In 2020, we saw firsthand how quickly threat actors can evolve to leverage rapidly changing local and world events. The pandemic and the 2020 U.S. election had a dramatic effect on how malicious actors coordinated and distributed their email attacks. Zix | AppRiver Security analysts sought to assess exactly how these bad actors shifted their tactics last year to take advantage of this unprecedented period of time.
The Zix | AppRiver Global Security Report for 2020 takes a deep dive into the top threats and trends in email security. We will be breaking down three of the major attack shifts we saw this year.
#1: Business Email Compromise (BEC) Attacks Persist with New Tactics
Bad actors used thousands of stolen email credentials to launch attacks from familiar and trusted sources, and impersonation attacks persisted with new theme variations. Attackers abused SendGrid (acquired by Twilio) to launch phishing attacks quite extensively in the latter half of 2020, to the point that researchers began seeing SendGrid IP’s being blocked by third-party RBL’s such as Spam Haus.
Scammers also increasingly attempted to gain cell phone numbers from unsuspecting victims in order to circumvent any edge gateways or email filtering defenses by obtaining a direct line of communication to the recipient.
#2: Malware Threats Continued Evolution Toward More Chained Attack Techniques
The volume of malware being delivered via attachment was down overall from last year as malicious actors opted for more targeted attacks versus the scattergun tactic Zix | AppRiver Security analysts saw in previous years. Excel files (XLS, XLSM) were favored over Word files as the most used attack vector. However, word files were still heavily relied upon throughout 2020.
Malware threats continued their evolution toward more chained attack techniques. Analysts observed the use of Remote Access Trojans increase which often led to the subsequent download of a banking trojan and/or ransomware. Malware-as-a-service options also became even more accessible on underground markets.
#3: 2020 Set New Records with Countless Billions of Company Records Breached
The most notable breach of 2020 was announced in December when Microsoft and FireEye confirmed an ongoing supply chain attack of SolarWinds’s Orion IT monitoring and management software. It is estimated that 18,000 organizations downloaded the ‘trojanized’ SolarWinds Orion versions.
According to The Cybersecurity and Infrastructure Security Agency (CISA)’s January 8th report, the SolarWinds hackers used the Microsoft 365 and Azure tools of the companies in their targeted attacks. Investigators are currently working to piece together exactly how Office 365 was used. However, the fact that it was exploited in any capacity shows that businesses can’t rely on Office 365’s built-in email threat protection to defend against digital threats.
Other prominent 2020 breaches included Walgreens, T-Mobile, and Keepnet Labs. Credential stuffing and password spraying attacks were also popular, proving that taking precautions such as utilizing a password management app is critical for employees to protect themselves and the business.
In 2020, we saw how attackers embraced the use of more targeted attacks versus the large volume email blasts of the past and escalated their use of “living of the land” (LOtL) style phishing attacks, which attempt to fly under the radar by utilizing native tools that already exist in the target environment.
The disruptions of COVID-19 will continue to impact and serve as a catalyst for bad actors, with vaccine-themed attacks growing in popularity. Additionally, supply chain attacks will become more common. We have only just begun to see the fallout from the SolarWinds compromise, but it perfectly captures the risk companies face from e-crime groups and state-sponsored actors alike.
Security teams must remain alert for personalized phishing attacks and evolving ransomware tactics as they prepare for the “new normal” work landscape and defenses evolve to meet the demands of in-office, work from home, and hybrid-model work scenarios.
To learn more about the state of email cybersecurity over the past year as well as the rest of our predictions on what attacks we will see in 2021, download the full 2020 Global Security Report here.