1 of every 4 companies suffered at least one email security breach, Hornetsecurity survey finds

1 of every 4 companies suffered at least one email security breach, Hornetsecurity survey finds

Email security is one of the main topics of concern for any IT department, and for good reason. Security breaches often lead to loss of sensitive data, operation downtime, and lost revenue. So we conducted an email security survey of 420+ businesses, and found that 23% of them, or 1 in 4, reported an email-related security breach. Of these security breaches, 36% were caused by phishing attacks targeting arguably the weakest point of any security system, end users.

The survey also examined how companies operating on the Microsoft 365 platform handle email security, and whether or not they use the baked-in Microsoft 365 security tools, or resort to third-party solutions. It is important to keep in mind that the results reveal the number of security breaches that respondents were aware of, and that often potential security breaches are reported months after they occur, missed completely, or not reported at all.
Reported Email Security Breach

What’s the main cause of email security breaches?

Of the security breaches respondents reported knowing about, 36% were caused by phishing attacks specifically targeting end users. More surprising is that 62% of all reported email security breaches occurred due to user-compromised passwords and successful phishing attacks.
User Compromised PW and Phishing Attacks
This fact reconfirms what many already think to be true – that your email security functions are only as useful as the training provided to end users to use said functions correctly and responsibly.

Use of Microsoft 365 Security Features

Keeping this data in mind, we then wanted to quantify and understand what companies are doing to bolster their email security. We asked a series of questions around most of the security features currently built into Microsoft 365. More specifically, we asked whether companies are using them, and if not, why. Here’s what we found:

● 1/3 of companies do not enable Multi-Factor Authentication for all users
● More than half (55%) of those who use MFA do not use Conditional Access
● 69% of respondents do not digitally sign messages
● 58% of respondents do not use encrypted email

Do not enable MFA for users
These issues are also compounded by the fact that 57% of our respondents also mention that they do not leverage Microsoft 365 Data Loss Prevention policies and 23% of these point to a lack of knowledge about the implementation of such policies as the reason.
Leverage DataLoss Prevention Policies

68% of companies expect Microsoft 365 to keep them safe from email threats, yet 50% use third-party solutions

There seems to be a disconnect between the expectations that businesses have of Microsoft 365’s email security, and the reality: While 2 out of every 3 expect Microsoft to keep them safe from email threats, half of all respondents resort to third-party solutions to supplement email security.
MS Keeping Safe from Email Threats
MS Email Security Features Licensing

Third-Party Solutions most effective, with 82% reporting no breaches

Those that use third-party solutions reported the lowest rate of email security breaches in comparison to organizations using security packages offered by Microsoft 365. An impressive 82% of all our respondents who use third-party email security solutions reported no breaches.
82 Percent report no Security Breaches
Additionally, of those who reported paying extra for Microsoft’s Enterprise Mobility & Security E3 or E5, 48% also use third-party solutions. So while expectations of Microsoft 365’s email security are high, the reality is most companies believe it’s not enough; and the numbers back up that claim.

Which companies are the most vulnerable to email security threats?

For context, here is some geographical data about our respondents: the overwhelming majority (63.8%) hail from North America, with Europe trailing at 26.5%. The rest are split between Asia (3.5%), Africa (2.9%), Australia (1.3%), Latin America (1.3%), and the Middle East (0.5%).
74% of all security breaches reported in this survey were by companies that fell within two company size brackets. Those with 201-500 employees and 501-1000 employees. This is likely due to a combination of factors such as budget and recruitment priorities that do not recognize digital security as a major concern at the outset.
Reported Breaches based on Company Size
Once the employee count exceeds 1,000, the incidence of an email breach decreases to 17% – probably due to reactions to previous security concerns and the ability to invest in more robust security protocols and more advanced IT infrastructure. Illustrating this point is the fact that companies with 1,001+ employees are 11% more likely to have MFA enabled for all users than those with 201-500 employees.
Here’s another interesting tidbit: North American respondents reported 5% more email security breaches than their counterparts in Europe. Yet both regions use Multi-Factor Authentication at the same rate: 68%. This could be due to the fact that US breaches tend to yield much higher payouts, so US organizations might be targeted more aggressively.

How do companies feel about storing sensitive data on Exchange Online & Microsoft 365?

MS365 and MS Exchange Security Concerns
The majority of respondents reported no concerns with storing sensitive data, but it results that nearly 4 of every 10 companies do not store sensitive data using the Microsoft 365 platform due to data security concerns. That percentage is not insignificant considering that platforms such as Microsoft 365 are critical to most company operations.

