Executive Summary

  • Hornetsecurity registered an increase in threat emails during February 2022.
  • URL-based email and phishing attacks continue to be significant.
  • With 47.1 % of impersonated brands, LinkedIn has been the most impersonated brand in ongoing phishing campaigns.


In this installment of our monthly email threat review, we present an overview of the email-based threats observed in February 2022 and compare them to the previous month’s threats.

The report provides insights into:

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

Email category %
Rejected 79.77
Spam 14.20
Threat 5.13
AdvThreat 0.87
Content 0.03

The following time histogram shows the email volume per category per day.

Unwanted emails by category

The spike in rejected emails starting on 2022-02-16 can be attributed to a large-scale reoccurring sextortion email scam campaign in the German language. This campaign then transitioned to the Dutch language on 2022-02-24. Parallel to these campaigns, we also registered more threat emails.


The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes, such as phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails) %
HTML 33.6
Archive 29.0
Excel 12.4
PDF 9.9
Disk image files 4.6
Executable 3.7
Other 3.5
Word 2.9
Script file 0.3
LNK file 0.1
Email 0.0
Powerpoint 0.0

The following histogram shows the email volume per file type used in attacks per seven days.

File types used in attacks

There has been a decline in email attacks using HTML documents for either payload delivery or credential phishing compared to previous ones. Instead, attacks using archive files, e.g., ZIP documents, to encapsulate malicious script files and other executables were on the rise. The increase of malicious Excel documents from 10 % to 12.4 % can be attributed to Emotet activity, which currently uses malicious Excel documents as an infection vector.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median).

Industries Share of threat in threat and clean emails
Research industry 10.5
Entertainment industry 7.3
Healthcare industry 7.3
Education industry 7.0
Hospitality industry 6.9
Manufacturing industry 6.7
Media industry 6.6
Automotive industry 6.6
Retail industry 6.1
Utilities 5.6

The following bar chart visualizes the email-based threat posed to each industry.

Hornetsecurity Industry Email Threat Index

Overall our email threat index increased over all industries. The top four industries’ positions remain unchanged. However, the threat index of the research industry rose the most out of all the observed industries. While the threat index of the research industry increased from 6.8 % to 10.5 %, the threat index of the entertainment industry only rose from 6.4 % to 7.3 %. The threat index of the healthcare industry increased from 5.3 % to 7.3 %.


Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack techniques used in attacks.

Attack technique %
Phishing 48.4
Other 32.0
URL 10.6
Extortion 2.3
Advance-fee scam 2.2
Executable in archive/disk-image 1.9
Impersonation 1.8
Maldoc 0.8
LNK 0.0

The following histogram shows the email volume per attack technique used per hour.

Attack techniques

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated brand or organization %
LinkedIn 47.1
Volks- und Raiffeisenbank 24.4
Sparkasse 9.2
Amazon 5.2
Fedex 4.1
Deutsche Post / DHL 2.2
Postbank 0.6
UPS 0.4
Microsoft 0.4
Other 6.4

The following histogram shows the email volume for company brands and organizations detected in impersonation attacks per hour.

Impersonated company brands

LinkedIn was impersonated in several phishing campaigns this month.

LinkedIn phishing email

Additionally, we detected the continuation of the phishing campaigns against German banks, namely Volks- und Raiffeisenbank, Sparkasse, and Postbank.