Trustwave Blog

Trustwave 2021 Email Threat Report Highlights Critical Trends in Email Security in the Age of Advanced Threats

Written by | May 19, 2021

Most mature organizations have recognized the importance of email security and subsequently added various new levels of defense to their security stack to protect against the ever-evolving email threat landscape. Although the instances of compromise via email malware are trending lower, the threats themselves haven’t gone anywhere – and the consequences of inadequate email security have never been higher in the age of advanced threats.

In the new 2021 Email Threat Report from Trustwave, we break down real-life examples of the latest email threats and critical trends from the past year to help you gain an understanding of the current landscape so you can prepare your email security strategy.

The 2021 Email Threat Report highlights several key trends, including:

  • Microsoft Excel file attachments were the single biggest attachment type utilized by attackers in 2020, representing 39 percent of malicious attachments, up from 7 percent in 2019.
  • Forty-three percent of malicious Excel attachments made use of Excel 4.0 macros.
  • Longer-term attacks seem to lead as the preferred method of email attack.
  • Over 50 percent of BEC emails come from Gmail accounts.
  • Phishers increasingly used free cloud infrastructure for sending emails, hosting phishing pages, storing files and more.

The Trustwave 2021 Email Threat Report, featuring data and analysis from the SpiderLabs Email Security Research and Malware Analysis Team, details some of the most significant email threats organizations face, and provides insight on the tricks and techniques cybercriminals are using to snare their victims.

We sat down with Phil Hay, Senior Research Manager, Email Security and Malware Analysis at Trustwave SpiderLabs to discuss some of the key trends from the 2021 Email Threat Report.

It appears that malware numbers were quite low last year and even into this year. Why is that?

Although on the surface this appears to be the case, it’s more likely a return to more “normal” levels of malware, percentage-wise. The period from 2016-2018 was an abnormally high period of activity; the Necurs botnet in particular drove a massive number of spammed malware downloaders, leading to widespread ransomware and various other infections. It’s also worth noting the longer-term trend of lower spam volumes and fewer and smaller botnets, resulting in a lower volume of email-borne malware. That does not negate the fact that there are still operators disseminating their malware via email, so the threat remains very much alive, just on a slightly smaller scale.

For organizations wanting to defend against threats, how has COVID-19 changed email security?

As noted in the report, apart from COVID-themed email threats, which were inevitable, not much changed, as the longer-term email attack trends continue to surpass any short-term changes. For example, using Office document files to deliver malware is still an overriding trend, as is the use of novel file types such as the COVID-themed .jnlp attachment example referenced in the report.

One area where we did see a change was driven by the increased number of employees working from home. This shift hastened a move to cloud services, which brings with it an entirely different set of security challenges (more on that below).

Has the shift to cloud changed email security / attacker behavior? Is it easier to launch attacks?

Many organizations moved their teams to cloud services due to convenience and price, and attackers are no different.

In the 2021 Email Threat Report, we detail how free cloud services are used in phishing attacks. Bad actors piggyback on the good reputation and the free or low-cost services of these cloud providers to bypass security checks. The bad guys don’t like to pay for infrastructure costs any more than the next guy!

Another noteworthy area is the continued migration by organizations to cloud email services such as Office 365. Compromised O365 accounts are a highly sought-after commodity, as they can be used to launch targeted phishing, man-in-the-middle or BEC attacks. Once an account is compromised, attackers can then launch additional assaults within the organization. These attacks appear legitimate to users since they originate from actual accounts within the organization.

What should organizations be doing to protect themselves from email threats?

All email security strategies are a combination of technology, non-technical policies, awareness and training. Some key areas of focus include:

  • Deploy a capable email gateway scanner
  • Clearly define inbound email policies
  • Lock down your email as much as possible
  • Odd, rare or unusual file attachments should be quarantined or scrutinized prior to downloading or opening
  • Deploy Multi-factor Authentication on all cloud email accounts
  • Ensure a strong password policy to lessen account takeover risk
  • Deploy anti-spoofing and authentication technologies to identify BEC attacks against your own domains
  • Regularly train and educate all users on the nature of today’s email threats

Interested in ensuring your organization has the best email security posture? Learn more about Trustwave MailMarshal and its powerful email security capabilities here.