Cyber threats on the rise – additional security layers strongly recommended for Microsoft 365

Microsoft is considered the biggest driver of the cloud movement and Microsoft 365 has brought the world’s most-used office suite to the cloud. Both critical and sensitive files are uploaded and exchanged every day by millions of business customers in the Microsoft suite – and cybercriminals are aware of this. The risks of cyberattacks are increasing every day and more incidents are being reported by both private individuals and companies of all sizes. As the survey shows, it is not only large global operating companies that are affected but also small and medium-sized ones that are increasingly becoming the focus of hackers.

Protect Microsoft Office 365 with 365 Total Protection – a comprehensive Security & Compliance Suite for Microsoft 365, specifically designed for the cloud service and integrates seamlessly. 365 TP is available in two versions: 365 Total Protection Business includes multiple features, such as email and data security, and thus proves to be a reliable additional protection against spam and malware attacks. Advanced features and advanced protection mechanisms are included in 365 Total Protection Enterprise. With AI-based forensic analysis mechanisms, URL malware control, and ATP sandboxing, even the latest targeted cyberattacks, such as ransomware or business email compromise, are blocked.

Furthermore, the service is characterized by its fast, 30-second onboarding process, intuitive operation, and low maintenance requirements.

Click here for more information: https://www.hornetsecurity.com/en/services/365-total-protection/

Leakware-Ransomware-Hybrid Attacks

Leakware-Ransomware-Hybrid Attacks

Summary: Leakware-Ransomware Hybrids

Since December 2019, ransomware operators have been using leakware/ransomware hybrid attacks more and more often. These attacks combine the classic ransomware attack with a leakware attack. In a classic ransomware attack, the victim’s data is encrypted and is only decrypted back after the victim pays a ransom fee to the ransomware operators. In a leakware attack, the data is stolen, and the victim is blackmailed with the data being published publicly unless he pays a certain fee. In a leakware/ransomware hybrid attack, the data is first stolen, then encrypted. Then the victim is first asked to pay the ransom for decryption. If the victim declines to pay the ransom, the attackers threaten him to release the stolen data publicly. In some cases, business partners and/or customers of the victim are also contacted and informed of the impending data release to put even more pressure on the victim.

In this article we outline how these leakware/ransomware hybrid attacks work, how they differ from classic ransomware attacks, and how you can protect yourself against them.


Background: What is Ransomware?

With the rise of crypto currencies, ransomware has become popular for cybercriminals. While ransomware existed before crypto currencies, the logistics of the ransom transfer were greatly simplified by crypto currencies.

According to ID Ransomware, a free service to identify ransomware, there exist 928 different pieces of ransomware1.

Ransomware is often distributed and deployed by other malware. A popular attack vector is email. A typical infection chain of a ransomware attack is the following:

Infection chain of email-based ransomware attack

Actors behind ransomware are financially motivated. Their ransomware encrypts the victim’s data. The attackers will only decrypt the data if the victim pays a ransom.

Ransom demands can range from a few hundred Euro for decrypting a single computer, over several thousand for computers of a small business, up to millions for large corporations and/or government entities. The largest publicly known ransom to ever be paid amounted to $4.5M. It was paid by the U.S. travel management company CWT2.


Classic Ransomware

The interaction and information flow of a classical ransomware case is as follows:

Ransomware interaction flow



New Leakware/Ransomware Hybrid

Since December 2019, actors behind the Maze ransomware operation began combining a previous attack known as leakware with ransomware.

In a leakware attack, data of the victim is stolen, and the attackers threaten to publish the data if the victim does not pay a ransom. Leakware is therefore the opposite to ransomware. Instead of denying the victim access to the data, access to the data is granted to everyone in case the victim does not pay.

This new leakware/ransomware hybrid scheme combines both leakware and ransomware. To this end, before encrypting the victim’s data via ransomware, the data is exfiltrated to the ransomware operators, who then threaten to publish the data if the victim refuses to pay the ransom.

In addition, some ransomware operators will contact the victim’s business partners or customers, whose data is often among the data to be published. The operators behind the Clop ransomware are notorious for doing this. This is used to further increase pressure on the victim to pay the ransom.

The interaction and information flow of the new leakware/ransomware hybrid is as follows:

Ranshameware interaction flow

The problem for the victims is that, even if they pay the ransom, there is no guarantee the leaked data will be deleted – only the promise of criminals. The leaked data could be sold in the underground economy, used in future attacks, and even used to extort the same victim again with the same data at a later point in time.


