Email Attacks Using Cloud Services are Increasing

An analysis of more than 2.2 billion emails between April and June (Q2) 2019 exposes the current tactics, techniques and targets of contemporary attackers. 

FireEye’s latest email threat update highlights three specific themes: attackers are following business in making greater use of the cloud; Microsoft is by far the most abused brand in phishing attacks; and, according to FireEye’s VP & GM of email security, Michael Hulton, “Attackers follow the money, leading to a shakeup in the most targeted vertical industries.”

In the last instance, financial services as a target has taken top spot, pushing entertainment/media/hospitality down to second position compared to Q1 2019. These two verticals alone account for almost half (26% and 23% respectively) of all detected malicious campaigns. Big risers in the top ten most attacked sectors include manufacturing (up from fifth to third) and Telecom (up from seventh to fifth). “Increased targeting of Insurance and Healthcare,” says Hulton, “made both industries new additions to the top 10” (at eighth and tenth respectively).

Email attacks have increased over time. Eighty-six percent of them in Q2 can be described as ‘malwareless’, comprising, for example, impersonation attacks, CEO/BEC fraud, and spear-phishing. The remaining 14% contain malware. 

The BEC and CEO fraud variants increased by 25% between Q1 and Q2. Unsurprisingly, given the work-based nature of these frauds, there is a higher frequency of them on workdays. Similarly, they peak on Thursdays and Fridays, and especially at the end of a month (when targets are most likely to be harassed with work and especially financial deadlines).

It is expected that BEC attacks will be boosted in the future by the arrival of deepfake video and audio. It was reported in September 2019 that the CEO of an unnamed UK-based energy firm was persuaded by the apparent voice of the CEO of the German parent company to wire a little under $250,000 to a Hungarian bank account. Although this was BEC vishing rather than BEC phishing, the combination of deepfake video with deepfake audio will undoubtedly increase. The delivery of these videos might vary, but the incidence of BEC attacks will grow.

Many phishing attempts seek to send the target to a URL hosting malicious content, with the ultimate aim of credential or credit card harvesting. These URL-based attacks increased by 167% between Q1 and Q2 2019. Within that figure, the increasing use of Microsoft- or O365-based phishing attacks (up by 12%) means that the Microsoft brand is now used in 68% of all phishing detections.

The cloud is increasingly being used to host the malicious URLs. The Office 365 cloud-based service and the Microsoft Azure platform and services are favorites. Page hosting platforms such as wixsite(.)com, 000webhostapp(.)com and others are used. File preview links are used to direct users to pages hosted on file sharing services such as OneDrive, Drive, Dropbox and Box.

FireEye describes five sophisticated methods by which the attackers evade detection in order to get their malicious URLs past defenses and in front of users. These include impersonation behind spoofed emails; increasing use of CAPTCHA-based evasions in both phishing and macro-based attacks; hosting malicious content on SharePoint, where legitimate credentials are required for access; including multiple URLs in an email to mask the malicious URL; and nesting email phishing techniques with email msg attachments that contain phishing URLs.
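For defenders, the multiple-URL and nested-email evasions above mean that every URL at every nesting level has to be extracted before a message is judged. The following triage sketch is an added example, not FireEye's detection logic: it assumes the attached email is a MIME `message/rfc822` part (Outlook .msg files need a separate parser), the hostnames for the named file-sharing services are assumptions, and a match is a signal for review rather than a verdict.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# wixsite/000webhostapp come from the article; the rest are assumed hostnames
# for the services it names (SharePoint, OneDrive, Drive, Dropbox, Box).
CLOUD_SUFFIXES = ("wixsite.com", "000webhostapp.com", "sharepoint.com", "1drv.ms",
                  "onedrive.live.com", "drive.google.com", "dropbox.com", "box.com")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Constructed sample: two ordinary links, plus one cloud link in an attached e-mail.
SAMPLE = """\
From: billing@vendor.example
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

See https://www.corp.example/help and https://corp.example/policy
--outer
Content-Type: message/rfc822

Subject: Password expiry
Content-Type: text/html

<a href="https://constructed-sample.wixsite.com/verify">Sign in</a>
--outer--
"""

def is_cloud_hosted(url):
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in CLOUD_SUFFIXES)

def collect_urls(part, depth=0):
    """Yield (depth, url) from text parts; depth counts attached-message nesting."""
    if part.is_multipart():
        nested = part.get_content_type() == "message/rfc822"
        for sub in part.get_payload():
            yield from collect_urls(sub, depth + 1 if nested else depth)
    elif part.get_content_maintype() == "text":
        for url in URL_RE.findall(part.get_content()):
            yield depth, url.rstrip(".,)")

def triage(raw):
    msg = message_from_string(raw, policy=policy.default)
    hits = [(url, depth, is_cloud_hosted(url)) for depth, url in collect_urls(msg)]
    cloud = [h for h in hits if h[2]]
    return {"urls": hits,
            "nested_cloud_url": any(depth > 0 for _, depth, _ in cloud),
            "mixed_with_other_urls": bool(cloud) and len(cloud) < len(hits)}
```

Calling `triage(SAMPLE)` returns each URL with its nesting depth and cloud-host flag, plus two booleans a mail pipeline can use to route the message for closer inspection.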

As malware detection improves with AI-based anti-virus and new zero-day exploits grow scarcer, criminals are turning to email social engineering to bypass technology defenses. A good example of the type of techniques described by FireEye was reported last week by Prevailion in its MasterMana disclosure. Here the attackers deliver a weaponized Microsoft document with a Bitly link to a public service (such as Pastebin or Blogspot).

The one thing that is clear from the FireEye statistics and the MasterMana example is that email-based attacks are growing and will continue to grow for the foreseeable future.
Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.