Executive Summary

• HTML is now the most used file type in email attacks with attachments.

Summary

In this monthly email threat review installment, we present an overview of the email-based threats observed in September 2022 and compare them to the previous month’s threats.

The report provides insights into the following highlights:

• Unwanted emails by category
• File types used in attacks
• Industry Email Threat Index
• Attack techniques
• Impersonated company brands and organizations
• Highlighted threat email campaigns

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

Email category	%
Rejected	78.25
Spam	15.75
Threat	3.91
AdvThreat	2.04
Content	0.04

The following histogram shows the email volume per category per day.

Methodology

The listed email categories correspond to those listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category	Description
Spam	These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content	These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat	These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat	Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected	Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails)	%
HTML	31.1
Archive	23.0
PDF	12.3
Word	10.2
Disk image files	8.2
Executable	4.2
Excel	3.7
Script file	3.2
Other	4.0

The following histogram shows the email volume per file type used in attacks per 7 days.

This month, HTML attachments have become the most commonly used file type in attacks with attachments. Excel macro documents are still in decline.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median).

Industries	Share of threat in threat and clean emails
Research industry	6.0
Media industry	4.9
Manufacturing industry	4.6
Mining and metal industry	4.6
Entertainment industry	4.2
Healthcare industry	4.1
Retail industry	4.1
Construction industry	4.1
Information technology industry	3.9
Utilities	3.8

The following bar chart visualizes the email-based threat posed to each industry.

With an Industry Email Threat Index of 6.0, the research industry remains at the top position. The education industry, which ranked 3rd last month, fell sharply from 4.3 to 3.8, thus not making the top 10 anymore. The mining and metal industry saw a significant increase from 3.4 to 4.6, making it enter the top 10 at place four from the previous month’s 14th place.

Overall the Email Threat Index across all industries increased compared to last month. This is expected as the summer month with summer holidays usually causes a drop in threat emails sent.

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack techniques used in attacks.

Attack technique	%
Phishing	26.3
URL	9.9
Advance-fee scam	6.1
Extortion	4.2
Executable in archive/disk-image	3.5
HTML	2.1
Impersonation	1.1
Maldoc	0.7
PDF	0.1
Other	46.2

The following histogram shows the email volume per attack technique used per hour.

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated brand or organization	%
Sparkasse	35.7
DHL	11.1
Amazon	7.1
Santander	3.9
Royal Bank of Canada	3.2
LinkedIn	2.3
Fedex	1.9
1&1	1.8
Postbank	1.7
Targobank	1.5
UPS	1.3
Microsoft	1.3
Commerzbank	1.2
HSBC	1.2
Intuit	1.1
American Express	1.0
Other	23.7

The following histogram shows the email volume for brands and organizations detected in impersonation attacks per hour.

Highlighted threat email campaigns

Around 2022-09-24, we observed a large-scale phishing campaign impersonating the Royal Bank of Canada.

Contents

In this monthly email threat review instalment, we present an overview of the email-based threats observed in August 2022 and compare them to the previous month’s threats.

The report provides insights into:

• Unwanted emails by category
• File types used in attacks
• Industry Email Threat Index
• Attack techniques
• Impersonated company brands and organizations

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

Email category	%
Rejected	81.01
Spam	14.03
Threat	3.29
AdvThreat	1.62
Content	0.04

The following histogram shows the email volume per category per day.

Methodology

The listed email categories correspond to those listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category	Description
Spam	These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content	These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat	These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat	Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected	Our email server rejects these emails directly during the SMTP dialogue because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File Types used in Attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails)	%
Word	26.1
HTML	22.2
Archive	20.7
PDF	12.5
Disk image files	7.2
Executable	4.2
Excel	4.0
Script file	0.7
Other	2.5

The following histogram shows the email volume per file type used in attacks per 7 days.

HTML attachments used in attacks increased further from 14.8% to 22.2%. As of last month, we attribute this increase to Microsoft’s recent changes to disable Macros in Microsoft Office documents by default. Excel files continued to decrease from 5.1% to 4.0%.

The increase in Word documents used in attacks from 5.1% to 26.1% can mainly be attributed to a malicious email campaign using an RTF attachment exploiting the CVE-2018-0798 vulnerability to distribute the Snake Keylogger malware. Most of the emails were sent to a minimal number of recipients, with several hundred thousand duplicate emails of this campaign being sent to each such recipient. All of which Hornetsecurity’s filters detected and quarantined, of course.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median).

