The COVID-19 pandemic has been a difficult experience for everyone as both businesses and employees try to adjust to a fully remote working environment while other businesses deemed “essential” were able to remain open for physical operations with additional restrictions in place. This quick pivot as businesses tried to adjust has resulted in decreased business for some and outright closure for others.
One sector benefiting from the shift to remote work continues to be cybercrime, including Malware-as-a-Service (MaaS) model cybercrime groups, who will attack a specific target for the right price. The shift by many to fully remote operations has presented cybercriminals with a continuous opportunity for financial gain during the pandemic. Businesses that may not have had a remote work policy in place or properly implemented security controls to manage remote work are easy targets for threat actors. Additionally, without the ability to communicate face-to-face during the course of business, the volume of emails being sent to conduct business has increased. Attackers have seen these factors and decided to capitalize on the opportunity presented to them.
One organization tracking this trend is Mimecast, a company specializing in cloud-based email management and security. Mimecast provides solutions that filter emails to provide protection against malicious URLs, malware, impersonation attacks and internal threats. In June of this year, Mimecast released their Threat Intelligence Report – Black Hat USA Edition 2020 whitepaper. This whitepaper covers the overall cyber threat landscape both in the United States and globally for the period January 2020 to June 2020. Using data from the threats that Mimecast’s email security solutions have detected and blocked, the report provides key insights into the latest trends occurring in the 2020 cyber threat landscape.
From January 2020 to June 2020 the Mimecast Threat Center analyzed more than 195 billion emails in the US and Caribbean region, and globally, Mimecast processed over 378 billion emails. 92 billion emails of the 195 billion emails processed in the US were rejected as being potentially malicious. 671 million emails globally and 290 million emails in the US were linked to a cyber-attack campaign. The day with the greatest number of detections was April 21st, 2020 in the United States with 3.9 million detections and February 11th, 2020 globally with 7.1 million detections.
From analyzing these blocked emails, Mimecast was able to report that threat actors were increasingly attempting to impersonate legitimate email senders, otherwise known as phishing. Mimecast reported a 24% increase in phishing attempts from January 2020 to April 2020 alone. The Mimecast Threat Center attributed these attacks to organized crime groups with the primary motivation being financial gain, in contrast to other motivations such as intellectual property theft. The most common means of attack was to pair these phishing attempts with ransomware to allow attackers to extort payment from the owners of the systems affected.
With this shift to remote work, businesses had to quickly roll out the infrastructure to support their new remote environment, and policies, procedures, and controls have not been as stringent as they would be in a traditional work environment. This gave attackers a golden opportunity to launch more attacks and increase the success of the attacks they perform. In their report, Mimecast split these threats into four categories: spam, impersonation attempts, opportunistic attacks, and targeted attacks:
Spam – We have all experienced spam; it is simply a part of owning an email address. These are the unwanted messages that get sent out en masse, oftentimes in an attempt to scam or steal from the recipient. But some industries get targeted more heavily than others, and Mimecast’s report declares that the five industries most affected by the increase in spam in 2020 are: Professional Services, Legal Services, Retail & Wholesale, Manufacturing and Insurance. The week of March 15th, 2020 recorded the highest number of detections through Mimecast’s solution with 32.58 million threats blocked. This represents a 36% increase when compared to the week with the highest number of spam detections in Q4 2019.
Impersonation Attacks – An impersonation attack is a cyber-attack in which a malicious actor attempts to disguise themselves as a legitimate email sender in order to get the email recipient to perform an action that goes against their own best interests. This is also known as phishing when conducted through electronic means like email, but could take the form of vishing when conducted over the phone or smishing using text messaging. The top industries reported to be targeted using impersonation attacks in 2020 according to Mimecast are: Media & Publishing, Legal Services, Retail & Wholesale, Insurance, and Manufacturing. This is interesting because in previous reports, the Management & Consulting sector was the top target for phishing and the switch to Media & Publishing as the new top target with 48.4 million attempts detected represents a dramatic shift in attack targets. We explored the rise in these types of attacks on Microsoft Teams in a previous Our Thoughts On article.
