Malware-less Email Attacks Increasingly Common, FireEye Finds

While email attachments that include viruses and ransomware are still a risk, most email attacks no longer include malware.

FireEye released its Email Threat Report for the first half of 2018 on Sept. 12, finding that most of the email its security systems analyzed posed a potential risk.

The analysis is based on a sample set of over half a billion emails that FireEye examined from January to June 2018. Only 32 percent of email traffic seen by FireEye was considered to be "clean," meaning it had little or no risk and was delivered to user inboxes. However, just because an email isn't considered to be clean doesn't mean it has malicious intent. According to FireEye, only one in every 101 emails was determined to have malicious intent.

"Not only is email the most pervasive form of communication, it is also the most popular vector for cyberattacks," Ken Bagnall, vice president of email security at FireEye, wrote in a statement. "This makes email the biggest vulnerability for every organization."

Bagnall's statement is backed up by FireEye's data, which found that email is the point of entry for 91 percent of all cyber-attacks. 

FireEye determined the percentage of clean email using both connection-level and content-level threat indicators. Fifty-eight percent of emails were blocked at the connection level, where abnormal email traffic is identified based on a managed block list of compromised IP addresses and known malicious domains. An additional 10 percent of emails were blocked at the content level, due to malicious attachments, malware URLs or impersonation detection.

Malware-less Attacks

Impersonation attacks include Business Email Compromise (BEC), which is an email attack where an organization is tricked into paying a fraudulent invoice. According to a recent report from the FBI, BEC attacks have claimed $12.5 billion in global losses since October 2013.

FireEye considers impersonation and BEC to be a class of attack it refers to as malware-less—that is, there is no executable virus or file that is directly associated with the attack. According to the report, 90 percent of all email attacks blocked by FireEye in the first half of 2018 were malware-less, with only 10 percent containing some form of malware, including ransomware, viruses or spyware.

Looking deeper into what makes up malware-less email, FireEye reported that phishing attacks accounted for 81 percent of the blocked malware-less email, with 19 percent coming from impersonation attacks.
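The two filtering stages and the malware-less case described above can be sketched in a short Python example, added here for illustration and not taken from FireEye's report or products. The block-list entries, the `corp.example` domain, the protected display name and the display-name heuristic itself are all assumptions; the point is that an impersonation message passes both the connection check and the attachment check and is caught only by examining its headers.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# All values below are constructed for illustration (not from the report).
BLOCKED_IPS = {"203.0.113.7"}
BLOCKED_DOMAINS = {"bad.example"}
ORG_DOMAIN = "corp.example"
PROTECTED_NAMES = {"jane doe"}          # executives' display names
RISKY_EXTENSIONS = (".exe", ".js", ".scr")

def connection_verdict(client_ip, envelope_from):
    """Stage 1: block-list lookup on the sending IP and envelope domain."""
    domain = envelope_from.rpartition("@")[2].lower()
    if client_ip in BLOCKED_IPS or domain in BLOCKED_DOMAINS:
        return "blocked:connection"
    return None

def content_verdict(raw_message):
    """Stage 2: attachment check, then display-name impersonation check."""
    msg = message_from_string(raw_message)
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS):
            return "blocked:attachment"
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if display.strip().lower() in PROTECTED_NAMES and domain != ORG_DOMAIN:
        return "blocked:impersonation"   # no file or URL involved
    return None

def triage(client_ip, envelope_from, raw_message):
    return (connection_verdict(client_ip, envelope_from)
            or content_verdict(raw_message) or "clean")

def sample(from_header, body, attachment=None):
    """Build a constructed test message as raw text."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = from_header, "ap@corp.example", "Invoice"
    m.set_content(body)
    if attachment:
        m.add_attachment(b"MZ", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

if __name__ == "__main__":
    spoof = sample("Jane Doe <jane.doe@corp-payments.example>", "Pay this today.")
    print(triage("198.51.100.5", "jane.doe@corp-payments.example", spoof))
```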

Email Attack Timing

While email attacks can and do come at any time of the day, any day of the week, FireEye noticed a number of timing trends.

According to the report, Friday is the most common day for an impersonation attack. Other forms of malware-less email attacks were more likely to occur on a Thursday. For malware-based email attacks, Monday and Wednesday were the most common delivery days.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.