Email Threat Review May 2022

Email Threat Review May 2022

Summary

In this monthly email threat review installment, we present an overview of the email-based threats observed in May 2022 and compare them to the previous month’s threats.

The report provides insights into:

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

Email category %
Rejected 81.81
Spam 13.45
Threat 3.85
AdvThreat 0.85
Content 0.04

The following histogram shows the email volume per category per day.

Unwanted emails by category

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails) %
Archive 33.8
HTML 17.0
PDF 16.4
Excel 13.7
Executable 5.8
Other 5.6
Disk image files 4.7
Word 1.7
Script file 0.6
Email 0.4
LNK file 0.3

The following histogram shows the email volume per file type used in attacks per 7 days.

File types used in attacks

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median).

Industries Share of threat in threat and clean emails
Research industry 7.0
Manufacturing industry 4.4
Automotive industry 4.3
Media industry 4.0
Mining industry 4.0
Utilities 4.0
Education industry 3.8
Healthcare industry 3.7
Transport industry 3.7
Construction industry 3.6

The following bar chart visualizes the email-based threat posed to each industry.

Hornetsecurity Industry Email Threat Index

 

This month saw an increased threat index for the research industry. Other industries display a slightly relaxed threat index compared to the previous month.

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack techniques used in attacks.

Attack technique %
Phishing 40.0
URL 14.9
Advance-fee scam 7.8
Executable in archive/disk-image 4.3
Extortion 4.0
Impersonation 2.0
Maldoc 1.4
HTML 1.3
PDF 0.3
Other 23.9

The following histogram shows the email volume per attack technique used per hour.

Attack techniques

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated brand or organization %
Sparkasse 60.9
Amazon 7.6
DHL 5.6
UPS 2.1
Dropbox 1.6
Microsoft 1.5
Netflix 1.4
LinkedIn 1.4
Fedex 1.2
Volks- und Raiffeisenbank 1.1
1&1 1.0
Postbank 1.0
Other 13.6

The following histogram shows the email volume for brands and organizations detected in impersonation attacks per hour.

Impersonated company brands

Although we observed some pauses in the ongoing Sparkasse phishing campaigns, Sparkasse still dominates our charts. Sparkasse is a German public bank.

Email Threat Review May 2022

Email Threat Review April 2022

Executive Summary

  • Around 2022-04-07, an obtrusive malspam campaign spreading the Formbook malware using malicious Word documents exploiting CVE-2017-11882 made Word documents this month’s most used file format in attacks.
  • On 2022-04-22, the Emotet botnet operators started using LNK files to spread via email. But at the end of the month, they switched back to XLS malicious documents.

Summary

In this installment of our monthly email threat review, we present an overview of the email-based threats observed in April 2022 and compare them to the previous month’s threats.

The report provides insights into:

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

Email category %
Rejected 80.58
Spam 13.88
Threat 4.71
AdvThreat 0.81
Content 0.03

The following histogram shows the email volume per category per day.

Unwanted emails by category

The spike in rejected emails from 2022-04-07 to 2022-04-12 can be attributed to a large-scale sextortion email scam campaign in the German language.

Sextortion email

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes, such as phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails) %
Word 47.2
Archive 19.0
PDF 11.5
HTML 9.2
Excel 6.1
Executable 2.6
Disk image files 2.4
Other 1.3
Script file 0.4
Email 0.1
LNK file 0.1

The following histogram shows the email volume per file type used in attacks per seven days.

File types used in attacks

The spike around 2022-04-07 can be attributed to a large and very obtrusive malspam campaign spreading the Formbook malware using malicious Word documents exploiting CVE-2017-11882.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median).

Industries Share of threat in threat and clean emails
Manufacturing industry 5.3
Healthcare industry 5.2
Research industry 5.0
Automotive industry 4.9
Media industry 4.5
Education industry 4.3
Utilities 4.1
Construction industry 4.0
Professional service industry 3.9
Mining industry 3.9
Retail industry 3.8

The following bar chart visualizes the email-based threat posed to each industry.

