML file attachments (.htm, .html, etc.) used in attacks. On closer analysis, the increase can be attributed to multiple campaigns using HTML files for phishing by having the phishing website attached directly to the email1 (thus circumventing URL filters). We already report on this technique in our blog.
Industry Email Threat Index
The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails received (in median).
| Industries | Share of threat in threat and clean emails |
| Manufacturing industry | 4.3 |
| Entertainment industry | 3.7 |
| Research industry | 3.5 |
| Media industry | 3.4 |
| Healthcare industry | 3.4 |
| Mining industry | 3.3 |
| Transport industry | 3.3 |
| Education industry | 3.0 |
| Hospitality industry | 2.9 |
| Automotive industry | 2.8 |
The following bar chart visualizes the email-based threat posed to each industry.
Methodology
Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.
Attack techniques
The following table shows the attack techniques used in attacks.
| Attack technique | % |
| Other | 40.2 |
| Phishing | 27.8 |
| URL | 11.2 |
| Impersonation | 5.8 |
| Advance-fee scam | 4.8 |
| Executable in archive/disk-image | 4.0 |
| Extortion | 3.7 |
| Maldoc | 2.4 |
| LNK | 0.0 |
The following time histogram shows the email volume per attack technique used per hour.
The increase in malicious documents at the end of the month can be attributed to backscatter from a Formbook malspam campaign spoofing the email address of one of our customers. Many of the bounce messages contained the malicious documents of the campaign and were detected by our filters.
Impersonated company brands and organizations
The following table shows which company brands and organizations our systems detected most in impersonation attacks.
| Impersonated brand or organization | % |
| DocuSign | 18.2 |
| Deutsche Post / DHL | 17.9 |
| Other | 16.8 |
| Amazon | 12.6 |
| PayPal | 10.0 |
| Microsoft | 2.8 |
| Volks- und Raiffeisenbank | 2.6 |
| HSBC | 2.0 |
| 1.8 | |
| O2 | 1.4 |
| Santander | 1.1 |
| Tesco | 1.1 |
The following histogram shows the email volume for company brands and organizations detected in impersonation attacks per hour.
It’s a constant stream of phishing and other attacks impersonating big brands and organizations to entice recipients to open the emails.
Ransomleaks
Threat actors continue to leak data stolen from ransomware victims to pressure them to pay for decrypting the files and not publishing sensible data. We observed the following number of leaks on ransomware leak sites:
| Leak site | Number of victim data leaks |
| LockBit 2.0 | 87 |
| Conti | 46 |
| Hive | 27 |
| Pysa | 16 |
| Everest | 5 |
| Cuba | 4 |
| RansomEXX | 4 |
| LV | 3 |
| Vice Society | 3 |
| Lorenz | 2 |
| Cl0p | 1 |
| RagnarLocker | 1 |
| Suncrypt | 1 |
| Xing Team | 1 |
The following bar chart visualizes the number of victim data leaks per leak site.
On 2021-08-12, the SynAck ransomware operation renamed itself to El_Cometa. Additionally, the decryption keys for the SynAck ransomware were released. 2 Our monitoring registered a total of 15 victims on SynAck’s leak site in June and Juli. The operation under the SynAck name was, therefore, rather short-lived.
According to reports3 the Ragnarok ransomware shut down its operation on 2021-08-27. Our monitoring saw the Ragnarok leak site last online on 2021-05-17. In total, the groups leak site published data of 22 victims. The operators behind the Ragnarok ransomware have also released a universal decryption key.
This practice of releasing decryption keys after shutting a ransomware operation down is widespread. It is likely an attempt by the threat actors behind the ransomware to cut all ties to the operation and allow victims to recover and remove reasons for victims and law enforcement to pursue the threat actors any longer. It also provides plausible deniability in case the threat actors are caught with the once-secret but now public and for everyone accessible decryption keys.
References
- 1 https://www.hornetsecurity.com/en/security-informationen-en/html-phishing-asking-for-the-password-twice/
- 2 https://www.bleepingcomputer.com/news/security/synack-ransomware-releases-decryption-keys-after-el-cometa-rebrand/
- 3 https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-releases-master-decryptor-after-shutdown/
