Executive Summary

  • This month, large scale phishing attacks against two German banking associations (Sparkasse and Volksbanken und Raiffeisenbanken)


In this installment of our monthly email threat review, we present an overview of the email-based threats observed in September 2021 and compare them to the previous month’s threats.

The report provides insights into:

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

Email category %
Rejected 80.83
Spam 14.15
Threat 4.07
AdvThreat 0.91
Content 0.03

The following time histogram shows the email volume per category per day.

Unwanted emails by category

The spike in rejected emails around 2021-09-23 can be attributed to a monthly reoccurring sextortion scam email campaign written in the German language that we observe each month.


The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes, such as phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails) %
HTML 37.2
Archive 28.8
PDF 11.3
Excel 6.4
Disk image files 4.6
Other 4.0
Word 3.7
Executable 3.5
Powerpoint 0.2
Script file 0.2

The following time histogram shows the email volume per file type used in attacks per 7 days.

File types used in attacks

We see the continuation of last month’s observation concerning the increase in HTML file attachments (.htm, .html, etc.) used in attacks. On closer analysis, the growth can be attributed to multiple campaigns using HTML files for phishing by having the phishing website attached directly to the email1 (thus circumventing URL filters). We already report on this technique in our blog.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails received (in median).

Industries Share of threat in threat and clean emails
Manufacturing industry 6.0
Research industry 5.7
Media industry 5.3
Healthcare industry 5.2
Automotive industry 5.1
Education industry 5.1
Transport industry 5.0
Construction industry 4.9
Mining industry 4.9
Retail industry 4.4

The following bar chart visualizes the email-based threat posed to each industry.

Hornetsecurity Industry Email Threat Index

We observe an overall increase in threat emails per clean email received for all industry sectors.


Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack techniques used in attacks.

Attack technique %
Other 39.0
Phishing 29.1
Impersonation 10.3
URL 10.0
Advance-fee scam 3.5
Extortion 3.1
Executable in archive/disk-image 3.1
Maldoc 1.9

The following time histogram shows the email volume per attack technique used per hour.

Attack techniques

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated brand or organization %
Sparkasse 19.7
Volks- und Raiffeisenbank 15.0
Deutsche Post / DHL 13.5
DocuSign 12.5
Other 11.3
Amazon 8.9
PayPal 4.6
LinkedIn 1.9
Microsoft 1.7
UPS 1.3
HSBC 1.1

The following histogram shows the email volume for company brands and organizations detected in impersonation attacks per hour.

Impersonated company brands

There is a significant increase in campaigns impersonating the German banks Sparkasse and Volks- und Raiffeisenbank. We detected multiple different phishing email campaigns targeting these two German banks.

One example phishing email impersonating Sparkasse:

Sparkasse Phishing

One example phishing email impersonating Volks- und Raiffeisenbank:

VR-Bank Phishing

In all variants of the large-scale campaigns, the banks allegedly changed their (security) processes and the user needs to log in to confirm the change to retain access to their bank account.


Threat actors continue to leak data stolen from ransomware victims to pressure them to pay for decrypting the files and not publishing sensible data. We observed the following number of leaks on ransomware leak sites:

Leak site Number of victim data leaks
Conti 40
LockBit 2.0 34
Pysa 15
Everest 8
Vice Society 7
Hive 5
REvil 5
RansomEXX 3
Lorenz 1

The following bar chart visualizes the number of victim data leaks per leak site.


On 2021-09-16, an unnamed law enforcement agency obtained the decryption keys for the REvil ransomware and BitDefender released a decryptor.

On 2021-09-21, the Department of the Treasury’s Office of Foreign Assets Control’s (OFAC) added SUEX OTC, S.R.O. (SUEX), a virtual currency exchange, to its OFAC sanction list for its part in facilitating financial transactions for ransomware actors. Analysis of known SUEX transactions shows that over 40% of SUEX’s known transaction history is associated with illicit actors related to ransomware.2

This month LockBit 2.0 added a DDOS protection CAPTCHA to their site.

LockBit 2.0 DDOS protection

Cl0p ransomware has also added a CAPTCHA to their leak site, preventing automatic monitoring of announcements.