
Trustwave SpiderLabs December 2024: Phishing and Email Security Insights

There was some good, bad, and neutral news when it comes to email threats in December 2024, according to new data compiled by Trustwave SpiderLabs’ MailMarshal email security team.

Trustwave SpiderLabs’ PageML, which is used in MailMarshal’s Blended Threat Module (BTM), flagged 19 million malicious URLs for VirusTotal, of which 2.2 million detections were only picked up by Trustwave. The team reported that 25% of all incoming spam emails were in fact phishing attacks of some type. This was driven by huge Japanese phishing campaigns and the use of various phishing-as-a-service platforms (PaaS).

Trustwave SpiderLabs also observed increasing use of legitimate and semi-legitimate Remote Monitoring and Management (RMM) tools in attacks.

The positive finding was that the number of malicious attachments noted in these attacks was down 1% for the month.

On the neutral side of the conversation, Trustwave SpiderLabs noted threat groups continued to use HTML and PDF attachments to launch phishing and malware attacks. Additionally, QR phishing (or quishing) and HR-themed phishing campaigns remained ongoing.

 

Malware

Let’s examine the malware and delivery methods attackers used to get into their targets’ organizations.

The most common executables, which are frequently enclosed in ZIP and RAR archives, found by Trustwave SpiderLabs in December include:

    • AgentTesla: A Remote Access Trojan (RAT) known for stealing information such as keystrokes, system clipboard data, and software credentials.
    • AsyncRAT: A credential stealer and malware loader.
    • Formbook: An infostealer malware.
    • Remcos: A Remote Access Tool that can be used for penetration testing or for malicious purposes.

Trustwave SpiderLabs found that PDFs were also commonly used in malware and spam campaigns. PDF files can be embedded with malicious scripts or links, making them a popular choice for attackers. PDF files with phishing links were often found in documents for fake job offers and invoices.

 

Email Malware Attachment Types: Last Month

The team found that HTML attachments continued as the number one malware attachment. This is likely because HTML attachments are easily disguised as legitimate emails. These are often used to redirect users to phishing websites or to deliver malicious code.

Notably, the Tycoon 2FA campaign leveraged HTML attachments to mimic Office 365 two-factor authentication portals, tricking users into entering their login credentials and one-time passcodes.

December saw HTML as the favored attachment type, used 36.7% of the time, followed by PDFs at 27.3% and EXE32 at 18.3%.

  • HTML attachments were used for HTML smuggling, phishing attachments, and redirectors.
  • EXE32 attachments were Windows binary executables, commonly enclosed in archives like RAR, ZIP, ISO, and 7Zip, and were mostly various RATs.
  • PDFs mostly contained embedded URLs that, when clicked, would download malware or redirect to credential phishing.

HTML and PDF files for phishing were fueled by PaaS kits like Tycoon and Rockstar2FA. These kits are favored due to their easy-to-use tools, which allow attackers to bypass email filters and redirect victims to phishing pages. These often mimic Office 365 login screens. To a lesser extent, phishers are using DOC and XLS files.
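The following is an added example, not code from the Trustwave post or from MailMarshal: a small Python triage script that parses a constructed .eml and flags the two attachment patterns described above, HTML attachments carrying HTML-smuggling indicators (a base64 blob decoded in the browser and handed over as a download) and PDFs whose objects carry URI, Launch or JavaScript actions. The indicator lists, the sample message and both attachment bodies are constructed for this illustration and are not MailMarshal's detection rules.

```python
"""Attachment triage for the HTML and PDF patterns described above.

Added example, not MailMarshal code. The indicator lists and the sample
message are constructed for this illustration.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Strings that typically appear when an HTML attachment assembles a file in
# the browser and forces a download (HTML smuggling). Assumed indicators.
HTML_SMUGGLING_PATTERNS = {
    "atob_decode": re.compile(rb"atob\s*\("),
    "blob_construct": re.compile(rb"new\s+Blob\s*\("),
    "object_url": re.compile(rb"URL\.createObjectURL\s*\("),
    "ms_save_blob": re.compile(rb"msSaveOrOpenBlob"),
    "long_base64_literal": re.compile(rb"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}

# PDF action dictionaries that open a URL, launch a program or run script.
PDF_ACTION_PATTERNS = {
    "uri_action": re.compile(rb"/URI\s*\("),
    "launch_action": re.compile(rb"/Launch\b"),
    "javascript_action": re.compile(rb"/JavaScript\b"),
    "open_action": re.compile(rb"/OpenAction\b"),
}
PDF_URI_TARGET = re.compile(rb"/URI\s*\(\s*([^)]+?)\s*\)")


def classify_attachment(filename, content_type, payload):
    """Return a finding dict (kind, indicators, urls, verdict) for one attachment."""
    name = (filename or "").lower()
    head = payload[:4096]
    # Content sniffing: attackers mislabel attachments, so do not trust the
    # extension or declared type alone.
    is_html = (content_type == "text/html"
               or name.endswith((".html", ".htm", ".shtml"))
               or re.search(rb"<\s*(html|script)\b", head, re.I) is not None)
    is_pdf = (content_type == "application/pdf"
              or name.endswith(".pdf")
              or head.startswith(b"%PDF"))
    finding = {"filename": filename, "kind": "other", "indicators": [], "urls": []}
    if is_html:
        finding["kind"] = "html"
        patterns = HTML_SMUGGLING_PATTERNS
    elif is_pdf:
        finding["kind"] = "pdf"
        patterns = PDF_ACTION_PATTERNS
        finding["urls"] = [m.decode("latin-1") for m in PDF_URI_TARGET.findall(payload)]
    else:
        patterns = {}
    finding["indicators"] = [label for label, rx in patterns.items() if rx.search(payload)]
    finding["verdict"] = "suspicious" if finding["indicators"] else "clean"
    return finding


def triage_message(raw):
    """Parse a raw RFC 5322 message and classify every attachment in it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [
        classify_attachment(part.get_filename(), part.get_content_type(),
                            part.get_payload(decode=True) or b"")
        for part in msg.iter_attachments()
    ]


def build_sample_message():
    """Constructed sample: an invoice lure with an HTML and a PDF attachment."""
    smuggling_html = (
        b"<html><body><script>\n"
        b'var payload = "' + b"QUJD" * 60 + b'";\n'  # inert base64 of "ABC" repeated
        b"var bytes = Uint8Array.from(atob(payload), c => c.charCodeAt(0));\n"
        b'var blob = new Blob([bytes], {type: "application/octet-stream"});\n'
        b'var a = document.createElement("a");\n'
        b"a.href = URL.createObjectURL(blob);\n"
        b'a.download = "invoice.zip"; a.click();\n'
        b"</script></body></html>\n"
    )
    # Not a complete PDF, only the link annotation object the scanner inspects.
    link_pdf = (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Annot /Subtype /Link "
        b"/A << /S /URI /URI (https://login.example.invalid/office365) >> >> endobj\n"
    )
    msg = EmailMessage()
    msg["From"] = "billing@vendor.example.invalid"
    msg["To"] = "ap@example-corp.invalid"
    msg["Subject"] = "Invoice 10422 attached"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(smuggling_html, maintype="text", subtype="html",
                       filename="Invoice_10422.html")
    msg.add_attachment(link_pdf, maintype="application", subtype="pdf",
                       filename="Invoice_10422.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(finding)
```

Run stand-alone, the script prints one finding per attachment: the HTML part is marked suspicious on the decode, Blob and object-URL indicators plus the long base64 literal, and the PDF part is marked suspicious with the extracted link target, which is the value a gateway would hand to URL reputation checks.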

Other findings in phishing attacks included:

  • PaaS Adversary-in-the-Middle (AiTM) phishing kits were prevalent. AiTM phishing kits like Rockstar, Tycoon and Mamba were very noticeable in email campaigns mostly targeting Microsoft 365 accounts. These kits enable attackers to bypass two-factor authentication (2FA) by harvesting session cookies, allowing unauthorized access to accounts without requiring reauthentication.
  • DocuSign platform abused in AiTM phishing and callback phishing campaigns. The DocuSign platform is actively abused by threat actors to deliver emails and host phishing content. These messages originate from legitimate DocuSign servers, and the links also lead to DocuSign-hosted pages.
    • AiTM Phishing Campaigns - DocuSign emails that are linked to PaaS with AiTM capabilities. The messages we observed impersonate HR, payroll, and accounting departments.
    • Callback Phishing - Fake Order Campaigns - DocuSign email samples that impersonate various vendors including Norton, Geek Squad, and McAfee to deliver fake order confirmations.
  • QR code-based phishing continues to be a popular tactic, often arriving with PDF and document files.
  • Email marketing services are widely abused to deliver phishing and malware threats. The team continues to observe large-scale phishing attempts across various campaigns exploiting the SendGrid platform. Some of the threats are linked to PaaS operations and involve malware downloads through archive links from file-sharing services.
  • HR-themed phishing is still prevalent e.g., Annual Leave Compliance, Bonuses, Salary Reviews, Employee Performance, and Termination Notices.
  • There is an increasing trend in phishing campaigns targeting Japanese victims. These are messages impersonating well-known banking and e-commerce brands like Amazon, PayPay, American Express, JCB. Common lures include fake account notifications and enticing points or rewards offers.


December’s Business Email Compromise (BEC) Findings

BEC emails are overwhelmingly sent via free webmail platforms. This chart shows the top freemail sources for BEC in MailMarshal Cloud from the last month.

Figure 1. Top freemail sources for BEC in MailMarshal Cloud from the last month.

BEC emails sent via mass-mailing platforms also continued from November into December, with around 250 samples received through MailMarshal Cloud. Some recent trends include:

  • Request for Contact still dominated, with more than half of the total recorded submissions this month.
  • There’s a trend of putting the impersonated executive's name in the subject line instead of the From or Reply-To field.
  • The most targeted department is accounting. Invoice Transaction and Request for Accounts Receivable Documents BEC attacks are sent directly to the department’s email address.
  • Gift purchase emails using the pretext of a holiday gift were also observed.

The pie chart below shows the types of BEC lures used in the message body over the last month. The top lure is still Request for Contact where threat actors are sending short emails asking for mobile number/WhatsApp contact.

Figure 2. Types of BEC lures used in the message body over the last month.
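As an added example (not code from the Trustwave post or from MailMarshal), the heuristics below turn the BEC trends listed above into a scoring rule: a freemail sender, an executive's name in the display name or in the subject line, a Reply-To that points elsewhere, a short "send me your mobile/WhatsApp number" body, and delivery straight to an accounting mailbox. The executive directory, the domain and mailbox lists, the weights, the threshold and the three sample messages are all constructed here; a real deployment would pull the directory from the identity provider and tune the weights against its own mail.

```python
"""BEC heuristics for the trends listed above. Added example, not MailMarshal
code; directory, domain lists, weights and sample messages are constructed."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.invalid"               # assumed tenant domain
EXECUTIVES = {"jane doe": "CEO", "john smith": "CFO"}  # constructed directory
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com",
                    "yahoo.com", "icloud.com", "aol.com"}
FINANCE_MAILBOXES = {"accounting", "ap", "accounts-receivable", "invoices", "payroll"}
# Phrases seen in Request for Contact lures (assumed list).
CONTACT_LURE = re.compile(
    r"\b(whatsapp|mobile (?:number|no\.?)|cell(?:phone)? number|text me|"
    r"are you available|quick task)\b", re.I)
WEIGHTS = {
    "freemail_sender": 2, "exec_display_name": 3, "exec_in_subject": 3,
    "reply_to_mismatch": 2, "contact_request_lure": 2, "short_body": 1,
    "to_finance_mailbox": 1,
}
THRESHOLD = 5  # assumed cut-off for routing the message to review


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def score_bec(raw):
    """Return the triggered signals, a weighted score and a verdict for one message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display, sender = parseaddr(str(msg.get("From", "")))
    _, recipient = parseaddr(str(msg.get("To", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""

    signals = []
    if _domain(sender) in FREEMAIL_DOMAINS:
        signals.append("freemail_sender")
    named_in_display = [n for n in EXECUTIVES if n in display.lower()]
    named_in_subject = [n for n in EXECUTIVES if n in subject.lower()]
    # An executive's name on an external address is impersonation; the same
    # name on the tenant's own domain is ordinary internal mail.
    if named_in_display and _domain(sender) != INTERNAL_DOMAIN:
        signals.append("exec_display_name")
    # The subject-line variant: the name moves out of From/Reply-To entirely.
    if named_in_subject and not named_in_display:
        signals.append("exec_in_subject")
    if reply_to and _domain(reply_to) != _domain(sender):
        signals.append("reply_to_mismatch")
    if CONTACT_LURE.search(body):
        signals.append("contact_request_lure")
    if len(body.split()) < 25:          # Request for Contact mails are terse
        signals.append("short_body")
    if recipient.split("@")[0].lower() in FINANCE_MAILBOXES:
        signals.append("to_finance_mailbox")

    score = sum(WEIGHTS[s] for s in signals)
    return {"signals": signals, "score": score,
            "verdict": "likely_bec" if score >= THRESHOLD else "benign"}


# Constructed sample messages, one per pattern plus a benign vendor mail.
SAMPLES = {
    "request_for_contact": b"""\
From: "Jane Doe" <jane.doe.ceo@gmail.com>
To: accounting@example-corp.invalid
Subject: Quick task

Are you available? I need a quick task handled today.
Send me your WhatsApp number so we can discuss.
Sent from my iPhone
""",
    "subject_impersonation": b"""\
From: "Payroll Notice" <notifications@mailer.example.invalid>
To: hr@example-corp.invalid
Subject: Jane Doe - urgent

I need you to handle a task for me today.
What's your mobile number?
""",
    "benign_invoice": b"""\
From: "Alice Vendor" <alice@vendor.example.invalid>
To: accounting@example-corp.invalid
Subject: Q4 invoice attached

Hi team, please find attached the Q4 invoice for the licensing renewal we
discussed last week. Let me know if purchase order 4471 still applies;
otherwise I will reissue the invoice under the new number. Thanks, Alice
""",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, score_bec(raw))
```

The scoring deliberately keeps each signal weak on its own: a freemail sender or a message to accounting is normal traffic, and only the combination with an impersonated name or a contact-request lure crosses the threshold. The subject-line case scores without any display-name match, which is the point of tracking that trend separately.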

 

What a BEC Email Looks Like

Luckily, Trustwave receives multiple samples of what threat actors use for their phishing attacks, so we can give you a quick look at how they look, read, and attempt to fool the recipient. Some emails were a bit more specific about the topic, such as a client request. In this example, the fraudster invites the victim to a meeting or discussion. This is used as a pretext to ask for the victim’s phone number.

Figure 3. Email example in which the fraudster invites the victim to a meeting or discussion.

 

Email Spam Types: December

Now let’s see how the various spam “themes” were used in December.

As noted earlier, phishing emails now comprise about 25% of all spam sent. This mass phishing capability is driven by PaaS platforms and other phishing kits.

Figure 4. Spam type distributions.

 

How Trustwave MailMarshal Protects Against Email-Based Attacks

Powered by advanced AI, MailMarshal is a Secure Email Gateway that blocks phishing, BEC, and malware threats that other solutions overlook, including complex threats hidden in images and QR codes.

MailMarshal’s Key Features:

  • Advanced Threat Detection: Leverages AI and machine learning to spot and contain the latest phishing, ransomware, and BEC threats.
  • Layered Defense: With 20+ security layers, MailMarshal captures over 99.99% of email-based threats.
  • Low False Positives: Maintains a false positive rate of less than 0.001%, reducing the time spent on investigating benign alerts.
  • Real-Time Threat Intelligence: Continuously updated with the latest threat intelligence from Trustwave’s global security team.
  • Flexible Deployment: Available on-premises, cloud, or hybrid, and integrates seamlessly with Microsoft 365.

 

Secure Your Email Now with Trustwave MailMarshal

Trustwave MailMarshal doesn’t just check the box—it transforms email security into a strategic advantage for organizations looking to protect against the ever-evolving threat landscape. By combining advanced technology and real-time intelligence, MailMarshal offers unmatched threat prevention, reduces risk, and strengthens security resilience across your organization.