Clop Ransomware as Example

Using the Clop ransomware as an example, we outline how a leakware/ransomware hybrid attack unfolds.

The Clop ransomware is operated by a threat actor commonly referred to as TA505. Hornetsecurity has reported on these activities previously3. Initial access takes place via a malicious email. TA505 does big-game hunting, i.e., they specifically target large corporations with high revenues. If a recipient opens the email and follows the instructions, which in most cases involve downloading a malicious document and allowing the document to execute macros, the recipient becomes a victim. The macro code in the document then downloads a remote administration trojan (RAT). This RAT gives the attackers remote access to the victim’s computer. The RAT is then used to move laterally within the victim’s company network and gather additional information. In addition, other tools (such as those from the Cobalt Strike framework) are often deployed to obtain domain admin rights. Valuable data is then exfiltrated. From victim data which was published in the past, we know that this data usually contains the complete shared drives of the infected company. Eventually, the Clop ransomware is deployed company-wide to encrypt and incapacitate as many systems as possible so the disruption to the company is maximized.

Then, the operators of the Clop ransomware send the victim to a ransom note website hosted via a Tor hidden service. This ransom note website includes details on the ransom and how to pay it.

Clop Decryptor website

Depending on the company size and estimated revenue, the demanded ransom is often in the millions. Again, TA505 does big-game hunting, i.e., they will only target large corporations with high revenues. The ransom note website also features a timer and a threat that if the ransom is not paid in time, the price will be doubled.

To proof to the victim that files can be decrypted, the ransom note site also offers a “Trial Decryption”.

Clop Decryptor Website's Trial Decryption

The ransom note site also features a support chat. Those chats are often used to negotiate the ransom, payment rates or deadline extensions.

Clop Decryptor website's Chat support

If a victim refuses to pay or does not enter negotiations, the ransomware operators start sending out mass-email notifications to the victim’s business partners and/or customers. Here is one example of such a notification email sent out by the Clop ransomware operators:

Clop notification email

The attached list.txt file contains a list of the Windows domains and their corresponding network shares from which the Clop ransomware operators have exfiltrated data. The links in the notification email point to the subpage on the Clop’s leak site where the stolen data is shared.

The Clop ransomware leak site is titled “CL0P^_- LEAKS”. It currently lists 13 victims. Here is an example of a leaked data view:

Clop leak site



List of Leak Sites

Currently, there exist leak sites for 13 different ransomware operations. The distribution of victims among each leak site can be seen in the following plot:

Victim distribution on ransomware leak sites




With 220 victims, the leak site of the Maze ransomware is the one with highest number of victims. Apparently, the operators behind the Maze ransomware have so many potential victims that they have formed the so-called Maze Cartel, in which the help other ransomware operations for a share of the profits.

Maze leak site

Interestingly, the Maze leak site is among the leak sites that are also acessible via the clear web and not just via a hidden service.


REvil / Sodinokibi

The second most dominant ransomware with a leak site is REvil. Their site, called “Happy Blog”, contains data from 67 victims.

REvil leak site

In June 2020, the actors behind the REvil ransomware also started to “auction” stolen data:

REvil auction

However, the auction site doesn’t contain any information on how to bid. It is likely just another mechanism to gain media attention and scare companies into paying the attackers.



With data from 59 victims, the “Doppel leaks” leak site of the DoppelPaymer ransomware comes in on third place.

DoppelPaymer leak site

The site is also accessible via a clear web domain.



The “Conti News” leak site of the new Conti ransomware already has data from 43 victims. From all current available information, the Conti ransomware seems to be the successor to the notorious Ryuk ransomware.

Conti leak site

Conti leak site

The site is also accessible via a clear web domain.

After Maze, Conti is currently the ransomware with the fastest growing victim count, sometimes increasing in up to 10 new victims per day. Here, it is worth noticing that only victims who refuse to pay the ransom are published on the leak sites.



Data from 37 victims of the NetWalker ransomware has been published on their leak site titled “NetWalker Blog”.

NetWalker leak site



Mespinoza / Pysa

The Mespinoza ransomware, also known as Pysa, has titled their leak site “Pysa’s Partners”. It features data from 28 victims.

Mespinoza leak site




The leak site of the Nephilim ransomware, called “Corporate Leaks”, contains data from 16 victims.

Nephilim leak site




The leak site of the RagnarLocker ransomware is titled “RAGNAR LEAKS NEWS”. It features data from 14 victims.

