The pandemic completely reshaped the e-mail threat landscape. The mass shift over to remote working and the inevitable transfer of most communications to the online format has stimulated a rise in both phishing and BEC attacks. The increased flow of business correspondence has made it far easier for cybercriminals to disguise their e-mails among the stack of legitimate ones, for which reason mimicking business correspondence has become a major attack vector. Many social-engineering tricks — like a notification that urges the victim to respond to an e-mail ASAP — have also been given a new lease of life. The main trends that we’ve observed in 2022 are as follows:
- A surge in spam mailings with malicious content to infect the victim’s computer
- Active use of social-engineering techniques in malicious e-mails more typical of spear phishing (adding signatures to mimic specific departments; using business language and context appropriate for the target company; piggybacking current events; referring to real company employees)
- Widespread spoofing — the use of e-mail addresses with domain names similar to the real ones of target organizations (differing only by a couple of characters)
As a result, the creators of malicious spam mailings have been able to disguise them as internal messages and business correspondence between companies, and even as notifications from government agencies. Here are the most illustrative examples we’ve come across this year:
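The lookalike-domain spoofing described above can be caught at the mail gateway with a simple edit-distance check against the organization's own and its partners' domains. The following is an added example, not code from the original article; the trusted-domain list and the sample sender addresses are constructed for illustration.

```python
"""Flag sender domains that differ from a trusted domain by only a couple of characters."""
from typing import Iterable, Optional


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(addr: str) -> str:
    """Extract the lower-cased domain from 'Name <user@domain>' or 'user@domain'."""
    addr = addr.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")


def find_lookalike(addr: str, trusted: Iterable[str], max_distance: int = 2) -> Optional[str]:
    """Return the trusted domain that the sender's domain imitates, or None.

    An exact match is legitimate (distance 0); a domain within max_distance edits
    of a trusted one but not identical is the lookalike pattern the article describes.
    """
    dom = sender_domain(addr)
    trusted = [t.lower() for t in trusted]
    if dom in trusted:
        return None
    best = None
    for t in trusted:
        d = levenshtein(dom, t)
        if 0 < d <= max_distance and (best is None or d < best[1]):
            best = (t, d)
    return best[0] if best else None


def scan_headers(from_headers: Iterable[str], trusted: Iterable[str]) -> list:
    """Run the check over a batch of From: headers and return (header, imitated_domain) pairs."""
    hits = []
    for hdr in from_headers:
        target = find_lookalike(hdr, trusted)
        if target:
            hits.append((hdr, target))
    return hits


if __name__ == "__main__":
    # Constructed sample data: an example company domain and a partner domain.
    TRUSTED = ["example-corp.com", "partner.example"]
    SAMPLE_FROM = [
        "Accounts <accounts@examp1e-corp.com>",   # 'l' replaced by '1'
        "CEO <ceo@example-corp.co>",              # one character dropped
        "HR <hr@example-corp.com>",               # genuine
        "news@totallydifferent.org",              # unrelated, not a lookalike
    ]
    for hdr, target in scan_headers(SAMPLE_FROM, TRUSTED):
        print(f"lookalike sender {hdr!r} imitates {target}")
```

A distance threshold of 2 is a starting point; in production the trusted list would be loaded from configuration and the check combined with DMARC results, since a genuine partner domain that fails authentication and a near-miss domain that passes are both worth a second look.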
Malware in e-mails
The main trend of the year has been malicious mailings disguised as business correspondence. To get the recipient to open an attachment or download a linked file, cybercriminals typically try to convince them that the e-mail contains business-relevant information such as a commercial offer or an invoice for delivery of goods. The malware is often placed in an encrypted archive, the password for which is given in the body of the message.
For example, throughout the whole year we encountered the following scheme: attackers gained access to genuine business correspondence (most likely by stealing it from previously infected computers) and sent new e-mails to all participants with malicious files or links. In other words, they were able to develop the conversation in a plausible way. This ruse makes malicious e-mails harder to spot, and increases the likelihood that the victim will fall for it.
In most cases, when a malicious document is opened, either the Qbot or Emotet Trojan is loaded. Both can steal user data, harvest information on a corporate network, and distribute other malware such as ransomware. In addition, Qbot can be used to access e-mail and steal messages; that is, it serves as a source of correspondence for further attacks.
As the end of the year approaches, the pretexts used in malicious e-mails are becoming ever more inventive. For example, in early December, scammers pretending to be a charity organization asked victims to donate their old equipment. Of course, to take part in this noble venture, they had to download a file supposedly containing the list of accepted devices. In fact, the attachment was a malicious executable file hidden in a password-protected archive.
In another e-mail campaign, under the guise of invoices, attackers sent out tens of thousands of archives containing a backdoor Trojan that gives remote control over the infected computer. Most interestingly, the attached archives had extensions like .r00, .r01, etc. It’s likely that their creators wanted to pass the attachment off as one part of a large multi-volume RAR archive in an attempt to bypass automatic protection systems configured to inspect only certain file extensions.
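The two evasion tricks described in this section, a password-protected archive whose password sits in the message body and archive parts renamed to multi-volume extensions such as .r00/.r01, are exactly what an attachment-triage rule should look for rather than trusting a fixed extension list. The following is an added example, not code from the original article or from any product mentioned in it; the extension patterns, the password-hint regex and the sample attachments are constructed for illustration.

```python
"""Triage e-mail attachments for split-archive parts, password hints and executables in archives."""
import io
import os
import re
import zipfile
from typing import List

# Multi-volume archive parts: .r00/.r01 (old RAR), .z01 (zip), .001 (7z/split), .part2.rar (new RAR)
SPLIT_PART_RE = re.compile(r"\.(r\d{2}|z\d{2}|\d{3}|part\d+\.rar)$", re.IGNORECASE)
# File types that have no business inside an "invoice" or "commercial offer" archive
EXEC_EXTS = {".exe", ".scr", ".js", ".jse", ".vbs", ".bat", ".cmd", ".lnk", ".hta", ".ps1", ".dll"}
# Constructed heuristic: "password: 1234", "pass is abcd", "пароль - 1234"
PASSWORD_HINT_RE = re.compile(r"\b(password|passwd|pass|пароль)\b\s*(is|:|=|-)\s*\S+", re.IGNORECASE)
RAR_MAGIC = b"Rar!\x1a\x07"


def triage_attachment(filename: str, data: bytes, body: str) -> List[str]:
    """Return a list of reasons to hold the message for review (empty list means nothing found)."""
    reasons: List[str] = []
    if SPLIT_PART_RE.search(filename.lower()):
        reasons.append("split-archive part extension")
    if PASSWORD_HINT_RE.search(body):
        reasons.append("password hint in message body")

    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        encrypted = False
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                # Bit 0 of the general-purpose flag marks a traditionally encrypted member.
                if info.flag_bits & 0x1:
                    encrypted = True
                if os.path.splitext(info.filename)[1].lower() in EXEC_EXTS:
                    reasons.append("executable inside archive: " + info.filename)
        if encrypted:
            reasons.append("encrypted archive (members cannot be scanned)")
    elif data.startswith(RAR_MAGIC):
        # Content sniffing rather than extension: a renamed .r01 is still a RAR volume.
        reasons.append("RAR archive (members not inspected here)")
    return reasons


def build_sample_zip() -> bytes:
    """Constructed sample: an unencrypted ZIP hiding an executable behind an invoice name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2022-11.exe", b"MZ constructed placeholder, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.zip", build_sample_zip(), "Please see the attached invoice. Password: 2022"),
        ("invoice.r01", RAR_MAGIC + b"\x00constructed", "See attached"),
        ("report.pdf", b"%PDF-1.4 constructed", "Quarterly report attached"),
    ]
    for name, payload, text in samples:
        print(name, "->", triage_attachment(name, payload, text) or "clean")
```

The point of sniffing the content rather than trusting the extension is that a mail filter configured only for `.rar` and `.zip` would let `.r01` through, while the RAR signature bytes stay the same whatever the file is called.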
Fake government notifications
E-mails imitating official notifications from ministries and other government departments have become more frequent this year. This trend is especially noticeable in the Russian-language segment of the internet. E-mails of this type are tailored to the profile of the specific organization. The sender address usually resembles the department’s real domain, and the malicious attachment most often bears a relevant title, such as “Comments on the results of the meeting”. One such attachment contained malicious code to exploit a vulnerability in Equation Editor, a component of Microsoft Office.
Piggybacking current events
In the Russian-language segment of the internet, we also saw a surge in malicious e-mail activity based on the current news agenda. For example, in October, cybercriminals distributed malware under the guise of call-up orders, exploiting Russia’s “partial mobilization”. The e-mails cited the Russian Criminal Code, used the heraldry and style of the Ministry of Defense, and prompted the recipient to download the order via the link provided. In fact, the link pointed to an archive with an executable script that created an executable file and ran it.
In addition, we registered an e-mail purporting to come from Russian law enforcement agencies. The message invited the victim to download a “new solution” to protect against online threats from “hostile” organizations. In reality, however, the program that got installed on the computer was a ransomware Trojan.
How to stay safe
Cybercriminal schemes are becoming ever more sophisticated each year, and the methods of mimicking business correspondence — ever more convincing. So to keep your corporate infrastructure protected against e-mail attacks, pay attention to organizational measures as well as technical ones. In other words, besides having security solutions both at the corporate mail server level and on all internet-connected devices, we recommend regular cybersecurity awareness training for employees.