Mimecast Quarterly Intelligence Threat Report

05 Dec 2019

The business that never sleeps is very much awake and their research teams have been burning the midnight oil analysing global attack activity on their customers between July and September 2019. In their own words, they…:

‘…uncovered a mixture of simple, low effort and low-cost attacks targeting Mimecast customers. At the same time, the data highlights complex, targeted campaigns leveraging a variety of vectors and lasting several days. These sophisticated attacks are likely carried out by organized and determined threat actors, employing obfuscation, layering, exploits, and encryption to evade detection.’

As well as providing information about the nature of attack campaigns and to observe and anticipate the evolving nature of said threats, they have provided a set of recommendations to help guide and shape your cybersecurity practices, policies and procedures.

Remember, if you live by the mindset that a cyberattack on your business is a case of when and not if, it will – should – give you the push you need to take action.


The Headline Facts


  • The Mimecast Threat Center processed 207 billion emails between July and September 2019 and rejected 99 billion
  • Impersonation attacks accounted for 26% of detections during the same period
  • The Transportation, Storage & Delivery sector experienced the most opportunistic attacks of any other industry (9%)
  • ZIP files accounted for 34% of all file compression format attacks
  • During the week ending 22nd September over 21 million threats were blocked


Overall, their efforts to modify threats to evade detection within sandboxing continues but the vicious circle of threat detection is unabated in that older forms of malware are being modified as quickly and extensively as the newer forms of malware and they continue to increase with the inclusion of malicious voicemail message (voice phishing).

The threats are evolving and are more nuanced than ever before.

The biggest threats remain malware-centric campaigns which are getting increasingly sophisticated and ‘use a diverse range of malware during the different phases of an attack, which is clearly pronounced in analysis of the most persistent attacks spanning a period of several days. Subscription-based Malware-as-a-Service models also continue to increase the availability of simple attack methods to a wider audience, simultaneously keeping older, well-known malware in circulation. The use of file-less malware is also increasing, and criminals are putting greater efforts into the increased use of impersonation attacks against businesses.’


Campaign Insights


Between July and September 2019, Mimecast’s researchers and data analysts discovered 25 ‘significant’ campaigns against a number of different business sectors incorporating:

Azorult – one of the most commonly bought and sold stealers, it’s a trojan malware that harvests and exfiltrates data from the compromised system.

HawkEye – actively marketed on various hacking forums, it targets business users aiming to infect them with an advanced keylogging malware that can also download additional malware to their devices.

NanoCore – can provide the threat actor with information such as computer name and OS of the affected system. It also opens a backdoor that allows the threat actors to access the webcam and microphone, view the desktop and create internet message windows.

NetWire – is focused on password stealing and keylogging, but also includes remote control capabilities.

LokiBot – is a trojan-type malware designed to infiltrate systems and collect a wide range of information distributed by spam emails, private messaging and malicious websites.

Locky – is ransomware malware delivered by email (that is allegedly an invoice requiring payment) with an attached Microsoft Word document that contains malicious macros.

Remcos – is used as a remote access tool (RAT) that creates a backdoor into the victim’s system.

They all involve a combination of mass generic trojan delivery with complex, simultaneous threats either at the same time or in the subsequent days. The discovery demonstrates ‘a level of sophistication that goes beyond an opportunistic cybercriminal; in addition, due to the variety of businesses attacked, it’s highly likely the attacks were carried out by organized groups for monetary gain.’

The Emotet malware which was active appeared to stop over the summer (it’s C2 servers were shut down in May) and oddly demonstrated that even the most active attackers need a summer holiday!

As is a common thread throughout our blogs over the last few months, the most common, high-volume method of distributing malware is bulk emailing (spam) because its success relies on human error. Yet another reason why comprehensive in-house training is vital for your staff so they have the ability to identify the real from the fake.

You can read the full report here.


Not To Flog A Dead Horse Or Anything…


In the report, there are four primary threat categories – spam, impersonation attacks, opportunistic attacks and targeted attacks – and the research demonstrates that no-one is safe. They are widespread across all industry sectors and global regions and are growing year-on-year.

Are you prepared for what an attack on your business is capable of? Do you have a clear policy in place to withstand an attack on your critical business systems or cope with the fallout?

We won’t stop asking the questions until everyone is safe! Futile perhaps but we’re committed to doing everything we can to make you as safe as it’s possible to be.

Contact us today on info@koncisesolutions.com or call 020 7078 0789 and we’ll talk cloud and email security, communications platforms, cutting-edge IT solutions or what’s better, boozy brandy butter or creamy custard with your Christmas pudding…


Koncise Solutions

Go Back