Email Threat Review March 2021
Summary
In this first installment of our monthly email threat review, we present an overview of the email-based threats observed in March 2021.
Unwanted emails by category
The following table shows the distribution of unwanted emails by categories.
| Email category | % |
| Rejected | 78.91 |
| Spam | 16.08 |
| Threat | 3.99 |
| AdvThreat | 0.98 |
| Content | 0.03 |
The following time histogram shows the email volume per category per hour.
The spike from 2021-03-20 to 2021-03-23 in rejected emails can be attributed to a large sextortion spam campaign. The emails used the German language.
As of 2021-03-28, the scammers have received three payments for a total of 0.10492057 BTC, equating to 5,267.36 € (around three times the asked extortion fee).
Methodology
The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:
| Category | Description |
| Spam | These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients. |
| Content | These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid. |
| Threat | These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing. |
| AdvThreat | Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures. |
| Rejected | Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further. |
File types used in attacks
The following table shows the distribution of file types used in attacks.
| File type (used in malicious emails) | % |
| Archive | 38.3 |
| HTML | 16.4 |
| Excel | 12.0 |
| 10.6 | |
| Executable | 7.6 |
| Other | 6.7 |
| Disk image files | 4.1 |
| Word | 3.6 |
| Script file | 0.4 |
| Powerpoint | 0.3 |
| 0.0 | |
| LNK file | 0.0 |
The following time histogram shows the email volume per file type used in attack per 7 days.
Archives (.zip, .rar, .gzip, .ace, .tar.gz, etc.) are more popular. The most prevalent use for archives in attacks is compressing the malware executable and attaching it directly to the attack email. This is done in hopes that the targeted email system is not able to scan compressed attachments. Low-quality criminal threat actors often use this technique as it does not require any technical expertise. Another use for archives is to compress malicious documents. This is also done to reduce detection.
HTML files (.htm, .html, etc.) are used either for phishing, having the phishing website attached directly to the email1 (thus circumventing URL filters), redirecting victims to websites for malware downloads2 (again to not directly include a clickable URL in the email), or social engineering.
Excel files (.xls, .xlsm, .xlsx, .xslb, etc.) with their XLM macros have gained popularity last year. Unlike VBA macros malware, XLM macro malware is less detected and thus favored by many threat actors.3,4 In fact, many threat actors use the same malicious document generator called “EtterSilent” to generate their XLM macro documents.
PDFs (.pdf) use embedded links or other social engineering lures.4
Attaching executables (.exe) directly to emails is the laziest approach. It is used mainly by low-quality criminal threat actors.
Disk image files (.iso, .img, etc.) are used similarly to archives.5 Windows can automatically mount disk image files similarly to ZIP files.
Industry Email Threat Index
The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to clean emails received (in median) by each industry.
| Industries | Share of threat in threat and clean emails |
| Research industry | 6.9 |
| Manufacturing industry | 6.5 |
| Healthcare industry | 6.1 |
| Education industry | 6.0 |
| Media industry | 5.9 |
| Mining industry | 5.7 |
| Entertainment industry | 5.4 |
| Hospitality industry | 5.2 |
| Automotive industry | 5.1 |
| Retail industry | 5.0 |
| Transport industry | 4.8 |
| Construction industry | 4.6 |
| Utilities | 4.6 |
| Agriculture industry | 4.4 |
| Information technology industry | 4.4 |
| Unknown | 4.4 |
| Professional service industry | 4.4 |
| Financial industry | 3.9 |
| Real estate industry | 3.7 |
| Logistics industry | 3.1 |
The following bar chart visualizes the email-based threat posed to each industry.
Methodology
Different (sized) organizations receive a different absolute number of emails. Thus, to compare organizations, we calculated the percent share of threat emails from each organization’s threat and clean emails. We then calculate the median of these percent values overall organizations within the same industry to form the industry’s final threat score.
Attack techniques
The following table shows the attack technique used in attacks.
| Attack technique | % |
| Phishing | 28.0 |
| Other | 25.7 |
| URL | 23.2 |
| Extortion | 12.1 |
| Executable in archive/disk-image | 4.9 |
| Advance-fee scam | 3.1 |
| Impersonation | 2.6 |
| Maldoc | 0.4 |
| LNK | 0.0 |
The following time histogram shows the email volume per attack technique used per hour.
