Email Threat Landscape for Q1 and Q2 of 2022 (2024)

VIPRE Labs

Email is still one of the attack vectors threat actors use most to deliver malicious files and to lure unsuspecting victims into handing over sensitive information. Of all the emails we received in Q1 and Q2 of 2022, 98% were verified spam.

Figure 1.0 Majority of the emails received are spam

In Q1 of 2022, VIPRE Security received more spam submissions than in Q2, and March 2022 was the month with the highest number of spam emails. Contributing to this number was the rise of mal-spam emails that password-protect their attachments and host their links on cloud storage. A detailed analysis of these mal-spam emails follows below.

Upon analysis, the largest category of spam we received was scam-related emails (47%), followed by commercial spam (31%), phishing emails (18%), and mal-spam emails (4%).

Figure 2.0 Received Spam Emails from Q1 and Q2 of 2022

Figure 3.0 Categorized Spam Types

Based on the spam emails that we’ve analyzed, most of them originate from IPs based in Russia.

The Analysis of the Spam Emails

BEC is Still on Top for Scam Related Emails
Figure 4.0 Categorized Scam Types

The majority of the scam emails we received are classified as Business Email Compromise, or BEC (32%). BEC is currently the most widespread cyberattack against financial organizations. The tactic is to pose as a high-level executive or trusted customer and, with a spoofed email, trick the victim into conducting a wire transfer or handing over sensitive data. Some BEC attacks target specific victims within an organization.

Example of BEC received from Q1 and Q2:
Figure 5.0 BEC examples

As we can see in the above examples, the threat actors compose the BEC emails to look as legitimate as possible by:

  • Posing as a CEO.
  • Starting their conversation with “are you available/free”, “send me your cell phone number”, or any phrase that is not suspicious at first.
  • Not making the email urgent.

Once the victim replies, the attacker attempts to manipulate them into conducting a money transfer.

Below is an example of a BEC email thread where the victim has replied:
Figure 6.0 Victim replied to BEC

As with ordinary scam emails, the BEC email’s header is noticeably forged:
Figure 7.0 Forged email header

Utilizing Newly Registered Domain

Another tactic we observed is that threat actors use newly registered domains (NRD) to deliver their spam emails. These domains have mostly been registered within the last 30-60 days, and some are active for only a few hours or a couple of days. Threat actors send spam from newly registered domains because it can bypass spam filters that check the reputation of the email’s source: since the domain is newly registered, little information or reputation data exists for it.
Figure 8.0 Percentage of spam emails that use NRD

Analyzing all the spam emails from Q1 and Q2 of 2022, 40% of the total spam received used an NRD, most often in commercial spam (47%). The spam types that cause direct harm to organizations also used newly registered domains: mal-spam (11%), phishing emails (25%), and scam emails (17%).
Figure 9.0 Percentage of spam types that use NRD

Examples of spam emails that use NRD:
Figure 10.0 Example of spam emails that use NRD
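The BEC signals described above (executive display name on an external sender, a Reply-To pointing elsewhere, the "are you available" style opener) and the newly registered domain check can be combined into one triage pass over a raw message. This is an added example, not VIPRE's tooling; the executive list, organisation domain, lure phrases, sample message and the domain registration dates are constructed assumptions, and in practice the dates would come from a WHOIS/RDAP lookup.

```python
from datetime import date
from email import message_from_string
from email.utils import parseaddr

EXECUTIVES = {"jane doe"}            # assumed display names to protect
OUR_DOMAIN = "example.com"           # assumed organisation domain
LURES = ("are you available", "are you free", "send me your cell phone number")
NRD_DAYS = 60                        # age below which a domain counts as newly registered
# Assumed registration dates; in practice these come from a WHOIS/RDAP lookup.
REGISTERED = {"jd-exec-mail.com": date(2022, 3, 1), "example.com": date(2005, 6, 1)}

def domain_of(header_value):
    """Lower-cased domain part of the first address in a header, or ''."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def body_text(msg):
    """Concatenated text/plain content of a message (multipart or not)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return " ".join(p.get_payload(decode=True).decode(errors="replace")
                    for p in parts if p.get_content_type() == "text/plain")

def triage(raw, today):
    """Return the list of BEC/NRD findings for one raw message; today is ISO 'YYYY-MM-DD'."""
    msg = message_from_string(raw)
    display_name = parseaddr(msg.get("From", ""))[0].lower()
    sender = domain_of(msg.get("From", ""))
    reply_to = domain_of(msg.get("Reply-To", "")) or sender
    findings = []
    if display_name in EXECUTIVES and sender != OUR_DOMAIN:
        findings.append("executive display name sent from an external domain")
    if reply_to != sender:
        findings.append("Reply-To domain differs from From domain")
    if any(lure in body_text(msg).lower() for lure in LURES):
        findings.append("BEC opener phrase in body")
    registered = REGISTERED.get(sender)
    if registered is not None:
        age = (date.fromisoformat(today) - registered).days
        if age <= NRD_DAYS:
            findings.append(f"sender domain registered {age} days ago")
    return findings

# Constructed sample modelled on the BEC openers quoted in the report.
SAMPLE = """From: Jane Doe <ceo@jd-exec-mail.com>
Reply-To: jane.doe.office@webmail-example.net
To: staff@example.com
Subject: Quick question

Are you available? Send me your cell phone number.
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE, "2022-03-15"):
        print("-", finding)
```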

Phishing and MalSpam Report: HTML Smuggling, QBot, and Many More

For all the phishing emails that we received from Q1 and Q2, we found that Microsoft is the top brand used for phishing.

Also, 51% of the total phishing emails used links in the phishing content, and 49% used phishing attachments.
Figure 12.0 Percentage of phishing link vs phishing attachment

Phishing Links:

The phishing URLs/links we found consisted of:

  • compromised websites
  • newly created/registered URLs to phish
  • a technique called “subdomain cybersquatting”.

Cybersquatting is a technique in which threat actors make their domain name appear safe by including legitimate brands or well-known website names in it, confusing the victim. Threat actors can apply this technique in the URL’s subdomain or in the top-level domain (TLD). In the example below, the URL pretends to be from Outlook by cybersquatting the subdomain:
Figure 13.0 Example of phishing email that used subdomain cybersquatting

When users encounter the name “outlook” (or any other known brand, such as Facebook or Google) in the URL, most will immediately trust it.
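A URL check for the subdomain and TLD cybersquatting just described: split the host into registered domain and subdomain labels, then flag a brand name that appears outside the brand's own domains. Added example, not from the report; the brand table and the short public-suffix set are constructed assumptions (a real tool should use the full Public Suffix List, e.g. via the tldextract package).

```python
from urllib.parse import urlsplit

# Assumed brand -> domains that genuinely belong to the brand.
BRANDS = {
    "outlook": {"outlook.com", "live.com"},
    "google": {"google.com"},
    "facebook": {"facebook.com"},
}
# Assumed multi-label public suffixes; incomplete on purpose, see lead-in.
MULTI_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.co"}

def split_host(host):
    """Return (registered_domain, [subdomain labels]) for a hostname."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_SUFFIXES else 2
    return ".".join(labels[-n:]), labels[:-n]

def check_url(url):
    """Return a finding string if a brand name is squatted in the URL, else None."""
    host = urlsplit(url).hostname or ""
    registered, subs = split_host(host)
    for brand, legit in BRANDS.items():
        if registered in legit:
            return None                     # the brand's own domain
        if any(brand in label for label in subs):
            return f"brand '{brand}' in subdomain of unrelated domain {registered}"
        if brand in registered:
            return f"brand '{brand}' inside look-alike registered domain {registered}"
    return None

if __name__ == "__main__":
    for u in ("https://outlook.live.com/owa/", "http://outlook.secure-mail-login.net/signin",
              "https://outlook.com.co/login", "https://www.google.com/"):
        print(u, "->", check_url(u))
```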

Phishing Attachments:

Figure 14.0 Percentage of the phishing attachments

For the phishing attachments, we found that the majority are HTML/HTM files and that 90% of these files are related to HTML smuggling. This technique delivers a malicious payload or another phishing page by using HTML5 features and JavaScript. Usually the threat actors hide their payload inside the HTML file as a base64-encoded string, then use the JavaScript Blob API and other JavaScript features to assemble the phishing website or malicious file on the victim’s computer.

An example of a phishing email we received that uses HTML smuggling in its attachment is shown below; a detailed analysis can be found in “Unveil the Latest Spear-Phishing Campaign Leveraging HTML Smuggling”:
Figure 15.0 Example of a phishing email with an .html attachment that used HTML smuggling
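A static check for the smuggling pattern described above: look for the script constructs that turn an embedded base64 string into a file (atob, Blob, createObjectURL, a download attribute) together with a long base64 run that really decodes. This is an added example, not VIPRE's detection logic; the indicator list, the 200-character threshold and the sample attachment (with a harmless 300-byte stand-in payload) are constructed.

```python
import base64
import re

# Script constructs the smuggling pattern needs in order to turn an embedded
# string into a file on disk; each one present adds a hit.
INDICATORS = [
    ("atob(", "base64 decode in script"),
    ("new Blob(", "Blob construction"),
    ("createObjectURL(", "object URL created for the blob"),
    (".download", "forced download attribute"),
    ("msSaveOrOpenBlob", "legacy IE download path"),
]
# Assumed threshold: a base64 run of at least 200 characters.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

def scan_html(html, min_hits=2):
    """Return {'suspicious': bool, 'hits': [...]} for one HTML attachment."""
    hits = [label for token, label in INDICATORS if token in html]
    for run in B64_RUN.findall(html):
        try:
            base64.b64decode(run, validate=True)  # only count runs that really decode
        except ValueError:
            continue
        hits.append(f"embedded base64 payload ({len(run)} chars)")
        break
    return {"suspicious": len(hits) >= min_hits, "hits": hits}

# Constructed sample: a harmless 300-byte stand-in for the smuggled file.
PAYLOAD_B64 = base64.b64encode(b"MZ" + b"\x00" * 298).decode()
SMUGGLING_HTML = f"""<html><body><script>
var data = atob("{PAYLOAD_B64}");
var bytes = new Uint8Array(data.length);
for (var i = 0; i < data.length; i++) bytes[i] = data.charCodeAt(i);
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = window.URL.createObjectURL(blob);
a.download = "invoice.iso";
a.click();
</script></body></html>"""
BENIGN_HTML = "<html><body><p>Thank you for your order.</p></body></html>"

if __name__ == "__main__":
    print(scan_html(SMUGGLING_HTML))
    print(scan_html(BENIGN_HTML))
```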

We also found that 12% of the total phishing attachments received were .eml files. These are not common phishing attachments like .HTML or .PDF. Threat actors use .eml files to hide and deliver phishing links/files, as they can also bypass email gateways.

Here is an example of a phishing email containing a .eml as an attachment:
Figure 17.0 Example of phishing email containing an .eml attachment
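Gateways that only inspect the top-level message miss links carried inside an attached .eml; the walker below descends into every message/rfc822 part and reports links and attachments with their nesting depth. Added example, not from the report; the two-level sample message (a bland cover note wrapping a phishing .eml) is constructed, and the link domain is a placeholder.

```python
import re
from email import message_from_string
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def inspect(msg, depth=0, out=None):
    """Collect (depth, kind, value) for every link and attachment, descending into .eml parts."""
    out = [] if out is None else out
    ctype = msg.get_content_type()
    if ctype == "message/rfc822":
        # the attached .eml: record it, then inspect its contents one level deeper
        out.append((depth, "attachment", msg.get_filename() or "unnamed.eml"))
        for inner in msg.get_payload():
            inspect(inner, depth + 1, out)
    elif msg.is_multipart():
        for part in msg.get_payload():
            inspect(part, depth, out)
    elif ctype in ("text/plain", "text/html"):
        text = msg.get_payload(decode=True).decode(errors="replace")
        for url in URL_RE.findall(text):
            out.append((depth, "url", url))
    elif msg.get_filename():
        out.append((depth, "attachment", msg.get_filename()))
    return out

def build_sample():
    """Constructed message: a bland cover note carrying a phishing .eml (placeholder link)."""
    inner = MIMEMultipart()
    inner["Subject"] = "Your mailbox is full"
    inner.attach(MIMEText('<a href="http://login.example.invalid/owa">Fix now</a>', "html"))
    outer = MIMEMultipart()
    outer["Subject"] = "FW: notice"
    outer.attach(MIMEText("Please see the attached message.", "plain"))
    wrapper = MIMEMessage(inner)
    wrapper.add_header("Content-Disposition", "attachment", filename="notice.eml")
    outer.attach(wrapper)
    return message_from_string(outer.as_string())   # round-trip through raw text

if __name__ == "__main__":
    for depth, kind, value in inspect(build_sample()):
        print("  " * depth + f"{kind}: {value}")
```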

Mal-spam Emails

The mal-spam emails we received mostly use a compromised email thread to make the message look like a legitimate conversation. We found that the threat actors use cloud storage such as OneDrive to deliver malware and password-protected zip files, which keeps the attack from being detected by anti-virus applications.
Figure 18.0 Example 1 of mal-spam email using compromised email thread

Figure 19.0 Example 2 of mal-spam email using compromised email thread

The majority of the malware extracted from all the mal-spam is related to QBot, or Qakbot. This malware is known as a banking trojan that steals banking-related data and credentials, and as of today it keeps evolving and adding new features to its arsenal. VIPRE Security has other analyses related to QBot, which you can find here: Qbot Packed in ISO with DLL Side Loading and QBot Excels: Qakbot (Banking Trojan) Found in a Fake Email Thread’s Attachment

VIPRE Security protects customers from spam, malware, and other associated infections across all builds of VIPRE. VIPRE uses advanced process protection and machine learning to defend against the latest threats attempting to penetrate businesses worldwide. Using state-of-the-art technology, VIPRE’s engine protects customers 24×7, no matter where they reside.

Analysis by #Farrallel