Hornetsecurity Industry Email Threat Index

The Top 3 industries in our email threat index remain unchanged. However, the research industry has fallen from 1st to 3rd place.

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack techniques used in attacks.

Attack technique %
Phishing 37.7
Other 29.8
URL 9.8
Advance-fee scam 8.1
Maldoc 7.4
Extortion 2.9
Executable in archive/disk-image 2.8
Impersonation 1.6

The following histogram shows the email volume per attack technique used per hour.

Attack techniques

The increase in maldocs (malicious documents) used can be attributed to the aforementioned large-scale Formbook campaign. The maldocs of the Formbook campaign can also be clearly seen in the data plot around 2022-04-07.

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated brand or organization %
Sparkasse 77.3
Amazon 5.0
Other 7.2
LinkedIn 3.0
Postbank 2.2
Deutsche Post / DHL 2.0
Dropbox 1.1
Netflix 0.7
Microsoft 0.6
UPS 0.5
Fedex 0.4

The following histogram shows the email volume for company brands and organizations detected in impersonation attacks per hour.

Impersonated company brands

The German bank Sparkasse continues as the most impersonated entity used in attacks.

Highlighted threat email campaigns

This month we want to highlight Emotet’s LNK file campaign. Emotet is malicious software that is used to steal personal information from infected computers. It is a type of Trojan horse that is spread through spam email messages. Emotet can also be used to install other types of malware on an infected computer, such as ransomware.

On 2022-04-22, the Emotet botnet operators started to use LNK files to spread the Emotet malware via emails. To this end, they replaced their previously used malicious XLS documents with an LNK file. LNK files are shortcuts that link to other files. However, these files can also inject commands into executable files. This can allow malware to be installed on the user’s computer without their knowledge. If a user receives a .lnk file from an untrusted source, they should not open it.

The emails containing Emotet’s malicious LNK files follow the same email conversation threat hijacking scheme as regular Emotet emails. The LNK malware was usually sent where the malicious XLS document would be placed, i.e., in some cases directly attached to the email but in others attached in a password-protected ZIP file with the password listed in the email.

Emotet email

The LNK files had different variations. All of them used Windows\system32\cmd.exe as the target file for the LNK. The command-line arguments of the LNK were then used to provide commands to cmd.exe to execute. In one variant, a VBS script was appended to the end of the LNK file, which was extracted via findstr and written to a .vbs file, and executed by the command line arguments in the LNK file.

Other variants used Powershell in the command line arguments of the LNK files to execute a download of the Emotet loader.

Emotet LNK file

The following histogram shows the email volume for Emotet’s LNK email campaign per 3 hours, comparing it against its XLS campaign.

Highlighted threat email campaigns

We assume that Emotet’s operators switched back to XLS files because their LNK files had a much higher detection rate across security vendors.

Email Threat Review May 2022

Email Threat Review March 2022

Executive Summary

This month’s notable insights:

  • Increase in malicious Excel attachments used in attacks due to Emotet.
  • Reduction in industry threat index compared to last month but overall threat index still above last year’s average levels.
  • Phishers attempt large-scale fraud through the impersonation of NGOs and Ukrainian refugees, asking for donations for Ukrainian refugees and war victims – mostly in Bitcoin. Similar and more targeted schemes have also been observed.

Summary

In this installment of our monthly email threat review, we present an overview of the email-based threats observed in March 2022 and compare them to previous ones.

The report provides insights into:

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

Email category %
Rejected 72.98
Spam 20.55
Threat 5.27
AdvThreat 1.16
Content 0.04

The following histogram shows the email volume per category per day.

Unwanted emails by category

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes, such as phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for criminal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails) %
Archive 36.9
Excel 22.3
HTML 14.7
PDF 9.4
Disk image files 4.8
Executable 4.4
Other 3.7
Word 3.5
Script file 0.4
Email 0.1
LNK file 0.0
Powerpoint 0.0

The following histogram shows the email volume per file type used in attacks per seven days.

