1 of every 4 companies suffered at least one email security breach, Hornetsecurity survey finds

1 of every 4 companies suffered at least one email security breach, Hornetsecurity survey finds

Email security is one of the main topics of concern for any IT department, and for good reason. Security breaches often lead to loss of sensitive data, operation downtime, and lost revenue. So we conducted an email security survey of 420+ businesses, and found that 23% of them, or 1 in 4, reported an email-related security breach. Of these security breaches, 36% were caused by phishing attacks targeting arguably the weakest point of any security system, end users.

The survey also examined how companies operating on the Microsoft 365 platform handle email security, and whether or not they use the baked-in Microsoft 365 security tools, or resort to third-party solutions. It is important to keep in mind that the results reveal the number of security breaches that respondents were aware of, and that often potential security breaches are reported months after they occur, missed completely, or not reported at all.
Reported Email Security Breach

What’s the main cause of email security breaches?

Of the security breaches respondents reported knowing about, 36% were caused by phishing attacks specifically targeting end users. More surprising is that 62% of all reported email security breaches occurred due to user-compromised passwords and successful phishing attacks.
User Compromised PW and Phishing Attacks
This fact reconfirms what many already think to be true – that your email security functions are only as useful as the training provided to end users to use said functions correctly and responsibly.

Use of Microsoft 365 Security Features

Keeping this data in mind, we then wanted to quantify and understand what companies are doing to bolster their email security. We asked a series of questions around most of the security features currently built into Microsoft 365. More specifically, we asked whether companies are using them, and if not, why. Here’s what we found:

● 1/3 of companies do not enable Multi-Factor Authentication for all users
● More than half (55%) of those who use MFA do not use Conditional Access
● 69% of respondents do not digitally sign messages
● 58% of respondents do not use encrypted email

Do not enable MFA for users
These issues are also compounded by the fact that 57% of our respondents also mention that they do not leverage Microsoft 365 Data Loss Prevention policies and 23% of these point to a lack of knowledge about the implementation of such policies as the reason.
Leverage DataLoss Prevention Policies

68% of companies expect Microsoft 365 to keep them safe from email threats, yet 50% use third-party solutions

There seems to be a disconnect between the expectations that businesses have of Microsoft 365’s email security, and the reality: While 2 out of every 3 expect Microsoft to keep them safe from email threats, half of all respondents resort to third-party solutions to supplement email security.
MS Keeping Safe from Email Threats
MS Email Security Features Licensing

Third-Party Solutions most effective, with 82% reporting no breaches

Those that use third-party solutions reported the lowest rate of email security breaches in comparison to organizations using security packages offered by Microsoft 365. An impressive 82% of all our respondents who use third-party email security solutions reported no breaches.
82 Percent report no Security Breaches
Additionally, of those who reported paying extra for Microsoft’s Enterprise Mobility & Security E3 or E5, 48% also use third-party solutions. So while expectations of Microsoft 365’s email security are high, the reality is most companies believe it’s not enough; and the numbers back up that claim.

Which companies are the most vulnerable to email security threats?

For context, here is some geographical data about our respondents: the overwhelming majority (63.8%) hail from North America, with Europe trailing at 26.5%. The rest are split between Asia (3.5%), Africa (2.9%), Australia (1.3%), Latin America (1.3%), and the Middle East (0.5%).
74% of all security breaches reported in this survey were by companies that fell within two company size brackets. Those with 201-500 employees and 501-1000 employees. This is likely due to a combination of factors such as budget and recruitment priorities that do not recognize digital security as a major concern at the outset.
Reported Breaches based on Company Size
Once the employee count exceeds 1,000, the incidence of an email breach decreases to 17% – probably due to reactions to previous security concerns and the ability to invest in more robust security protocols and more advanced IT infrastructure. Illustrating this point is the fact that companies with 1,001+ employees are 11% more likely to have MFA enabled for all users than those with 201-500 employees.
Here’s another interesting tidbit: North American respondents reported 5% more email security breaches than their counterparts in Europe. Yet both regions use Multi-Factor Authentication at the same rate: 68%. This could be due to the fact that US breaches tend to yield much higher payouts, so US organizations might be targeted more aggressively.

