Infosecurity Europe
3-5 June 2025
ExCeL London

How to Tackle Evolving Email-Based Attacks 

Email continues to be a key battleground in the fight against cybercrime, with malicious actors recognizing the huge value in targeting such platforms.

Despite the plethora of alternative communication methods now available, like instant messaging via MS Teams and Slack, email usage is rising exponentially.

In 2024 a record 361.6 billion email messages were sent and received per day, according to Statista.

Attackers understand this trend and as such have become more innovative in the email-based attacks they deploy, including phishing and business email compromise (BEC), in order to trick recipients and bypass common security protocols.

This means that while email attacks have long been understood as a significant threat to businesses, they are more relevant than ever before.

A study commissioned by OPSWAT in September 2024 found that 80% of critical infrastructure organisations fell victim to an email-based security breach in the previous 12 months.

In the same study, 63.3% of these organisations said they believed their email security needs improving and 48% “lacked confidence” in their existing email defences.

It is essential that all organisations stay up to date with the latest trends in email-based attacks and ensure their defences are appropriate for the threat they are facing in 2025.

How Email Attacks Are Becoming More Sophisticated

Attackers have rapidly evolved their techniques and tooling to conduct email-based attacks in recent years, threatening to make commonly used security measures and training redundant.

Domain Spoofing to Bypass Security

Cybercriminals have developed a range of techniques to spoof the email domains of well-known brands during phishing and other types of attacks.

This enables them to bypass common email security protocols such as Domain-based Message Authentication, Reporting and Conformance (DMARC) to reach targets’ inboxes. Attackers are also able to appear more legitimate to the recipients.

In July 2024, Guardio Labs reported that cybercriminals exploited a modifiable configuration setting in Proofpoint’s email protection service, enabling them to create emails mimicking official Proofpoint email relays with authenticated Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) signatures.

This technique, dubbed “echospoofing,” was used to spoof global brands including Disney, Nike and Coca Cola.

In another example, Check Point researchers revealed in December 2024 that cybercriminals bypassed email security measures by using Google Calendar and Drawings to send seemingly legitimate invites containing malicious links.

Improved Impersonation Capabilities

Threat actors impersonate individuals and organisations known to the recipient to make email attacks more tailored and targeted.

This approach is particularly effective for BEC and vendor email compromise (VEC) attacks, in which specific suppliers or senior executives are impersonated to manipulate financial transfers.

This illicit impersonation has also become prominent in phishing. A study by Egress in October 2024 found that 89% of phishing emails sent between January 1 and August 31, 2024, involved impersonation, whether of a brand, department or individual.

Around three-quarters of these emails impersonated brands connected to the recipient. HR, IT and finance were the most impersonated departments, as individuals in these areas regularly ask employees to carry out specific actions related to system use and payments.

Conversation Hijacking

Another prominent technique deployed by threat actors in recent years is conversation hijacking. This tactic sees threat actors insert themselves into existing business conversations or initiate new conversations based on information they’ve gathered.

It begins with a phishing attack to steal logins and hijack a corporate email account. The hacker then spends time reading through the emails in the compromised inbox and watching new messages come in.

During this time, they piece together a picture of business operations, payment processes, partners and customers, leveraging this information to send fake invoice and wire transfer requests to key individuals.

This technique is particularly effective for launching BEC attacks, as entering into existing conversations is far less suspicious and harder for intended targets to detect.

AI-Based Phishing Attacks

Generative AI tools are being used to craft more convincing phishing emails, enabling attackers to avoid spelling and grammatical errors, no matter which language they are writing in.

This makes these malicious messages much harder for targets to detect, with traditional advice around checking for obvious spelling errors no longer applicable.

In addition to improving spelling and grammar, GenAI is able to help draft messages in a particular tone and style, such as in the voice of a CEO. This can further enhance the authenticity of phishing emails.

A report by Egress in October 2023 found that AI-generated phishing emails are almost impossible to detect, with even current AI detectors struggling to do so.



How to Enhance Email Defenses 

Faced with advanced email-based threats, organisations must ensure their email security strategies are as up-to-date and robust as possible.

Ensure Email Protocols are Properly Configured

Numerous email security protocols are available, recognised in the industry as critical mechanisms for preventing malicious messages reaching their intended targets.

These include SPF and DKIM records, which are designed to prevent malicious actors from sending emails on behalf of a domain they do not own.

The DMARC protocol tells mail servers what to do when the DKIM or SPF checks fail, such as marking emails as spam, delivering them or dropping the emails altogether.

Another is the transport layer security (TLS) privacy protocol, which ensures emails are encrypted in transit.

However, simply having such protocols in place is insufficient, with research showing that attackers are able to bypass these rules if they are improperly configured.

It is critical that organisations utilise third-party services to ensure their email security settings are up to par. In the UK, the National Cyber Security Centre (NCSC) provides an email security check service, enabling organisations to look up publicly available information on anti-spoofing standards like DMARC to check they are configured correctly.

A number of cybersecurity vendors can also provide advice and help configure DMARC in a way that presents the most effective protection for the organisation.




Email Security Tooling

Several cybersecurity firms offer tooling that is designed to detect malware and spam in incoming emails, ensuring they are blocked from reaching inboxes.

Organizations should ensure that any email tools they deploy can detect new threats. These include detecting malicious QR codes in emails, which are increasingly used by attackers instead of links and attachments to disguise malware.

Another consideration is AI-based tools that have a high success rate in detecting AI-crafted phishing emails. There should be significant improvements in this type of tooling over the coming years.

Update Training and Awareness

While identifying malicious emails has become increasingly difficult for end users, it is important that organisations train employees on modern email threats and how to detect them.

This training should emphasise that malicious emails can look professional and accurately impersonate brands and individuals.

Users must be wary of any unsolicited emails that request an action and be encouraged to check with the relevant colleague or third-party supplier before authorising payment requests.

Conclusion 

Email is set to be the primary communication method for the foreseeable future and as a result attackers will continue to evolve their techniques to target this area.

Email security therefore must be a key focus for organizations going into 2025. Ensuring that recognised email security protocols and tooling are in place and properly configured is a solid foundation for this strategy.

Email security must be continuously reviewed, understanding evolving techniques and adopting new approaches for tackling these threats.

