New Abnormal Research Shows Brute Force Attacks Rise 671%

August 30, 2021

There is little doubt that business email compromise and other advanced email threats are causing significant damage–both financial and reputational—to organizations worldwide. Because these never-before-seen attacks contain few indicators of compromise, they evade secure email gateways and other traditional email infrastructure, landing in inboxes where unsuspecting employees fall victim to their schemes.

Cybercriminals steal billions each year. In fact, the FBI reported that $4.2 billion was lost last year alone—increasing the five-year total to $13.3 billion. It appears that not much will change in 2021.

Looking for the Keys to the Kingdom

In new research published today, Abnormal discovered a significant increase in both credential phishing and brute force attacks—both of which are attempts to gain access to email accounts. Once accessed, those accounts can be leveraged to send additional attacks on coworkers, partners, and vendors, and provide the credentials necessary to infiltrate other parts of the organization.

In a typical week, we observe brute force attacks targeting about 10% of companies. However, starting in May and ending in mid-June, the percentage of attacks increased by 160% to the highest-ever recorded weekly average of 26%. This means that a quarter of all companies were being targeted by brute force attacks on a weekly basis as cybercriminals attempted to take over their email accounts.

Perhaps most interestingly, during the peak of activity in the week of June 6, 2021, the rate of those attacks rose 671% over the previous weekly average as threat actors targeted 32.5% of all organizations with brute force attacks.

percentage of companies targeted by brute force attacks by week

But that isn’t all. Over the course of the second quarter, we also saw an increase in credential phishing, moving from 66% of advanced attacks in Q4 2020 to over 73% of attacks in Q2 2021. While we can’t be certain, this is likely due to the fact that once criminals have access to an internal email account, they can use that account to launch more dangerous and more targeted emails.

Vendor Email Compromise Rises to Highest Level Yet

Credential phishing may have increased in large part due to the prevalence of vendor email compromise—which rose for the fourth consecutive quarter. In order to commit vendor email compromise, threat actors must first gain access to a vendor account. From there, they can hijack existing conversations to send fraudulent invoices or update bank details.

When it comes to company size, vendor email compromise tends to target larger organizations, with those over 20,000 employees having the highest probability of receiving a VEC attack. Organizations under 5,000 employees experience VEC attacks only once every five weeks, but that number shoots up to nearly every other week for organizations over 20,000 employees. This could be because these larger organizations have more vendors and thus more opportunities for compromise.

chances of vendor email compromise by org size

And let’s not forget the main event—business email compromise. This attack type grew by an additional 22% over the last half. After a relatively slow start to the year with a median of only .2 campaigns per 1,000 mailboxes, we saw a significant rise in attacks as threat actors came back from their winter holiday. It picked up in the spring, before spiking in mid-June, doubling in attack numbers and hitting its peak of .41 campaigns.

The success of BEC has much to do with the impersonation of known individuals—typically a trusted executive, colleague, or vendor. In fact, not much has changed over the past three quarters when it comes to employee and VIP impersonation, as cybercriminals continue to take advantage of unsuspecting employees.

That said, we’ve seen a significant decrease in the number of attacks that are impersonating random individuals, as those attacks dropped from 45% to 34% of all BEC attacks over the past two quarters. Where we did see the biggest increase is in impersonation of official brands and internal automated systems.

There was a 46% increase in spoofs of automated systems, with emails typically coming from aliases like IT Support or IT Help Desk. These generic emails encourage people to download additional software, click on a link, or enter information into an external website. Each method creates an opportunity for cybercriminals to gain access to internal accounts or organizational systems, from which they can launch further attacks.

A New Type of Email Security is Needed

All of the data points to continued increases in all types of advanced attacks—particularly those that can’t be detected by traditional security infrastructure. Because they typically lack traditional indicators of compromise, these attacks are difficult to detect and even harder to prevent. Once they reach inboxes, the last line of defense is your employees, who are prone to error when confronted with a socially-engineered email designed to take advantage of their emotions. And when attackers gain access to full email accounts through brute force attacks, they have the keys to the entire cloud kingdom in their hands.

While we anticipate that these attacks will continue to increase, both in volume and in repercussions, they can be stopped. With the right solution—one focused on understanding the normal to prevent the abnormal—you can ensure that your employees, and your entire organization, are protected from the most dangerous email threats.


Prevent the Attacks That Matter Most

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 10 3 22 Cobalt Terrapin Blog
Threat group Cobalt Terrapin uses sophisticated impersonation techniques with multiple steps to commit invoice fraud.
Read More
B 09 29 22 CISO Cybersecurity Awareness Month
October is here, which means Cybersecurity Awareness Month is officially in full swing! These five tips can help security leaders take full advantage of the month.
Read More
B Email Security Challenges Blog 09 26 22
Understanding common email security challenges caused by your legacy technology will help you determine the best solution to improve your security posture.
Read More
B 5 Crucial Tips
Retailers are a popular target for threat actors due to their wealth of customer data and availability of funds. Here are 5 cybersecurity tips to help retailers reduce their risk of attack.
Read More
B 3 Essential Elements
Legacy approaches to managing unwanted mail are neither practical nor scalable. Learn the 3 essential elements of modern, effective graymail management.
Read More
B Back to School
Discover how threat group Chiffon Herring leverages impersonation and spoofed email addresses to divert paychecks to mule accounts.
Read More
B 09 06 22 Rearchitecting a System Blog
We recently shared a look at how the Abnormal engineering team overhauled our Unwanted Mail service architecture to accommodate our rapid growth. Today, we’re diving into how the team migrated traffic to the new architecture—with zero downtime.
Read More
B Industry Leading CIS Os
Stay up to date on the latest cybersecurity trends, industry news, and best practices by following these 12 innovative and influential thought leaders on social media.
Read More
B Podcast Engineering 11 08 24 22
In episode 11 of Abnormal Engineering Stories, David Hagar, Director of Engineering and Abnormal Head of UK Engineering, continues his conversation with Zehan Wang, co-founder of Magic Pony.
Read More