Email Security in 2024: Navigating the Evolving Threat Landscape

Email remains a primary battleground for both defenders and attackers, and it’s evident that we’re experiencing new challenges and complexities at the forefront of the battle, driven by rapid advancements in artificial intelligence (AI) and the relentless ingenuity of cybercriminals.

VIPRE’s latest Email Security Trends Report draws insights from a dataset of nearly 1 billion malicious emails intercepted by VIPRE’s global network over the past year to shed light on the evolving tactics employed by cyber adversaries, from the proliferation of deepfake-infused phishing attempts to the emergence of novel attack vectors such as quishing and mobile threats. The survey examined more than 7.2 billion emails to identify the 950.39 million malicious emails, in which a balanced distribution between content-based detections (52%) and link-based detections (48%) was observed. Twenty million emails were flagged for containing malicious attachments, and there were more than 500,000 previously unseen threats, underscoring the critical importance of proactive defense strategies in today’s threat landscape.

YARA rules, which look for statistical patterns and indicators associated with particular malware families and catch malicious exploits that might otherwise fall through the cracks, accounted for millions of the malicious emails caught. Last year, YARA rules caught between 1 million and 2 million generic malware instances each quarter, with a nearly 20% jump in Q4. The numbers were significantly lower for specific cases, ranging between 70,000 and 400,000, but the Q4 jump exceeded 200%.

Phishing is big

Phishing continues to pose a significant threat to organizations across all sectors. Our research reveals a notable increase in malware attacks, with a 276% rise observed between the first and fourth quarters of 2023. Despite a slight decrease in phishing attempts, these malicious campaigns remain a persistent threat, requiring constant vigilance and adaptive security measures.

Sector-specific targeting is also evident, with financial services, information technology, healthcare, education, and government sectors being the most heavily targeted. While the frequency of attacks may vary, the overarching trend underscores the need for tailored defense strategies to mitigate the risk of cyber threats effectively.

The tactics employed by cybercriminals continue to evolve, with phishing attacks leveraging various techniques, including malicious links, attachments, and QR codes. Microsoft remains the most frequently spoofed URL, followed closely by Apple, DHL, Google, DocuSign, Amazon, and Dropbox. However, notable absences from previous years’ lists suggest shifting trends and emerging attack vectors.

Looking ahead, organizations must remain vigilant and proactive in their approach to email security. Organizations can mitigate risks and protect their critical assets in an increasingly complex threat landscape by staying abreast of emerging trends and embracing innovative technologies.

What to expect from the evolving email threat landscape

Rapid AI advancements have changed everything for everyone, but they must still be accounted for and prepared for. Attackers have revolutionized how they phish, and security experts need to revolutionize how they defend. Whoever controls email controls the organization’s high ground. As attackers get stealthier, more creative, and more potent in their schemes, it becomes vital to make data-driven decisions when planning a successful counter-strategy.

From a sample size of 44,913 emails, 41,716 (95%) of which were classified as spam (which includes phishing, malware, scam, adult, job, health, financial, and commercial categories), the various spam types broke down as follows:

  • 35% commercial spam (14,738)
  • 35% scam (14,658)
  • 22% phishing (9,182)
  • 5% malware (1,967)
  • Less than 3% adult, job, health, financial 

It was interesting to note a rise and fall in favored malicious email types each quarter and throughout the year. In 2023, we noticed the following trends:

  • 276% increase in emails containing malware between Q1 and Q4
  • 23% rise in scam emails between Q1 and Q4, with a 179% spike in Q2
  • 6.4% decrease in phishing emails between Q1 and Q4

Regardless of the slight percentage decrease, phishing emails continue to tie with scam emails in volume, making them a perennial favorite of hackers and a constant threat to inboxes. 

In 2023, financial services (22%) was the sector most targeted by phishing and malspam emails, followed by information technology (14%), healthcare (14%), education (10%), and the government sector (8%).

Quarterly stats revealed that while financial services, healthcare, and education ranked high in numbers, the overall frequency of attacks diminished between the first and fourth quarters. However, IT experienced a 59% increase within the same timeframe, and attacks on government inboxes increased by 16,000%.

Phishing: Links, Attachments, and QR Codes 

Regarding phishing, most emails (71%) still use links as their primary bait. Attachments appear in 22% of cases; the remaining 7% are attributed to embedded QR codes, or quishing.

Interestingly, between Q1 and Q4 of 2022, attachment-based phishing increased slightly (4%), link-based phishing decreased sharply (43%), and quishing went from zero instances to 417, a recorded jump of over 41,000%. 

Who Was Spoofed?

Just like last year, our research (and others’) revealed Microsoft as the top-spoofed URL by a landslide, garnering 2,400 spoofs to second-place Apple’s roughly 350. Unlike last year, the ensuing list looks as follows:

  1. Microsoft
  2. Apple
  3. DHL
  4. Google
  5. DocuSign
  6. Amazon
  7. Dropbox

Previous years’ data showed Spotify and Zoom coming in high on the list; this year, they were nowhere to be seen. Possible reasons include the rush-to-remote effect we were still feeling strongly in 2022, whereas an August 2023 ResumeBuilder survey revealed that 90% plan on having their employees return to the office by this year. 

Phishing Links by Type

In 2023, malicious links consisted mainly of compromised websites (45%), down slightly from last year, followed by URL redirection (34%), which wasn’t even a category in 2022. Next come newly created domains (13%), down significantly from last year’s 39%, and file storage/cloud sharing (8%), which also didn’t make 2022’s list.

The main differences? URL redirection and file storage/cloud sharing were new this year, while one of last year’s categories (subdomain cybersquatting) did not appear in 2023. When viewing the quarterly trends, we notice a decline in all categories (compromised websites plummeting by 80%) except for URL redirection, which experienced a 463% uptick. 

Phishing Attachments

HTML attachments accounted for more than half (52%) of all malicious attachments. 

  • HTML (52%)
  • PDF (26%)
  • EML (20%)
  • ZIP (2%)

This is the first year .eml attachments have made the list in any significant way. Companies would be wise to spot the trend and prepare their users now. Last year, we flagged a growing uptick in HTML usage; this year, it was our primary contender. Significantly, HTML attachments declined by 27% by year’s end, but PDFs rose by more than 100% and EMLs by a drastic 4,600%.
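One way a mail team could inventory the attachment types listed above, shown as an added example that is not part of the report or any VIPRE code: it walks a message's attachments and descends into attached .eml messages, so an HTML file nested inside a forwarded email is still counted. The extension and MIME-type mappings and the sample message are assumptions constructed for illustration.

```python
from collections import Counter
from email import message_from_bytes, policy
from email.message import EmailMessage

# Categories follow the report's attachment list; the extension and MIME
# mappings are assumptions made for this example.
CATEGORIES = {
    "HTML": ((".html", ".htm"), {"text/html"}),
    "PDF": ((".pdf",), {"application/pdf"}),
    "EML": ((".eml",), {"message/rfc822"}),
    "ZIP": ((".zip",), {"application/zip", "application/x-zip-compressed"}),
}

def classify(part):
    """Label one MIME part by filename extension or declared content type."""
    name = (part.get_filename() or "").lower()
    for label, (exts, types) in CATEGORIES.items():
        if name.endswith(exts) or part.get_content_type() in types:
            return label
    return "OTHER"

def inventory(msg, depth=0):
    """Return (depth, label, filename) for every attachment, descending into
    attached messages so files nested inside an .eml are not missed."""
    found = []
    for part in msg.iter_attachments():
        found.append((depth, classify(part), part.get_filename()))
        if part.get_content_type() == "message/rfc822":
            found.extend(inventory(part.get_content(), depth + 1))
    return found

def build_sample():
    """Constructed sample: an .eml attachment that itself carries an HTML file."""
    inner = EmailMessage()
    inner["Subject"] = "Invoice (constructed)"
    inner.set_content("See attached.")
    inner.add_attachment("<html><body>constructed</body></html>",
                         subtype="html", filename="invoice.html")
    outer = EmailMessage()
    outer["Subject"] = "Fwd: Invoice (constructed)"
    outer.set_content("Forwarding for review.")
    outer.add_attachment(inner, filename="forwarded.eml")
    outer.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                         subtype="pdf", filename="statement.pdf")
    # Round-trip through bytes so the walk runs on a parsed message.
    return message_from_bytes(outer.as_bytes(), policy=policy.default)

if __name__ == "__main__":
    items = inventory(build_sample())
    print(items, Counter(label for _, label, _ in items))
```

A scan that stops at the top level would report only the EML and the PDF; the depth field shows which files arrived wrapped inside another message.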

Malspam delivers a malicious payload

In our 2023 findings, there was an even divide between malspam emails with malicious attachments and those leveraging links. This divide is interesting, as last year’s figures showed malspam attachments were favored 22% more.

The split between quarters is also worth noting; in Q1, there were 38 times more malspam attachments than links. By the end of the year, malspam links won out nearly two to one. Of those malicious links, 57% belonged to compromised websites, while 43% were attributed to cloud storage. Of the attachments, 35% were PDFs, 20% were ONEs, 16% were some form of DOC file, and 13% or less each belonged to XLSX, HTML, ISO, and others.

Security experts must look one step ahead as attackers turn an eye toward the future. Email attack methods are diversifying, and current email security solutions continue to fall further behind. QR code hacks are intensifying, AI is continuing to revolutionize attacks, and more and more malware that evades traditional defenses is being spun up.

Oliver Paterson is director of product management, VIPRE Security Group.