RagnarLocker leak site



The leak site of the SunCrypt ransomware is simply titled “News”. However, researchers were able to contact the operators of the site and confirm that the leak site is associated with the SunCrypt ransomware. The leak site features data from 9 victims.

SunCrypt leak site




The Sekhmet ransomware leak site, titled “Sekhmet Leaks.” is only available via a clear web address. It currently features data from 8 victims.

Sekhmet leak site




In the first Avaddon campaign observed by Hornetsecurity4, no data was exfiltrated. The campaign distributed Avaddon via the Phorpiex botnet, and the encryption of the victims was fully automated. The campaign was hence not targeted at high-value victims for which a leak would be worthwhile. However, Avaddon has since been used in different campaigns and their leak site, titled “Avaddon Info”, has currently data from 4 victims.

Avaddon leak site



A very recent leak site is the “Darkside” leak site of the Darkside ransomware. It has data from 2 victims.


MedusaLocker / AKO

The MedusaLocker ransomware also had a leak site, which at one point featured data from 7 victims.

MedusaLocker leak site

However, currently the site only contains a “coming soon” message without any published contents of victims. It seems the site is currently being restructured.



The Nemty ransomware also used to have a leak site. The site was also reachable via a clear web domain. However, the site is currently not reachable anymore.



Hornetsecurity previously has analyzed the ProLock ransomware, which also claims to “have gathered […] sensitive data” and “would share it in case [the victims] refuse to pay”5. However, no ProLock leak site has appeared yet.


Conclusion and Remediation

The new leakware/ransomware hybrid attacks make malware infections more dangerous to businesses than ever before. While good backups helped against classic ransomware attacks, they do not provide any protection against private and/or confidential data being forcefully leaked to the public. The broad announcement of the data leak to business partners and customers will cause further damages and loss of reputation to victims as business partners and customers, but also competitors get unlimited access to internal documents, such as contracts, pricing, research and development findings, etc.

In general, the only protection against these leakware/ransomware hybrid attacks is to invest in effective IT security. With regards to email, Hornetsecurity’s Spam Protection Service and Hornetsecurity’s Advanced Threat Protection protect against leakware/ransomware hybrid attacks using email as their initial infection vector in the same way they protect against classic ransomware attacks using this access vector: by fending off these attacks at the very beginning of the attack chain before the attackers can even obtain initial access to your systems.




Further information:

  • More about Ransomware on the Hornetsecurity Knowledgebase.
The Hornetsecurity Security Lab publishes new figures: about 70% of all emails are unwanted

The Hornetsecurity Security Lab publishes new figures: about 70% of all emails are unwanted

Around 300 billion e-mails are sent every day – the number of e-mails sent and received for private and business purposes is forecast to rise to 361.6 billion by 2024. However, not all e-mails that end up in users’ inboxes are wanted, and unwanted e-mails not only contain questionable advertising, but often also harmful attachments and links.

The experts of the Hornetsecurity Security Labs have analyzed how many e-mails are actually wanted by users and what dangers can lurk in their inboxes based on the e-mails received in the system for the year 2020 and have come to interesting results: Only 28% of the e-mails could be classified as “clean”, i.e. harmless by the Hornetsecurity filters – thus more than 70% of all addressed e-mails were unwanted by the recipient.

Which emails are already blocked in advance?

A total of 67% of incoming e-mails are blocked in advance by Hornetsecurity’s filter mechanisms: this means that these e-mails have not even been classified as harmful or unwanted due to various factors. In June 2020, the Security Lab analyzed the reasons for blocking incoming emails. Below we take a look at the most important ones. 

In first place with almost 58%, are e-mails that could be classified as spam in advance using a real-time blackhole list.

In second place with 12%, are emails that try to use Hornetsecurity’s mail servers as open relay. Open relay is the process by which an email server delivers emails for which it is not responsible. For example, if example.com has an email server, it should only accept email for mustermann@example.com. An open relay server would also accept mail for other domains, such as @test.com. These open relays are often misused to send spam with fake sender addresses.

In 5.9% of the e-mails blocked by Hornetsecurity, no correct sender address could be found. This is important because cyber criminals try to hide their identity or pretend to be someone else. For example: In the case of mustermann@example.com, if the domain example.com does not exist, the email is blocked.

In 5.3% of blocked e-mails, harmful content was found. Malicious content includes attachments such as *.xls, *.doc, *.pdf that contain malware, but also links that lead to malicious or compromised web pages.

What threats are found in the emails that were not blocked in advance?

The proportion of spam, malware and other threats in the non-blocked emails is also interesting. For this evaluation, the security experts checked the total number of incoming emails minus the blocked emails.

