Malicious attachments are making a comeback. These are email attachments, typically purporting to be documents or spreadsheets, that are laden with malware. Clicking on the attachment allows the malware to infect the user’s computer — from which it can spread to others in the same network, potentially infecting an entire company.

Malicious email attachments never went away, but as recently as last year, cybercriminals preferred to use Web links to deliver malware to unsuspecting victims. But attachments can evade many of the defenses erected against malicious URLs. And in the social media age, they can be targeted to thousands of users and spread across networks within hours.

Bait for Spear Phishing

As Karen A. Frenkel reported at CIO Insight, malicious attachments in emails are on the upswing. And while the total amount of spam email has been reduced substantially in the last year — thanks to the successful takedown of several botnets used for propagating spam — this new breed is more dangerous.

Malicious attachments are an old technique, but cybercriminals have gone back to it because it offers several advantages. Malware in email attachments can be platform-agnostic, running on practically any computer that loads it. It evades the reputation-based Web defenses that have been developed to identify suspicious URLs. And an email attachment can have any title or file format, allowing it to bypass most automated detection.
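One defensive counter to the "any title or file format" problem is to sniff each attachment's actual content rather than trusting its name. The following is an added example, not code from the original article: it parses a constructed RFC 5322 message with Python's standard `email` module and flags attachments whose magic bytes contradict their extension. The magic-byte table and the sample message are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed table of leading magic bytes for formats commonly disguised
# in mail; a production scanner would use a much fuller signature set.
MAGIC = {
    b"MZ": "exe/dll",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office-xml",
    b"\xd0\xcf\x11\xe0": "ole2/legacy-office",
}
# What content each file extension is expected to carry.
EXPECTED = {"pdf": "pdf", "docx": "zip/office-xml", "xlsx": "zip/office-xml",
            "zip": "zip/office-xml", "doc": "ole2/legacy-office",
            "xls": "ole2/legacy-office"}

def sniff(data: bytes) -> str:
    """Classify data by its leading bytes, ignoring any filename."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return "unknown"

def scan_attachments(raw_message: bytes):
    """Return (filename, verdict) for every attachment in a raw message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = sniff(data)
        if kind == "exe/dll":
            verdict = "block: Windows executable"   # regardless of name
        elif ext in EXPECTED and EXPECTED[ext] != kind:
            verdict = "suspicious: extension/content mismatch"
        else:
            verdict = "ok"
        findings.append((name, verdict))
    return findings

def build_sample() -> bytes:
    """Constructed message: a PE file named invoice.pdf plus a real PDF."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "ap@example.com", "me@example.com", "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_attachments(build_sample()):
        print(f"{name}: {verdict}")
```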

Malicious Attachments Target the User

Developments that have made email-based attacks more effective also add to the risk from today’s malicious attachments. The most important of these is the rise of so-called spear phishing, or targeted email attacks.

Unlike old-style phishing like the poor foreign widow emails of yore, spear phishing is targeted to particular individuals or occasions. For example, a spear phishing email may be addressed to the intended victim by name rather than a generic header such as “Dear Customer.” The result is that people are more likely to trust the email, click the link and infect their computers and networks.

Attackers are also leveraging social media both to gain targeting information such as people’s names and to access more potential targets. For example, spear phishing attacks geared to a high-profile event such as the Super Bowl can easily reach tens of thousands of victims via social media. And cybercriminals are also directing more such attacks at businesses. They know that a single mistaken click can expose the entire organization to attack.

Defense Against Spear Phishing

Because spear phishing, like other forms of social engineering, exploits the human factor, there is no purely technical defense. The best protection comes from user awareness of the threat and a corresponding wariness of emails that seem unusual or odd.

But big data analytics is also emerging as an effective tool for protection. By tracking large volumes of traffic, dynamic and predictive malware analytics can identify malicious attachments based on suspicious patterns that previously would have eluded detection. Combining analytics with digital forensics and effective use of such basic tools as archiving can help organizations detect malicious attachments before they do their damage.
