Spam Analysis: Markings of an Emotet Phishing Email

In January 2020, researchers reported that the Emotet botnet was back in action after taking a Christmas break. Following this we have seen an increase in spam volume. One of the main attack vectors of the Emotet botnet is email spam, which means people unaware of this email threat are at risk. Analysis of current samples from the Emotet spam campaign shows that there are indicative characteristics that can be used to identify Emotet spam.

Clever Phishing Method

The type of spam generated by Emotet is categorized as ‘phishing’. This is because Emotet spam has a clever way of disguising itself to make it appear legitimate. When a user is infected by the Emotet malware (usually by clicking a malicious URL or attachment in a spam message), one of the functionalities of Emotet is exfiltrating email data. Data that is stolen includes the victim’s name, email address, contact list, and past email threads.

Compared to previous Emotet campaigns, we have observed an increase in this method of utilizing past email threads. Various compromised email accounts will use the victim’s name in the ‘From’ field (the name that appears before the email address) and send spam to the victim’s contact list. In some cases, even the recipient name will appear real. The content of these spam messages is usually invoice/payment related, and will contain a malicious URL or attachment. However, Emotet is also known to take advantage of high-profile news, such as the coronavirus outbreak, to trick people into getting infected.

In the context of businesses, employees may receive this phishing spam from various sources. This can include customers, contractors, business partners, even fellow co-workers (which is a huge red flag). As mentioned, the actual email address used to send the spam is usually from an unrelated compromised email account. What will be familiar is the sender’s name in the ‘From’ field. It is very possible that the victim has already dealt with being compromised (e.g. securing their email account, removing the malware from their machine/network), but it only takes that one compromise for their name to be used in countless amounts of spam.

Use of Past Email Threads

People might drop their guard when they see a real, previous email thread in the message they are reading. If the relevant data has been exfiltrated, Emotet will add a previous message thread between the victim and the recipient of the spam. It used to be reasonable to assume that an email containing a past conversation with someone must be from that person (because who else would have that information). Those not educated about Emotet can be completely caught off guard.

Unfortunately, we have also seen cases where the spammers create a fake ‘previous message’ thread. If a company has multiple public email addresses (e.g. sales@, support@), these can and will be used as part of the Emotet campaign, so the message appears to be an internal company email. This is especially troublesome because it will look like employees are being spammed by other employees despite there being no compromise, and, more importantly, the security team will be forced to waste time scanning for a compromise on their network that does not exist.

How to Spot an Emotet Phish

[Figure: Rough template of an Emotet phish]

As an end user with limited technical skills, what can one watch out for to prevent falling for the Emotet phish?

1) Familiar ‘From’ name, but an unfamiliar email address. This is not usual, especially in business settings. If you feel something is amiss, cross reference the familiar person’s name with a past email. Take the extra step to question why they would send from a different email account.

2) The line “-----Original Message-----” before a past email thread. If a message contains a past email thread, it is usually not formatted in an easy-to-read threaded view like most emails are today. It will look like someone just copied and pasted it.

3) Brief text, usually about funds, followed by the victim’s name and real email address as a signature. The message will urge you to click a link or open an attachment, with little information about what it really is. Never click on links or attachments unless you know for sure who the email is from and why they would send a link/attachment.

As an email administrator, what are some things you can spot to help protect your users from Emotet phish?

1) The ‘From’ name of an email contains your company’s domain name, but the ‘From’ address does not. This is obvious name spoofing and should be dealt with accordingly.

2) Fake ‘Reply’ threads. Genuine reply threads carry specific reply headers, so treat replies that lack them with much suspicion.

3) Employee Education. This solution is just continuing to beat the dead horse, but it remains the most important defense for companies against malware. Up-to-date education on current threats and training scenarios to identify weak points are crucial in protecting company data. A person’s natural reaction is to hide their mistakes, but this mistake is potentially so costly that the employee culture must positively motivate reporting such errors.
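The following script turns the end-user markers (points 1 to 3 above) and the administrator markers (points 1 and 2 of this list) into mechanical checks that an email administrator could run over quarantined messages. It is an added example and not code from the original post; it uses only the Python standard library, and the two sample messages, the addresses in them and the company domain example.com are constructed for illustration. The reply-header check looks for the standard In-Reply-To and References headers that mail clients add to genuine replies.

```python
"""Heuristic checks for the Emotet-style phishing markers discussed above.

Added example, not code from the original post. Standard library only.
The sample messages, addresses and the company domain are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: familiar display name with the company domain in it,
# unrelated sending address, a "Re:" subject with no threading headers,
# a pasted-in old thread, and a signature carrying the real company address.
SUSPICIOUS_EML = b"""\
From: "Jane Doe - example.com" <jdoe.acct@unrelated-mail.test>
To: bob@example.com
Subject: Re: Invoice 2043
Date: Mon, 27 Jan 2020 09:12:00 +0000
Message-ID: <a1b2c3@unrelated-mail.test>
Content-Type: text/plain; charset=utf-8

Hi Bob,
Please see the attached payment details and confirm today.

Jane Doe
jdoe@example.com

-----Original Message-----
From: bob@example.com
Sent: Friday, January 24, 2020
Subject: Invoice 2043

Thanks Jane, looks fine.
"""

# Constructed sample: a normal internal reply with proper threading headers.
BENIGN_EML = b"""\
From: "Jane Doe" <jdoe@example.com>
To: bob@example.com
Subject: Re: Invoice 2043
Date: Mon, 27 Jan 2020 09:12:00 +0000
Message-ID: <d4e5f6@example.com>
In-Reply-To: <111@example.com>
References: <111@example.com>
Content-Type: text/plain; charset=utf-8

Thanks Bob, all good.
"""

REPLY_SUBJECT = re.compile(r"^\s*(re|fw|fwd)\s*:", re.IGNORECASE)
PASTED_THREAD = re.compile(r"^-{2,}\s*Original Message\s*-{2,}\s*$",
                           re.IGNORECASE | re.MULTILINE)


def check_message(raw: bytes, company_domain: str) -> list:
    """Return the list of markers found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    company_domain = company_domain.lower()

    display_name, address = parseaddr(msg.get("From", ""))
    addr_domain = address.rpartition("@")[2].lower()

    # Admin check 1: display name mentions our domain, address is elsewhere.
    if company_domain in display_name.lower() and addr_domain != company_domain:
        findings.append("from-name-domain-mismatch")

    # Admin check 2: subject looks like a reply but no threading headers exist.
    subject = msg.get("Subject", "")
    if REPLY_SUBJECT.match(subject) and not (msg.get("In-Reply-To")
                                             or msg.get("References")):
        findings.append("reply-without-threading-headers")

    # End-user check 2: an "Original Message" separator pasted into the body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if PASTED_THREAD.search(text):
        findings.append("pasted-original-message-thread")

    # End-user checks 1 and 3: the body names a company address (typically the
    # stolen signature) that is not the address the mail was actually sent from.
    company_addrs = {a.lower() for a in re.findall(
        r"[\w.+-]+@" + re.escape(company_domain), text, re.IGNORECASE)}
    if company_addrs and address.lower() not in company_addrs:
        findings.append("signature-address-differs-from-sender")

    return findings


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_EML), ("benign", BENIGN_EML)):
        print(label, check_message(sample, "example.com"))
```

Each marker is a weak signal on its own (a forwarded message legitimately lacks In-Reply-To, and a user may paste an old thread by hand), so the findings are meant to be scored together or used to prioritise review rather than to block outright.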