About 10% of these analyzed e-mails were spam and about 3% were info mails. The Security Lab experts were also able to find malware in about 1% of all incoming e-mails, and just under 0.1% were even detected by Hornetsecury’s Advanced Threat Protection. These are attacks such as CEO fraud, spearphishing, or attacks that use new types of malware, which were only detected by the Hornetsecurity ATP Sandbox and not by classic filters. Conversely, this means that more than 10% of the e-mails that are not blocked in advance contain spam or attachments and content that are harmful to the user.

Although the majority of harmful e-mails can be blocked, companies should not yet sit back and relax. Cybercriminals are constantly finding new ways to send malicious emails to users and their attacks are still often successful.

The webshells powering Emotet

The webshells powering Emotet


The Hornetsecurity Security Lab presents details on the webshells behind the Emotet distribution operation, including insights into payload downloads and how from 2020-07-22 to 2020-07-24 Emotet payloads on Emotet download URLs were replaced with HTML code displaying GIFs. The analysis shows that the number of downloads of the malicious content behind the Emotet download URLs is significant and has been observed peaking at 50,000 downloads per hour. Highlighting that Emotet emails do get clicked. The analysis further shows that compromised websites are not just compromised once but multiple times by different actors and cleanup efforts by the website administrators are often insufficient leading to re-enabling of the malicious Emotet downloads.


Emotet is one of the most prolific malspam actors. They distribute their malware via malspam emails with either a malicious document attachment containing VBA macros or download links to those malicious documents. These malicious documents will then download the Emotet loader from the Emotet download URLs. These downloads are hosted on compromised websites. To this end, the actors behind Emotet use webshell malware on the compromised websites. These webshells are used to place new payloads, either malicious documents distributed via malicious links in emails, or the Emotet loader, on the compromised websites. Because compromised websites get blacklisted or the Emotet malware gets cleaned the actors use up around 300 to 400 URLs a day.

Technical Analysis

In this analysis we take a look at the Emotet webshells.

S.A.P. webshell

If you have access to the filesystem of a website compromised by Emotet getting the webshell used by Emotet is very simple. However, with a bit of luck, relying on misconfigurations in the compromised websites, and relying on another actor in the webshell realm, everyone Emotet webshell samples can be obtained without access to the compromised webservers.

First, the Emotet webshells reside in the directory one level below the directory containing the Emotet download, i.e., either an Emotet maldoc, or the Emotet loader executable download. So if the Emotet download URL is https://www.example.com/wp-includes/LYnUiE/, the webshell will usually reside in https://www.example.com/wp-includes/. However, we also have seen webshells in other directories. Next, we can hope for misconfigurations in the compromised websites and hope the directory containing the webshell is an open directory, i.e., it will list the directory contents as in the following example:

Emotet open directoryIn this example, import.php is the Emotet webshell and lpyc42 is the directory that will deliver the Emotet payload. Known filenames of Emotet webshells are user.php, common.php, import.php, update.php, link.php, license.php, menu.php, image.php, options.php, tools.php, core.php, edit.php, functions.php, config.php, and wp-list.php.

Obviously, access to the webshell is protected, i.e., when requesting the import.php file, the PHP code is executed by the webserver and only its output is served. However, on some servers we observed PHP files that had been renamed by adding an additional .suspected extension to the file.

Emotet open directory with renamed webshell (just ignore all the other webshells in that directory :D)This renaming was actually most likely done by a different malware named Vigilante Malware Cleaner. Information about Vigilante Malware Cleaner was first discovered and documented by Bruce Ediger in 2019 [VigilanteMalwareCleaner]. Existence of this renaming dates back to at least 2015. The Vigilante Malware Cleaner malware seems to compromise already compromised websites, then searches existing PHP files for suspected malware, and disabling suspected malicious PHP scripts by appending .suspected to their filenames and thus excluding the files from the list of files the server will execute as PHP code. This will cause the server to serve the file contents, i.e., the PHP source code of the webshell, directly instead. Using this we can download the PHP code of the Emotet webshell. Before being able to access the webshell the code queries a parameter f_pp, which is used to decode the webshell:

Encoded Emotet webshellThis f_pp parameter functions as a password to the webshell. Via OSINT research we found that the encoded webshell is identical to one found and decoded by another researcher in January [EmotetWebshellSamples].

