Why email is still the favorite way of delivering cyberattacks [Q&A]
Although business IT has seen many changes over the last year, email remains the main vector for carrying out cyberattacks.
In its latest Global Security Report, Zix looks at the trends in email attacks over the last year and the impact they have had. We spoke to David Wagner, president and CEO of Zix, to find out more.
BN: How did the email security threat landscape change in 2020?
DW: In 2020, cybercriminals leaned on the use of more targeted attacks instead of the large volume email blasts of the past. Credential stuffing and password spraying techniques were also widespread, which serves as a reminder of why employees must take precautions such as using a password management app to protect themselves and the business.
Cybercriminals leveraged thousands of stolen email logins and passwords to successfully execute attacks from recognizable and trusted sources. They even went as far as attempting to steal cell phone numbers to obtain direct contact with unsuspecting victims and dodge any edge gateways or email filtering defenses.
Additionally, malicious hackers also increased their use of the 'living off the land' (LOtL) approach to phishing campaigns, which occurs when these individuals seek to blend in by exploiting native tools that already exist in the target environment.
BN: What were the most used business email compromise (BEC) attack tactics?
DW: Not surprisingly, attackers took advantage of the pandemic in various ways in 2020, including phony PPE distribution email scams and posing as organizations such as the CDC, WHO, and SBA to execute hundreds of thousands of phishing and malware attacks per day. Remote work was also a heavy focus, with the first half of 2020 showing a hefty uptick in attacks posing as collaboration and productivity solutions. Attack themes included Microsoft Zoom, Teams, SharePoint, Dropbox, Slack, and many others.
In the latter half of 2020, attackers abused SendGrid (acquired by Twilio) to launch phishing attacks quite extensively, to the point that researchers began seeing SendGrid IPs being blocked by third-party real-time blackhole lists (RBLs) such as Spamhaus that seek to identify and block spam sources.
BN: Malware attacks dominated the headlines in 2020. How have these campaigns evolved?
DW: Malware threats continued to shift in the direction of more chained attack methods. Analysts noted that the use of Remote Access Trojans increased, which consequently led to the download of a banking trojan and/or ransomware.
The amount of malware distributed via email attachment decreased from last year as cybercriminals sought to pursue more tailored attacks. Security analysts found that Microsoft Excel files (XLS, XLSM) were preferred over Word files as the most abused attack vector. However, Word files were still heavily used throughout 2020.
BN: How has the SolarWinds attack changed email security?
DW: According to the Cybersecurity and Infrastructure Security Agency (CISA), the SolarWinds perpetrators utilized the Microsoft 365 and Azure software of the agencies and businesses they targeted. While the extent to which Office 365 was used is still under investigation, the fact that it was misused in any capacity demonstrates why businesses can't rely on the solution's built-in email threat protection to protect against rapidly evolving digital threats.
BN: What can businesses expect for the state of email cybersecurity in 2021?
DW: The disruptions of COVID-19 will persist throughout the year, influencing bad actors and serving as a catalyst for attacks. Vaccine-themed attacks have quickly grown to be one of the most popular events to leverage this year, and with the rollout still well underway that is not expected to change anytime soon.
Supply chain attacks will undoubtedly continue to pose a significant threat. The fallout from SolarWinds has only just begun, but the situation perfectly captures the threat companies face from e-crime factions and state-sponsored actors alike.
Security teams must continue to stay alert for tailored phishing attacks and advanced ransomware methods as they get ready for the 'new normal' work environment and defenses shift to meet the pressures of in-office, work-from-home, and hybrid-model work circumstances.