How do companies feel about storing sensitive data on Exchange Online & Microsoft 365?

MS365 and MS Exchange Security Concerns
The majority of respondents reported no concerns with storing sensitive data, but it results that nearly 4 of every 10 companies do not store sensitive data using the Microsoft 365 platform due to data security concerns. That percentage is not insignificant considering that platforms such as Microsoft 365 are critical to most company operations.

Cyber threats on the rise – additional security layers strongly recommended for Microsoft 365

Microsoft is considered the biggest driver of the cloud movement and Microsoft 365 has brought the world’s most-used office suite to the cloud. Both critical and sensitive files are uploaded and exchanged every day by millions of business customers in the Microsoft suite – and cybercriminals are aware of this. The risks of cyberattacks are increasing every day and more incidents are being reported by both private individuals and companies of all sizes. As the survey shows, it is not only large global operating companies that are affected but also small and medium-sized ones that are increasingly becoming the focus of hackers.

Protect Microsoft Office 365 with 365 Total Protection – a comprehensive Security & Compliance Suite for Microsoft 365, specifically designed for the cloud service and integrates seamlessly. 365 TP is available in two versions: 365 Total Protection Business includes multiple features, such as email and data security, and thus proves to be a reliable additional protection against spam and malware attacks. Advanced features and advanced protection mechanisms are included in 365 Total Protection Enterprise. With AI-based forensic analysis mechanisms, URL malware control, and ATP sandboxing, even the latest targeted cyberattacks, such as ransomware or business email compromise, are blocked.

Furthermore, the service is characterized by its fast, 30-second onboarding process, intuitive operation, and low maintenance requirements.

Click here for more information: https://www.hornetsecurity.com/en/services/365-total-protection/

Leakware-Ransomware-Hybrid Attacks

Leakware-Ransomware-Hybrid Attacks

Summary: Leakware-Ransomware Hybrids

Since December 2019, ransomware operators have been using leakware/ransomware hybrid attacks more and more often. These attacks combine the classic ransomware attack with a leakware attack. In a classic ransomware attack, the victim’s data is encrypted and is only decrypted back after the victim pays a ransom fee to the ransomware operators. In a leakware attack, the data is stolen, and the victim is blackmailed with the data being published publicly unless he pays a certain fee. In a leakware/ransomware hybrid attack, the data is first stolen, then encrypted. Then the victim is first asked to pay the ransom for decryption. If the victim declines to pay the ransom, the attackers threaten him to release the stolen data publicly. In some cases, business partners and/or customers of the victim are also contacted and informed of the impending data release to put even more pressure on the victim.

In this article we outline how these leakware/ransomware hybrid attacks work, how they differ from classic ransomware attacks, and how you can protect yourself against them.


Background: What is Ransomware?

With the rise of crypto currencies, ransomware has become popular for cybercriminals. While ransomware existed before crypto currencies, the logistics of the ransom transfer were greatly simplified by crypto currencies.

According to ID Ransomware, a free service to identify ransomware, there exist 928 different pieces of ransomware1.

Ransomware is often distributed and deployed by other malware. A popular attack vector is email. A typical infection chain of a ransomware attack is the following:

Infection chain of email-based ransomware attack

Actors behind ransomware are financially motivated. Their ransomware encrypts the victim’s data. The attackers will only decrypt the data if the victim pays a ransom.

Ransom demands can range from a few hundred Euro for decrypting a single computer, over several thousand for computers of a small business, up to millions for large corporations and/or government entities. The largest publicly known ransom to ever be paid amounted to $4.5M. It was paid by the U.S. travel management company CWT2.


Classic Ransomware

The interaction and information flow of a classical ransomware case is as follows:

Ransomware interaction flow



New Leakware/Ransomware Hybrid

Since December 2019, actors behind the Maze ransomware operation began combining a previous attack known as leakware with ransomware.

In a leakware attack, data of the victim is stolen, and the attackers threaten to publish the data if the victim does not pay a ransom. Leakware is therefore the opposite to ransomware. Instead of denying the victim access to the data, access to the data is granted to everyone in case the victim does not pay.