File types used in attacks

Attacks using HTML attachments continued to decline from 33.6 % to 14.7 %. The continued increase in malicious Excel attachments from 12.4 % to 22.3 % can still be attributed to Emotet currently spreading with malicious Excel documents.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median).

Industries Share of threat in threat and clean emails
Research industry 6.6
Manufacturing industry 5.9
Healthcare industry 5.8
Media industry 5.7
Automotive industry 5.6
Education industry 5.3
Retail industry 4.6
Mining industry 4.6
Professional service industry 4.5
Construction industry 4.5

The following bar chart visualizes the email-based threat posed to each industry.

Hornetsecurity Industry Email Threat Index

Even though its threat index dropped from 10.5 % to 6.6 %, the research industry remains the most threatened industry. The median threat index of all industries declined slightly from 4.9 % to 4.2 %. For comparison, the overall median threat index of all industries for the year 2021 was 4.0 %. This means even though we see a drop from last month’s elevated values, the values are still above last year’s average.

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack techniques used in attacks.

Attack technique %
Phishing 36.1
Other 28.5
URL 12.1
Advance-fee scam 11.8
Executable in archive/disk-image 3.4
Maldoc 3.3
Extortion 2.7
Impersonation 2.1

The following histogram shows the email volume per attack technique used per hour.

Attack techniques

The spike on 2022-03-16 in advance-fee scams is caused by emails referencing the German investment TV show “Höhle der Löwen” (German’s version of the British Dragon’s Den or the US Shark Tank TV show). The emails claim an investment opportunity that was too good and therefore banned from airing on the TV show.

Advanced-fee scam email

The attackers try to lure the victims into “investing” in a Bitcoin trading bot or, in some other way, transfer money to the attackers in exchange for significant monetary returns. The financial returns are not true, and the offer is a scam.

The emails were sent in a concise time span, causing this sharp spike in the data. This advance-fee scam campaign’s other less pronounced activity spikes were on 2022-03-03, 2022-03-10, 2022-03-20, 2022-03-26, and 2022-03-31. However, the email volume per hour was smaller than for the campaign on 2022-03-16.

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated brand or organization %
Sparkasse 66.7
Other 11.7
Amazon 7.6
Deutsche Post / DHL 3.1
Volks- und Raiffeisenbank 3.1
Postbank 2.4
Fedex 1.6
LinkedIn 1.4
Dropbox 1.0
Microsoft 0.9
Strato 0.5

Hornetsecrurity observed a new peak of NGO (e.g., ‘Other’ as seen above) scams this month. The ongoing war in Ukraine lures fraudsters into the mix. Fraudsters impersonate NGOs and Ukrainian refugees to gather US Dollars or Bitcoin donations. In general, in times of crisis, fundraising scams are imminent.

The following histogram shows the email volume for company brands and organizations detected in impersonation attacks per hour.

Impersonated company brands

After last month’s large-scale LinkedIn phishing campaign, the German Sparkasse bank again takes first place for most impersonated brand in attacks.

Email Threat Review May 2022

Email Threat Review February 2022

Executive Summary

  • Hornetsecurity registered an increase in threat emails during February 2022.
  • URL-based email and phishing attacks continue to be significant.
  • With 47.1 % of impersonated brands, LinkedIn has been the most impersonated brand in ongoing phishing campaigns.

Summary

In this installment of our monthly email threat review, we present an overview of the email-based threats observed in February 2022 and compare them to the previous month’s threats.

The report provides insights into:

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

Email category %
Rejected 79.77
Spam 14.20
Threat 5.13
AdvThreat 0.87
Content 0.03

The following time histogram shows the email volume per category per day.

Unwanted emails by category

The spike in rejected emails starting on 2022-02-16 can be attributed to a large-scale reoccurring sextortion email scam campaign in the German language. This campaign then transitioned to the Dutch language on 2022-02-24. Parallel to these campaigns, we also registered more threat emails.

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes, such as phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails) %
HTML 33.6
Archive 29.0
Excel 12.4
PDF 9.9
Disk image files 4.6
Executable 3.7
Other 3.5
Word 2.9
Script file 0.3
LNK file 0.1
Email 0.0
Powerpoint 0.0

The following histogram shows the email volume per file type used in attacks per seven days.

