After analyzing millions of emails, Cofense researchers have summarized some key patterns used during the attacks in the past year. According to them, cybercriminals are relying on both brand-specific lures as well as weaponized emails to target their victims.

Trends identified by experts

For a majority of email-based attacks, attackers imitate top-notch brands (such as Microsoft) to lure victims to steal credentials and gain access to networks. Here are some notable observations.
  • Of all the malicious email lures, 45% of credential-stealing phishing attacks were Microsoft-themed attacks.
  • These malicious email lures either contained a simple message or notification or an attached file that included a link to a fake website asking users to login with Office 365 credentials.
  • Besides brand Microsoft, attackers used lures related to various other cloud hosting services, such as Adobe, Google Forms, Dropbox, Box, DocuSign, and WeTransfer to make it past the secure email gateway controls, as well as web proxy filters.
  • Furthermore, attackers used generic emails—containing a copy of a specific brand or landing page—for phishing attacks. Almost 17% of phishing emails were related to financial transactions, using invoice-themed lures, experts found.

GuLoader - the rising star for email attacks

According to the researchers, attackers are increasingly using the GuLoader dropper as a delivery mechanism for email attacks.
  • Attackers used this malware to deliver a wide array of threats, including RATs, keyloggers, credential stealers, etc. 
  • The malware offers a wide variety of tricks such as the use of false code instructions to avoid executing in virtual or sandbox environments.
  • The operators of this malware were observed using cloud platforms such as Google Drive or Microsoft OneDrive to store their malicious payloads while staying away from security radars.


From simple techniques ranging from brand-based lures to BEC attacks and malicious methods, cybercriminals are turning over every stone to deliver threats efficiently. Therefore, organizations are recommended to take email-based phishing attacks seriously and keep making regular investments to upgrade their security defenses.

Cyware Publisher