This new leakware/ransomware hybrid scheme combines both leakware and ransomware. To this end, before encrypting the victim’s data via ransomware, the data is exfiltrated to the ransomware operators, who then threaten to publish the data if the victim refuses to pay the ransom.

In addition, some ransomware operators will contact the victim’s business partners or customers, whose data is often among the data to be published. The operators behind the Clop ransomware are notorious for doing this. This is used to further increase pressure on the victim to pay the ransom.

The interaction and information flow of the new leakware/ransomware hybrid is as follows:

Ranshameware interaction flow

The problem for the victims is that, even if they pay the ransom, there is no guarantee the leaked data will be deleted – only the promise of criminals. The leaked data could be sold in the underground economy, used in future attacks, and even used to extort the same victim again with the same data at a later point in time.


Clop Ransomware as Example

Using the Clop ransomware as an example, we outline how a leakware/ransomware hybrid attack unfolds.

The Clop ransomware is operated by a threat actor commonly referred to as TA505. Hornetsecurity has reported on these activities previously3. Initial access takes place via a malicious email. TA505 does big-game hunting, i.e., they specifically target large corporations with high revenues. If a recipient opens the email and follows the instructions, which in most cases involve downloading a malicious document and allowing the document to execute macros, the recipient becomes a victim. The macro code in the document then downloads a remote administration trojan (RAT). This RAT gives the attackers remote access to the victim’s computer. The RAT is then used to move laterally within the victim’s company network and gather additional information. In addition, other tools (such as those from the Cobalt Strike framework) are often deployed to obtain domain admin rights. Valuable data is then exfiltrated. From victim data which was published in the past, we know that this data usually contains the complete shared drives of the infected company. Eventually, the Clop ransomware is deployed company-wide to encrypt and incapacitate as many systems as possible so the disruption to the company is maximized.

Then, the operators of the Clop ransomware send the victim to a ransom note website hosted via a Tor hidden service. This ransom note website includes details on the ransom and how to pay it.

Clop Decryptor website

Depending on the company size and estimated revenue, the demanded ransom is often in the millions. Again, TA505 does big-game hunting, i.e., they will only target large corporations with high revenues. The ransom note website also features a timer and a threat that if the ransom is not paid in time, the price will be doubled.

To proof to the victim that files can be decrypted, the ransom note site also offers a “Trial Decryption”.

Clop Decryptor Website's Trial Decryption

The ransom note site also features a support chat. Those chats are often used to negotiate the ransom, payment rates or deadline extensions.

Clop Decryptor website's Chat support

If a victim refuses to pay or does not enter negotiations, the ransomware operators start sending out mass-email notifications to the victim’s business partners and/or customers. Here is one example of such a notification email sent out by the Clop ransomware operators:

Clop notification email

The attached list.txt file contains a list of the Windows domains and their corresponding network shares from which the Clop ransomware operators have exfiltrated data. The links in the notification email point to the subpage on the Clop’s leak site where the stolen data is shared.

The Clop ransomware leak site is titled “CL0P^_- LEAKS”. It currently lists 13 victims. Here is an example of a leaked data view:

Clop leak site



List of Leak Sites

Currently, there exist leak sites for 13 different ransomware operations. The distribution of victims among each leak site can be seen in the following plot:

Victim distribution on ransomware leak sites




With 220 victims, the leak site of the Maze ransomware is the one with highest number of victims. Apparently, the operators behind the Maze ransomware have so many potential victims that they have formed the so-called Maze Cartel, in which the help other ransomware operations for a share of the profits.

Maze leak site

Interestingly, the Maze leak site is among the leak sites that are also acessible via the clear web and not just via a hidden service.


REvil / Sodinokibi

The second most dominant ransomware with a leak site is REvil. Their site, called “Happy Blog”, contains data from 67 victims.

REvil leak site

In June 2020, the actors behind the REvil ransomware also started to “auction” stolen data:

REvil auction

However, the auction site doesn’t contain any information on how to bid. It is likely just another mechanism to gain media attention and scare companies into paying the attackers.



