A Look at the Email Threat Landscape in Q1 2023

Social engineering scams are one of the most pervasive and enduring attack techniques. From the most rudimentary phishing emails riddled with spelling mistakes to sophisticated, personalized business email compromise (BEC) attacks, email plays a central role in the social engineering threat landscape.

VIPRE recently released its Email Threat Trends Report for Q1 2023, which analyzed 1.8 billion emails to provide the cybersecurity industry with a comprehensive understanding of contemporary email threats. This article will break down some of the key findings from that report.


Phishing

Phishing has long been a favored technique for cybercriminals looking to capitalize on users' lack of security awareness, and VIPRE's report reflects its enduring popularity. Of the roughly 220,000 spam emails identified, phishing was the largest category after ordinary spam: 28% of all spam emails belonged to phishing campaigns.

The lion's share of spam (76%) and phishing (94%) emails was sent from the United States. This figure reflects where the sending infrastructure sits rather than where the attackers are: the U.S. hosts most of the world's data centers, so a campaign run from elsewhere through U.S.-hosted servers still shows up as U.S.-origin, and the sending location alone cannot tell us the true source.

It was Europe, not the United States, that received the most phishing emails in Q1 2023. The UK was hit harder than the rest of Europe, perhaps because opportunistic cybercriminals were trying to capitalize on the media attention in the lead-up to the coronation of King Charles III.

Unsurprisingly, financial institutions were the primary target of phishing and malspam emails (25%), closely followed by health care (22%) and educational (15%) institutions.

Most phishing emails used language evoking urgency so that users would click links or open attachments without stopping to consider whether they might be malicious. Others mimicked a service the recipient already uses so that the lure blends in with expected traffic; a spoofed WeTransfer download link is a typical example. Of all impersonated brands, Microsoft came out firmly on top: cybercriminals sent spoofed Microsoft emails three times more often than those imitating other top brands such as Apple, DHL or WeTransfer.

Cybercriminals masqueraded as everything from Microsoft file-sharing notifications (delivered as a link) to voicemail notifications (delivered as an attachment), and included Microsoft branding in spoof emails to fool unsuspecting users. As in last year's report, cybercriminals favored the ".com" top-level domain (TLD); the next most popular TLDs, ".ca" and ".net", accounted for only one-fourteenth of the total share. Note, however, that phishers increasingly resorted to country-code TLDs in Q1 2023.

Malicious Links Vs. Attachments

Email threats typically use either a malicious link or a malicious attachment to get malware onto the victim's machine or network. A malicious link sends the victim to a malicious or compromised website; a malicious attachment carries the payload itself and installs malware once the victim opens it.

Cybercriminals heavily favored malicious links over attachments in Q1 2023: of the 61,600 phishing emails identified, 77% used malicious links, while only 23% carried malicious attachments.

Most malicious links led to compromised websites. Tactics included injecting malicious scripts into forms on the site (injection attacks), downloading a malware agent automatically as soon as the link was opened (drive-by download), and swapping legitimate hyperlinks on the page for malicious ones.

As for malicious attachments, cybercriminals favored ".html" files, which accounted for 88% of all malicious attachments. HTML attachments can carry arbitrary JavaScript, which is easy to obfuscate, and they open in the recipient's browser rather than in a separate application, which makes detection and attribution more difficult. Cybercriminals also favored spoofed "invoice" attachments to fool their victims.

Overall, however, the share of malicious emails using an attachment fell dramatically from last year, from 49% to 23%. Also of note is threat actors' habit of hiding the payload inside an HTML file: the file is base64-encoded into a string in the page, and JavaScript Blob objects and related browser features reassemble it into a downloadable file on the victim's computer, a technique commonly known as HTML smuggling. Because the malicious file never crosses the network as a file, attachment scanning and download filtering at the gateway see only a text document.
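To make the HTML smuggling pattern concrete, here is an added example (not code from the VIPRE report or from any of the attacks it describes) of a static triage check a mail gateway or analyst could run over an ".html" attachment. It looks for the browser APIs that reassemble a file client-side, pulls out long base64 literals, decodes them and identifies the embedded payload by its magic bytes. The sample attachment, the marker list and the thresholds are constructed for the example; the "payload" is a harmless string with a ZIP header prepended, not a real archive.

```javascript
// Added example: static triage heuristic for HTML-smuggling attachments.
// Runs under Node.js; Buffer is a Node global. Sample data is constructed.

// Browser features the smuggling script needs in order to turn a base64
// string into a downloadable file. Names are assumptions for this example.
const MARKERS = [
  { name: 'atob', re: /\batob\s*\(/ },
  { name: 'Blob', re: /\bnew\s+Blob\s*\(/ },
  { name: 'createObjectURL', re: /URL\.createObjectURL\s*\(/ },
  { name: 'download-attribute', re: /\.download\s*=/ },
  { name: 'msSaveOrOpenBlob', re: /msSaveOrOpenBlob/ },
];

// Quoted base64 runs of 64+ characters; shorter literals (tokens, tiny
// inline images) are common in benign mail and would only add noise.
const BASE64_LITERAL = /["'`]([A-Za-z0-9+\/]{64,}={0,2})["'`]/g;

// Identify the decoded payload by its leading magic bytes.
function identifyPayload(buf) {
  const head = buf.subarray(0, 4);
  if (head.length >= 2 && head[0] === 0x4d && head[1] === 0x5a) return 'PE executable (MZ)';
  if (head.length >= 4 && head[0] === 0x50 && head[1] === 0x4b &&
      head[2] === 0x03 && head[3] === 0x04) return 'ZIP archive (PK)';
  if (head.toString('latin1') === '%PDF') return 'PDF document';
  if (head[0] === 0x7f && head.subarray(1, 4).toString('latin1') === 'ELF') return 'ELF executable';
  return 'unknown';
}

// Scan one HTML attachment and return the markers hit, the decoded blobs and
// a verdict. Assembly APIs plus an embedded binary is the smuggling
// signature; a file showing only one of the two is queued for review.
function analyzeHtml(html) {
  const markers = MARKERS.filter(m => m.re.test(html)).map(m => m.name);
  const blobs = [];
  for (const match of html.matchAll(BASE64_LITERAL)) {
    const decoded = Buffer.from(match[1], 'base64');
    blobs.push({
      encodedLength: match[1].length,
      decodedLength: decoded.length,
      fileType: identifyPayload(decoded),
    });
  }
  let verdict = 'clean';
  if (markers.length >= 2 && blobs.length > 0) verdict = 'suspicious';
  else if (markers.length > 0 || blobs.length > 0) verdict = 'review';
  return { markers, blobs, verdict };
}

// Constructed sample: a fake voicemail notice whose script decodes a base64
// string into a Blob and triggers a download of "VoiceMessage.zip".
const FAKE_PAYLOAD = Buffer.concat([
  Buffer.from([0x50, 0x4b, 0x03, 0x04]), // ZIP local-file header magic
  Buffer.from('constructed example payload, not a real archive'),
]);

const SAMPLE_HTML = `<html><body>
<p>You have a new voice message. Download to listen.</p>
<script>
  var data = "${FAKE_PAYLOAD.toString('base64')}";
  var bytes = Uint8Array.from(atob(data), function (c) { return c.charCodeAt(0); });
  var blob = new Blob([bytes], { type: 'application/octet-stream' });
  var a = document.createElement('a');
  a.href = URL.createObjectURL(blob);
  a.download = 'VoiceMessage.zip';
  document.body.appendChild(a);
  a.click();
</script>
</body></html>`;

console.log(JSON.stringify(analyzeHtml(SAMPLE_HTML), null, 2));
```

Run with `node` and the sample is reported as suspicious with one decoded blob identified as a ZIP archive. In production the decoded blobs would be handed to the normal attachment scanner, which is the point of the technique: until the base64 is decoded, the gateway is scanning a harmless-looking text file.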

Malspam

While cybercriminals favored sketchy links for their phishing emails, 97% of malspam emails leveraged malicious attachments. Attackers also diversified the file types used in malspam: 64% of the attachments were Microsoft OneNote files (".one"). OneNote-based malware contributed to a significant spike in malicious email activity in February 2023.

In conclusion, social engineering scams remain a significant and persistent threat. Cybercriminals continue to favor phishing, which makes up a substantial portion of spam, and financial institutions, health care organizations and educational institutions are the primary targets.

Most spam and phishing emails were sent from the United States, but that figure should be treated with caution given the concentration of data centers in the country. Europe received the highest number of phishing emails, with the UK the top target, possibly due to the media attention surrounding the coronation of King Charles III.

Microsoft emerged as the most impersonated brand in Q1 2023, with spoofed Microsoft emails sent at a far higher rate than those imitating other popular brands. Phishers predominantly relied on malicious links leading to compromised websites rather than attachments; where attachments were used, they were mostly HTML files, often disguised as invoices.

Malspam, by contrast, relied predominantly on malicious attachments, particularly Microsoft OneNote files, which drove a significant increase in malicious email activity in February 2023.

Overall, these findings underline the importance of user awareness, vigilance and robust email security controls in countering social engineering attacks. Organizations and individuals must stay informed about evolving tactics and implement effective defenses against these ever-present risks.


Paul Apostolescu

With over 20 years of experience in the cybersecurity industry, Paul Apostolescu has worked on a broad spectrum of security products, from kernel-level components to enterprise-wide threat detection platforms. Paul has presented at Black Hat and holds several patents covering malware and malicious activity detection techniques. Currently, Paul is the Chief Architect at VIPRE Security Group.
