New report uncovers evolving email threat landscape for Q1 2024
VIPRE Security Group has released its Q1 2024 Email Threat Trends report, revealing an evolving threat landscape and emerging tactics by malicious actors in email-based attacks. The report, based on an analysis of 1.8 billion emails, provides insights into email usage and behaviours in various enterprises, and forms part of VIPRE Antivirus Labs' continuous research findings.
The United States has been identified as the top source of spam emails worldwide, followed by the UK, Ireland, and Japan. In addition, the US, UK, and Canada are most subjected to email-based attacks. "Criminals are using email with success to scam, infiltrate networks, and unleash malicious payloads", warns Usman Choudhary, Chief Product and Technology Officer at VIPRE Security Group.
The report reveals notable changes in sectors targeted by attackers. In Q1 2024, the manufacturing sector suffered 43% of email-based attacks, with government (15%) and IT (11%) sectors following. This represents a shift from Q1 2023, which saw the financial, healthcare, and education sectors being targeted most frequently.
Further, scams within spam are reportedly growing in popularity among cybercriminals, exceeding phishing emails in the first quarter of 2024. Notably, a surge in phishing emails posing as HR communications concerning benefits, compensation, or insurance within companies has been observed. These emails often include malicious .html or .pdf attachments, featuring phishing QR codes that lead to phishing sites upon scanning.
As per the report, in email phishing campaigns, a significant 75% of emails leverage links, while 24% use attachments, and 1% employ QR codes. Cybercriminals use links in phishing emails primarily for URL redirection, compromised websites, and newly created domains. Innovative strategies to carry out phishing attacks include the use of .ics calendar invites and .rtf attachment file formats to trick recipients into opening malicious content.
Driven by the efficacy of password-oriented phishing emails that use links, the report notes a surge in malicious links in malspam emails, alongside a significant increase in malware hidden in cloud storage platforms like Google Drive. Attachments in malware-based emails rose to 22% in Q1 2024, a sharp rise from a mere 3% in Q1 2023.
The void left by the dismantled Qakbot malware has led to the rise of Pikabot as the top malware family, with IcedID as a distant second.
Criminals are also seen exploiting a web application vulnerability, notably Reflected Cross-Site Scripting (XSS), focusing on the href tag attribute, to evade detection. Various tactics are being deployed, such as using images as the entire email content, encoding URLs, and directing the victim through multiple URLs. Malicious actors are gaining access by hijacking the authentication thread of NTLM, a security protocol used by Microsoft Windows operating systems for authentication.
"We're witnessing bad actors relentlessly exploiting human vulnerabilities and software flaws, circumventing email gateways and security measures with alarming precision. Robust email and endpoint defenses, coupled with a vigilant human frontline, remain our strongest defense against these unyielding attacks," concludes Choudhary.