Opportunistic Attacks – Opportunistic attacks are attacks that are conducted out of convenience. The attacker identifies an opportunity to quickly and effectively target a business or system and takes action against them. These types of attacks are very common because the attackers don’t have to expend much effort to execute them successfully and they can often be carried out using off-the-shelf or commodity malware that an inexperienced attacker can download or, in some cases, buy. Mimecast states that the top industries affected by these attacks in 2020 are the Retail & Wholesale, Manufacturing, Professional Services, Transportation, Storage, & Delivery, and Insurance Providers. This also represents a shift away from previous years, as Transportation, Storage, & Delivery businesses were at the top of this list in years past.
Targeted Attacks – Targeted attacks are a departure from the previous categories and are carried out when attackers decide to start an attack campaign against a particular target or set of targets they choose for a variety of reasons. It could be that the target or targets have data that the attacker wants, such as financial information, or the attacker may have decided that a particular target is more likely to pay a ransom if the attacker can install ransomware on the target’s systems. During the period from January 2020 to June 2020, Mimecast uncovered 42 large-scale campaigns carried out by threat actors. These campaigns show that unlike the previous three threats, attackers can also carry out well-disguised, complex attacks over a period of several days using multiple different attack strategies. Some of the strategies that Mimecast noted include bulk/attachment-based malware like the previous threats, but also fileless malware (malware that only executes in memory and doesn’t interact much with a file system), polymorphic malware that can disguise itself to prevent detection, and malicious URLs.
What Can You Do To Protect Yourself?
Looking at the numbers from Mimecast’s report, with 290 million malicious email detections in the first six months of 2020 alone, it’s not a matter of if an attacker will attempt to act against you or your organization, it’s a matter of when. We have all been targeted in some way by malicious actors, whether that takes the form of spam emails, phishing, or something more complex. But the good news is that there are easily achievable ways of reducing the likelihood of a successful attack.
Security Awareness Training – The most effective way to reduce the likelihood of a successful attack is through user security awareness training. Attackers take the path of least resistance to achieve their goals, and oftentimes, this is through tricking a user into doing their work for them. This is where user security awareness training comes into play. If you train your users on how to recognize a potential attack and how to respond to it, an attacker’s job suddenly becomes much harder. It is fully possible to create your own custom user security awareness training program specific to your needs; however, there are also a variety of products and services that already exist to provide end user security awareness training to your organization. In addition to their email security and archiving solutions, Mimecast also provides user security awareness training. Schneider Downs is an authorized reseller and value-added partner of Mimecast, and we would be glad to discuss how Mimecast can assist your organization. Feel free to contact us with any questions or to set up a demonstration.
Simulated Attacks – One method of testing how an employee would respond to spam, phishing, or other attacks is to conduct a simulated attack and note how the employee responds. There are commercial products on the market; however, there are also open-source alternatives that perform just as well if not better than some of the commercial competitors. One product is redlure, our open-source phishing campaign simulator that allows for easy scalability, the ability to run multiple, simultaneous phishing campaigns, and key metric tracking to note how users respond to an attack. The redlure code repositories are available on GitHub at www.github.com/redlure. If you are interested in learning more about redlure, would like a demo, or have any questions, please contact us.
Communicate the Importance of Security – Another important method for protecting your organization is to communicate the importance of security from the highest levels and demonstrate your commitment to keeping the organization secure. Policies and procedures are important parts of cybersecurity, but just having the policies written down is not enough. It is critical that employees at all levels of the organization understand the importance of security and follow organizational policy to keep the company secure. But most importantly, this commitment to organizational security needs to come from the top down. C-level employees, vice presidents, directors, and managers all need to demonstrate their commitment to keeping the organization secure because if you don’t show that you feel security is important, why should any of your direct reports? Schneider Downs provides a number of security awareness materials and resources on our complimentary online cybersecurity resource center.
Update Your Remote Work Policies – The final item that applies to keeping your organization secure in the remote landscape is to update your remote work policies. Updating all of your policies and procedures on at least an annual basis is important to ensure that your policies stay relevant and applicable to your organizational goals. But now is the best time to update your specific remote work policies by keeping what worked, eliminating what didn’t, and making any required changes that were uncovered as a result of our new normal.
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. We offer a comprehensive set of information technology security services including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments, and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity.
In addition, our Incident Response Team is available around the clock at 1-800-993-8937 if you suspect your organization is experiencing a network incident.