File types used in attacks

There has been a decline in email attacks using HTML documents for either payload delivery or credential phishing compared to previous ones. Instead, attacks using archive files, e.g., ZIP documents, to encapsulate malicious script files and other executables were on the rise. The increase of malicious Excel documents from 10 % to 12.4 % can be attributed to Emotet activity, which currently uses malicious Excel documents as an infection vector.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median).

Industries Share of threat in threat and clean emails
Research industry 10.5
Entertainment industry 7.3
Healthcare industry 7.3
Education industry 7.0
Hospitality industry 6.9
Manufacturing industry 6.7
Media industry 6.6
Automotive industry 6.6
Retail industry 6.1
Utilities 5.6

The following bar chart visualizes the email-based threat posed to each industry.

Hornetsecurity Industry Email Threat Index

Overall our email threat index increased over all industries. The top four industries’ positions remain unchanged. However, the threat index of the research industry rose the most out of all the observed industries. While the threat index of the research industry increased from 6.8 % to 10.5 %, the threat index of the entertainment industry only rose from 6.4 % to 7.3 %. The threat index of the healthcare industry increased from 5.3 % to 7.3 %.

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack techniques used in attacks.

Attack technique %
Phishing 48.4
Other 32.0
URL 10.6
Extortion 2.3
Advance-fee scam 2.2
Executable in archive/disk-image 1.9
Impersonation 1.8
Maldoc 0.8
LNK 0.0

The following histogram shows the email volume per attack technique used per hour.

Attack techniques

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated brand or organization %
LinkedIn 47.1
Volks- und Raiffeisenbank 24.4
Sparkasse 9.2
Amazon 5.2
Fedex 4.1
Deutsche Post / DHL 2.2
Postbank 0.6
UPS 0.4
Microsoft 0.4
Other 6.4

The following histogram shows the email volume for company brands and organizations detected in impersonation attacks per hour.

Impersonated company brands

LinkedIn was impersonated in several phishing campaigns this month.

LinkedIn phishing email

Additionally, we detected the continuation of the phishing campaigns against German banks, namely Volks- und Raiffeisenbank, Sparkasse, and Postbank.

Email Threat Review May 2022

Email Threat Review January 2022

Summary

In this installment of our monthly email threat review, we present an overview of the email-based threats observed in January 2022 and compare them to the previous month’s threats.

The report provides insights into:

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

Email category %
Rejected 79.84
Spam 15.33
Threat 4.01
AdvThreat 0.78
Content 0.04

The following time histogram shows the email volume per category per day.

Unwanted emails by category

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes, such as phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails) %
HTML 38.9
Archive 23.2
PDF 12.0
Excel 10.3
Disk image files 5.0
Executable 4.2
Other 3.1
Word 2.7
Script file 0.4
LNK file 0.2
Email 0.1
Powerpoint 0.0

There is an increase in HTML attachments used in attacks from 22.8 % to 38.9 % from last month.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median).

Industries Share of threat in threat and clean emails
Research industry 6.8
Entertainment industry 6.4
Healthcare industry 5.3
Education industry 5.3
Mining industry 5.2
Manufacturing industry 4.9
Media industry 4.7
Automotive industry 4.5
Hospitality industry 4.3
Construction industry 4.2

The following bar chart visualizes the email-based threat posed to each industry.

Hornetsecurity Industry Email Threat Index

The research industry’s threat emails share increased from 4.1 % to 6.8 % last month. Making the research industry again the industry most threatened by email attacks.

The global median threat email share over all companies regardless of industry increased from 3.2 % to 3.7 %. This indicates that the increase in threat email share targeting the research industry is higher than the overall increase in threat email share.

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack techniques used in attacks.

Attack technique %
Phishing 43.5
Other 34.0
URL 10.1
Impersonation 3.7
Extortion 3.5
Advance-fee scam 2.3
Executable in archive/disk-image 2.0
Maldoc 0.8
LNK 0.0

The following time histogram shows the email volume per attack technique used per hour.