To illustrate to the reader what someone logging into the this webshell with the correct f_pp parameter would see, we ran the decoded PHP code on a test system:

Emotet S.A.P. v.2.1 webshellThe webshell identifies itself as S.A.P. webshell with version v.2.1. The webshell allows an attacker to search, upload, and download files. It allows to execute arbitrary commands. It further offers convenient tools to dump SQL databases from the server, perform network scans, and/or brute force passwords.

The fact that the decoding processes relies on the f_pp parameter as password and we found multiple instances of the identical encoded webshell code dating back to January strongly suggests that Emotet reuses passwords for their webshells.

GIF hijacking

Even though we do not have logs or other forensic artifacts of the systems in question, we, based on our previous outlined findings, agree with the opinion stated by other researchers that the recent incident in which Emotet downloads were replaced with HTML code displaying GIFs is a result of insufficient security of the Emotet webshells. This hypothesis is supported by the fact that Emotet seems to have changed their webshell on 2020-07-27 and the GIF hijacks stopped. But indications of new GIF hijackings emerged on 2020-07-31. This could be the time it took the GIF replacement actor to figure out the new password. However, new GIF hijackings are not wide spread, which could indicate whatever Emotet is doing to defend itself against the GIF hijackings is working. The used GIFs can be interpreted as a statement towards the actors behind Emotet that the actors behind the GIF replacements are still watching and determined to continue the disruption of the Emotet operation:

Emotet is being watched GIF

Emotet is being watched GIFOn later Emotet compromised websites we also multiple times found variations of the following webshell:

Possible new Emotet webshellWe are, however, not certain this is the new Emotet webshell, but would like to point out that the webshell realm is a very crowded space, e.g. we observed one webserver that had two GIF hijackings, two (presumably) by Vigilante Malware Cleaner to .suspected renamed webshells, as well as, as a new active Emotet download – in just one directory (other parts of the server contained even more webshells):

Emotet opendir with 2 GIF hijackingsThis means the website was not once, or twice, but at least three times used as a download for Emotet (2020-07-23 and 2020-07-28). The website would likely still server Emotet payloads but luckily its bandwidth limit was exceeded.

Emotet download stopped working due to exceeded bandwidth limitSo there is a possibility that the actors placing the GIFs are gaining access via a vulnerability of the website itself, or are even affiliated with the Vigilante Malware Cleaner malware. But we are a email security provider and hence do not have enough visibility into the website compromise landscape to make any definit statements.

Download statistics

Talking about download quotas, there is a way to externally monitor Emotet payload download statistics. Emotet uses a PHP script to collect download statistics grouped by operating systems given in the downloader’s User-Agent string. These statistics are delivered as an JSON object in a subdirectory of the Emotet payload download directory named as $path , '/.' . sha1(basename($path)):

Emotet download statsSo the statistics for https://www.example.com/wp-includes/LYnUiE/ could be queried from https://www.example.com/wp-includes/LYnUiE/.a2dd7d055bb668528c29e16f789755fb3aae277b.

Going again by previously shared Emotet webshell code [EmotetWebshellSamples] the numbers correspond to Windows (4), Linux (3), Apple (2), Android (1) and unknown (0) operating systems found in the downloader’s User-Agent string:

Emotet statistic PHP codeWe proceeded to scrape these statistics. The counters are reset every time the Emotet Tier 2 servers push updated maldocs and loader executables to the compromised websites via the webshells. Hence, when a new count was higher than a previous count, we took the difference as the number of downloads happening between scrapes. But in case the count is lower then a previous count, we assume the count was reset and take the new count as number of downloads since our last scrape. This way we also nullify stuck download statistics, i.e., download statistics that do not get reset anymore. We scraped with a frequency of 1 minute. Emotet updated the documents with a frequency of around 10 minutes. Because Emotet targets the Windows operating system we only consider the download statistics for the Windows operating system. For 12 hours of 2020-07-29 the obtained statistics of 739 Emotet download URLs (533 of which registered active downloads in the presented time frame) can be visualized as follows:

Emotet downloads on 2020-07-29This is a stacked plot, i.e., each URLs download number is plotted individually but their total shows the cumulative number of all download URLs. Each different color represents a different Emotet download URL. These figures obviously include downloads by security researchers and automated security systems such as sandboxes. We also miss any downloads that happen between one of our scraping runs and Emotet resetting the download counter. However, the figures still give an interesting insight into Emotet downloads and hence the click rate of Emotet. In our observation the cumulative number of Emotet downloads peaked at 50,000 downloads per hour.

