In this installment of our monthly email threat review, we present an overview of the email-based threats observed in December 2021 and compare them to the previous month’s threats.

The report provides insights into:

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

Email category %
Rejected 80.70
Spam 14.27
Threat 4.15
AdvThreat 0.84
Content 0.04

The following time histogram shows the email volume per category per day.

Unwanted emails by category

Readers of our previous reports likely already guessed that the spike in rejected emails at the start of December can be attributed to a large-scale monthly re-occurring sextortion scam spam campaign targeting German-speaking victims.


The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes, such as phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails) %
Archive 28.8
HTML 22.8
PDF 18.5
Excel 11.8
Disk image files 4.8
Other 4.4
Executable 4.4
Word 3.6
Email 0.7
Script file 0.2

The distribution of file types in attacks using attachments is virtually the same as in previous months.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails received (in median).

Industries Share of threat in threat and clean emails
Manufacturing industry 4.8
Media industry 4.6
Education industry 4.3
Research industry 4.1
Mining industry 4.1
Healthcare industry 4.0
Agriculture industry 3.9
Automotive industry 3.9
Hospitality industry 3.7
Entertainment industry 3.5

The following bar chart visualizes the email-based threat posed to each industry.

Hornetsecurity Industry Email Threat Index

The research industry threat index has dropped from 6.0 to 4.1. Further, the Hospitality industry made it into the top 10. This is likely due to targeting criminals who know that other industries will have reduced email traffic due to the holidays, making it harder for threat emails to blend in, while the hospitality industry (hotels, restaurants, etc.) has increased business over the holidays.


Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack techniques used in attacks.

Attack technique %
Phishing 49.2
Other 31.4
URL 7.3
Extortion 3.3
Impersonation 3.0
Advance-fee scam 2.5
Executable in archive/disk-image 2.5
Maldoc 0.8
LNK 0.0

The following histogram shows the email volume per attack technique used per hour.

Attack techniques

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated brand or organization %
Sparkasse 50.1
Volks- und Raiffeisenbank 24.0
Amazon 5.2
Postbank 4.2
Other 3.8
Deutsche Post / DHL 3.6
PayPal 1.5
DocuSign 1.0
LinkedIn 0.9
Microsoft 0.8
1&1 0.7

The following histogram shows the email volume for company brands and organizations detected in impersonation attacks per hour.

Impersonated company brands

On 2021-12-05, the long-running large-scale phishing campaign against the two German banking associations, Sparkasse and Volks- und Raiffeisenbanken also targeted the German Postbank. The emails use the same lure as the campaigns we previously reported on. The user is informed about an alleged change at the bank concerning the European Payment Services Directive 2 (PSD2). The user is requested to review and confirm the changes to their data.

Postbank phishing

Emotet Christmas campaign

Emotet is known for sending campaigns for specific seasonal events. We previously reported on Emotet’s Halloween campaign. Emotet also sent threat emails this Christmas.

The emails were very primitive and only featured one link.

Emotet Christmas email

As usual, the link in the email downloads an Office document which malicious macro code downloads and executes the Emotet malware.