
EXECUTIVE SUMMARY

One in every 99 emails is a phishing attack, using malicious links and attachments as the main vector. Of the phishing attacks we analyzed, 25% bypassed Office 365 security, a number that is likely to increase as hackers design new obfuscation methods that take advantage of zero-day vulnerabilities on the platform.
CONTENTS

INTRO 1
THE RESEARCH 2
OVERVIEW 3
OFFICE 365 DEEP DIVE 4
PHISHING VECTORS 5
SPEARPHISHING 6
EXTORTION 7
CREDENTIAL HARVESTING 8
MALWARE PHISHING 9
PHISHING INDICATORS 10
BRAND IMPERSONATION 11
OBFUSCATION 12
OBFUSCATION TYPES 13
CONCLUSION 14

avanan.com
INTRO
Phishing occurs when an attacker sends a communication (usually an email) to an individual attempting to influence them to open an infected file or click on a malicious link to a page that will request credentials or drop malware. Once the victim clicks, the criminal can upload malware and engage in other insidious acts that will enable prolonged access to the system. (2018 Verizon Data Breach Investigation Report)

Over the past decade, phishing attacks have become the most widespread email threat to organizations around the globe. As security solutions designed to block these attacks have grown more advanced, the sophistication of these attacks has kept pace, evolving to evade detection.

Cloud-based email, with all of its benefits, has ushered in a new era of phishing attacks. The nature of the cloud provides even more vectors of which hackers take advantage, and even broader access to critical data when a phishing attack is successful.

ABOUT THIS REPORT

Avanan has unique insight into the current phishing landscape due to our cloud-native architecture. Our software connects via API inside of the cloud, creating key advantages over conventional solutions to email security, which sit outside (such as email gateways). For this reason, it can detect and analyze phishing attacks that have evaded Office 365 and Gmail security. Scanning after the default security but before the inbox, the platform catches phishing emails that bypass all other existing security layers.

As our research team consistently realized that this approach offered new insights into how attacks make it to the inbox, we felt compelled to combine the data and make the following report available.

THE RESEARCH

EMAILS ANALYZED
55.5 Million

INDUSTRIES
Finance, Healthcare, Manufacturing, Construction, Consulting, Government, Retail, Education, Technology

COMPANY SIZE
20 users to 100,000 users

PLATFORMS
© 2019 Avanan. avanan.com
OVERVIEW
For most organizations, phishing is the number one email security threat, outranking both malware and ransomware. We analyzed over 55 million emails to provide a clear picture of the threat landscape.

PLATFORM      EMAILS ANALYZED   PHISHING EMAILS   PHISHING PERCENTAGE
Office 365    52,379,886        546,247           1.04%
Gmail         3,120,114         15,700            0.5%
TOTAL         55,500,000        561,947           1.01%

One in every 99 emails is a phishing attack.

OFFICE 365 DEEP DIVE
In our analysis of over 52 million emails sent to Office 365, we scanned every email after the default security, allowing us to see not only the phishing attacks that were caught, but also those that were missed. This gave us deep data on every phishing attack caught or missed, and how they were classified.

How phishing emails were treated by Office 365 Exchange Online Protection (EOP)

Not delivered to inbox:
    Marked as phishing by EOP         20.7%
    Marked as spam by EOP             49%

Delivered to inbox:
    Marked as clean by EOP            25%
    Whitelisted by admin config *     5.3%

30.3% of phishing emails sent to organizations using Office 365 EOP were delivered to the inbox.

* These are phishing emails that are not blocked due to admin configurations set up by the organization that inadvertently whitelist emails that would otherwise get blocked.

PHISHING VECTORS
What type of phishing attack is most common? We looked at 561,947 phishing attacks and broke them down into four vectors, each illustrating a different approach taken by the bad actor.

Spearphishing            0.4%
Extortion                8%
Credential Harvesting    40.9%
Malware Phishing         50.7%

Over half of all phishing attacks contain malware.

LEARN THE PHISHING VECTORS
SPEARPHISHING (0.4% of phishing attacks)
Although spearphishing is far less common than the other three vectors, it often has the largest impact. Spearphishing attacks target high-level employees who have access to either company finances or other sensitive information. Their goal is to establish trust and urgency to convince the recipient to comply with the ask. These phishing attacks can also be the most difficult to detect, given the lack of attachments or links that can be flagged by anti-phishing tools. They rely on social engineering, rather than technical bypass methods, to deceive targets into surrendering a wealth of information.

COMMON TRAITS OF SPEARPHISHING EMAILS

- Impersonates or sent to a senior employee (C-level/VP/HR/Accounting)
- Doesn't contain a link or attachment
- Sense of urgency to complete a manual task.

EXTORTION (8% of phishing attacks)
The digital form of blackmail, extortion emails are almost always after money. The sender of the phishing email will claim to have compromising information about the recipient. But unlike spearphishing, these threatening emails are usually sent en masse, meaning that the content of the message is usually vague. In order to lend authority to their claim, the attacker typically lists the victim's current or past password that was obtained from a data leak and sold on the dark web.

COMMON TRAITS OF EXTORTION PHISHING EMAILS

- Cryptocurrency wallet address
- Threats to blackmail the recipient
- Contains recipient's password (obtained from database leak)
- Impersonates recipient
CREDENTIAL HARVESTING (40.9% of phishing attacks)
Credential harvesting attacks lure the victim into divulging personal information that grants access to online accounts or personal finances. Credentials range from email passwords to credit card numbers. Usually, credential harvesting attacks impersonate trusted brands like Amazon to trick the recipient into entering their username and password on a spoofed login page. With these credentials, hackers take over the victim's account or sell the information on the black market in bulk.

COMMON TRAITS OF CREDENTIAL HARVESTING PHISHING EMAILS

- Trusted brand logo
- Link in the email body or an attachment (.docx or PDF)
- Action items that create a sense of urgency to click on the link
- Link in email leads to a login page.

MALWARE PHISHING (50.7% of phishing attacks)
This vector uses a phishing email to install malware on the recipient's device. These attacks often bypass traditional malware scans since the email itself is not malicious; instead, the email contains a link that triggers a download of malicious content (known as a trojan) or has a malicious attachment.

COMMON TRAITS OF MALWARE PHISHING EMAILS

- Has an attachment
- Contains a link that triggers a file download

PHISHING INDICATORS
The signs of a phishing attack can be subtle and inconsistent, making them hard to detect. As you can see below, there are plenty of reasons why a legitimate email may possess traits that are common in phishing emails. This is why it is vital you use an anti-phishing solution, which can analyze these subtle traits with automated precision.

Share of emails carrying each trait that were phishing vs. legitimate:

TRAIT                                   PHISHING   LEGITIMATE
Contains a Google Drive link            3%         97%
From a brand                            4%         96%
Contains a shortened link               5%         95%
Sent to undisclosed recipients          9%         91%
Contains a link to a WordPress site     35%        65%
Contains a cryptowallet address         2%         98%

Over 1 in 3 emails containing a link to a WordPress site is phishing.
BRAND IMPERSONATION
We discovered an alarming statistic: out of every 25 branded emails, it is likely that at least one is a phishing email. These emails impersonate trusted brands to get you to click a malicious link or surrender personal information on a spoofed landing page.

[Chart: share of impersonated brands, 43%, 38%, 9.7%, 2.5%; the brand labels were logos and are not recoverable from the text.]

Microsoft is by far the most impersonated brand throughout the year. During the holiday season, however, Amazon surpasses Microsoft.
PHISHING TREND OF THE YEAR

OBFUSCATION

Obfuscation methods are the most advanced phishing attacks, leveraging specific vulnerabilities in Office 365 security layers. Hackers obfuscate the URL, making it unrecognizable to Office 365 security, which fails to blacklist the malicious content. With this strategy, hackers can use URLs that are even known to be malicious, because Microsoft won't recognize the format of the URL. And because EOP and Advanced Threat Protection (ATP) use the same first layer of email body parsing (though ATP has a unique attachment parser), all email body obfuscation methods we tested effectively bypassed both security layers of Office 365.

URL OBFUSCATION EXAMPLE

Malicious link:
    <a href="https://malware.com">Link</a>

Malicious link obfuscated with zero-width spaces:
    <a href="https://malw&#8204are.&#8204com">Link</a>

Obfuscation methods make up a very small percentage of attacks, likely because hackers intentionally limit their usage in order not to expose the vulnerability. Typically, we observe these attacks use malicious login pages and links to malicious attachments that detonate malware.

Why obfuscation is effective
These methods are designed to not only fool the recipient but also systematically bypass email security scans.

Obfuscation methods have been used in some of the most notable attacks in the past year. During that time, our security team has uncovered several high-profile obfuscation methods. Most notably, the BaseStriker attack used <base> tags in the html of the email to split links into multiple parts, making them unrecognizable to Microsoft SafeLinks. Most recently, the NoRelationship attack bypassed Proofpoint and EOP by removing malicious links from the relationship file to confuse link parsers, which scan Office documents like PowerPoint, Word, and Excel.

OBFUSCATION TYPES

At their core, obfuscation attacks rely on the email being rendered to the end-user differently than how it appears to the machine-based security layer. The generalized groups of obfuscation include:

- Rare / unused, yet legitimate email formats that are not properly parsed by the security layer, but are presented by the email client to the end user.
- Malformed email bodies and attachments that confuse the security layer parsing the html, but are still presented by the email client as if the message and its contents were legitimate and safe.
- Hidden characters in the email body and links fool the machine-based security filter to analyze content differently than what will be presented to the end-user.
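The zero-width example in the OBFUSCATION section, the <base>-tag splitting attributed to BaseStriker, and the hidden-character group above all come down to one defensive requirement: a link scanner has to canonicalize each URL the way the mail client will resolve it before comparing it with a blocklist. The following Python script is an added example, not Avanan's or Microsoft's code. It decodes HTML character references, strips zero-width code points, resolves relative links against <base href>, lower-cases the scheme and host, and contrasts the result with a scanner that takes each href literally. The sample email bodies, the blocklist and every function name are constructed for this example.

```python
"""Canonicalize links in an HTML email body before blocklist matching.
Added example, not Avanan's or Microsoft's code; sample bodies and the
blocklist below are constructed for illustration."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Invisible code points that do not change how a link renders or resolves
# but defeat literal matching: ZWSP, ZWNJ, ZWJ, word joiner, BOM, soft hyphen.
_ZERO_WIDTH_RE = re.compile("[\u200b\u200c\u200d\u2060\ufeff\u00ad]")

# Literal href values, as a scanner that skips parsing would see them.
_RAW_ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]*)"', re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collects the first <base href> and every <a href> in the body."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lower-cases names, decodes entities
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"]
        elif tag == "a" and attrs.get("href") is not None:
            self.hrefs.append(attrs["href"])


def normalize_url(href, base=None, decode_entities=True):
    """Return the URL a mail client would actually fetch for *href*:
    decode character references (&#8204 -> U+200C), drop zero-width code
    points, resolve against <base href>, lower-case scheme and host."""
    if decode_entities:
        href = html.unescape(href)
    href = _ZERO_WIDTH_RE.sub("", href).strip()
    if base:
        href = urljoin(_ZERO_WIDTH_RE.sub("", base).strip(), href)
    scheme, sep, rest = href.partition("://")
    if sep:
        host, slash, path = rest.partition("/")
        href = scheme.lower() + sep + host.lower() + slash + path
    return href


def extract_links(body):
    """All normalized link targets in an HTML email body."""
    parser = _LinkCollector()
    parser.feed(body)
    parser.close()
    # HTMLParser already decoded character references in attribute values,
    # so decoding again here would double-unescape; skip that step.
    return [normalize_url(h, parser.base, decode_entities=False)
            for h in parser.hrefs]


def host_of(url):
    """Host part of an absolute URL ('' if there is none)."""
    scheme, sep, rest = url.partition("://")
    return rest.split("/", 1)[0] if sep else ""


def naive_anchor_hits(body, blocklist):
    """Blocklisted hosts found when each <a href> is taken literally, with no
    entity decoding, zero-width stripping or <base> resolution."""
    return [h for h in _RAW_ANCHOR_RE.findall(body) if host_of(h) in blocklist]


def blocked_links(body, blocklist):
    """Normalized links in *body* whose host is on *blocklist*."""
    return [u for u in extract_links(body) if host_of(u) in blocklist]


# Constructed sample bodies: the report's zero-width trick, and a link split
# across <base href> and a relative <a href> in the style it describes.
ZERO_WIDTH_BODY = '<p>Invoice</p><a href="https://malw&#8204are.&#8204com">Link</a>'
BASE_SPLIT_BODY = ('<html><head><base href="https://malware.com/"></head>'
                   '<body><a href="login/index.php">Link</a></body></html>')
BLOCKLIST = {"malware.com"}  # constructed placeholder blocklist

if __name__ == "__main__":
    for body in (ZERO_WIDTH_BODY, BASE_SPLIT_BODY):
        print("literal href match :", naive_anchor_hits(body, BLOCKLIST))
        print("after normalization:", blocked_links(body, BLOCKLIST))
```

Run as a script, both sample bodies produce an empty result from the literal check and a hit on malware.com after normalization. The same normalize_url step belongs in front of any link extracted from an attachment as well, since the report notes that email link scanning and attachment scanning are disconnected.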

Email Body
Hackers edit the html of the email body to confuse natural language processing or hide URLs from detection technology.

Attachment
Hiding malicious links within an otherwise benign attachment to take advantage of the disconnect between email link scanning and attachment scanning technology.

CONCLUSION

Phishing attacks are becoming increasingly sophisticated and difficult for humans and machines alike to detect. Employees are bombarded with spearphishing, extortion, credential harvesting, and malware attacks. Yet Office 365 and Gmail cannot reliably block emails containing malicious language, links, or attachments.

Avanan's analysis of 55.5 million emails in this report exemplifies how hackers succeed at deceiving organizations of any industry and size. At the same time, it attests to Avanan's rich insights into the phishing landscape, and how Avanan can identify the evolving methods hackers use to evade detection.

As phishing attacks continue to wreak havoc across the globe, Avanan is uniquely positioned to protect companies from the threats that Office 365 and Google miss. Unlike other email security solutions, Avanan sits inside the email provider's cloud, stopping threats after the email provider has scanned but before they reach the inbox.

Avanan is the final line of defense for global companies looking to secure their email from the unrelenting efforts of hackers.

ABOUT AVANAN
Avanan augments the security of cloud-based email, messaging, and file-sharing across enterprise platforms including Office 365™, G Suite™, and Slack™. It deploys in minutes via API to block phishing, malware, data leakage, account takeover, and shadow IT. The cloud-native platform is a core component of leading security vendor solutions, and deploys best-of-breed technologies from trusted partners including Check Point, Lastline, and FireEye.

© 2019 Avanan. All Rights Reserved. The Avanan name and logo and all other names, logos, and slogans identifying Avanan's products and services are trademarks and service marks or registered trademarks and service marks of Avanan Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners. 04/19

Avanan is a cloud-native security platform for communications and collaboration.

Learn more at avanan.com