Industries	Share of threat in threat and clean emails
Research industry	5.8
Transport industry	4.7
Education industry	4.3
Manufacturing industry	4.2
Entertainment industry	4.1
Media industry	4.1
Utilities	3.9
Retail industry	3.7
Healthcare industry	3.7
Construction industry	3.6

The following bar chart visualizes the email-based threat posed to each industry.

The overall Industry Email Threat Index increased slightly from last month. The research industry increased over-proportionally from 4.8% to 5.8%. Another significant increase could be measured in the education industry, which increased from 3.6% to 4.3%, from 8th to 3rd place.

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the per cent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these per cent values for all organizations within the same industry to form the industry’s final threat score.

Attack Techniques

The following table shows the attack techniques used in attacks.

Attack technique	%
Phishing	29.2
URL	11.4
Advance-fee scam	9.2
Extortion	5.0
Maldoc	3.6
Executable in archive/disk-image	3.6
HTML	2.2
Impersonation	1.1
PDF	0.7
Other	34.0

The following histogram shows the email volume per attack technique used per hour.

The spike in attacks using malicious documents (maldocs) can be attributed to the previously discussed emails using an RTF attachment exploiting the CVE-2018-0798 vulnerability to distribute the Snake Keylogger malware.

Impersonated Company Brands and Organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated brand or organization	%
Sparkasse	33.4
DHL	9.9
Amazon	8.8
Postbank	3.7
LinkedIn	3.3
UPS	3.1
HSBC	2.3
Dropbox	1.8
1&1	1.8
DocuSign	1.7
Strato	1.4
Santander	1.4
Intuit	1.3
Microsoft	1.3
Fedex	1.2
Other	23.6

The following histogram shows the email volume for brands and organizations detected in impersonation attacks per hour.

It’s a constant stream of phishing and other attacks impersonating big brands and organizations to entice recipients to open emails.

Executive Summary

• Qakbot is distributed via a complex infection chain using email conversation threat hijacking, HTML smuggling, and DLL side-loading. All techniques aim to bypass defense mechanisms.

 

Summary

In this monthly email threat review installment, we present an overview of the email-based threats observed in July 2022 and compare them to the previous month’s threats. The report provides insights into:

• Unwanted emails by category
• File types used in attacks
• Industry Email Threat Index
• Attack techniques
• Impersonated company brands and organizations
• Highlighted threat email campaigns

 

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

Email category	%
Rejected	82.11
Spam	13.42
Threat	3.02
AdvThreat	1.40
Content	0.05

The following histogram shows the email volume per category per day. The spike in rejected emails between 2022-07-17 and 2022-07-19 can be attributed to a sextortion scam spam campaign.  

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category	Description
Spam	These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content	These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat	These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat	Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected	Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails)	%
Archive	27.5
PDF	16.5
HTML	14.8
Disk image files	8.3
Executable	5.4
Excel	5.1
Word	5.1
Script file	0.8
Other	16.4

The following histogram shows the email volume per file type used in attacks per 7 days. The drop in Excel documents used in attacks from 14.4 % to 5.1 % can be attributed to attackers shifting tactics due to Microsoft’s measures to disable Excel 4.0 macros per default. The prominent malware distributed via malicious Excel 4.0 macros was QakBot and Emotet. QakBot switched to a complex infection chain using HTML smuggling and DLL side-loading, which we highlight later in this report.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median).

Industries	Share of threat in threat and clean emails
Research industry	4.8
Manufacturing industry	4.1
Transport industry	4.0
Mining industry	4.0
Utilities	3.8
Media industry	3.7
Information technology industry	3.6
Education industry	3.6
Agriculture industry	3.4
Construction industry	3.4

The following bar chart visualizes the email-based threat posed to each industry. While the research industry’s Email Threat Index fell from 7.2 to 4.8, it is still in the lead. However, it is now closer to the second most threatened manufacturing industry.

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack techniques used in attacks.

Attack technique	%
Phishing	29.4
URL	12.5
Advance-fee scam	9.4
Extortion	5.3
Executable in archive/disk-image	4.6
Maldoc	2.3
HTML	1.6
Impersonation	1.2
PDF	1.2
Other	32.4

The following histogram shows the email volume per attack technique used per hour.

