2m malicious emails bypass secure gateways in 12 months

Two million malicious emails bypassed traditional email defences, between July 2020-July 2021, according to a new report from Human Layer Security company Tessian.

The emails were flagged by inbound email security tool Tessian Defender as malicious and analysed by Tessian researchers to reveal the tactics cybercriminals use to carry out advanced spear-phishing attacks that bypass defences.

During this time period the retail industry was targeted most often, with the average employee in this sector receiving 49 malicious emails a year. This is significantly higher than the overall average of 14 emails detected per user, per year. Employees in the manufacturing industry were also identified as major targets, with the average worker receiving 31 malicious emails a year.

Are cybercriminals becoming more sophisticated? 

To evade detection, attackers have been using impersonation techniques. The most common tactic was display name spoofing (19%), whereby the attacker changes the sender’s name and disguises themselves as someone the target recognises. Domain impersonation, whereby the attacker sets up an email address that looks like a legitimate one, was used in 11% of threats detected by Tessian. 

The brands most likely to be impersonated in the emails detected between July 2020 and July 2021 were Microsoft, ADP, Amazon, Adobe Sign and Zoom. 

Account takeover attacks were also identified as a major threat, an attack vector that, on average, costs businesses $12,000. In this case, the malicious emails come from a trusted vendor or supplier’s legitimate email address, and likely won’t be flagged by a secure email gateway as suspicious. Tessian data found that account takeover comprised 2% of malicious emails analysed, and the legal and financial services industries were targeted most by this type of attack.

Staying aware and taking an advanced approach 

Tessian found that less than one-quarter (24%) of the emails flagged contained an attachment. In addition, 12% of malicious emails contained neither a URL or file – a sign that attackers are moving away from using typical indicators of an attack. Links, however, do still prove to be a popular and effective payload, with almost half (44%) of malicious emails containing a URL.

Most malicious emails were delivered around 2pm and 6pm and attackers also capitalised on specific times of the year. Tessian found the biggest spike in malicious emails immediately before and following Black Friday, a time when many people expect to receive a surge of emails touting deals. 

“Gone are the days of the bulk spam and phishing attacks, and here to stay is the highly targeted spear phishing email. Why? Because they reap the biggest rewards,” said Josh Yavor, Tessian’s Chief Information Security Officer.

“The problem is that these types of attacks are evolving every day. Cybercriminals are always finding ways to bypass detection and reach employees’ inboxes, leaving people as organisations’ last line of defence. It’s completely unreasonable to expect every employee to identify every sophisticated phishing attack and not fall for them. Even with training, people will make mistakes or be tricked. Businesses need a more advanced approach to email security to stop the threats that are getting through - the attacks that are causing the most damage - because it’s not enough to rely on your people 100% of the time.”