Separating the download URLs by their served payloads (based on MIME type analysis) we can see that most downloads are for the Emotet maldoc. The Emotet loader is downloaded far less often:

Emotet downloads on 2020-07-29If we plot the download numbers according to time after the URL was first observed we see that each URL’s download numbers peak within the first hour the URL was first observed. At that time each observed Emotet URL got around 200 downloads per hour. However, URLs keep getting downloads even 12 hours after the URL was first observed. Hence, every download URL blocked or taken down is potentially one Emotet victim less, even if the blocking or take down happens 12 hours too late.

The following line plot illustrates individual URL download performance:

Emotet downloads aligned by time URL was first observedStacking download figures for URLs the falloff trend can clearly be observed. After 9 hours the number of downloads drops to 1/3 of the downloads observed right after the URL was newly observed:

Emotet downloads aligned by time URL was first observed as stacked plotWe think a proportion of the initial peak can be attributed to automated security systems scanning the Emotet malspam and thus downloading the Emotet maldocs from the Emotet download URLs. This is confirmed by again separating the data in URLs serving the Emotet maldocs and URLs serving the Emotet loader:

Emotet downloads aligned by time URL was first observedThe number of downloads of the Emotet loader has a slower rise to the peak then the downloads of the Emotet maldoc, supporting our hypothesis. Further, there is no steep falloff in Emotet loader downloads.

On average the Emotet loader was downloaded at a rate of around 1500 per hour, while the Emotet maldocs were downloaded at a rate of around 7500 per hour.

Failed cleanup attempts

During monitoring the Emotet download URLs more closely we also witnessed failed cleanup attempts multiple times. Often site administrators delete the directory containing the Emotet download. However, they miss cleaning all the webshells. The actors behind Emotet then simply regenerate the deleted files with their next payload update. We also observed Emotet using a previous compromised website again.

Other observed mistakes

Being such a large operation it is inevitable that the actors behind Emotet make mistakes. While allowing another actor to hijack their payload downloads is one mistake, other mistakes include (but are not limited to) messing up the replacement regular expression, so we could observe download URLs delivering Emotet maldocs with broken filenames, such as InvJP0732{:REGEX:.doc, INVOICE-Q84{:REGEX:.doc, invoice-UBO7631{:REGEX:.doc, etc. We are certain the {:REGEX: part should be {:REGEX:[0-9]{3,6} (or something like that), a special syntax used by the Emotet generation processes to expand the filename base on a random but character restrained pattern. These {:REGEX:[...] patterns have also previously leaked in attachment filenames and are part of Emotets automation process. Please note that depending on your Browser the : in the filenames may be replaced with _ because : is not a valid character on the Windows operating system. Monitoring the Emotet operation very closely reveals a lot of such mistakes overtime and the insights gained can be used to strengthen our own defenses against Emotet.

Conclusion and Countermeasure

As this analysis by the Hornetsecurity Security Lab shows Emotet is not just sent in large volume but its malicious content is also downloaded in significant large numbers.

On the network you should block known Emotet URLs. In case browsing to random websites is not an activity necessary to fulfill your business, you can block the domains and not just the specific URLs. This provides better protection because, as has been shown, Emotet and potentially other actors can misuse the compromised website again, either by regaining access via left behind webshells, or by reinfecting the website via the initial access vector, e.g., a WordPress vulnerability or weak password. The block should be kept even if the Emotet download is gone, as the site may still be compromised. It is highly likely that you will never actually need to visit any of these websites at all, thus keeping the websites blocked shouldn’t cause negativ effects.

Hornetsecurity’s Spam Filtering Service, with the highest detection rates on the market, already detects and blocks Emotet emails based on known indicators. Hornetsecurity’s Advanced Threat Protection extends this protection by also detecting yet unknown threats.



Privacy Shield: The end of transatlantic data exchange?

Privacy Shield: The end of transatlantic data exchange?


Currently, it is recommended that affected data flows be identified and switched to alternatives that meet the required level of protection under GDPR. We would therefore like to assure you that Hornetsecurity’s cloud email security services are not affected by the invalidation of Privacy Shield and can continue to be used as usual.


On 16.07.20 the European Court of Justice (ECJ) overturned the data protection framework between the USA and Europe. Although this does not immediately mean the end of data transfer between the two continents, it does have far-reaching consequences. Let’s take a quick look at it.

Privacy Shield – What does it contain?

