Only 1% of malicious emails that reach inboxes deliver malware

99% of email threats reaching corporate user inboxes in 2024 were response-based social engineering attacks or contained phishing links, according to Fortra. Only 1% of malicious emails that reached user inboxes delivered malware.


This shows that while common pre-delivery email defenses are effective at stopping malware, they are far less capable of blocking high-risk threats like business email compromise and credential phishing.

49% of the Q4 attacks targeted Microsoft 365 credentials as they can provide access to a wide range of organizational data and services. They also enable account takeover (ATO) attacks where malicious communications are sent from the account of a trusted internal user.

Social engineering dominates corporate email threats

40% of email threats that reached corporate user inboxes in Q4 were social engineering attacks. These attacks lack malicious links or attachments and rely solely on social engineering to convince victims to take actions such as disclosing sensitive information, transferring funds, or engaging in other fraudulent activity.

Adversaries are using simple emails that contain phone numbers and QR codes to lure victims into less secure environments where they can be more easily exploited. These multichannel attacks are difficult to detect because the emails are very basic and lack content typically flagged by filters. The most common multichannel threat in 2024 was hybrid vishing, which begins with a phishing email that tricks the victim into calling a phone number where the scam is executed.

Another multichannel threat trend was delivering malicious URLs via QR codes in message body content or attachments. This method allowed cybercriminals to slip malicious URLs past email filters lacking the ability to extract and analyze content stored in QR codes.

The volume of personal information available on open sources and the dark web is immense, with more than 1 billion records breached in 2024 alone. Cybercriminal data brokers aggregate and organize stolen data into bulk packages for anyone willing to pay the price. Email addresses are associated with a wide range of stolen information such as government identification numbers, employers, and service providers.

Fortra expects cybercriminals to use this data to personalize attacks even further, utilizing information about individuals, their families, their co-workers, etc. Cybercriminals who specialize in whaling will use the data to profile high-value victims and find weaknesses to exploit. Email threats of all kinds will become more personalized, making them harder to ignore and more convincing.

Tools for development, email, business services, etc., provide cybercriminals with infrastructure at zero cost. These services are typically “freemium” versions that have basic features compared to the full premium versions. However, basic is all cybercriminals need to launch attacks.

Cybercriminals exploit e-signature services

E-signature platforms were the most abused kind of legitimate service, with DocuSign being the most heavily abused e-signature service in 2024. A high volume of email threats used DocuSign to send malicious emails and attachments.

For cybercriminals, abusing legitimate services delivers efficiency gains and trusted infrastructure. The benefits are too attractive to not take advantage of them. Companies that offer free services are reluctant to introduce stronger verification measures prior to usage. Doing so would introduce friction and get in the way of the instant gratification customers want.

Instead, they rely on abuse reports and other reactive measures to clean up abuse after it happens. Absent stronger regulatory or market incentives to encourage proactive anti-abuse measures by legitimate service providers, the abuse is likely to persist and grow. Cybercriminals will seek to exploit as much trusted infrastructure as they can, using that infrastructure to bypass security controls and present victims with more convincing phishing attacks.

In 2025, social engineering and vishing attacks will become more sophisticated with the use of generative AI to create error-free dialogue. Language will be less of a barrier, opening the door to more clever and convincing lures.

“The incorporation of AI and trusted tools, paired with an unimaginable amount of stolen personal data, means today’s phishing campaigns are more likely than ever to compromise users,” said Matt Reck, CEO of Fortra.