With data from 59 victims, the “Doppel leaks” leak site of the DoppelPaymer ransomware comes in on third place.

DoppelPaymer leak site

The site is also accessible via a clear web domain.



The “Conti News” leak site of the new Conti ransomware already has data from 43 victims. From all current available information, the Conti ransomware seems to be the successor to the notorious Ryuk ransomware.

Conti leak site

Conti leak site

The site is also accessible via a clear web domain.

After Maze, Conti is currently the ransomware with the fastest growing victim count, sometimes increasing in up to 10 new victims per day. Here, it is worth noticing that only victims who refuse to pay the ransom are published on the leak sites.



Data from 37 victims of the NetWalker ransomware has been published on their leak site titled “NetWalker Blog”.

NetWalker leak site



Mespinoza / Pysa

The Mespinoza ransomware, also known as Pysa, has titled their leak site “Pysa’s Partners”. It features data from 28 victims.

Mespinoza leak site




The leak site of the Nephilim ransomware, called “Corporate Leaks”, contains data from 16 victims.

Nephilim leak site




The leak site of the RagnarLocker ransomware is titled “RAGNAR LEAKS NEWS”. It features data from 14 victims.

RagnarLocker leak site



The leak site of the SunCrypt ransomware is simply titled “News”. However, researchers were able to contact the operators of the site and confirm that the leak site is associated with the SunCrypt ransomware. The leak site features data from 9 victims.

SunCrypt leak site




The Sekhmet ransomware leak site, titled “Sekhmet Leaks.” is only available via a clear web address. It currently features data from 8 victims.

Sekhmet leak site




In the first Avaddon campaign observed by Hornetsecurity4, no data was exfiltrated. The campaign distributed Avaddon via the Phorpiex botnet, and the encryption of the victims was fully automated. The campaign was hence not targeted at high-value victims for which a leak would be worthwhile. However, Avaddon has since been used in different campaigns and their leak site, titled “Avaddon Info”, has currently data from 4 victims.

Avaddon leak site



A very recent leak site is the “Darkside” leak site of the Darkside ransomware. It has data from 2 victims.


MedusaLocker / AKO

The MedusaLocker ransomware also had a leak site, which at one point featured data from 7 victims.

MedusaLocker leak site

However, currently the site only contains a “coming soon” message without any published contents of victims. It seems the site is currently being restructured.



The Nemty ransomware also used to have a leak site. The site was also reachable via a clear web domain. However, the site is currently not reachable anymore.



Hornetsecurity previously has analyzed the ProLock ransomware, which also claims to “have gathered […] sensitive data” and “would share it in case [the victims] refuse to pay”5. However, no ProLock leak site has appeared yet.


Conclusion and Remediation

The new leakware/ransomware hybrid attacks make malware infections more dangerous to businesses than ever before. While good backups helped against classic ransomware attacks, they do not provide any protection against private and/or confidential data being forcefully leaked to the public. The broad announcement of the data leak to business partners and customers will cause further damages and loss of reputation to victims as business partners and customers, but also competitors get unlimited access to internal documents, such as contracts, pricing, research and development findings, etc.

In general, the only protection against these leakware/ransomware hybrid attacks is to invest in effective IT security. With regards to email, Hornetsecurity’s Spam Protection Service and Hornetsecurity’s Advanced Threat Protection protect against leakware/ransomware hybrid attacks using email as their initial infection vector in the same way they protect against classic ransomware attacks using this access vector: by fending off these attacks at the very beginning of the attack chain before the attackers can even obtain initial access to your systems.




Further information:

  • More about Ransomware on the Hornetsecurity Knowledgebase.
The Hornetsecurity Security Lab publishes new figures: about 70% of all emails are unwanted

The Hornetsecurity Security Lab publishes new figures: about 70% of all emails are unwanted

Around 300 billion e-mails are sent every day – the number of e-mails sent and received for private and business purposes is forecast to rise to 361.6 billion by 2024. However, not all e-mails that end up in users’ inboxes are wanted, and unwanted e-mails not only contain questionable advertising, but often also harmful attachments and links.