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated brand or organization	%
Sparkasse	36.8
DHL	9.0
Amazon	6.7
LinkedIn	3.8
1&1	2.8
Postbank	2.8
Microsoft	2.4
Intuit	2.1
Mastercard	1.8
HSBC	1.5
American Express	1.5
DocuSign	1.5
UPS	1.3
Fedex	1.3
Strato	1.1
Volks- und Raiffeisenbank	0.9
Other	12.1

The following histogram shows the email volume for brands and organizations detected in impersonation attacks per hour. This month saw Intuit, best known for its TurboTax and QuickBooks tax and accounting software, rising from 13th to 8th place on our most impersonated company brand in phishing attacks.

Highlighted threat email campaigns

QakBot was distributed via a complex infection chain using HTML smuggling and DLL side-loading to evade detection. HTML smuggling uses HTML to bundle malicious content into one HTML attachment. Hornetsecurity has reported about HTML smuggling previously in the context of phishing in which the phishing website was fully contained in the HTML attachments.¹ In the observed QakBot campaign, the emails distributing malicious HTML files are used to deliver the QakBot malware onto the victim’s computer without the need for an additional download, as was the case in previous Excel document-based QakBot attacks.³ When received by the victim, the malware is built from the HTML code, making additional second-stage downloads unnecessary, giving organizations fewer opportunities to detect such malware infection. In addition to HTML smuggling, the campaigns use a chain of password-protected encrypted ZIP files containing an ISO file, an LNK file, two DLL files, and a legitimate calc.exe binary. The complete chain works as follows: First an email using email conversation thread hijacking² with an HTML attachment is received. The HTML attachment pretends to be an Adobe “Online Document”, immediately prompting the user for a download. The ZIP file download is facilitated via Javascript, with the ZIP file contents being encoded as base64 within the HTML document. This way, no additional network communication is triggered. Additionally, the HTML document displays the password needed to decrypt the ZIP file. The ZIP file contains an ISO image file, which includes two DLL files, an LNK file, and a legitimate calc.exe executable. The LNK file is used to launch the legitimate calc.exe from the path within the mounted ISO file. The calc.exe is then used to side-load one of the malicious DLLs (in the example seen in the screenshots named WindowsCodecs.dll). This first DLL is used to load the actual QakBot malware DLL (in the example seen in the screenshots named 102755.dll) via regsvr32.exe.

Methodology

Hornetsecurity observes thousands of threat email campaigns of varying threat actors ranging from unsophisticated low-effort attacks to highly complex obfuscated attack schemes. Our highlighting includes only a subset of those threat email campaigns.

References

• ¹ https://www.hornetsecurity.com/en/security-informationen-en/html-phishing-asking-for-the-password-twice/
• ² https://www.hornetsecurity.com/en/security-information/email-conversation-thread-hijacking/
• ³ https://www.hornetsecurity.com/en/threat-research/qakbot-distributed-by-xlsb-files/

Summary

In this monthly email threat review installment, we present an overview of the email-based threats observed in June 2022 and compare them to the previous month’s threats.

The report provides insights into:

• Unwanted emails by category
• File types used in attacks
• Industry Email Threat Index
• Attack techniques
• Impersonated company brands and organizations

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

Email category	%
Rejected	78.69
Spam	15.90
Threat	4.13
AdvThreat	1.23
Content	0.05

The following histogram shows the email volume per category per day.

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category	Description
Spam	These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content	These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat	These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes, such as phishing.
AdvThreat	Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected	Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

There are a few reasons why HTML, PDF, ZIP, and Excel files are often used in email attacks. One reason is that these files can be used to embed malicious code that can be executed when the file is opened. The victims can easily execute executable files, e.g., .exe files, without needing additional software, e.g., Microsoft Office. Another reason is that these files can be used to trick users into divulging sensitive information, such as passwords or credit card numbers. This is especially relevant for HTML files. Often phishers send HTML files, and when opened, they appear to be the login menu to banking sites. Finally, these files can be used to install, deploy and start malware on a victim’s computer.

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails)	%
Archive	35.6
HTML	18.5
Excel	14.4
PDF	12.6
Disk image files	5.5
Executable	5.0
Word	3.5
Other	4.9

The following histogram shows the email volume per file type used in attacks per 7 days.

Industry Email Threat Index

Attackers preferably target the research industry this month. The research industry is full of sensitive information. By successfully phishing key employees, attackers may get access to critical research details. Additionally, the research industry is often slow to adopt new security technologies due to budget constraints, making it easier for attackers to exploit vulnerabilities.

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median).

