Here’s a depressing statistic: Of the half-billion emails studied by FireEye for its January-June email report, only 32% were clean and made it into the inbox.
Another 58% were blocked by threat intelligence as abnormal, meaning that they came from managed block lists, compromised IPs and malicious domains. And 10% were blocked based on attachment detonation, URL inspection and impersonation detection.
That last 10% were the only emails that contained malware — the remainder did not. That doesn’t mean they were legitimate. Of the malware-free emails, 81% were classified as phishing.
Impersonation emails, being more complicated to execute, were flat. Still, FireEye warns that these attacks are highly dangerous.
They “appear to come from a trusted source, imply urgency and are malware-less, making it difficult for email security solutions and users to recognize their inauthenticity.”
In addition, criminals can “spoof the display name and username portion of an email header,” the study adds. “Instead of having to go through the process of buying and registering a domain similar to or one that sounds like the recipient’s domain, they can simply change the display/username.”
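A defender-side check for the display-name spoofing the study describes, as an added example that is not from FireEye or the original article: it parses a From header and flags a protected name, or an in-house address shown inside the display name, when the real sender address does not match. The domain `example.com`, the `PROTECTED` directory and the function names are assumptions for illustration.

```python
import re
import unicodedata
from email.utils import parseaddr

# Assumed, constructed data: the organisation's domain and the display names
# worth protecting (executives, payroll, HR), keyed by normalised name.
ORG_DOMAIN = "example.com"
PROTECTED = {"jane doe": "jane.doe@example.com"}

def normalise(name):
    """Fold case, Unicode compatibility forms and punctuation in a display name."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(re.sub(r"[^\w]+", " ", folded).split())

def classify_from(header_value):
    """Return 'ok', 'display-name-mismatch', 'embedded-address-mismatch' or 'unparseable'."""
    display, addr = parseaddr(header_value)
    if "@" not in addr:
        return "unparseable"
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    # Case 1: the display name itself shows an address at our domain while the
    # real sender address is elsewhere; many mail clients render only the name.
    shown = re.search(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", display.lower())
    if shown and shown.group(1) == ORG_DOMAIN and domain != ORG_DOMAIN:
        return "embedded-address-mismatch"
    # Case 2: a protected person's name paired with any address but their own.
    expected = PROTECTED.get(normalise(display))
    if expected is not None and addr != expected:
        return "display-name-mismatch"
    return "ok"

if __name__ == "__main__":
    # Constructed sample headers, not taken from the report.
    for sample in (
        '"Jane Doe" <jane.doe@example.com>',
        "Jane Doe <billing@mail.invalid>",
        '"jane.doe@example.com" <x@mail.invalid>',
    ):
        print(f"{classify_from(sample):28} {sample}")
```

A check like this complements SPF, DKIM and DMARC, which validate the sending domain but say nothing about the free-text display name.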
Malware-laden emails peaked in January, with June a close second. The lowest incidence was in April — the same month that malware-free volume spiked.
The reason is that those emails targeted accounting and human resources personnel. W2 fraud attacks can expose an employee’s “name, address, and Social Security number, as well as their wage, salary, and amount of taxes withheld from their paycheck,” FireEye continues.
It adds: “Once tax season is over and May rolls around, attackers switch to malware-based threats.”
The firm relies on antivirus and anti-spam engines, in-house developed algorithms, a multi-vector virtual execution (MVX) engine and machine learning to block malicious messages.