The experts of the Hornetsecurity Security Labs have analyzed how many e-mails are actually wanted by users and what dangers can lurk in their inboxes based on the e-mails received in the system for the year 2020 and have come to interesting results: Only 28% of the e-mails could be classified as “clean”, i.e. harmless by the Hornetsecurity filters – thus more than 70% of all addressed e-mails were unwanted by the recipient.

Which emails are already blocked in advance?

A total of 67% of incoming e-mails are blocked in advance by Hornetsecurity’s filter mechanisms: this means that these e-mails have not even been classified as harmful or unwanted due to various factors. In June 2020, the Security Lab analyzed the reasons for blocking incoming emails. Below we take a look at the most important ones. 

In first place with almost 58%, are e-mails that could be classified as spam in advance using a real-time blackhole list.

In second place with 12%, are emails that try to use Hornetsecurity’s mail servers as open relay. Open relay is the process by which an email server delivers emails for which it is not responsible. For example, if example.com has an email server, it should only accept email for mustermann@example.com. An open relay server would also accept mail for other domains, such as @test.com. These open relays are often misused to send spam with fake sender addresses.

In 5.9% of the e-mails blocked by Hornetsecurity, no correct sender address could be found. This is important because cyber criminals try to hide their identity or pretend to be someone else. For example: In the case of mustermann@example.com, if the domain example.com does not exist, the email is blocked.

In 5.3% of blocked e-mails, harmful content was found. Malicious content includes attachments such as *.xls, *.doc, *.pdf that contain malware, but also links that lead to malicious or compromised web pages.

What threats are found in the emails that were not blocked in advance?

The proportion of spam, malware and other threats in the non-blocked emails is also interesting. For this evaluation, the security experts checked the total number of incoming emails minus the blocked emails.

About 10% of these analyzed e-mails were spam and about 3% were info mails. The Security Lab experts were also able to find malware in about 1% of all incoming e-mails, and just under 0.1% were even detected by Hornetsecury’s Advanced Threat Protection. These are attacks such as CEO fraud, spearphishing, or attacks that use new types of malware, which were only detected by the Hornetsecurity ATP Sandbox and not by classic filters. Conversely, this means that more than 10% of the e-mails that are not blocked in advance contain spam or attachments and content that are harmful to the user.

Although the majority of harmful e-mails can be blocked, companies should not yet sit back and relax. Cybercriminals are constantly finding new ways to send malicious emails to users and their attacks are still often successful.

Privacy Shield: The end of transatlantic data exchange?

Privacy Shield: The end of transatlantic data exchange?


Currently, it is recommended that affected data flows be identified and switched to alternatives that meet the required level of protection under GDPR. We would therefore like to assure you that Hornetsecurity’s cloud email security services are not affected by the invalidation of Privacy Shield and can continue to be used as usual.


On 16.07.20 the European Court of Justice (ECJ) overturned the data protection framework between the USA and Europe. Although this does not immediately mean the end of data transfer between the two continents, it does have far-reaching consequences. Let’s take a quick look at it.

Privacy Shield – What does it contain?

The Data Agreement came into force at the beginning of 2016 as the successor to the Safe Harbour Agreement. The aim of the Privacy Shield, according to its creators, was to provide legal certainty not only for a higher level of protection for citizens, but also for European companies that exchange data with the USA. US companies would thus be obliged to store the data of EU citizens for only as long as it was used for the original purpose. Data protection experts criticised this agreement from the very beginning, as they suspected that it would not offer any significant changes compared to the previous safe harbour agreement.
For example, the Privacy Shield offered approaches for better data protection, but this was still far from reaching the European standard. In particular, US secret services were able to access data of EU citizens without any restrictions. This fact prompted the ECJ to declare the Privacy Shield invalid.

Out with the Privacy Shield – and now what?

