Executive Summary

  • This month, we saw a continuation of the large scale phishing attack against German banks that started at the end of last month.


In this installment of our monthly email threat review, we present an overview of the email-based threats observed in October 2021 and compare them to the previous month’s threats.

The report provides insights into:

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

Email category %
Rejected 80.92
Spam 13.50
Threat 4.68
AdvThreat 0.86
Content 0.03

The following time histogram shows the email volume per category per day.

Unwanted emails by category

The large spike in unwanted emails, around 2021-10-26, can be attributed to a monthly reoccurring sextortion scam email campaign.


The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes, such as phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails) %
HTML 37.3
Archive 25.8
PDF 13.1
Excel 7.0
Disk image files 5.2
Other 4.2
Executable 3.4
Word 3.3
Powerpoint 0.4
Script file 0.1

Other file types not individually listed are email files (forwarded as .eml attachments), Windows desktop shortcut files (.lnk), Internet shortcut files (.url), Java Archive files (.jar), iCalendar files (.ics), vCard Files (.vcf), e-book file formats (.epub, .mobi), and many other even more exotic file formats. These are combined under “Other”.

The following time histogram shows the email volume per file type used in attacks per 7 days.

File types used in attacks

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails received (in median).

Industries Share of threat in threat and clean emails
Education industry 5.6
Healthcare industry 5.6
Manufacturing industry 5.5
Research industry 5.4
Automotive industry 4.8
Media industry 4.7
Construction industry 4.6
Utilities 4.4
Mining industry 4.1
Transport industry 4.0

The following bar chart visualizes the email-based threat posed to each industry.

Hornetsecurity Industry Email Threat Index


Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated brand or organization %
Sparkasse 47.4
Volks- und Raiffeisenbank 17.7
Other 6.9
Deutsche Post / DHL 5.8
Amazon 5.4
DocuSign 4.4
PayPal 2.4
UPS 2.1
LinkedIn 1.5
Fedex 1.5

The following histogram shows the email volume for company brands and organizations detected in impersonation attacks per hour.

Impersonated company brands

Here we see the continued impersonation of two German banking associations to spread phishing.


Threat actors continue to leak data stolen from ransomware victims to pressure them to pay for decrypting the files and not publishing sensible data. Our automated monitoring observed the following number of leaks on ransomware leak sites (not protected by CAPTCHAS):

Leak site Number of victim data leaks
Conti 65
Blackmatter 44
Pysa 27
Hive 8
Cuba 7
LV 6
REvil 4
Vice Society 4
Everest 3
Atomsilo 2
Bonaci 2
Xing Team 2
RansomEXX 1

The following bar chart visualizes the number of victim data leaks per leak site.


We add the following ransomware leak sites to our monitoring:

  • Atomsilo

Atomsilo leak site

  • Blackmatter

Blackmatter leak site

  • Bonaci

Bonaci leak site

On 2021-10-04, Europol announced two arrests and seven property searches in Ukraine in relation to a ransomware gang. Europol did not name the ransomware gang.1

On 2021-10-26, Europol announced action against 12 criminals involved with LockerGoga, MegaCortex and Dharma ransomware, among others.2

On 2021-10-29, the US Justice Department announced the extradition of a Russian national from South Korea to the US for its alleged role in Trickbot malware development and deployment.3