{"id":20471,"date":"2022-12-13T21:04:56","date_gmt":"2022-12-13T17:04:56","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/email-threats-in-2022\/20471\/"},"modified":"2022-12-13T21:04:56","modified_gmt":"2022-12-13T17:04:56","slug":"email-threats-in-2022","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/email-threats-in-2022\/20471\/","title":{"rendered":"E-mail threats in 2022"},"content":{"rendered":"<p>The pandemic reshaped the e-mail threat landscape. The mass shift to remote working, and the resulting move of most business communication online, stimulated a rise in both phishing and <a href=\"https:\/\/www.kaspersky.com\/blog\/what-is-bec-attack\/34135\/\" target=\"_blank\" rel=\"noopener nofollow\">BEC<\/a> attacks. The larger flow of business correspondence makes it far easier for cybercriminals to hide their e-mails among the stack of legitimate ones, so mimicking business correspondence has become a major attack vector. Many social-engineering tricks, such as a notification that urges the victim to respond to an e-mail ASAP, have also been given a new lease of life. 
The main trends that we\u2019ve observed in 2022 are as follows:<\/p>\n<ul>\n<li>A surge in spam mailings carrying malicious content intended to infect the victim\u2019s computer<\/li>\n<li>Active use in mass malicious mailings of social-engineering techniques more typical of spear phishing: adding signatures that mimic specific departments, using business language and context appropriate to the target company, piggybacking current events, and referring to real company employees<\/li>\n<li>Widespread spoofing: use of sender addresses whose domain names resemble the real ones of target organizations, differing by only a couple of characters<\/li>\n<\/ul>\n<p>As a result, the creators of malicious spam mailings have been able to disguise their messages as internal mail, as business correspondence between companies, and even as notifications from government agencies. Here are the most illustrative examples we\u2019ve come across this year:<\/p>\n<h2>Malware in e-mails<\/h2>\n<p>The main trend of the outgoing year has been malicious mailings disguised as business correspondence. To get the recipient to open an attachment or download a linked file, cybercriminals typically try to convince them that the e-mail contains business-relevant information, such as a commercial offer or an invoice for a delivery of goods. The malware is often placed in a password-protected archive, with the password given in the body of the message: the encryption stops a mail gateway from inspecting the contents, while the human recipient can still open the archive.<\/p>\n<p>For example, throughout the whole year we encountered the following scheme: attackers gained access to genuine business correspondence (most likely by stealing it from previously infected computers) and sent new e-mails to all participants of a thread, with malicious files or links attached. In other words, they were able to continue an existing conversation in a plausible way. 
This ruse makes malicious e-mails harder to spot and increases the likelihood that the victim will fall for it: the message arrives from a known correspondent, in a thread the victim has already been part of.<\/p>\n<p>In most cases, when a malicious document is opened, either the <a href=\"https:\/\/securelist.com\/qakbot-technical-analysis\/103931\/\" target=\"_blank\" rel=\"noopener\">Qbot<\/a> or <a href=\"https:\/\/securelist.com\/emotet-modules-and-recent-attacks\/106290\/\" target=\"_blank\" rel=\"noopener\">Emotet<\/a> Trojan is loaded. Both can steal user data, harvest information about the corporate network, and distribute other malware such as ransomware. In addition, Qbot can access the victim\u2019s mailbox and steal messages, so it also serves as the source of stolen correspondence for the next round of attacks.<\/p>\n<p>As the end of the year approaches, the pretexts used in malicious e-mails are becoming ever more inventive. For example, in early December, scammers posing as a charity asked victims to donate their old equipment. To take part in this noble venture, the victim had to download a file supposedly containing the list of accepted devices. In fact, the attachment was a malicious executable hidden in a password-protected archive.<\/p>\n<p>In another campaign, attackers sent out tens of thousands of archives disguised as invoices and containing a backdoor Trojan that gives the attackers remote control over the infected computer. Most interestingly, the attached archives had extensions like .r00, .r01 and so on: the numbered extensions that older versions of RAR give to the volumes of a split archive. It\u2019s likely that the creators wanted to pass the attachment off as one part of a large multi-volume archive in order to slip past automatic protection systems that block only a fixed list of file extensions. A filter that identifies a file by its content rather than by its name is not fooled by this.<\/p>\n<h2>Fake government notifications<\/h2>\n<p>E-mails imitating official notifications from ministries and other government departments have become more frequent this year. This trend is especially noticeable in the Russian-language segment of the internet. 
E-mails of this type are tailored to the profile of the specific organization. The sender address usually resembles the department\u2019s real domain, and the malicious attachment usually bears a plausible title, such as \u201cComments on the results of the meeting\u201d. One such attachment contained code to exploit a vulnerability in Equation Editor, a legacy component of Microsoft Office that Microsoft removed in 2018, so the exploit works only on installations that have not been updated since.<\/p>\n<h2>Piggybacking current events<\/h2>\n<p>In the Russian-language segment of the internet, we also saw a surge in malicious e-mail activity built on the current news agenda. For example, in October, cybercriminals distributed malware under the guise of call-up orders, exploiting Russia\u2019s \u201cpartial mobilization\u201d. The e-mails cited the Russian Criminal Code, used the heraldry and style of the Ministry of Defense, and prompted the recipient to download the order via the link provided. In fact, the link pointed to an archive containing a script that dropped an executable file onto the computer and ran it.<\/p>\n<p>In addition, we recorded an e-mail purporting to come from Russian law enforcement agencies. The message invited the victim to download a \u201cnew solution\u201d to protect against online threats from \u201chostile\u201d organizations. In reality, the program that got installed on the computer was a ransomware Trojan.<\/p>\n<h2>How to stay safe<\/h2>\n<p>Cybercriminal schemes become more sophisticated each year, and the methods of mimicking business correspondence more convincing. So to keep your corporate infrastructure protected against e-mail attacks, pay attention to organizational measures as well as technical ones. 
In other words, besides having security solutions both at the <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/mail-server?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksms___\" target=\"_blank\" rel=\"noopener nofollow\">corporate mail server<\/a> level and on all internet-connected <a href=\"https:\/\/me-en.kaspersky.com\/small-to-medium-business-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">devices<\/a>, we recommend regular <a href=\"https:\/\/k-asap.com\/en\/?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">cybersecurity awareness training<\/a> for employees. A few checks follow directly from the tricks described above. Publish SPF, DKIM and DMARC records for your own domains and enforce them on inbound mail: this stops direct spoofing of your domain, but a lookalike domain registered by the attacker passes those checks, so it needs a separate check for sender domains a few characters away from your own and your partners\u2019 domains, plus visible marking of external senders. Treat password-protected archives, and attachments whose content does not match their extension, as suspicious: a gateway cannot scan what it cannot open. And teach employees that a reply in an existing thread is no guarantee of legitimacy, so that any unexpected request for a payment or a file download is confirmed through a channel other than e-mail.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What tricks were most popular with malicious e-mail senders in 2022?<\/p>\n","protected":false},"author":2704,"featured_media":20472,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917],"tags":[2176,1815,76,692],"class_list":{"0":"post-20471","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-bec","11":"tag-e-mail","12":"tag-phishing","13":"tag-trojans"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/email-threats-in-2022\/20471\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/email-threats-in-2022\/24974\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/email-threats-in-2022\/27541\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/email-threats-in-2022\/25305\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/email-threats-in-
2022\/26033\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/email-threats-in-2022\/28418\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/email-threats-in-2022\/27451\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/email-threats-in-2022\/34405\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/email-threats-in-2022\/46582\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/email-threats-in-2022\/20133\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/email-threats-in-2022\/20731\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/email-threats-in-2022\/29783\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/email-threats-in-2022\/33023\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/email-threats-in-2022\/28757\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/email-threats-in-2022\/25677\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/email-threats-in-2022\/31352\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/email-threats-in-2022\/31054\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/e-mail\/","name":"e-mail"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20471","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2704"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=20471"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20471\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/20472"}]
,"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=20471"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=20471"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=20471"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
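The post above describes three evasions that an extension- or name-based filter misses: sender domains a couple of characters away from a real one, attachments renamed to split-RAR volume extensions (.r00, .r01, ...) to slip past extension blocklists, and malware wrapped in password-protected archives. The following Python script is an added example of how a mail-triage hook can check for all three by looking at content rather than names; it is not code from the Kaspersky post or from any Kaspersky product. The trusted-domain list, the sample addresses and the byte strings are constructed for the example; the file signatures are the published magic numbers of RAR 4, RAR 5, ZIP, 7-Zip and Windows PE files.

```python
"""Added example (not code from the Kaspersky post): three triage checks for
the e-mail tricks the post describes.

  lookalike_domain()   From: domain a couple of edits away from a trusted one
  sniff_container()    identify an attachment by its leading bytes, so names
                       like .r00/.r01 cannot hide what the file really is
  zip_is_encrypted()   spot a password-protected ZIP, the usual malware wrapper

TRUSTED_DOMAINS and every sample value are constructed for this example.
"""
import re
import struct
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com", "example-partner.com"}  # constructed

# Look-alike characters attackers substitute; folded back before measuring
# distance so "examp1e.com" and "exarnple.com" are caught as well.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def _normalise(domain: str) -> str:
    d = domain.lower().rstrip(".").translate(_HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def lookalike_domain(header_from: str, max_distance: int = 2):
    """Return (sender_domain, trusted_domain, distance) when the From: domain
    is a near miss of a trusted domain, else None.  Exact matches and real
    subdomains (mail.example.com) are not look-alikes.  Distance 0 means the
    domains differ only by homoglyphs."""
    _, addr = parseaddr(header_from)
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    norm = _normalise(domain)
    best = min(TRUSTED_DOMAINS, key=lambda t: levenshtein(norm, t))
    dist = levenshtein(norm, best)
    return (domain, best, dist) if dist <= max_distance else None


# Leading bytes of the containers that matter here (published magic numbers).
_SIGNATURES = (
    (b"Rar!\x1a\x07\x00", "rar4"),
    (b"Rar!\x1a\x07\x01\x00", "rar5"),
    (b"PK\x03\x04", "zip"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"MZ", "pe"),
)
_ARCHIVE_KINDS = {"rar4", "rar5", "zip", "7z"}
_ARCHIVE_EXTS = {"rar", "zip", "7z"}
_SPLIT_RAR_VOLUME = re.compile(r"\.r\d{2}$", re.IGNORECASE)  # .r00, .r01, ...


def sniff_container(data: bytes):
    """Identify a file by its first bytes; None when no known marker matches."""
    for magic, kind in _SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag word (offset 6 of the first local
    file header) is set when that entry is password-protected."""
    if sniff_container(data) != "zip" or len(data) < 8:
        return False
    (flags,) = struct.unpack_from("<H", data, 6)
    return bool(flags & 1)


def attachment_verdict(filename: str, data: bytes) -> str:
    """Classify an attachment by its content, not by the name the sender chose."""
    kind = sniff_container(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind == "pe":
        return "executable" if ext == "exe" else "executable under non-exe name"
    if kind in _ARCHIVE_KINDS:
        if _SPLIT_RAR_VOLUME.search(filename):
            return "archive named as split-RAR volume"
        if ext not in _ARCHIVE_EXTS:
            return "archive under non-archive extension"
        return "encrypted archive" if zip_is_encrypted(data) else "archive"
    return "unknown"


if __name__ == "__main__":
    print(lookalike_domain("Accounting <billing@examp1e.com>"))
    print(attachment_verdict("invoice_2022.r00", b"Rar!\x1a\x07\x00" + bytes(16)))
```

The domain check deliberately treats a homoglyph-only difference as distance 0 and still reports it, since that is the hardest variant for a human reader to notice; the threshold of two edits matches the "differing only by a couple of characters" pattern in the post, and raising it quickly produces false positives on short domains. The attachment check reads only the first bytes of the file, so it is cheap enough to run on every message, and it does not need the password to recognise an encrypted ZIP: the flag lives in the unencrypted local file header. RAR encryption is not detected here, and an attachment that is itself inside an encrypted archive is exactly what a gateway cannot see, which is why the post recommends training alongside filtering.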