Can data still flow between the USA and Europe? It is clear that the removal of the Privacy Shield agreement creates confusion. First of all, it is important to realize that a distinction must be made between private individuals and companies. Private individuals can still send private emails to the US or make a booking on a US website. The situation is different for companies.
Around 5,000 companies are directly affected by the ECJ’s decision, as they invoke the Privacy Shield when transferring data to the USA. These include companies such as Facebook, Microsoft and Amazon. In order to initially continue to ensure legal data exchange to the USA, companies can alternatively invoke the standard contract clauses that have been practicable to date. But here, too, the question is: Can these still be valid, even if they cannot exclude access by secret services?
German data protection experts, in particular, are beginning to talk about Europe’s digital independence. The Berlin data protection expert Maja Smoltczyk, for example, calls on those responsible for transferring personal data to the USA to switch to service providers in the EU in order to ensure an adequate level of data protection.
It can therefore be assumed that there will be no ‘go ahead’ in the data protection debate to overcome legal uncertainty.

What does this mean for Hornetsecurity customers?

In principle, Hornetsecurity provides its core service in Germany within secure data centers there. There is no data exchange with the USA and Hornetsecurity is therefore not directly affected by this decision.
All subcontractors in a third country commissioned by Hornetsecurity, who have named the Privacy Shield as the basis for data transmission, also have alternative legal bases, so that if one legal basis is no longer applicable, one of the other possibilities will take over. The two other variants for the transfer of data from the European Economic Area to other countries, especially the USA, are Binding Corporate Rules / binding internal data protection regulations and EU standard contractual clauses/EU standard contractual clauses. Our customers will find the exact information about our subcontractors in the Order Processing Agreement in Annex 3.

Perhaps also of interest to you

Energy Sector: Number One Cyber-Attack Target

Energy Sector: Number One Cyber-Attack Target

Digitization is finding its way into more and more areas of the economy: from large energy companies to small travel agencies. The production plants are constantly linked, machines can be controlled remotely via the Internet, and data can be exchanged within seconds. Thus processes can be optimized and resources saved. But the advantages also have some downsides, for example when outdated servers, unpatched systems, or the lack of technical competence among employees lead to unexpected vulnerabilities. This is exactly what cyber-criminals are looking for: They use various techniques to get into a company’s system. Espionage, shutdown of production, power outages, data theft and financial losses running into billions are the result.

Hornetsecurity identifies the top 10 most attacked industries

Company-wide email communication is one of the most frequently used gateways for hacker attacks, because cyber criminals expect to have a particularly high chance of success with phishing, ransomware and other techniques … but which industries are actually most commonly affected by cyber-attacks and what attack techniques are they exposed to? By analyzing around 1,000 domains with the largest email volume, the security experts at Hornetsecurity were able to identify the top 10 industries that were particularly hard hit by cyber attacks via email in 2019.

Energy suppliers in the focus of hacker attacks

The energy sector was found to be extremely threatened, as it is the number one target – and as part of a country’s critical infrastructure, it is subject to the highest security measures. Nevertheless, a number of past incidents have shown that even the smallest vulnerability can have unexpected consequences. So who is presumably behind the attacks on the energy industry? What are the motives and what do the cybercriminals aim to achieve?

In the “Cybersecurity Special – Energy Industry: Cyber Attack Target Number One” the security experts from Hornetsecurity provide answers to these questions. They also explain the tactics behind the various types of attacks on the energy industry and analyse in detail the approach of a current phishing campaign on a utility company to find out what possible target lies behind the attack.

Due to increasing cybercrime, the relevance of IT security in companies is reaching a completely new level and will be even more important in the future. The risks of a cyber attack are usually far greater than is generally assumed – the results and conclusions of the research, summarized in the Cybersecurity Special, give an alarming picture.

HTML Phishing Asking for the Password Twice

HTML Phishing Asking for the Password Twice

Nothing but the same old threat? Phishing campaigns always seem to proceed by the same principle: A link or attachment placed in an email redirects to a phishing website to retrieve specific data about the recipient. However, for some users, a certain process has now become established that is designed to expose the traditional phishing tactics. Now the Hornetsecurity Security Lab has discovered a phishing scheme that is designed to circumvent this method.


The Procedure

In case of the detected phishing scheme, the entire phishing website is sent to the victim as an HTML attachment and then executed locally in the browser.
While investigating such phishing activity, the Security Lab discovered an interesting tactic in one of the phishing web forms used. In one form, the first password entered by the user is always rejected as incorrect and only the second password is accepted.

