Vipre highlights evolving email threats in Q1 2024 report

VIPRE Security Group has unveiled its Q1 2024 Email Threat Trends Report, which underscores the evolving landscape of global email-based threats. The study, grounded on the analysis of 1.8 billion emails, reveals significant insights into the sources and types of these threats.

The United States tops the global list as the principal origin of spam emails, closely followed by the United Kingdom, Ireland, and Japan. According to the report, the US, UK, and Canada are also the countries most targeted by email-based attacks.

Industries such as manufacturing, government, and information technology (IT) are notably beleaguered by malicious actors. The manufacturing sector bore the brunt of 43% of email-based attacks, while government and IT sectors experienced 15% and 11% respectively. This marks a shift from the previous year's first quarter when financial, healthcare, and education sectors were the primary targets.

The report also depicts a shift in cybercriminal tactics, illustrating that scams have overtaken phishing emails in popularity among spam categories for Q1 2024. Phishing emails are increasingly appearing as communications from Human Resources, falsely related to employee benefits, compensation, or insurance within a company. These emails often contain malicious .html or .pdf attachments, which host phishing QR codes directing recipients to fraudulent websites when scanned.

When it comes to phishing techniques, attackers prefer links, used in 75% of phishing emails, followed by attachments and QR codes at 24% and 1% respectively. The study highlights that 54% of phishing emails utilise URL redirection, 22% employ compromised websites, and 15% leverage newly-created domains as part of their malicious campaigns. Furthermore, attackers are employing innovative methods such as .ics calendar invites and .rtf file attachments to tempt recipients into opening harmful content.

In the realm of malware distribution, cybercriminals are increasingly using links in malspam emails rather than attachments. The concealment of malware within cloud storage platforms like Google Drive has become more common. The prevalence of malware-based emails using attachments jumped to 22% in Q1 2024, up from 3% in the previous year. This surge has made Pikabot the top malware family, followed by IceID.

The report also reveals the use of web application vulnerabilities, particularly Reflected Cross-Site Scripting (XSS), which cybercriminals exploit to avoid detection. They utilise various tactics including encoding URLs, using images as the entire email content, and directing victims through multiple URLs. Additionally, attackers are employing thread hijacking of NTLM (NT LAN Manager) to impersonate authenticated users, gaining unauthorised access by extracting NTLM challenge-response hashes from legitimate SMB (Server Message Block) sessions.

"Criminals are using email with success to scam, infiltrate networks, and unleash malicious payloads," stated Usman Choudhary, Chief Product and Technology Officer at VIPRE Security Group. "We're witnessing bad actors relentlessly exploiting human vulnerabilities and software flaws, circumventing email gateways and security measures with alarming precision. Robust email and endpoint defences, coupled with a vigilant human frontline, remain our strongest defence against these unyielding attacks."