Phishing is the biggest cyber threat faced by businesses. Phishing emails are malicious email messages that use deception to obtain sensitive information or trick individuals into installing malware. During the pandemic, cybercriminals took advantage of COVID-19 trends and created phishing emails that spoofed trusted entities such as the World Health Organization (WHO) and the Centers for Disease Control and Prevention, offering up-to-date information on the coronavirus. Companies offering personal protective equipment (PPE) were impersonated when there was a shortage of supply, and recently pharmaceutical firms have been spoofed to send offers related to COVID-19 vaccines.

One of the primary aims of these scams is to obtain Microsoft 365 credentials, which give the attackers access to the treasure trove of data that is typically found in email accounts. The compromised email accounts are used in email impersonation attacks on other individuals in the organization, or in business email compromise (BEC) attacks to trick finance department employees into making fraudulent wire transfers. A single compromised Microsoft 365 account can give attackers the foothold they need for a much more extensive attack on the organization, with phishing emails the initial attack vector used to deliver ransomware.

These phishing emails can be difficult for employees to identify, even when they are provided with security awareness training. Once an email lands in an inbox, there is a high chance of that email being opened and an employee taking the action requested in the email, so it is essential for businesses to have an effective email security solution in place that can identify and block these malicious messages.

Malware Delivery via Email is Increasing

Recent research has shown that phishing emails are now the primary method used to deliver malware and the number of emails distributing malware is increasing. A study recently published by HP in its threat insights report shows 88% of malware is now delivered via email, with the volume of messages distributing malware increasing by 12% from the previous quarter. Many of these emails contain executable files that directly install the malware on devices or run malicious code that launches memory-only malware.

Traditional antivirus software solutions often fail to detect malware variants sent via email. Antivirus software is signature-based, so in order for malware to be detected, its signature must have been loaded into the AV software’s virus definition lists. If there is no signature, the malware will not be detected as malicious. The HP study showed almost a third of all phishing emails used to distribute malware involve previously unseen malware variants.

The threat groups conducting these phishing campaigns use obfuscation techniques and packers that allow malware to evade antivirus software. It typically takes an average of 8.8 days for the hashes of malware variants to be added to AV engines.


Blocking new malware variants is difficult, but not impossible. One of the ways that these emails can be detected is through the use of a sandbox. Email security gateways with sandboxes first scan inbound messages and check attachments using AV engines. Email attachments that are suspicious but are not determined to be malicious by the AV scan are then sent to the sandbox for in-depth analysis. Within the secure environment of the sandbox, the files are investigated for any malicious actions such as command and control (C2) callbacks.

No anti-malware controls will detect all malware variants, but using a spam filtering solution such as SpamTitan that uses sandboxing technology will greatly improve the malware detection rate and will help to keep your inboxes malware-free. SpamTitan also allows rules to be created for departments, job roles, and individuals that will further improve protection against malware attacks. Rules can be set to prohibit certain file types from being delivered to inboxes – the types of files that are commonly used to deliver or mask malware.

For instance, a recent phishing campaign conducted to distribute NanoCore malware used a .zipx (compressed) file to hide the malware from email security solutions, and JavaScript (.js) files are similarly used to install malware. Blocking these uncommon file types for individuals who do not need to run those files will also help to reduce risk.
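As an added illustration of the per-role attachment rules described above, the following is example code written for this page, not SpamTitan's or TitanHQ's implementation. It blocks the .zipx and .js types the article names (plus .exe, an assumed addition), lets an assumed "developers" role receive .js, and also looks inside ordinary .zip archives so that a blocked type cannot be smuggled in by wrapping it; the role names, the nesting limit and the size limit are assumptions.

```python
import io
import os
import zipfile
from dataclasses import dataclass

# Blocked attachment types: .zipx and .js come from the article; .exe is an assumed addition.
BLOCKED_EXTENSIONS = {".zipx", ".js", ".exe"}
# Assumed role exemptions: only developers may receive JavaScript files.
ROLE_EXEMPTIONS = {"developers": {".js"}}
MAX_ARCHIVE_DEPTH = 2            # assumed limit on zip-inside-zip nesting
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumed per-member size limit (zip-bomb guard)


@dataclass
class Verdict:
    allowed: bool
    reason: str


def final_extension(filename: str) -> str:
    """Return the effective (last) extension, lowercased, so 'Invoice.pdf.JS' -> '.js'."""
    name = filename.strip().rstrip(".")
    return os.path.splitext(name)[1].lower()


def evaluate_attachment(filename: str, data: bytes, role: str, depth: int = 0) -> Verdict:
    """Apply the per-role file-type policy; recurse into .zip archives up to MAX_ARCHIVE_DEPTH."""
    ext = final_extension(filename)
    if ext in BLOCKED_EXTENSIONS and ext not in ROLE_EXEMPTIONS.get(role, set()):
        return Verdict(False, f"{filename}: type {ext} is blocked for role {role!r}")
    if ext == ".zip":
        if depth >= MAX_ARCHIVE_DEPTH:
            return Verdict(False, f"{filename}: archive nested deeper than {MAX_ARCHIVE_DEPTH}")
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if member.is_dir():
                        continue
                    if member.file_size > MAX_MEMBER_BYTES:
                        return Verdict(False, f"{filename}: member {member.filename} too large")
                    inner = evaluate_attachment(member.filename, zf.read(member), role, depth + 1)
                    if not inner.allowed:
                        return Verdict(False, f"{filename} -> {inner.reason}")
        except zipfile.BadZipFile:
            # An archive that cannot be inspected is held rather than delivered.
            return Verdict(False, f"{filename}: archive could not be inspected")
    return Verdict(True, f"{filename}: allowed for role {role!r}")


def build_zip(members: dict) -> bytes:
    """Build a constructed in-memory zip archive for testing the policy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

A real gateway would run this before AV scanning and route anything it cannot inspect to the sandbox stage rather than silently dropping it.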

With phishing and malware attacks increasing, businesses need to ensure that their cybersecurity defenses are up to scratch and are capable of detecting and blocking these and other email and web threats. If you are receiving spam and phishing emails in your inboxes, have suffered a malware attack via email, or simply want to improve your defenses against email and web-based threats, give the TitanHQ team a call to find out more about cybersecurity solutions that can greatly improve your security posture at a very competitive price.