Clean links and sophisticated scams mark new era in email attacks

Analysis of 7 billion emails shows clean links are duping users, malicious EML attachments increased 10-fold in Q4, and social engineering attacks are at all-time highs, according to VIPRE Security.

EML attachments

The rise of the EML file attachments

In 2024, QR code hacks or quishing will increase, use of AI to create content for spam emails including deepfakes will rise; highly personalized social media mining will grow further; and a wide array of file types and formats – especially EML – will be used to propagate phishing and malware attacks. There will also be a marked uptick in state-sponsored attacks.

As network security tools have improved in recent years, the corporate inbox has become an ever more attractive target to attackers. Often protected by nothing more than human nature and an antivirus, cybercriminals continue to use email to launch their most basic and persistent attacks. Now and again, they get a bit creative, which has come to bear in the past twelve months.

Regarding the method of attack, threat actors this past year favored links over other delivery methods (like attachments and QR codes) nearly seven to one (71%). The year before, VIPRE saw a 50/50 split, but their popularity is improving as attackers are getting smarter about what kinds of links they leverage. Based on this current trend, such links are expected to increase this year, although not in the ways we might assume.

Regardless of the slight percentage decrease, phishing emails continue to tie with scam emails in volume, making them a perennial favorite of hackers and a constant threat to inboxes. When it comes to phishing, 71% of emails are still using links as their primary bait. Attachments show up in 22% of cases, and the remaining 7% are attributed to embedded QR codes or quishing.

While EML attachments were a present threat throughout 2023, they increased tenfold in Q4. The benefit of sending malicious payloads via EML file is that they can get easily overlooked by many basic email security solutions when attached to the actual phishing email (which comes out clean). The malicious directions, hidden in plaintext within the body of the EML, may then encourage users to navigate to a link, call a phone number, or otherwise engage in a scam. Because of the novelty of EML use, curious users are prone to open, follow, and fall prey.

Malware skyrockets

Q4’s top malware family, AgentTesla, infiltrates a target machine and harvests sensitive data off any number of qualifying browsers. This shows that attackers are launching malware merely for reconnaissance now, as valuable artifacts like username, computer name, operating system, CPU name, RAM, and IP address may fetch more on the Dark Web than they could garner in a one-off attack.

Email-delivered malware remains a favorite, increasing by 276% between January and December of last year. However, despite the boost, it accounted for only 5% of malspam, trailing commercial spam (“Deal Ends Now!”), general scams, and phishing. Perhaps threat actors have found that it’s easier to trick end users than security solutions, which do manage to snag malware despite falling behind in emerging tactics like social engineering attacks. Consequently, numbers are low. The real weak link remains humans, as the prevalence of social engineering attacks will attest; of all spam emails, 35% were scams, and 22% were phishing attempts.

Financial services (22%) was the most targeted sector by phishing and malspam emails, followed by information technology (14%), healthcare (14%), education (10%), and government (8%). Information technology experienced a 59% increase in attacks between Q1 and Q4, whilst attacks on government inboxes went up by a staggering 16,000%.

“When you take a look at the kinds of threats we’re seeing today, a lot of them are preventable. It just takes the right tools, but most companies don’t know they exist because email doesn’t always get the same kind of security attention as the rest of the network. Unfortunately, threat actors know this,” said Usman Choudhary, general manager, VIPRE Security Group.

Email attack methods are diversifying, and current email security solutions continue to fall further behind. QR code hacks are intensifying, AI is continuing to revolutionize attacks, and more and more malware is being spun up that evades traditional defenses.

As attackers are getting stealthier, more creative, and more powerful in their schemes, it becomes vital to make data-driven decisions when planning a successful counter-strategy.

Don't miss