VIPRE’s Usman Choudhary on Email Threats

In the ever-evolving digital landscape, email remains a favored weapon for cybercriminals. Usman Choudhary, general manager of VIPRE Security Group, provides perspectives and lessons learned from his organization’s latest Email Threat Trends Report. In the following interview, Usman sheds light on critical trends, tactics, and vulnerabilities that leaders must address to safeguard their digital assets.

Based on VIPRE’s latest email threat landscape report (a quarterly look into email threat trends), what are some of the geographical hotspots and targeted sectors?

Based on the geographical distribution of email threats, the outcomes are always changing, but our most recent look into threats, insights, and takeaways from threat actors currently identifies the US, UK, Ireland, and Japan as major sources of global spam and phishing email attempts. The runners-up changed from Germany and Turkey to the UK, Ireland, and Japan. Possible socioeconomic factors could contribute to the shift, or it could be nothing more than criminal hackers bouncing from place to place as analysts get wise to their geo-specific tricks. It’s wise to keep in mind that many threat actors use servers based in other countries (predominantly North America) but they themselves live elsewhere.

Regarding target sectors, this seems to be an ever-evolving change. For example, right now, the manufacturing industry is undergoing the brunt of email-based attacks (43% in Q1 2024), surpassing sectors like finance and healthcare. Again, the sectors targeted are continuously changing. For example, in our 2023 annual report the targeted sectors were financial services, information technology, healthcare, education, and government sectors. I expect we’ll continue to see shifts in the sectors targeted.

What are the most prevalent emerging threats and tactics used to attack organizations?

‘Scams’ within the spam category are growing in popularity among cybercriminals, surpassing phishing emails in Q1 2024. This trend indicates a shift in cybercriminal tactics, with scammers becoming more innovative and deceptive in their approach.

There’s been a notable increase in phishing emails masquerading as communications from Human Resources. These emails falsely claim to relate to employee benefits, compensation, or insurance within a company. They often contain malicious attachments in .html or .pdf formats, featuring phishing QR codes that redirect recipients to phishing sites upon scanning.

In email phishing campaigns, 75% of emails leverage links, 24% favor attachments, and 1% use QR codes. Cybercriminals are employing links in phishing emails for URL redirection, compromised websites, and newly created domains.

What are the most prevalent emerging threat attack tactics you’re seeing or that you expect to gain ground in the near-term?

One of the most pressing emerging tactics includes the use of .ics calendar invites and .rtf attachment file formats to trick recipients into opening malicious content. That is a tried-and-true tactic that we will see more of.

Additionally, for the remainder of this year, in the US we’ll see an increased share of election-related email scams. However, the worst part is that they not only endanger individuals or companies, but an entire democratic process.

As mentioned, we’ll also see more “HR-related” emails.

Thanks to the advent of generative AI technologies like ChatGPT, highly convincing phishing emails can now be sent in virtually any language. Beyond well-known brands, our observations indicate a notable increase in phishing emails masquerading as communications from human resources. However, it’s often difficult to tell whether ChatGPT wrote the email versus your actual HR team – until it’s too late.

What about brand spoofing? Still a thing?

Yes, unfortunately, brand spoofing remains a popular threat vector. Microsoft has been the most spoofed brand historically and it remains on top of the spoofing heap. It is the price of success for the company. It’s used by millions and millions of consumers and used by more than 80% of Fortune 500 companies, so scammers love it.

So, with Microsoft reigning, it’s the runners-up that vie for second-class supremacy. Looking at the last two Q1 reports (2023 and 2024), let’s look at side-by-side comparisons of the most prevalent companies that are spoofed:

Q1 2023

  • Microsoft
  • DHL
  • WeTransfer
  • Apple

Q1 2024

  • Microsoft
  • DocuSign
  • eFax
  • PayPal

Last year, it was physical packages, file sharing, and anything Apple. This year, phishers are baiting users with ways to digitally send faxes, the now less-popular PayPal, and DocuSign – the all-too-familiar online signing agent used to ink important documents like loans, insurance papers, and other legal documents.

Are there any favorite phishing link strategies? If so, any takeaways?

While the fact that “.com” was again the most favored TLD by attackers is no new news, the runners-up again are. In Q1 2023, “.ca” and “.net” took second and third place, respectively, but this year the lineup looks different. They are:

  1. .com
  2. .org
  3. .uk
  4. .cloud
  5. .fr

Possible reasons for the success of the top domains?

“.org”s inspire trust, “.uk” may not be viscerally associated with scams (although that might be changing), “.cloud” emails are becoming more common in a society that’s all but migrated to it, and “.fr” might share the same neutral or positive – or perhaps, simply “as yet unsullied” – online reputation to oft-targeted Americans as the UK.

How are phishers employing email links in their attempts?

The malicious phishing emails employing links were categorized into five basic categories to highlight the methods most preferred by attackers. They are:

  1. URL redirection (54%)
  2. Compromised websites (22%)
  3. Newly created domains (15%)
  4. File storage links (6%)
  5. XSS vulnerability links (4%)

Threat actors are known for their persistent efforts to devise new methods for delivering malicious or phishing attacks to unsuspecting victims. Any new trends identified from your research?

We saw a noted sense of urgency induced by the use of words like “immediate.” Additionally, the email may originate from a free email service provider, such as Gmail, which is often a red flag for suspicious emails. Also, the use of colloquialisms and cliches, especially in a context where business-level writing is expected, can provide additional clues (note the use of “in the grand scheme of things”).

In a notable incident observed by VIPRE AV Labs before the end of February, a series of deceptive messages emerged masquerading as replies to previous emails. These messages utilized a technique known as thread hijacking and contained zipped HTML attachments, effectively concealing their malicious intent within unsuspecting inboxes.

When recipients open the zipped HTML attachment, they unknowingly set off a chain of events that compromise their system’s security. The HTML file serves as a passage for exploitation, redirecting the user’s system to a file hosted on an external server via the Server Message Block (SMB) protocol. Also, it is important to note that each HTML file has its own distinct hash. This detail makes it challenging for detection purposes, adding another layer of complexity to efforts aimed at uncovering them.

Despite its harmless appearance, this redirection hides a malicious intent, allowing threat actors to gain unauthorized access to sensitive data within the victim’s system such as username, IP address, computer name and domain name.

The email threat landscape is always changing. Traditional email security services are becoming increasingly irrelevant, and cutting-edge techniques like attachment sandboxing, link isolation, and even employee awareness training are taking the lead as our best defense against inbox crime.

As the cybersecurity industry shoots high, attackers shoot low and seek to circumvent email security defenses not with might, but with wit. Inserted links in email appear to be clean at first scan because it’s the second redirected link that’s corrupted; emails don’t warrant a red flag because the only thing malicious is the invitation to call a vendor back; and clean .html attachments lead to nefarious QR codes.
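The zipped-HTML thread-hijacking campaign described above is hard to catch by file hash because every attachment hashes differently, so a content check is the more useful control. The following is an added example, not code from the interview or from VIPRE's products: it opens a zipped attachment in memory and flags any HTML member that references a remote SMB resource (a UNC path or a file:// or smb:// URL with a host). The sample archive, its file names and the 203.0.113.7 host are constructed for the demo.

```python
import io
import re
import zipfile
from typing import List, Tuple

# Patterns for an HTML page pointing the recipient's machine at a remote SMB
# share. Local file:///C:/... references are deliberately not matched.
SMB_PATTERNS = [
    re.compile(r'\\\\[A-Za-z0-9.\-]+\\[^\s"\'<>]+'),            # \\host\share\path
    re.compile(r'file://+[A-Za-z0-9.\-]+/[^\s"\'<>]*', re.I),  # file://host/share
    re.compile(r'smb://[^\s"\'<>]+', re.I),                    # smb://host/share
]


def scan_html(html: str) -> List[str]:
    """Return every remote SMB reference found in one HTML document."""
    hits: List[str] = []
    for pattern in SMB_PATTERNS:
        hits.extend(pattern.findall(html))
    return hits


def scan_zip_attachment(data: bytes) -> List[Tuple[str, List[str]]]:
    """Scan each .htm/.html member of a zipped attachment held in memory.

    Returns (member name, references) pairs; an empty list means no member
    tried to reach an SMB share. Hashes are never consulted, so a freshly
    generated file with a unique hash is still caught by its content.
    """
    findings: List[Tuple[str, List[str]]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for name in archive.namelist():
            if not name.lower().endswith((".htm", ".html")):
                continue
            text = archive.read(name).decode("utf-8", errors="replace")
            refs = scan_html(text)
            if refs:
                findings.append((name, refs))
    return findings


def build_sample_zip(remote: bool) -> bytes:
    """Constructed test input: a zip holding one HTML file.

    remote=True mimics the campaign (meta refresh to an SMB host);
    remote=False is a harmless page with an ordinary HTTPS link.
    """
    target = "file://203.0.113.7/docs/invoice.pdf" if remote else "https://example.com/doc"
    html = (f'<html><head><meta http-equiv="refresh" content="0; url={target}">'
            '</head><body>Loading...</body></html>')
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("RE_invoice.html", html)   # constructed member name
    return buffer.getvalue()
```

In a mail gateway this check would run on every archive attachment before delivery, with a hit routed to quarantine alongside the attachment sandboxing the interview recommends.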

What are some lessons learned from the email threats you analyzed?

Reflecting on historical email threats, several patterns have emerged over the years. In Q1 2024, VIPRE processed 1.8 billion emails, 234 million of which were spam, and 11 million of which could only be caught by advanced Link Isolation. An overwhelming 95% of the email samples analyzed were spam. The spam category broke down into commercial emails, scams, phishing emails, and malware, by volume. Different from last year, scams overtook phishing emails in popularity this first quarter.

Organizations have adapted their defenses in various ways. They have implemented AI-enhanced email security solutions, and have started to use adaptive threat protection capabilities across the entire delivery chain. VIPRE Email Security Link Isolation, “like URL sandboxing for your email,” caught more than 11 million emails that would have gone undetected otherwise.

Can you offer strategies for IT leaders?

There are specific strategies IT leaders can implement to stay ahead of evolving email threats. First, they can leverage advanced threat intelligence to gain insights into the latest threats and adapt their defenses accordingly. Second, they can implement robust email security solutions that offer comprehensive protection against a wide range of threats. Third, they can conduct regular security audits to identify and address potential vulnerabilities.

To foster a security-conscious culture within their organizations, IT leaders can take several steps. They can provide regular security training to their employees to keep them informed about the latest threats and safe online practices. They can also implement strict security policies and ensure that they are adhered to. Finally, they can promote a culture of transparency and openness, where employees feel comfortable reporting potential security issues. They also can employ security awareness training to ensure their employees are up-to-date on the latest threats and how to protect themselves against potential phishing attempts.

Any closing thoughts?

We see these malicious infections every day. We sift through hundreds of thousands of them, and millions – even billions – of emails. Informed with this up-to-the-minute threat knowledge, we put everything we have into our email security solution and offer it as a way for our customers to stay safe, informed, and ready for whatever challenges your inbox next.

By Randy Ferguson