From 2021-03-20 to 2021-03-23 we can see an increase in extortion emails. These are the emails of the sextortion campaign discussed previously that were not already caught by our RBL. This illustrates how Hornetsecurity’s multi-layered filtering system works. Spammers will always acquire IPs that are not blacklisted by RBLs. But these emails will simply be caught by one of our later filter stages. The data of filtered emails is analyzed and the new clean IPs of the spammers are added to the RBL. This way, our systems can also handle large-scale attacks with ease.
Impersonated company brands
The following table shows which company brands our systems detected most in impersonation attacks.
| Impersonated brand | % |
| Deutsche Post / DHL | 19.7 |
| Amazon | 16.4 |
| 8.8 | |
| PayPal | 4.6 |
| 1&1 | 3.9 |
| Microsoft | 3.7 |
| DocuSign | 3.2 |
| O2 | 2.7 |
| HSBC | 1.7 |
| Other | Rest |
The following time histogram shows the email volume for company brands detected in impersonation attacks per hour.
It’s a constant stream of phishing and other attacks impersonating big brands to entice recipients to open the emails.
Highlighted threat email campaigns
In this section, we want to highlight some malspam campaigns of prominent, well-known threat actors.
The following table shows a list of highlighted threat email campaigns with their email volume share among the highlighted threat email campaigns.
| Highlighted threat email campaign | % |
| Dridex (via Cutwail) | 47.7 |
| Hancitor (Fake DocuSign email with Google Doc link) | 16.1 |
| TrickBot (XLS,XLSB) | 14.5 |
| QakBot (XLS in ZIP) | 14.1 |
| LemonDuck (XLSM in ZIP) | 4.8 |
| IcedID (XLSM in ZIP) | 1.4 |
| Ursnif (via Cutwail) | 1.1 |
| Lokibot (EXE in RAR) | 0.2 |
| Gozi (DOC) | 0.0 |
Please be advised that this does not contain all campaigns. The ranking, as well as volume figures, should therefore not be taken as a global ranking. We strive to expand this section of our reporting in the future.
The following time histogram shows the email volume for highlighted threat email campaigns per hour.
We can see that the malspam waves of the selected campaigns have well defined start and end points, unlike less sophisticated mass-spam email campaigns, which will send email in a constant stream.
From the data, we can see that volume-wise the Cutwail botnet dominates. It mainly distributed Dridex malware (via various malicious document attachments) and Ursnif. Another large volume campaign was Hancitor malware spread via emails pretending to be from DocuSign using links to malware hosted on Google Docs.
Methodology
Hornetsecurity observes hundreds and thousands of different threat email campaigns of varying threat actors ranging from very unsophisticated low-effort attacks to highly complex obfuscated attack schemes. Our highlighting includes only major sophisticated threat email campaigns.
Ransomleaks
Threat actors continue to leak data stolen from ransomware victims in an attempt to pressure them into paying not only for decrypting the files encrypted by the ransomware but also for not make the data stolen before encryption public. We observed the following number of leaks on ransomware leaksites:
| Leaksite | Number of victim data leaks |
| Darkside | 57 |
| Pysa | 38 |
| Conti | 36 |
| Avaddon | 27 |
| Cl0p | 23 |
| REvil | 19 |
| Babuk | 17 |
| MountLocker | 7 |
| Nephilim | 7 |
| Doppelpaymer | 6 |
| Astro Team | 5 |
| Ragnarok | 2 |
| RansomEXX | 2 |
The following bar chart visualizes the number of victim data leaks per leaksite.
A new entry to the list is the Astro Team ransomware leaksite.
Conclusion
We hope you found the first installment of our monthly email threat review informative. Get back next month for more and updated email threat landscape insights.
References
- 1 https://www.hornetsecurity.com/en/security-informationen-en/html-phishing-asking-for-the-password-twice/
- 2 https://www.hornetsecurity.com/de/security-information-2/clop-clop-ta505-html-malspam-analyse/
- 3 https://www.hornetsecurity.com/en/threat-research/qakbot-distributed-by-xlsb-files/
- 4 https://www.hornetsecurity.com/en/threat-research/bazarloaders-elaborate-flower-shop-lure/
- 5 https://www.hornetsecurity.com/en/security-information/information-stealer-campaign-targeting-german-hr-contacts/