Industries	Share of threat in threat and clean emails
Research industry	7.2
Manufacturing industry	4.2
Transport industry	4.0
Automotive industry	3.9
Utilities	3.9
Information technology industry	3.8
Media industry	3.7
Mining industry	3.7
Retail industry	3.4
Agriculture industry	3.4

The following bar chart visualizes the email-based threat posed to each industry.

The threat index of the research industry remains elevated above 7.

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

Phishing dominates email attacks because it is a very effective way to trick people into giving away their personal information or clicking on malicious links. Phishing emails often look like they come from a legitimate source, such as a well-known company or website. They often contain urgent or alarming language that can trick people into taking action without thinking. Modern tools allow phishers to retrieve 2FA codes or session cookies from their victims to circumvent security.

The following table shows the attack techniques used in attacks.

Attack technique	%
Phishing	30.7
URL	11.5
Advance-fee scam	7.4
Executable in archive/disk-image	5.3
Extortion	4.1
Maldoc	3.4
HTML	2.3
Impersonation	1.3
PDF	0.3
Other	33.8

The following histogram shows the email volume per attack technique used per hour.

Impersonated company brands and organizations

Some of the most commonly impersonated brands in email phishing attacks are banks, credit card companies, shipping companies, and online retailers. These types of attacks usually involve the attacker sending an email that appears to be from a legitimate company, and asking the recipient to provide personal or financial information. In many cases, the email will contain a link that leads to a fake website that looks identical to the real website. The attacker then uses the information that is collected to commit fraud or identity theft.

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated brand or organization	%
Sparkasse	17.3
DHL	11.8
Amazon	11.3
1&1	4.6
Postbank	4.1
Microsoft	3.8
UPS	3.8
Volks- und Raiffeisenbank	3.3
LinkedIn	2.9
DocuSign	2.7
Other	34.4

The following histogram shows the email volume for brands and organizations detected in impersonation attacks per hour.

It’s a constant stream of phishing and other attacks impersonating big brands and organizations to entice recipients to open the emails.

Summary

In this monthly email threat review installment, we present an overview of the email-based threats observed in May 2022 and compare them to the previous month’s threats.

The report provides insights into:

• Unwanted emails by category
• File types used in attacks
• Industry Email Threat Index
• Attack techniques
• Impersonated company brands and organizations

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

Email category	%
Rejected	81.81
Spam	13.45
Threat	3.85
AdvThreat	0.85
Content	0.04

The following histogram shows the email volume per category per day.

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category	Description
Spam	These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content	These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat	These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat	Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected	Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails)	%
Archive	33.8
HTML	17.0
PDF	16.4
Excel	13.7
Executable	5.8
Other	5.6
Disk image files	4.7
Word	1.7
Script file	0.6
Email	0.4
LNK file	0.3

The following histogram shows the email volume per file type used in attacks per 7 days.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median).

Industries	Share of threat in threat and clean emails
Research industry	7.0
Manufacturing industry	4.4
Automotive industry	4.3
Media industry	4.0
Mining industry	4.0
Utilities	4.0
Education industry	3.8
Healthcare industry	3.7
Transport industry	3.7
Construction industry	3.6

The following bar chart visualizes the email-based threat posed to each industry.

 

This month saw an increased threat index for the research industry. Other industries display a slightly relaxed threat index compared to the previous month.

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack techniques used in attacks.

Attack technique	%
Phishing	40.0
URL	14.9
Advance-fee scam	7.8
Executable in archive/disk-image	4.3
Extortion	4.0
Impersonation	2.0
Maldoc	1.4
HTML	1.3
PDF	0.3
Other	23.9

The following histogram shows the email volume per attack technique used per hour.

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated brand or organization	%
Sparkasse	60.9
Amazon	7.6
DHL	5.6
UPS	2.1
Dropbox	1.6
Microsoft	1.5
Netflix	1.4
LinkedIn	1.4
Fedex	1.2
Volks- und Raiffeisenbank	1.1
1&1	1.0
Postbank	1.0
Other	13.6

The following histogram shows the email volume for brands and organizations detected in impersonation attacks per hour.

Although we observed some pauses in the ongoing Sparkasse phishing campaigns, Sparkasse still dominates our charts. Sparkasse is a German public bank.

