EI-ISAC Cybersecurity Spotlight – Common Malicious Email Campaigns

What it is

Malicious email campaigns attempt to trick a recipient into revealing confidential information, downloading malware, or sending money. These campaigns affect all sectors, including election infrastructure. The majority of these campaigns are opportunistic, meaning the tactics, techniques, and procedures (TTPs) are the same for every organization/industry. Typically, the goal of the cyber threat actors behind malicious email campaigns is to reach as many inboxes as possible. This will increase the likelihood a recipient will interact with them. Three common opportunistic malicious email campaigns are credential harvesting emails, malspam, and business email compromise (BEC).

  • Credential harvesting emails attempt to trick users into entering their credentials into a fraudulent website to steal their login information. After entering the credentials, the user is often redirected to a legitimate webpage. Malicious email campaigns use harvested credentials to exploit the user’s email account or other accounts for additional malicious purposes. These campaigns are typically opportunistic. They use the same link, attachment, landing page, and a similar email body that is only slightly customized for a particular organization. Some recently observed credential harvesting emails seek to obtain login information for single sign-on platforms, such as Office 365, Google/Gmail, AOL, or Facebook.

      o Single Sign-On (SSO) fraud is a form of credential harvesting that leverages stolen credentials to access multiple platforms. For instance, an employee might use the same account to sign in to both their desktop and the payroll system. A compromise of the login for one would allow a cyber threat actor to exploit the other, such as altering direct deposit information.

  • Malspam (malware spam) emails contain malware, link to malware on malicious or compromised websites, or attempt to trick the user into opening malware hidden in an attachment. Malspam campaigns that spread Emotet, a modular banking Trojan, were recently observed imitating PayPal receipts, shipping notifications, or “past-due” invoices purportedly from a trusted third party. This is an opportunistic email campaign because it includes the same malware, type of attachments, and email body, but might make a minor change, such as the third party being impersonated.
  • Business Email Compromise (BEC) scams attempt to deceive organizations into sending money or personally identifiable information (PII), or use the organization’s name to fraudulently obtain material goods. The emails often originate from compromised, spoofed, or fraudulent accounts, which are used to issue a request, typically purporting to be a high-level executive. BEC scams often use specific information about the organization or the recipient but are opportunistic in the broad scope of their targeting and common TTPs. BEC scams are associated with significant data or financial loss for organizations. Some recent BEC campaigns include the purchase order fraud variant, W-2 and PII variant, and the financial theft variant.

Why does it matter

It's important to understand common malicious email campaigns and to know the difference between opportunistic and strategic targeting. This helps determine a malicious campaign’s scope, how to respond, and how to report the incident. Despite the seemingly sophisticated nature of many malicious emails, they are a common threat to multiple industries and are rarely strategically targeted. Organizations that realize this is a persistent threat can implement processes, procedures, and training to properly mitigate what are still potentially damaging activities.

Malicious email campaigns often take the same TTPs they used against other industries and employ them against a new entity. Features that appear targeted but are often used in opportunistic campaigns include logos, signature lines, proper names, links, attachments, and spoofed/compromised email addresses. Cyber threat actors also exploit contact information posted online by organizations to expand their malicious campaigns. However, organizations should not assume that they are being strategically targeted based on these characteristics, as this open source information is widely available. For example, malicious email campaigns employ the common tactic of impersonating IT helpdesk services and sending fake “password reset” notices using the logo of your organization or your email provider.

What you can do

Election offices should prioritize training to help employees recognize malicious email campaigns. Training should emphasize that employees should not open suspicious emails, click links contained in such emails, or post sensitive information online, and should never provide usernames, passwords, or personal information in response to any unsolicited request. After training employees, conduct organized phishing exercises to test and reinforce the concepts using services such as those provided by CIS or through DHS’s Phishing Campaign Assessment.

Election offices should also implement technical controls that include flagging emails from external sources with a warning banner. Additionally, offices can implement filters at the email gateway to sift out emails with known phishing indicators, such as malicious subject lines, and block suspicious links. Malicious email campaigns are sometimes successful, so it is important to be prepared by adhering to the principle of least privilege. This ensures the repercussions from compromised accounts will be limited, as users only have access to what they need for their job.

For all users, never open suspicious emails or click on unknown links. A simple way to check the true destination of a link is by hovering over it with the mouse. Furthermore, if messages appear to be phishing emails, report them immediately to the IT department and wait for their directions.
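
The gateway controls and the hover check described above can be sketched in code. This is an added example, not code from CIS or the EI-ISAC: it marks external senders for a warning banner, matches known subject-line indicators, and automates the hover check by comparing the host shown in a link's text with the host in its href. The domain names, indicator list, sample message, and function names are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"county.example"}  # assumed: your own mail domains
SUBJECT_INDICATORS = ("password reset", "past-due invoice")  # assumed list
BANNER = "[EXTERNAL] This message originated outside the organization."
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
SAMPLE = (  # constructed message, not a real phishing sample
    "From: IT Helpdesk <helpdesk@county-example.test>\n"
    "Subject: Password reset required\n"
    'Content-Type: text/html; charset="utf-8"\n\n'
    '<a href="http://login.portal.example.net/reset">https://mail.county.example/reset</a>\n')

class LinkMismatchFinder(HTMLParser):
    """Record links whose visible text names one host while href goes to another."""
    def __init__(self):
        super().__init__()
        self.mismatches, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = HOST_RE.search("".join(self._text))
            real = (urlparse(self._href).hostname or "").lower()
            if shown and real and shown.group(1).lower() != real:
                self.mismatches.append((shown.group(1).lower(), real))
            self._href = None

def mismatched_links(html):
    finder = LinkMismatchFinder()
    finder.feed(html)
    return finder.mismatches  # list of (shown_host, real_host)

def triage(raw):
    """Run the three checks on one raw message and return the findings."""
    msg = message_from_string(raw, policy=policy.default)
    domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    subject = str(msg["Subject"] or "").lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    return {"banner": BANNER if domain not in INTERNAL_DOMAINS else None,
            "subject_hits": [s for s in SUBJECT_INDICATORS if s in subject],
            "link_mismatches": mismatched_links(body.get_content() if body else "")}
```

The host comparison is exact, so a link whose text shows a parent domain and whose href points to a subdomain of it is also reported; tune that rule to your environment before using it to block mail.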