
Malware is increasingly bypassing at least one email gateway at organizations

An employee at a tech startup company works on his computer on the first day back in the office on March 24, 2021, in San Francisco. (Photo by Justin Sullivan/Getty Images)

As if the financial and payments industries required further confirmation that bad actors are outpacing most business network security in their sophistication, a new report found that there has been a growing spike in malware using “shortcuts” to get past email gateways and into stored data.

HP Inc.’s most recent HP Wolf Security Threat Insights Report, released Wednesday, tracked the second-quarter rise in the spread of multiple malware families — including QakBot, IcedID, Emotet, and RedLine Stealer — across several key sectors.

Not surprisingly, slick, experienced threat actors are shifting their focus more and more to using so-called “shortcut” or LNK files to deliver their malware more quickly, the report noted. Perhaps more troubling, the research identified an 11% jump in the number of enterprises’ archive files that contained malware, including LNK files placed there by attackers via compressed email attachments to help them evade email scanners.
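The evasion described above rests on a simple fact: a gateway that only inspects the outer attachment never sees a shortcut file tucked inside a ZIP (or a ZIP inside a ZIP). As an added illustration, not code from HP or from the report, the following Python walks a mail attachment recursively, flags `.lnk` entries by extension, catches shortcuts renamed to look like documents by checking the fixed Shell Link header (the 0x4C header size followed by the Shell Link CLSID), and reports nested archives it cannot inspect, such as encrypted entries. The sample attachment is constructed inline; the `.lnk` payloads are header bytes only, not real shortcuts.

```python
import io
import zipfile

# Every Windows Shell Link (.lnk) file starts with a 76-byte header whose first
# 20 bytes are fixed: HeaderSize = 0x0000004C (little-endian) followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046}. Matching these bytes finds
# shortcuts even when the extension has been changed to something innocuous.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

MAX_NESTING = 3           # stop descending into archives-in-archives beyond this
MAX_ENTRY_BYTES = 50_000_000  # do not inflate unusually large members in memory


def is_lnk(data: bytes) -> bool:
    """True if the blob carries the Shell Link header, regardless of file name."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def scan_archive(blob: bytes, path: str = "", depth: int = 0) -> list:
    """Return (entry_path, reason) findings for a ZIP attachment and any ZIPs nested in it."""
    findings = []
    if depth > MAX_NESTING:
        findings.append((path, "archive nesting exceeds limit; not inspected"))
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return findings  # not a ZIP; nothing to unpack here
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            entry_path = f"{path}/{info.filename}" if path else info.filename
            # Encrypted members cannot be scanned; a gateway has to treat them as unknown.
            if info.flag_bits & 0x1:
                findings.append((entry_path, "encrypted entry; cannot be inspected"))
                continue
            if info.file_size > MAX_ENTRY_BYTES:
                findings.append((entry_path, "entry too large to inspect"))
                continue
            data = zf.read(info)
            if info.filename.lower().endswith(".lnk"):
                findings.append((entry_path, "shortcut file by extension"))
            elif is_lnk(data):
                findings.append((entry_path, "shortcut file by header (extension disguised)"))
            elif zipfile.is_zipfile(io.BytesIO(data)):
                # Nested archive: recurse so a shortcut two levels down is still found.
                findings.extend(scan_archive(data, entry_path, depth + 1))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample: outer ZIP with a text note, a .lnk, and an inner ZIP
    holding a shortcut renamed to look like a PDF. Assumption for illustration only."""
    fake_lnk = LNK_MAGIC + b"\x00" * 60  # header bytes only; not a functional shortcut
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("statement.pdf", fake_lnk)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"Please see the attached invoice.")
        z.writestr("invoice.lnk", fake_lnk)
        z.writestr("archive.zip", inner.getvalue())
    return outer.getvalue()


def demo() -> list:
    """Scan the constructed attachment and return the findings."""
    return scan_archive(build_sample_attachment())


if __name__ == "__main__":
    for entry, reason in demo():
        print(f"{entry}: {reason}")
```

In practice this kind of check sits beside, not instead of, signature and sandbox scanning: the point is that archive members must be unpacked and examined by content, since neither the outer file type nor the inner file name can be trusted.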

Indeed, even in regulated industries known for protecting their internal security and privacy — like financial services — the report found that 14% of email-related malware discovered in companies’ systems had slipped past at least one email gateway security scan in the second quarter of 2022. Further, nearly 7 out of 10 (69%) malware payloads are delivered via email, compared with just 17% that originate from web downloads, according to HP’s findings.

Patrick Schläpfer, malware analyst at HP Inc., said that the frequency with which threat actors sneak past ostensibly sophisticated endpoint security, like network email scanners, should be a wake-up call to many financial cyber experts.

“This indicates that malicious and stealthy email campaigns targeting employees across the finance and payments industries are reaching user inboxes and putting organizations at risk of attack,” he pointed out.

The number of malware families that were discovered has only bumped up a little — with 593 different families of malicious payloads used in attacks, as opposed to 545 in the first quarter of the year.

“Attackers are testing new malicious file formats or exploits at pace to bypass detection,” said Dr. Ian Pratt, global head of security for personal systems for HP Inc., “so organizations must prepare for the unexpected.”

Financial departments and corporate payments services are also facing intensified attacks, according to the Threat Insights report. Although there has been a recent spike (11%) in malware invading archive files, attached and embedded spreadsheets still remain the top malicious file type. Also, the most common words used in email phishing lures involved financial transactions such as “order, payment, purchase, request and invoice.”

Until generic phishing lures stop successfully tricking users into clicking on malicious files or links, cybercriminals will continue to leverage them, Schläpfer said.

“Financial institutions must remove the onus from users to spot malware campaigns in the first place and put a safety net in place for the most common attack vectors like email, browsers and downloads,” he added. “By taking an architectural approach to security, even if an employee clicks on something that deploys malware, threats are isolated and unable to gain a foothold in systems.”
