The Most Malicious Threat Actors Using Email

Email has been the most widely used attack vector for the past few years, including this year. Threat actors are spreading ransomware, trojans, malware, and more with a simple email. In this blog, we will review the breakdown and the average penetration ratio per category of threats.

During 2018, 858 organizations worldwide from various sectors, mainly financial ones including banks and insurance companies, turned to Cymulate to have their “cyberdefences” tested. We saw results across the board and want to share the statistics.


Armed Email Attacks by the Numbers

While some institutions were well protected, with less than 10% of email malware attacks slipping through, other institutions had over 70% of the malicious emails sent penetrate their organization’s perimeter and bypass the email security controls.

As a Proof of Concept (POC), the organizations used Cymulate to check within minutes how vulnerable they would be if a threat actor attacked them through the email attack vector. The platform initiated an attack consisting of dozens of emails armed with different file attachments. Seven categories of attacks were used to test which percentage in each category would breach the organization. In order to analyze the detection capabilities of the different security controls, these categories were divided into malicious and non-malicious attacks.

During the analysis, a staggering average of 59% of malicious emails went through. It was found that 43% of emails containing ransomware penetrated, 40% of emails containing worms penetrated, 54% of emails containing some kind of exploit penetrated, 51% of emails containing code execution penetrated, 40% of emails containing payloads penetrated, and emails containing malicious links and Trojans penetrated with a ratio of 30% each.


Non-Malicious Code Execution

Ratio of Penetration

Exploits with a non-malicious shellcode = 54%

Pure Code execution = 51%


Malicious Code Execution by Type

Ratio of Penetration

Ransomware = 43%

Worms = 40%

Payloads = 40%

Malicious Links = 30%

Trojans = 29%


The Weapon of Choice: Common File Types

In a recent analysis done by Helsinki-based security provider F-Secure, 85% of all malicious emails sent by threat actors have a .DOC, .XLS, .PDF, .ZIP, or .7Z attached. These numbers fit quite well with the results found during the many assessments performed with Cymulate, and it is well understood that these files are the weapon of choice used by malicious hackers, cyber criminals and even nation powers.

Out of the 35 different file extensions used, we saw that attacks based on .xls attachments with a macro or OLE embedded object, or .oft attachments with an OLE embedded object, penetrated the most, with a 75% penetration ratio each. PDF file-based attacks came in second, reaching a 60% penetration ratio. Altogether, attacks based on Office files with macros or OLE embedded objects such as .doc, .docx, .xlsx and .ppt had between 30%-34% penetration ratio each.


The Threat Actors Spreading These Weapons of Choice

Numerous attacks such as Emotet and Hancitor, which wreaked havoc during 2018, were delivered using these types of email attacks. Multiple threat actors such as Cobalt Group, Lazarus Group, Leviathan and multiple APT groups (such as APT28 and APT32) have been using Office file attachments like the ones above to spread their attacks.


The Breakdown 

File Type   Penetrated   Description of File Type
.xls        75%          Microsoft Excel with a macro or OLE embedded object
.oft        75%          Outlook template file with an attachment
.vcs        68%          Calendar appointment with an attachment
.pdf        60%          A PDF file with an attachment
.ics        59%          Calendar appointment with an attachment
.html       50%          HTML file with an automatic downloader
.ppt        26%          Microsoft PowerPoint with a macro or OLE embedded object
.doc        20%          Microsoft Word with a macro or OLE embedded object


Results of the Analysis

  1. The main issue to be aware of is the file attachments used as payload-carrying mechanisms, as described above (.DOC, .XLS, .PDF, .ZIP, or .7Z).

  2. Vendors providing secure email solutions such as SEG, sandbox, etc. have not concentrated their capabilities on a very important attack method in the email vector: popular and widely used files, such as standard calendar files with the extensions .ics and .vcs, carrying a malicious attachment had penetration rates of 59% and 68%. This penetration technique has been used by threat actors for a couple of years, as covered by SANS.

  3. Even more frightening was the fact that some organizations still allow emails containing .exe and .cmd files to get inside their organization. Though the statistics of these successful attacks were low, at around 2.5% penetration, it still happened.



By looking into the results of these assessments, an organization can configure its security controls to block any email containing specific attachments, or set rules in the mail filters and sandboxes to sanitize emails containing specific attachments, and so prevent these sorts of attacks from penetrating the organization and landing in an employee’s mailbox.
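As an illustration of such a rule (an added example, not Cymulate's code or any product's configuration), the Python sketch below classifies each attachment of a message as block, sanitize or allow. The policy sets are an assumption built from the extensions named in this article, and the sample message is constructed. Calendar files are only escalated when they carry an ATTACH property.

```python
import email, re
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed policy, built from the extensions named in this article.
BLOCK = {".exe", ".cmd"}
SANITIZE = {".xls", ".xlsx", ".doc", ".docx", ".ppt", ".oft", ".pdf",
            ".html", ".zip", ".7z"}
CALENDAR = {".ics", ".vcs"}

def calendar_has_attachment(text):
    """True if iCalendar/vCalendar text carries an ATTACH property."""
    unfolded = re.sub(r"\r?\n[ \t]", "", text)  # undo RFC 5545 line folding
    return any(re.match(r"ATTACH[;:]", line, re.I) for line in unfolded.splitlines())

def classify(raw_bytes):
    """Return [(filename, verdict)] for each named MIME part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    verdicts = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Lower-case, drop trailing dots/spaces: "A.PDF.exe " -> ".exe"
        ext = PurePosixPath(name.lower().rstrip(". ")).suffix
        verdict = "allow"
        if ext in BLOCK:
            verdict = "block"
        elif ext in SANITIZE:
            verdict = "sanitize"
        elif ext in CALENDAR or part.get_content_type() == "text/calendar":
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            verdict = "sanitize" if calendar_has_attachment(body) else "allow"
        verdicts.append((name, verdict))
    return verdicts

def build_sample():
    """Constructed test message; addresses, names and bytes are made up."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", "Q4"
    m.set_content("See attachments.")
    for fn in ("Invoice.PDF.exe", "report.xls"):
        m.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename=fn)
    ics = ("BEGIN:VCALENDAR\nBEGIN:VEVENT\nATTACH;FMTTYPE=application/msword:\n"
           " https://files.example.test/agenda.doc\nEND:VEVENT\nEND:VCALENDAR\n")
    m.add_attachment(ics, subtype="calendar", filename="invite.ics")
    m.add_attachment("notes", subtype="plain", filename="readme.txt")
    return m.as_bytes()
```

Calling classify(build_sample()) returns one verdict per attachment; in a real deployment the verdict would drive the gateway's quarantine or content-disarm action.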

One last and very important thing for employees: taking a few extra seconds before clicking on an email could be all it takes to avoid a nasty ransomware, credential-harvesting trojan, or cryptomining malware infection.

Want to validate if your security products will intercept these malicious emails? Cymulate enables you to validate your current security and identify possible gaps in the face of simulated multi-vector internal and external attacks, including the very latest vulnerabilities.