Attack techniques

The increase in URL-based attacks from last month’s 7.3 % to 10.1 % can be attributed to Emotet URL-based malspam campaigns.

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated brand or organization %
Volks- und Raiffeisenbank 61.2
Other 10.3
Sparkasse 9.7
Amazon 6.0
Postbank 5.9
Deutsche Post / DHL 4.1
Microsoft 0.9
UPS 0.8
1&1 0.6
Commerzbank 0.4

The following histogram shows the email volume for company brands and organizations detected in impersonation attacks per hour.

Impersonated company brands

In September 2021, we first reported a large-scale phishing campaign that mimicked emails from German banks. Since then, the campaign has been ongoing. This month the campaign focused heavily on the Volks- und Raiffeisenbank brand. Consequently, the brand has been the most impersonated brand of January 2022. It attributed to 61.2% of all brand impersonation attacks.

Email Threat Review May 2022

Email Threat Review December 2021

Summary

In this installment of our monthly email threat review, we present an overview of the email-based threats observed in December 2021 and compare them to the previous month’s threats.

The report provides insights into:

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

Email category %
Rejected 80.70
Spam 14.27
Threat 4.15
AdvThreat 0.84
Content 0.04

The following time histogram shows the email volume per category per day.

Unwanted emails by category

Readers of our previous reports likely already guessed that the spike in rejected emails at the start of December can be attributed to a large-scale monthly re-occurring sextortion scam spam campaign targeting German-speaking victims.

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes, such as phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails) %
Archive 28.8
HTML 22.8
PDF 18.5
Excel 11.8
Disk image files 4.8
Other 4.4
Executable 4.4
Word 3.6
Email 0.7
Script file 0.2

The distribution of file types in attacks using attachments is virtually the same as in previous months.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails received (in median).

Industries Share of threat in threat and clean emails
Manufacturing industry 4.8
Media industry 4.6
Education industry 4.3
Research industry 4.1
Mining industry 4.1
Healthcare industry 4.0
Agriculture industry 3.9
Automotive industry 3.9
Hospitality industry 3.7
Entertainment industry 3.5

The following bar chart visualizes the email-based threat posed to each industry.

Hornetsecurity Industry Email Threat Index

The research industry threat index has dropped from 6.0 to 4.1. Further, the Hospitality industry made it into the top 10. This is likely due to targeting criminals who know that other industries will have reduced email traffic due to the holidays, making it harder for threat emails to blend in, while the hospitality industry (hotels, restaurants, etc.) has increased business over the holidays.

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack techniques used in attacks.

Attack technique %
Phishing 49.2
Other 31.4
URL 7.3
Extortion 3.3
Impersonation 3.0
Advance-fee scam 2.5
Executable in archive/disk-image 2.5
Maldoc 0.8
LNK 0.0

The following histogram shows the email volume per attack technique used per hour.

Attack techniques

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated brand or organization %
Sparkasse 50.1
Volks- und Raiffeisenbank 24.0
Amazon 5.2
Postbank 4.2
Other 3.8
Deutsche Post / DHL 3.6
PayPal 1.5
DocuSign 1.0
LinkedIn 0.9
Microsoft 0.8
1&1 0.7

The following histogram shows the email volume for company brands and organizations detected in impersonation attacks per hour.

Impersonated company brands

On 2021-12-05, the long-running large-scale phishing campaign against the two German banking associations, Sparkasse and Volks- und Raiffeisenbanken also targeted the German Postbank. The emails use the same lure as the campaigns we previously reported on. The user is informed about an alleged change at the bank concerning the European Payment Services Directive 2 (PSD2). The user is requested to review and confirm the changes to their data.

Postbank phishing

Emotet Christmas campaign

Emotet is known for sending campaigns for specific seasonal events. We previously reported on Emotet’s Halloween campaign. Emotet also sent threat emails this Christmas.

The emails were very primitive and only featured one link.

Emotet Christmas email

As usual, the link in the email downloads an Office document which malicious macro code downloads and executes the Emotet malware.