The Data Agreement came into force at the beginning of 2016 as the successor to the Safe Harbour Agreement. The aim of the Privacy Shield, according to its creators, was to provide legal certainty not only for a higher level of protection for citizens, but also for European companies that exchange data with the USA. US companies would thus be obliged to store the data of EU citizens for only as long as it was used for the original purpose. Data protection experts criticised this agreement from the very beginning, as they suspected that it would not offer any significant changes compared to the previous safe harbour agreement.
For example, the Privacy Shield offered approaches for better data protection, but this was still far from reaching the European standard. In particular, US secret services were able to access data of EU citizens without any restrictions. This fact prompted the ECJ to declare the Privacy Shield invalid.

Out with the Privacy Shield – and now what?

Can data still flow between the USA and Europe? It is clear that the removal of the Privacy Shield agreement creates confusion. First of all, it is important to realize that a distinction must be made between private individuals and companies. Private individuals can still send private emails to the US or make a booking on a US website. The situation is different for companies.
Around 5,000 companies are directly affected by the ECJ’s decision, as they invoke the Privacy Shield when transferring data to the USA. These include companies such as Facebook, Microsoft and Amazon. In order to initially continue to ensure legal data exchange to the USA, companies can alternatively invoke the standard contract clauses that have been practicable to date. But here, too, the question is: Can these still be valid, even if they cannot exclude access by secret services?
German data protection experts, in particular, are beginning to talk about Europe’s digital independence. The Berlin data protection expert Maja Smoltczyk, for example, calls on those responsible for transferring personal data to the USA to switch to service providers in the EU in order to ensure an adequate level of data protection.
It can therefore be assumed that there will be no ‘go ahead’ in the data protection debate to overcome legal uncertainty.

What does this mean for Hornetsecurity customers?

In principle, Hornetsecurity provides its core service in Germany within secure data centers there. There is no data exchange with the USA and Hornetsecurity is therefore not directly affected by this decision.
All subcontractors in a third country commissioned by Hornetsecurity, who have named the Privacy Shield as the basis for data transmission, also have alternative legal bases, so that if one legal basis is no longer applicable, one of the other possibilities will take over. The two other variants for the transfer of data from the European Economic Area to other countries, especially the USA, are Binding Corporate Rules / binding internal data protection regulations and EU standard contractual clauses/EU standard contractual clauses. Our customers will find the exact information about our subcontractors in the Order Processing Agreement in Annex 3.

Perhaps also of interest to you

Cybercrime threatens the future of the logistics industry

Cybercrime threatens the future of the logistics industry

A reliable flow of goods is essential for a healthy economy and to ensure the population has the supplies it needs. The digital transformation of the logistics industry has been the largest contributor to the optimization of workflows and processes and created more transparency in supply chains. Logistics 4.0 is characterized by IT networking and automated processes. However, the digitalization of the logistics industry does not bring only advantages, because the dynamic transformation of systems neglects some security factors:

For example, outdated servers, unpatched systems or a lack of employee expertise can lead to risky security gaps. Cyber criminals are offered plenty of attack vectors to penetrate internal systems. Company-wide e-mail communication is one of the most frequently used gateways for hacker attacks. With phishing, malicious attachments and links to fake websites, cybercriminals have particularly high chances of successful attacks.

The lynchpin of the economy targeted by hacker attacks

As one of the world’s largest and most important industries, the logistics sector is increasingly being targeted by cyberattacks. But how vulnerable is it compared to other industries? What are the purposes of hackers’ attacks on specific companies? What attack techniques are the affected companies exposed to? In the “Cybersecurity Special – Cybercrime threatens the future of the logistics sector” the security experts from Hornetsecurity provide answers to these questions. The Hornetsecurity Security Lab analyzed about 1,000 domains with the largest email volume and was able to identify the top 10 industries worldwide that were particularly affected by cyberattacks via email in 2019.

Following the energy sector, the logistics industry is particularly threatened by hacker attacks. The analysis by the security experts at Hornetsecurity found that around 14 percent of the companies at risk from malicious emails are part of the logistics industry. The disruption of tightly timed operations within logistics companies can have unexpected consequences: from the theft of sensitive company data to the shutdown of important supply chains. The demonstrable increase in cybercrime and numerous examples of successful hacker attacks on companies in the logistics industry underscore the relevance of comprehensive IT security in companies.

Hornetsecurity takes a detailed look at the current threat situation in which logistics companies find themselves, based on in-depth analyses of past and current cyberattacks, and explains the tactics behind the various types of attacks on the logistics industry. In addition, the security experts analyze how a malware campaign approaches a company to find a potential target for the attack. It is clear that the danger posed by cyberattacks on logistics is far greater than generally assumed – the results of the research, summarized in the Cybersecurity Special, provide an alarming overview.