Executive Summary

• Around 2022-04-07, an obtrusive malspam campaign spreading the Formbook malware using malicious Word documents exploiting CVE-2017-11882 made Word documents this month’s most used file format in attacks.
• On 2022-04-22, the Emotet botnet operators started using LNK files to spread via email. But at the end of the month, they switched back to XLS malicious documents.

Summary

In this installment of our monthly email threat review, we present an overview of the email-based threats observed in April 2022 and compare them to the previous month’s threats.

The report provides insights into:

• Unwanted emails by category
• File types used in attacks
• Industry Email Threat Index
• Attack techniques
• Impersonated company brands and organizations
• Highlighted threat email campaigns

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

Email category	%
Rejected	80.58
Spam	13.88
Threat	4.71
AdvThreat	0.81
Content	0.03

The following histogram shows the email volume per category per day.

The spike in rejected emails from 2022-04-07 to 2022-04-12 can be attributed to a large-scale sextortion email scam campaign in the German language.

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category	Description
Spam	These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content	These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat	These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes, such as phishing.
AdvThreat	Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected	Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails)	%
Word	47.2
Archive	19.0
PDF	11.5
HTML	9.2
Excel	6.1
Executable	2.6
Disk image files	2.4
Other	1.3
Script file	0.4
Email	0.1
LNK file	0.1

The following histogram shows the email volume per file type used in attacks per seven days.

The spike around 2022-04-07 can be attributed to a large and very obtrusive malspam campaign spreading the Formbook malware using malicious Word documents exploiting CVE-2017-11882.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median).

Industries	Share of threat in threat and clean emails
Manufacturing industry	5.3
Healthcare industry	5.2
Research industry	5.0
Automotive industry	4.9
Media industry	4.5
Education industry	4.3
Utilities	4.1
Construction industry	4.0
Professional service industry	3.9
Mining industry	3.9
Retail industry	3.8

The following bar chart visualizes the email-based threat posed to each industry.

The Top 3 industries in our email threat index remain unchanged. However, the research industry has fallen from 1st to 3rd place.

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack techniques used in attacks.

Attack technique	%
Phishing	37.7
Other	29.8
URL	9.8
Advance-fee scam	8.1
Maldoc	7.4
Extortion	2.9
Executable in archive/disk-image	2.8
Impersonation	1.6

The following histogram shows the email volume per attack technique used per hour.

The increase in maldocs (malicious documents) used can be attributed to the aforementioned large-scale Formbook campaign. The maldocs of the Formbook campaign can also be clearly seen in the data plot around 2022-04-07.

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated brand or organization	%
Sparkasse	77.3
Amazon	5.0
Other	7.2
LinkedIn	3.0
Postbank	2.2
Deutsche Post / DHL	2.0
Dropbox	1.1
Netflix	0.7
Microsoft	0.6
UPS	0.5
Fedex	0.4

The following histogram shows the email volume for company brands and organizations detected in impersonation attacks per hour.

The German bank Sparkasse continues as the most impersonated entity used in attacks.

Highlighted threat email campaigns

This month we want to highlight Emotet’s LNK file campaign. Emotet is malicious software that is used to steal personal information from infected computers. It is a type of Trojan horse that is spread through spam email messages. Emotet can also be used to install other types of malware on an infected computer, such as ransomware.

On 2022-04-22, the Emotet botnet operators started to use LNK files to spread the Emotet malware via emails. To this end, they replaced their previously used malicious XLS documents with an LNK file. LNK files are shortcuts that link to other files. However, these files can also inject commands into executable files. This can allow malware to be installed on the user’s computer without their knowledge. If a user receives a .lnk file from an untrusted source, they should not open it.

The emails containing Emotet’s malicious LNK files follow the same email conversation threat hijacking scheme as regular Emotet emails. The LNK malware was usually sent where the malicious XLS document would be placed, i.e., in some cases directly attached to the email but in others attached in a password-protected ZIP file with the password listed in the email.

The LNK files had different variations. All of them used Windows\system32\cmd.exe as the target file for the LNK. The command-line arguments of the LNK were then used to provide commands to cmd.exe to execute. In one variant, a VBS script was appended to the end of the LNK file, which was extracted via findstr and written to a .vbs file, and executed by the command line arguments in the LNK file.

Other variants used Powershell in the command line arguments of the LNK files to execute a download of the Emotet loader.

The following histogram shows the email volume for Emotet’s LNK email campaign per 3 hours, comparing it against its XLS campaign.

We assume that Emotet’s operators switched back to XLS files because their LNK files had a much higher detection rate across security vendors.