This is likely to workaround a methode that some users came up with to protect against phishing. Some users believe that phishing websites will always accept any password. Hence, you can spot a phishing website by entering a wrong password. A phishing website will accept the wrong password, while the legitimate site will reject it as incorrect. This assumption is, however, wrong and the Security Lab will outline why in this article.



Phishing via sending victims the entire HTML source of the phishing webpage as an email attachment is nothing new [1]. The general outline is that the victim receives an email with an attached HTML document.
Here we can see a recent example of such a phishing attempt against a bank:



In the email the user is told that the user profile must be updated otherwise the services of the bank can not be used anymore.

When the user opens the attachment, a form asks for the users credentials or in this case a whole array of private and confidential information:



The document is even so helpful and checks (locally via HTML5 features) whether the information the user has entered has a valid format, e.g., the email contains an @ symbol, etc.:



Once the user’s input was locally validated, a HTTP POST request is issued sending the entered information to a remote server:



This scheme is a great way to prevent your phishing website from being blacklisted, as there is no visible phishing webpage online that a hosting provider could take down. Getting a website banned because it receives HTTP POST requests is a hard one to convey to a hosting provider or owner of a compromised website.

Recently the Security Lab found an interesting new twist to this scheme in a long running scheme of such HTML phishing attachments pretending to be from one the major integrated container logistics and supply chain companies.



The phishing activity the interesting scheme is part of is going on uninterrupted for month – and in a different form likely for years:




The fact that more emails are send during business days would indicate that this activity is targeting businesses:



Even though the langauge of the phishing emails is exclusively English, the emails are send predominantly to German, US and UK companies:



Granted the country distribution is slightly biased by Hornetsecurity’s client base since Hornetsecurity is a market leader in the DACH region.

As an interesting note, the networks from which these emails are send from are as follows:



With the owners of the 7 AS with the highest volume of send emails being:

Volume ASN ASN owner
5450 199653 ARUBAFR-AS, FR
3300 266772 TRIMOTION S.R.L., AR
1450 8374 PLUSNET Plus network operator in Poland, PL
1375 15704 XTRA TELECOM S.A., ES
1275 54290 HOSTWINDS, US
1225 1221 ASN-TELSTRA Telstra Corporation Ltd, AU


Asking the user twice

While most of the observed phishing documents follow the scheme previously outlined – except for asking the user only for a password and having the user’s email address already pre-filled in the document – a few other phishing documents in this series, however, come with a twist.

When opening the phishing document the user is asked to input the password to preview some shipping documents:



Irregardless of what password is entered, the user is immediately presented with another password popup form claiming that the password that was entered is incorrect:



This is probably done in an attempt to prevent clever users from first trying with a made up password – in case it is phishing – and only entering their
real password when a fake password won’t get them in.

But only that last entered password is send to the remote server:



Last but not least, the user is redirected to the image hosting service Imgur and presented with an image of shipping documents:



Obviously, those pictured documents are as fake as the phishing email itself.


Conclusion and Remediation

This example shows that the trick proposed by some users to protect against phishing by always entering a false password first and only after that password was rejected enter the correct password, does not work. The logic behind this trick seems to be that most phishing forms will accept any password. So if a system rejects a wrong password it must be legit, how else would it know that the password is wrong. But as this case has shown a phishing form can simply reject your password, too. In fact it could reject all passwords and send all attempts to the attacker in hopes that the victim will hand over all passwords while trying to log into the fake password form.

Remediation is not so simply. Because the phishing webpage is loaded locally into the victims browser, blacklists such as Googles Safebrowsing will not warn the user that a phishing webpage is opened. Another thing is the exfiltration mechanism. The single HTTP POST request is send to a likely compromised WordPress website, making it hard to discover in a busy network and because there is no visible phishing website online also hard to investigate by a network analyst.

The safest way to protect against these HTML phishing webpage attachments is to not allow them into the users mailbox in the fist place. For example, the precise analysis mechanisms of Hornetsecuritys Spam Filtering Service and Malware Protection detect such emails in the first filter instances and block these phishing emails before they can be delivered to a mailbox.