Reflecting on 2020’s record-breaking year of spam and inbox threats.
Purging your inbox has become a year-end tradition for many. A short hiatus for the holidays often provides a quiet moment to flush the previous year’s mountain of spam. And, from the looks of our 2020 inbox, years of herculean efforts to harden email defenses have fallen short. The most-targeted business attack vector continues to be our inboxes.
So, as we take a collective deep breath before plunging into 2021, here is look at past, present and future inbox threats and trends.
In 2020, our spam folders bulged with malware-laced emails, phishing lures linking to ransomware schemes, impersonation attacks, spoofed brand and fake domain missives, and dubious requests from legit-sounding companies. So, what defined 2020 in spam?
A Banner Year for Spam
COVID-19 was a dominant theme for spammers and phishers – a trend predicted to continue into 2021. As companies sent millions of cubicle workers to their home offices, they were left to fend for themselves when it came to being judge, jury and deleter of email. That alone was worry enough for some infosec professionals.
“Many global corporations have been forced to adopt remote-working policies for office-based employees to help ensure the safety of the workforce during the COVID-19 pandemic, and threat actors have followed them home,” wrote Mimecast in its yearly roundup on email trends.
The work-from-home reality created a wave of new criminal opportunities. Crooks changed their attacks quickly to reflect job insecurity, health concerns and product shortages. Cyberattackers reached a peak in April, sending 1.5 million malicious emails per day related to COVID-19, according to Forcepoint X-Labs.
Next, up the popularity of collaborative business tools, such as Zoom, Skype and Trello, spurred on by the work-from-home trend, triggered a flood of inbox attacks. A typical ploy circulated earlier this month when attackers sent malicious Zoom-themed initiations via email, text and social media messages. The goal was to steal credentials for the videoconferencing platform.
The other big trend in phishing lures? You guessed it – the 2020 United States presidential election. The hype gave crooks ample bipartisan opportunities to use inboxes to spread both misinformation and malware.
Beyond the Grift
Beyond inbox impersonation fraud, business email compromise (BEC) and email phishing attacks, criminals leveraged clever technical traps to ensnare victims.
A phishing campaign in September used overlay screens and email-quarantine policies to steal targets’ Microsoft Outlook credentials. In April, Apple patched two zero-day security vulnerabilities actively exploited by threat actors for the previous two years. The bugs were remotely exploitable by attackers who, in order to exploit, simply needed to send an email to victims’ default iOS Mail application on their iPhone or iPad to launch their attack.
Malicious attachments, once again, were dominant inbox attack vectors.
This year researchers at Kaspersky reported an uptick of malicious files disguised as notifications from delivery services. “We uncovered a mailing targeting employees connected to sales in some capacity. The scammers persuaded recipients to open the attached documents supposedly to pay customs duties for the import of goods. Instead of documents, the attachment contained [malware] Backdoor.MSIL.Crysan.gen,” they wrote.
The 2020 Verizon Data Breach Investigations Report (DBIR) found that malicious email attachments were the leading cause of data breaches and ransomware attacks. But email links beat out attachments as the most-used vector for infection, with 40 percent of attacks using this method.
As threat groups hone their attacks — researching and testing out new tactics, techniques and procedures — the tools to protect our inboxes have seen near-Manhattan Project levels of investment over the years. Still, attacks such as BEC contributed to massive losses for companies in 2020. In the past five years BEC attacks have cost business $26 billion, according to the FBI.
That’s driven the popularity of solutions such as Domain-based Message Authentication, Reporting and Conformance (DMARC) – an authentication protocol sometimes called a zero-trust email model. DMARC is designed to give email domain owners the ability to protect their domain from unauthorized use. Of course DMARC is not new, but as impersonation attacks continue to rack up victims, it’s a technology getting a lot of second looks.
Microsoft, who dominates the email provider space with its Microsoft 365 office productivity suite, also made attempts to help with the inbox deluge. This year, it rolled out a beta version of its Application Guard for Office, which isolates Office 365 productivity application files (including Word, Powerpoint and Excel) that are potentially malicious.
But still, Mimecast researchers believe Microsoft is leaving room for improvement. In a study of Microsoft customers, the firm found nearly 60 percent of respondents said they suffered a Microsoft 365 service outage over the past year. That creaked open the door to attacks, researchers argue.
“At present there is no in-built or inherent business continuity within Microsoft 365 services should there be an interruption to Microsoft cloud services via common attack methodologies, such as a denial-of-service attack, a datacenter hardware failure, or other form of interruption in relation to their cloud services,” Mimecast researchers wrote.
“If there’s even a short outage, users are more likely to bypass corporate security with personal email accounts to conduct business,” they added.
That creates a thinner human-based line of defense — something that makes a system administrator’s hair stand on end.
The TL;DR on spam threats past, future and present can be summed up in this dichotomy.
As employees, we are both fiercely guarded, skeptical – if not paranoid – users of email. But we are infinitely human and vulnerable to the foibles of emotion and impulsive behavior. Add to that our sometimes misguided trust and understanding of security tools — for example, VPNs protect connections, but can’t filter a spear-phishing attack — and inboxes become the soft underbelly of our cybersecurity armor.
Tech-based inbox security solutions and state and federal anti-spam laws can only solve part of the problem. A recent Iomart study of U.K. businesses found that only eight percent of firms offer regular security training to remote workers.
“Many businesses would not survive the operational — let alone financial — impact of a data breach. By understanding the potential risk and introducing positive behavior around cyber-awareness, they have a much better chance of surviving an incident,” wrote Bill Strain, security director at Iomart.
While some pin hopes on 2021 to herald new inbox-protection technologies such as advanced artificial intelligence to weed out threats, the reality is the bad guys are using the same core defensive tech to build offensive weapons. If 2o21 is anything like 2020, we are all going to have to keep on our toes.
Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World , sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!