It’s that time of year when we make our predictions about the biggest email security threats that will emerge in the coming year. Vade experts weigh in on the threats that will have the biggest impact on businesses in 2021.
1. Thread hijacking will grow
A technique featured in the wave of Emotet malware attacks that began in July 2020, thread hijacking is a formidable email security threat that will grow in prominence, according to Sébastien Goutal, Chief Science Officer at Vade.
“The technique,” Goutal said, “consists of using existing email conversations with victims to spread to new victims.” Using tools like Outlook Scraper, Emotet gangs obtain access to email threads on infected computers. “Once inside,” Goutal said, “hackers inject themselves into threads and ask recipients to click on a malicious link or open a weaponized Word document.”
According to Goutal, thread hijacking is highly successful for two reasons: first, the malicious email is sent from a trusted sender (the user whose email is infected); second, the context of the existing discussion lowers the guard of the targeted recipients.
Additionally, Goutal says we can expect to see an increase in other advanced techniques featured in Emotet campaigns, including techniques that bypass AV engines, such as VBA macro code obfuscation in Word documents.
2. Remote image-based threats will push email security filters to their limits
Building on the success of image manipulation techniques for bypassing email filters, hackers are now using remote images to store malicious textual content, according to Damien Riquet, Research Engineer at Vade. Unlike images embedded in an email, remote images, Riquet says, must be fetched over the network. Fetching and analyzing a remote image is complex and time-consuming, and it cannot be done in real time while the email is being filtered. Below are some of the techniques hackers are using to confuse email filters with remote images:
- Use of unique URLs to make URL blacklisting inefficient
- Use of multiple redirections to slow down fetching of the image
- Use of cloaking techniques to make fetching of the image ineffective
- Hosting of the final malicious remote images on a high reputation domain (wikipedia.com, github.com, etc.) so that it is impossible to blacklist the final domain
- Less textual content in the image to make OCR (Optical Character Recognition) and NLP (Natural Language Processing) techniques less effective
While computer vision can analyze and extract relevant content from images, Riquet says, it’s expensive, CPU-intensive, and not widely available in commercial email filters. Because of this, we can expect to see more hackers using remote images in 2021.
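The indicators listed above can be turned into a cheap pre-filter that runs before any image is fetched. The following script is an added example and is not Vade's code: it parses an HTML body offline, collects remotely hosted image sources, counts how much visible text is left for OCR or NLP to work with, and flags image URLs whose file name looks like a per-recipient token (long, high-entropy). Thresholds, the `example.test` hosts and both sample bodies are constructed for the demonstration; following redirections and detecting cloaking happen at fetch time and are deliberately out of scope.

```python
"""Heuristic triage of emails that carry their content in remote images.

Constructed example (not Vade's code). Parses an HTML body offline, collects
remotely hosted <img> sources, measures the visible text that remains for
OCR/NLP, and flags image URLs whose file name looks unique (long, high-entropy).
"""
import math
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _BodyScanner(HTMLParser):
    """Collects remote image URLs and the visible text of an HTML body."""

    def __init__(self):
        super().__init__()
        self.image_urls = []
        self.text_chunks = []
        self._skip_depth = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
        elif tag == "img":
            src = (dict(attrs).get("src") or "").strip()
            if src.lower().startswith(("http://", "https://")):
                self.image_urls.append(src)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.text_chunks.append(data)


def shannon_entropy(token: str) -> float:
    """Bits per character; a 32-hex-digit token scores close to 4.0."""
    if not token:
        return 0.0
    counts = {}
    for ch in token:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_unique(url: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """True when the file-name part of the URL looks like a per-recipient token."""
    name = urlparse(url).path.rsplit("/", 1)[-1].rsplit(".", 1)[0]
    return len(name) >= min_len and shannon_entropy(name) >= min_entropy


def analyze_html_body(html: str, min_words: int = 25) -> dict:
    """Returns remote-image indicators for one HTML body (thresholds are assumptions)."""
    scanner = _BodyScanner()
    scanner.feed(html)
    scanner.close()
    words = re.findall(r"[A-Za-z]{2,}", " ".join(scanner.text_chunks))
    indicators = []
    if scanner.image_urls and len(words) < min_words:
        indicators.append("remote_image_little_text")  # little for OCR/NLP to analyze
    if any(looks_unique(u) for u in scanner.image_urls):
        indicators.append("unique_looking_image_url")  # URL blacklisting will not help
    return {
        "remote_images": len(scanner.image_urls),
        "visible_words": len(words),
        "hosts": sorted({urlparse(u).hostname or "" for u in scanner.image_urls}),
        "indicators": indicators,
        "verdict": "review" if indicators else "ok",
    }


# Constructed sample bodies (example.test domains are placeholders).
SUSPICIOUS_BODY = """<html><body><p>See below</p>
<a href="https://login.example.test/x"><img src="https://cdn.example.test/i/a1b2c3d4e5f60718293a4b5c6d7e8f90.png" alt=""></a>
</body></html>"""

NEWSLETTER_BODY = """<html><body><p>Hello team, here is the monthly newsletter. This month we cover the release
schedule, the office move, the new parking policy, and the holiday calendar for the
rest of the year. Reply to this message if you have questions.</p>
<img src="https://www.example.test/logo.png" alt="logo"></body></html>"""

if __name__ == "__main__":
    for label, body in (("suspicious", SUSPICIOUS_BODY), ("newsletter", NEWSLETTER_BODY)):
        print(label, analyze_html_body(body))
```

The verdict is only a triage signal: a newsletter with a tracking pixel can also carry a unique image URL, so in practice the indicators feed a score together with sender reputation and authentication results rather than blocking on their own.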
3. Compromised accounts will present new opportunities
Compromised accounts are at the heart of the thread hijacking techniques in this year’s Emotet attacks. But they’re also being used in increasingly clever ways, including massive spam waves.
In November, Vade detected a wave of malicious spam coming from compromised accounts. According to Adrien Gendre, Chief Product and Services Officer at Vade, the technique involves using a compromised account to deposit the spam email directly in the mailbox over IMAP.
“With compromised account credentials,” Gendre said, “the spammer connects to the compromised user’s account via IMAP to deposit the spam email.” In one day, Gendre said, Vade detected more than 300,000 spam emails delivered using the compromised account method. “This technique allows a hacker to completely bypass an email filter, and without post-remediation capabilities, it’s very difficult to block,” Gendre said. “The success we’re seeing,” he continued, “leaves no question that this threat, and the scramble to stop it, will continue throughout 2021.”
Additionally, although this method of attack is largely directed at consumers, Gendre expects it to appear in the business market. “Microsoft 365 has around 258 million business users,” Gendre said, “and adoption isn’t slowing down. I fully expect hackers to leverage Microsoft’s API to bypass border security with this new method.”
Businesses that rely on border security for Microsoft 365, including gateways, won’t be able to stop these attacks. “A solution that is integrated via API with Microsoft is becoming a requirement. An email security solution that is integrated with Microsoft can remove malicious emails from inboxes post-delivery. Gateways and other types of border security cannot do that.”
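A message that is deposited over IMAP never crosses the gateway, so the only place it can be caught is inside the mailbox, after delivery. The following script is an added example, not Vade's or Microsoft's code, of what such a post-delivery sweep can check. It assumes a hypothetical gateway that stamps every message it has scanned with an `X-Gateway-Stamp` header holding an HMAC-SHA256 over the Message-ID under a secret shared only with the auditor; a message placed directly in the mailbox carries no valid stamp and is returned for removal. The header name, the key and the three sample messages are constructed for the demonstration.

```python
"""Post-delivery audit for mail placed in a mailbox without passing the gateway.

Constructed example, not Vade's code. Assumes a hypothetical gateway that adds an
HMAC header (X-Gateway-Stamp) over the Message-ID of every message it scans, using a
secret shared with the mailbox-side auditor. Mail deposited directly over IMAP has
no valid stamp, so an API-driven sweep of the mailbox can single it out.
"""
import hashlib
import hmac
from email import message_from_string

STAMP_HEADER = "X-Gateway-Stamp"  # hypothetical header name, not a standard one
KEY = b"constructed-demo-secret-do-not-reuse"  # in production: a managed secret


def compute_stamp(message_id: str, key: bytes) -> str:
    """HMAC-SHA256 over the whitespace-trimmed Message-ID, hex encoded."""
    return hmac.new(key, message_id.strip().encode(), hashlib.sha256).hexdigest()


def stamp_message(raw: str, key: bytes) -> str:
    """What the hypothetical gateway does to every message it has scanned and forwarded."""
    msg = message_from_string(raw)
    msg[STAMP_HEADER] = compute_stamp(msg.get("Message-ID", ""), key)
    return msg.as_string()


def audit_message(raw: str, key: bytes) -> str:
    """Classifies one delivered message: 'ok', 'no_gateway_stamp' or 'bad_gateway_stamp'."""
    msg = message_from_string(raw)
    message_id = msg.get("Message-ID", "")
    stamp = msg.get(STAMP_HEADER)
    if not message_id or stamp is None:
        return "no_gateway_stamp"  # never scanned, e.g. deposited over IMAP
    if not hmac.compare_digest(stamp.strip(), compute_stamp(message_id, key)):
        return "bad_gateway_stamp"  # header present but forged or copied from another message
    return "ok"


def audit_mailbox(raw_messages, key: bytes):
    """Returns (Message-ID, verdict) for every message that did not verify."""
    flagged = []
    for raw in raw_messages:
        verdict = audit_message(raw, key)
        if verdict != "ok":
            message_id = message_from_string(raw).get("Message-ID", "").strip()
            flagged.append((message_id, verdict))
    return flagged


# Constructed sample messages (example.test domains are placeholders).
PARTNER_RAW = """From: Alice <alice@partner.example.test>
To: bob@corp.example.test
Subject: Invoice 42 attached
Message-ID: <1001@partner.example.test>

Hi Bob, the invoice is attached as discussed.
"""

DEPOSITED_RAW = """From: Promo Desk <promo@bulk.example.test>
To: bob@corp.example.test
Subject: Your account was selected
Message-ID: <2002@bulk.example.test>

Sample bulk message body (constructed).
"""

FORGED_RAW = """From: Promo Desk <promo@bulk.example.test>
To: bob@corp.example.test
Subject: Second notice
Message-ID: <3003@bulk.example.test>
X-Gateway-Stamp: 00000000000000000000000000000000

Sample bulk message body with a made-up stamp (constructed).
"""

# The first message went through the gateway and was stamped; the other two did not.
MAILBOX = [stamp_message(PARTNER_RAW, KEY), DEPOSITED_RAW, FORGED_RAW]

if __name__ == "__main__":
    for message_id, verdict in audit_mailbox(MAILBOX, KEY):
        print(message_id, verdict)
```

The point of the HMAC is that a plain marker header, or a copied `Received:` line, can be included in whatever the attacker appends over IMAP; only a value derived from a secret the attacker does not hold lets the mailbox-side sweep trust the stamp. The sweep itself has to run with API access to the mailbox, which is exactly the post-delivery capability a border gateway lacks.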
4. Business email compromise will go global
The growth in business email compromise (BEC) and the difficulty of detecting it have led to new advances in content analysis via artificial intelligence. However, most algorithms struggle to detect BEC written in foreign languages.
“Initially,” Goutal said, “there was a lot of BEC in English and French. Now we are seeing BEC written in Italian, Spanish, German, Slovenian, etc. This is a problem because a lot of security vendors focus on English language only, as they are US-based companies.”
According to Goutal, most algorithms are “English first,” and so the algorithms are naturally more capable in their mother tongue. “Vendors need to address BEC written in other languages,” said Goutal. “But,” he continued, “it requires a major update to their detection engine. This is both time and resource-intensive. The resulting vacuum will result in growth of BEC written in foreign languages while vendors struggle to catch up. Until then, I expect to see more BEC emails written in the target language.”
The typologies of BEC are also growing, according to Goutal. While most BEC scams previously centered on CEO fraud, gift card scams, and W2 harvesting, we’re seeing other typologies emerge, including lawyer, payroll, and banking fraud.
Additionally, targeted BEC attacks will give way to more broad attempts. Previously, BEC emails would target key employees in certain departments, such as accounting and HR. “That’s changing,” Goutal said. “Today, a single email can target 20-30 employees in a five-minute time frame. I expect to see this technique grow in the coming year.”
Finally, while most BEC emails feature a sense of urgency to get a victim’s attention, this will give way to more subtle messages, according to Romain Basset, Head of Channel Sales at Vade.
“Subtle requests are becoming more common,” said Basset. “Well-crafted requests, such as company news from HR or messages about promotions and business travel, appear more credible and are less likely to set off alarms. The purpose is to both start a conversation and trick the email filter. Once the conversation is initiated, many filters will automatically whitelist the email, allowing all future BEC emails with the hacker to go undetected.”
5. Vendor impersonation will exploit trust in cloud services
Accustomed to receiving emails with Word, PowerPoint, and Excel attachments or links to shared Microsoft 365 documents, users trust Microsoft and the other cloud services they use most. Even if an email is suspicious, curiosity will always be piqued by an attachment. This makes users extremely vulnerable to vendor impersonation, in which a hacker impersonates a partner in the supply chain.
“Attackers preying on users’ trust of Microsoft services, for instance, in phishing attacks, has proven the model for identifying business partners who can be impersonated within spear phishing attacks,” said E.J. Whaley, Channel Sales Engineer at Vade. “Rather than the CEO being impersonated,” Whaley said, “it will be your accounts payable contact from one of your vendors. I think we will continue to see more and more supply chain partners being impersonated.”
6. Hackers—and businesses—will get personal
Pandemic fatigue. Wildfires. Elections. Social tensions. The anxiety and stress of global events are taking a toll on citizens across the world. According to Riquet, hackers have exploited this fact to great effect in 2020 and will continue to do so in the coming year.
“We expect that in 2021 there will be more cyberattacks that use psychological tricks on a variety of subjects to leverage the emotional fragility of users,” Riquet said. COVID-19 drove many of the current-event-based email attacks in 2020, and with the pandemic now reaching into 2021, we expect to see the trend continue.
“Event-based attacks are successful because millions of people around the world are all experiencing the same thing, whether good or bad,” said Gendre. “They’re becoming so common that we’ve developed a feature that enables our customers to search their email logs for threats based on current events, including Black Friday and COVID-19. When they know they’re being targeted, and how, they can warn their customers and employees to watch out for the threats. It’s a sort of ‘heads-up’ you don’t typically get when it comes to malicious emails.”
Hackers aren’t the only ones who recognize the value of human behavior in cybersecurity. While people are widely considered the weakest link in email security, when a vendor fails to block an attack, people become the last line of defense. Because of this, Basset says, vendors will increasingly move toward a human-centric approach to cybersecurity in 2021.
“Both vendors and end-client organizations now seem to understand that cybersecurity cannot solely rely on technology,” he said. “End users, while the targets, have to become allies.” While increased focus on and investment in cybersecurity awareness is a start, solutions that empower users to influence the technology, including feedback loops and automated awareness training, will enable better detection and mitigation.