VIPRE Security Group, a global pioneer and award-winning cybersecurity, privacy, and data protection company, released its Q1 2024 Email Threat Trends report, based on an analysis of 1.8 billion emails. The findings reveal the evolving landscape of email-based threats and emerging tactics malicious actors are employing.
The US, UK, Ireland, and Japan top the spam sources list. The report identifies the US as the top source of spam emails globally, followed by the U.K., Ireland, and Japan. The US, UK, and Canada are the top three countries most subjected to email-based attacks.
Attackers aim at the manufacturing sector
The manufacturing, government, and IT sectors are the most victimised by malicious actors.
In Q1 2024, the manufacturing sector suffered 43% of email-based attacks, with the government (15%) and IT (11%) trailing well behind. This is a change from Q1 2023, when attackers targeted the financial (25%), healthcare (22%), and education (15%) sectors most often.
Scams surpassing phishing
These emails contain malicious attachments in .html or .pdf formats, featuring phishing QR codes
This research warns that ‘scams’ within the spam category are growing in popularity among cybercriminals, overtaking phishing emails in the first quarter of 2024.
There’s been a notable increase in phishing emails masquerading as communications from Human Resources, falsely claiming to relate to employee benefits, compensation, or insurance within a company. These emails contain malicious attachments in .html or .pdf formats, featuring phishing QR codes that redirect recipients to phishing sites upon scanning.
New phishing trends and techniques
In email phishing campaigns, 75% of emails leverage links, 24% favour attachments, and 1% use QR codes. Attackers are employing links in phishing emails for URL redirection (54%), compromised websites (22%), and newly created domains (15%).
Emerging tactics employed by cybercriminals to execute phishing attacks include the use of .ics calendar invite and .rtf attachment file formats to trick recipients into opening malicious content.
Malspam links and top malware family
Malware is increasingly being hidden in cloud storage platforms such as Google Drive
Encouraged by the success of password-oriented phishing emails that use links, cybercriminals are opting for malicious links in malspam emails instead of attachments. Malware is increasingly being hidden in cloud storage platforms such as Google Drive. The use of malware-based emails employing attachments has increased to 22% in Q1 2024, from only 3% in Q1 2023.
Due to the void left by the dismantled Qakbot malware, Pikabot has emerged as the top malware family, with IceID a distant second.
Exploiting software vulnerabilities
Criminals are exploiting a web application vulnerability, most notably Reflected Cross-Site Scripting (XSS), focusing on the tag attribute “href”, to circumvent detection by using a variety of tactics such as images as the entire email content, encoding URLs, and directing the victim through multiple URLs.
Malicious actors are also finding success with thread hijacking of NTLM
Malicious actors are also finding success with thread hijacking of NTLM (NT LAN Manager), a security protocol used by Microsoft Windows operating systems for authentication. By hijacking the authentication thread, attackers extract NTLM challenge-response hashes from legitimate SMB (Server Message Block) sessions, to enable them to impersonate authenticated users and gain unauthorised access.
Exploiting human vulnerabilities
"Criminals are using email with success to scam, infiltrate networks, and unleash malicious payloads," warns Usman Choudhary, Chief Product and Technology Officer, VIPRE Security Group. "We're witnessing bad actors relentlessly exploiting human vulnerabilities and software flaws, circumventing email gateways and security measures with alarming precision. Robust email and endpoint defences, coupled with a vigilant human frontline, remain our strongest defence against these unyielding attacks."
VIPRE leverages its unique understanding of email security to equip organisations with the information they need to protect themselves. This report is based on proprietary intelligence gleaned from round-the-clock vigilance of the cybersecurity landscape.
