Summary

In this monthly email threat review installment, we present an overview of the email-based threats observed in October 2022 and compare them to the previous month’s threats. The report provides insights into the following:

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.
Email category %
Rejected 78.73
Spam 15.41
Threat 4.17
AdvThreat 1.64
Content 0.05
The following histogram shows the email volume per category per day.

Methodology

The listed email categories correspond to those listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:
Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.
File type (used in malicious emails) %
HTML 27.8
Archive 24.9
PDF 16.6
Disk image files 7.9
Excel 6.5
Executable 5.0
Word 4.4
Script file 0.9
Other 5.9
The following histogram shows the email volume per file type used in attacks per 7 days.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median).
Industries Share of threat in threat and clean emails
Mining and metal industry 4.5
Manufacturing industry 4.0
Healthcare industry 3.9
Automotive industry 3.8
Research industry 3.7
Transport industry 3.6
Media industry 3.6
Utilities 3.5
Entertainment industry 3.4
Information technology industry 3.4
The following bar chart visualizes the email-based threat posed to each industry.

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack techniques used in attacks.
Attack technique %
Phishing 27.8
URL 10.8
Advance-fee scam 7.1
Executable in archive/disk-image 3.8
Extortion 3.5
HTML 2.3
Impersonation 1.0
Maldoc 0.8
PDF 0.1
Other 42.7
The following histogram shows the email volume per attack technique used per hour.

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.
Impersonated brand or organization %
Sparkasse 29.8
DHL 14.3
Amazon 12.7
Metamask 2.5
Santander 2.4
LinkedIn 2.1
Microsoft 2.1
Intuit 1.7
1&1 1.7
PayPal 1.3
Strato 1.2
Mastercard 1.2
Fedex 1.2
American Express 1.1
UPS 1.1
Barclays Bank 1.0
Royal Bank of Canada 1.0
HSBC 1.0
Other 20.6
The following histogram shows the email volume for brands and organizations detected in impersonation attacks per hour. This month we detected several phishing emails impersonating MetaMask (a software cryptocurrency wallet used to interact with the Ethereum blockchain). On 2022-10-31, the most extensive detected campaign impersonating MetaMask. MetaMask thus enters this month’s top impersonated brands ranking in 4th place.

Highlighted threat email campaign

This month the threat actors distributing the QakBot malware via email conversation thread hijacking attacks started to alter the subjects of the stolen emails they send replies to. We believe this is done to impede analysis. In an email conversation thread hijacking attack, the threat actors steal emails from victims and then reply to these emails with the original email conversation and subject being quoted in the fake reply email. These emails are often hard to spot in legitimate email traffic because they use legitimate email subjects and stolen content. However, if the attackers use the same stolen email multiple times for such reply attacks, an administrator in an attacked company could find other attack emails by searching for the same subject. To prevent this, the threat actors behind the QakBot malware campaign with bot ID BBxx started to insert repeat characters in their stolen email subjects. In the following examples, we see emails whose original subject was Erinnerung (the German word for Reminder). The actors used this stolen email to form multiple attack emails by changing the subject to Erinnerrunng, Erinnneerrungg, and Erinnnerruung by randomly doubling characters in the subject. The lower part in each email is quoted from the original stolen email and is not altered like the subject.