Global Threat Intelligence Report Q3 2023 - v1.0
July-September 2023
INTRODUCTION

Organizations large and small are increasingly looking to leverage good threat intelligence to update their cybersecurity infrastructures in real time and maximize protection of their businesses’ communications, people, and data.

Mimecast generates threat intelligence through its analysis of more than a billion emails per day on behalf of more than 42,000 customers. Because email is the channel through which most cyber threats launch, Mimecast sees many new threats before they become widely known.

This report distills insights from the intelligence Mimecast generated throughout the third quarter of 2023 and combines it with external intelligence from the cybersecurity community at large. It includes an analysis of threat activity, a series of top-line statistics that shaped that activity, and recommendations for what small businesses and large enterprises alike can do to mitigate the risk those threats pose.

We invite you to explore our Q3 2023 threat intelligence report and look forward to sharing more insights in the future.
EXECUTIVE SUMMARY

Attackers attempting to infiltrate businesses focused on a handful of significant zero-day vulnerabilities in the third quarter of 2023, even as they ramped up impersonation attacks. Our research shows that two-thirds of firms have suffered a ransomware attack in the past year, nearly all (97%) have been targeted by email-based phishing attacks, and the vast majority (76%) of security teams at organizations worldwide expect to have an attack with serious consequences using email as a vector.

2/3 of firms have suffered a ransomware attack in the past year. 97% have been targeted by email-based phishing attacks.

Mimecast Threat Intelligence team

Mimecast’s threat intelligence team is comprised of a globally distributed set of engineers, scientists, analysts, and threat researchers that aid the Mimecast Security Operations Center (MSOC). Threats are continuously monitored across more than a billion emails per day, and Mimecast’s cybersecurity experts analyze, investigate attacks, and test efficacy to develop sophisticated and timely threat intelligence that applies the latest protection across Mimecast’s security solutions.
KEY FINDINGS

Impersonation increased, becoming more sophisticated as opportunistic cybercriminal groups used it to gain initial access to targeted organizations.

Zero-day exploitation of vulnerabilities became a greater threat, with attackers targeting flaws in MOVEit, multiple zero-day vulnerabilities in Microsoft software, and browsers and apps using the open-source libvpx and libwebp image libraries, among other issues.

Human resource firms, information technology software and services, and financial services (especially banking) saw the most threats per user. Consistently high levels of threat activity were also detected against the manufacturing, transportation, storage and delivery, and retail and wholesale industries.

Mimecast recommends that security professionals and risk managers review their service-level agreements to set minimum levels of data security and cybersecurity and find ways to monitor suppliers more closely. Acquisition targets should be subject to extra cybersecurity scrutiny.

Organizations should configure their email infrastructure to block the auto-loading of images, as we expect attackers to increasingly use image file types as carriers for malware and malicious content, such as QR codes leading to malicious sites.
ZERO-DAYS SURGE, CLOUDS ATTACKED

Multiple zero-day threats emerged during the third quarter of 2023, and threat actors added to their growing focus on cloud platforms and applications. We also saw several cybercriminal groups make notable strategic shifts in the quarter.

Security professionals continued to face widespread breaches caused by a critical vulnerability in the MOVEit managed file-transfer platform that began in Q2, at the end of May.

Then, the ransomware group Cl0p used the previously undisclosed vulnerability to compromise at least 200 — and more likely, 400 or more — businesses. Breach disclosures continued to trickle out during the third quarter. Many of the victims provided services to client organizations, which expanded the impact of data breaches to more than 2,300 organizations.

Other reports of new zero-day vulnerabilities in the quarter included critical security weaknesses in the open-source graphics libraries libvpx[1] and libwebp[2], which are likely to be incorporated into attacker tools going forward. The vulnerabilities in the two open-source graphics libraries could expose Google Chrome, Mozilla Firefox, and hundreds of applications.

While Cl0p is an opportunistic criminal group, state-sponsored and state-linked actors continued to take part in the cyber component of Russia’s invasion of Ukraine. Russia-affiliated groups, such as Anonymous Sudan and Killnet, targeted government agencies and companies affiliated with Ukraine’s allies, while Chinese hackers successfully stole a consumer signing key from Microsoft in July.

Both criminal and nation-backed groups continued the trend of targeting cloud services, following the many businesses that have shifted IT operations and other services to the cloud.

1. CVE-2023-5217 Detail, NIST National Vulnerability Database.
2. CVE-2023-4863 Detail, NIST National Vulnerability Database.
Credential phishing has become a major focus of email-based attacks, and threat groups are finding ways — such as SQL-based lateral movement and consent phishing — to get around the baseline security of the major triad of cloud services: Amazon Web Services, Google Cloud, and Microsoft Azure. In addition, cloud-based collaboration software platforms, such as Microsoft Teams and Slack, have become channels for phishing attacks and other attempts to steal credentials, with attacks increasing through those platforms during Q3 2023.

Meanwhile, threat groups experiencing their own challenges made shifts in strategy. The LockBit group appeared to cease activity for a week in August and may have been compromised. The Snatch Team ransomware group shifted its strategy and began commenting on its successful breaches, pointing out deficiencies in victims’ cyber defenses to put pressure on companies to pay ransoms. Outing organizations’ security shortcomings provides ammunition that insurers can use to avoid payments, as well as fuel for potential lawsuits. In late August, a multinational operation by law enforcement and private industry disrupted the Qakbot malware group and its associated infrastructure — used by many ransomware gangs to target victims — and coopted the network to distribute code to remove the malware from affected computers.

76% expect a serious email-based compromise will impact their company this year.
72% anticipate a similar attack through their collaboration tools.

Looking ahead, security professionals’ concern over email-based attacks remains high, with 76% expecting that a serious email-based compromise will impact their company this year and 72% anticipating a similar attack through their collaboration tools. Publicly traded companies may find themselves targeted more often as ransomware groups consider whether the new Securities and Exchange Commission rules for disclosure of breaches will make companies more likely to pay ransoms.
QUARTER THREE 2023 IN CHARTS

01 Uptick in threats for medium-sized firms
Small- and medium-sized companies face a greater number of threats than their larger counterparts.

02 Impersonation increased
Impersonation attacks become more sophisticated as opportunistic cybercriminal groups used it to gain initial access to targeted organizations.

03 PDFs still dominate, Excel becomes more common
Attackers’ use of PDF and Microsoft Excel formats is growing. Our data shows attackers’ use of malicious PDF files increased by 158% in Q3 2023 from the prior quarter, while the use of various Excel formats increased by 86%.

04 Top targeted industries
Human resource firms, information technology software and services, and financial services (especially banking) saw the most threats per user. Consistently high levels of threat activity were also detected against the manufacturing, transportation, storage and delivery, and retail and wholesale industries.

05 Attachment vulnerabilities
Most attackers relied on exploiting two vulnerabilities using malicious attachments: a flaw in the equation editor for Microsoft Office (CVE-2018-0802) and a bypass of Microsoft Office’s security features (CVE-2016-7262).
01 Encounter rates: uptick in threats for medium-sized firms

FIGURE 1 - Users at medium-sized companies saw more threats. Small (blue line) and medium-sized (red line) companies see more threats on average each quarter, but in the third quarter, users at medium-sized companies saw a significant uptick in threats. [Chart: Threats Encountered per User (0 to 45), Q2 2022 through Q3 2023; series: All users, Medium companies, Small companies, Large enterprises.]

Users at small- and medium-sized companies face a greater number of threats than their larger counterparts[3] because opportunistic attackers tend to see smaller companies as easier targets for phishing and ransomware campaigns. In addition, because of their smaller size, email threats targeted at specific internal groups — such as accountants or developers — will have an outsized impact on smaller companies.

Medium-sized companies specifically have seen more threats per user in Q3 (see Figure 1), with Mimecast blocking nearly 40 malicious emails for each user per quarter, up from 33 last quarter.

For CISOs and security managers, this seemingly modest number of threats can quickly overwhelm their resources when multiplied across the entire employee base — especially because attackers only need a single success.

This increase in threats per user (TPU) is likely due to a combination of factors: Attackers see mid-sized companies as a profitable combination of vulnerability and potential cash value, and they often are good third-party launching points from which to compromise larger partner companies.

3. As Attacks Rise, SMBs Need a Cybersecurity Playbook, Mimecast Cyber Resilience Insights Blog
02 Encounter rates: impersonation on the rise

On average, users saw more non-spam, non-malware threats in Q3 2023 compared to Q2 2023. While the number of spam messages encountered by the average user increased 7% in the third quarter from the previous quarter, both the number of impersonation attempts and malicious links sent to each user increased by double digits — 12% and 22% respectively. Overall, URLs continue to be a less frequent threat than impersonation, which rivals spam for the most encountered type of email attack.

Quarter-over-quarter change per user: spam +7%; impersonation +12%; malicious links +22%.

Impersonation attacks are a key tactic of state-linked groups seeking to establish initial access into targeted networks, and the cyber component of Russia’s invasion of Ukraine likely contributed to the increase in impersonation attacks. Traditionally, Russian tactics target a specific adversary or region; but because other countries are aiding in Ukraine’s defense, the attacks now appear to be embracing broader targets. In fact, attacks targeting organizations outside of Ukraine outnumber those against Ukrainian targets. The result is a spilling over of malicious email attacks to other regions — 116 cyberconflict-related attacks targeted Ukraine in Q2, compared to 489 attacks targeting organizations in other countries, such as Poland, Germany, and France. That resembles the widespread spillover impact of NotPetya in 2017.

Opportunistic cybercriminal groups are also adopting impersonation as a core technique to gain initial access to targeted networks.

Mimecast technology filters dangerous emails as they are detected. For example, impersonation attacks neutralized by the spam layer are never seen by the impersonation detection layer and are therefore not included in the red portion of each bar in Figure 2.

FIGURE 2 - Attacks using impersonation and malicious links increase. Users saw more threats using spam, impersonation, and malicious links in Q3 2023. [Chart: Threats Encountered Per User (0 to 20), Q2 2022 through Q3 2023; stacked series: Malicious links, Impersonation, Malicious attachments, Known malware, Spam.]
03 Attachments: PDFs still dominate, Excel formats become more common

FIGURE 3 - Malicious PDF and Excel attachments increase. Users are seeing more PDF files (red) and Excel formats (blue shades) as malicious attachments (per 1,000 users). [Chart: Encounters per 1,000 Users (0 to 40), Q2 2022 through Q3 2023; series: DOCX, ZIP, XLSM, XLSX, PDF.]

Users see relatively few malicious attachments due to the success of current defenses. Nonetheless, attackers’ use of PDF and Microsoft Excel formats is growing. Part of the reason for the low encounter rates for attachments is that attackers typically use them against specific targets in spear phishing or business email compromise (BEC) attacks, focusing on executives and accounting departments.

Our data shows attackers’ use of malicious PDF files increased by 158% in Q3 2023 from the prior quarter, while the use of various Excel formats increased by 86%. Microsoft Word documents used in malicious attacks declined 46%.

Overall, Mimecast sees attackers reducing their reliance on malware sent as attached files in favor of links that can be dynamically modified. Links give the attacker the capability to change the payload on the fly and deploy additional covert capabilities.

The data on attachment-based attacks comes from Mimecast’s third level of protection, Attachment Protect, which stops the more sophisticated attack attempts that escape first and second-level detections. As a result, the number of threats per user is lower than you might expect.
04 Industry snapshot: targeting business operations

FIGURE 4 - Average threats per user by top industry targets. Companies in the HR and recruitment sector encountered seven times as many threats per user as the average business. [Chart: Threats per User (0 to 10) for 2023 Q1, Q2 and Q3, with the Average TPU for 2023 Q3 marked; industries: Professional Services HR & Recruitment, IT: Software & SAAS, Finance: Banking, Retail & Wholesale, Finance: Other Financial Services. Bar values shown: 9.27, 5.55, 5.54, 4.07, 3.99, 3.23, 3.21, 2.71, 2.58, 2.50, 2.41, 2.04, 1.34, 1.22, 1.22.]

Attackers returned to pre-pandemic targets in Q3 2023, focusing on the internal groups and external services that are critical to business operations. Their top targets were human resource firms, information technology software and services, and financial services, especially banking.

Average users in those industries encountered threats at a rate far above the average for all industry sectors. There were 9.3 threats per user (TPUs) in human resources and recruitment, 5.5 (TPUs) for IT software and services and 4.1 (TPUs) in banking.

IT services and banking ranked numbers two and three this quarter, and saw much less activity in previous quarters.

Mimecast has seen consistently high levels of malware activity sustained at volume since the pandemic commenced. This is now normalizing back to the opportunistic criminal and financial targets such as HR, banking, IT services and legal.

This trend has been apparent, but gradual, since the start of 2023. The retail and wholesale industry ranked number four for attacks against its users in Q3 2023.
05 Vulnerability snapshot: most common email attack uses 5-year-old flaw

FIGURE 5 - Top vulnerabilities encountered in email-based attacks. Two vulnerabilities accounted for most of the malicious attachments, both at least five years old. [Chart: Encounters for the quarter (0 to 70,000) by vulnerability, grouped by affected product (Microsoft Office, Apache Log4J, Microsoft Windows): CVE-2018-0802, CVE-2016-7262, CVE-2017-11882, CVE-2017-0199, CVE-2021-44228, CVE-2018-8414, CVE-2009-3129, CVE-2012-1856, CVE-2014-4114, CVE-2014-1761.]

Most attackers relied on exploiting two vulnerabilities — both at least five years old — using malicious attachments: A flaw in the equation editor for Microsoft Office (CVE-2018-0802) and a bypass of Microsoft Office’s security features (CVE-2016-7262). Because attachments are scanned only after passing other checks, such as spam protections, the threat data included here represents the more sophisticated attacks.

Data from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) shows that many vulnerabilities encountered by companies do not arrive in email but target appliances and servers.

For example, among the most exploited security issues in 2022 were an SSL credential exposure in Fortinet virtual private network (VPN) appliances, three issues in Microsoft Exchange Server, and an authentication bypass in the Zoho ManageEngine.
NATIVE SECURITY IS NOT ENOUGH

Beyond these vulnerabilities, Microsoft represents the lion’s share of third-party email services. Some businesses have come to rely on the native security provided by Google Workspace and Microsoft 365; but because the two services account for 95% of all cloud email adoption, attackers are constantly and actively seeking ways to bypass their security and target their users. For that reason, their native security is not enough.

Attackers have already found ways around many of their defenses. Research conducted by a cyber insurance firm found that companies using cloud email services — such as Microsoft 365 or Google Workspace — see fewer attacks than those using on-premises email servers, but that companies using third-party email security solutions improved performance even further.

Companies recognize the need to close gaps in native security services, with 94% of security leaders seeking better security protections than those that come with their cloud email services. Mimecast was the best performing email security solution, with its users submitting 22% fewer claims to the insurer than the average organization.
Attackers move faster than platforms

FIGURE 6 - Microsoft dominates brand impersonation, even more so in Q3. Email attacks impersonating the Microsoft brand dominated phishing and BEC lures. [Chart: share of brand-impersonation attacks (0% to 90%) by Rank of Brand for Quarter, 2023 Q1 through Q3; brands shown: Q1 - Microsoft, Google, Docusign, Adobe, Hubspot; Q2 - Microsoft, Google, Adobe, Okta, Amazon; Q3 - Microsoft, Adobe, DHL, Booking, Facebook.]

Cybercriminals are exploiting known vulnerabilities to launch attacks far faster than most organizations can patch their systems. The Known Exploited Vulnerabilities (KEV) Catalog, for example, documents which vulnerabilities attackers have already exploited, with 188 vulnerabilities from 2021, 120 from 2022, and 78 from 2023 exploited by attackers to date. Only a handful of vulnerabilities, however, account for most email attacks, making threat intelligence a key to knowing which exploits are most common and to helping harden the network and users against them.

Keeping up with which vulnerabilities have been exploited, how to defend against the attacks, and which exploits are currently being used to infect users is not only a difficult and increasingly complex task, but is often one that security teams do not have time to do properly.

Email service providers typically do not have the intense focus on security to process the necessary intelligence and provide protection for their customers. To minimize email-based risks, companies should follow the best practice of layered security for the top attack vector — email.
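The KEV-driven prioritization described above can be scripted. The following Python is an added example written for this page, not Mimecast's or CISA's code: it reads a catalog in the JSON shape CISA publishes (a `vulnerabilities` list whose entries carry `cveID`, `dueDate` and `knownRansomwareCampaignUse`), counts entries by CVE year the way the 188/120/78 figures above are counted, and sorts an inventory of CVEs so that catalogued, ransomware-linked flaws come first. The catalog content is a constructed sample: the CVE identifiers are the ones shown in Figure 5, but the dates and ransomware flags are placeholders, not the real catalog entries.

```python
import json
from collections import Counter

# Constructed sample in the shape of CISA's KEV JSON feed. The CVE ids are
# the ones reported on this page; dateAdded, dueDate and
# knownRansomwareCampaignUse are placeholder values, not real catalog data.
SAMPLE_KEV_JSON = """{
  "title": "constructed sample",
  "vulnerabilities": [
    {"cveID": "CVE-2018-0802", "vendorProject": "Microsoft", "product": "Office",
     "dateAdded": "2022-01-01", "dueDate": "2022-01-15", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2017-11882", "vendorProject": "Microsoft", "product": "Office",
     "dateAdded": "2021-11-01", "dueDate": "2022-05-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2017-0199", "vendorProject": "Microsoft", "product": "Office",
     "dateAdded": "2021-11-01", "dueDate": "2022-05-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24", "knownRansomwareCampaignUse": "Known"}
  ]
}"""


def load_kev(raw: str) -> dict:
    """Index a KEV-shaped JSON document by upper-cased CVE id."""
    doc = json.loads(raw)
    return {entry["cveID"].upper(): entry for entry in doc["vulnerabilities"]}


def kev_counts_by_cve_year(kev: dict) -> dict:
    """Count catalog entries by the year embedded in the CVE id (CVE-YYYY-NNNN)."""
    return dict(Counter(int(cve.split("-")[1]) for cve in kev))


def prioritize(inventory, kev: dict) -> list:
    """Order an inventory of CVE ids for patching: catalogued flaws with known
    ransomware use first, then other catalogued flaws (earliest due date first),
    then everything that is not in the catalog, each tier sorted by id."""
    def sort_key(cve):
        entry = kev.get(cve)
        if entry is None:
            return (2, "9999-12-31", cve)
        ransomware = 0 if entry.get("knownRansomwareCampaignUse") == "Known" else 1
        return (ransomware, entry.get("dueDate", "9999-12-31"), cve)
    return sorted({c.upper() for c in inventory}, key=sort_key)


def triage_report(inventory, kev: dict) -> list:
    """Pair each CVE with its triage tier, in priority order."""
    rows = []
    for cve in prioritize(inventory, kev):
        entry = kev.get(cve)
        if entry is None:
            tier = "not in KEV"
        elif entry.get("knownRansomwareCampaignUse") == "Known":
            tier = "KEV, ransomware use"
        else:
            tier = "KEV"
        rows.append((cve, tier))
    return rows


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    print(kev_counts_by_cve_year(catalog))
    # Vulnerabilities seen in email attachments this quarter (Figure 5), used as an inventory.
    seen_in_email = ["CVE-2016-7262", "CVE-2018-0802", "CVE-2021-44228",
                     "CVE-2017-11882", "CVE-2014-1761"]
    for cve, tier in triage_report(seen_in_email, catalog):
        print(f"{cve:16} {tier}")
```

Against the real feed, `load_kev` would be given the downloaded catalog text instead of the sample string; the two email-borne Office flaws the report highlights land in different tiers depending only on what the catalog says about them, which is the point of letting the catalog, not the volume of encounters, drive the order.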
Third-party security services bring focus and expertise

FIGURE 7 - Attacks impersonating Microsoft’s domains. Mimecast sees thousands of attacks using Microsoft 365 accounts on a daily basis. [Chart: daily Attack Count (0 to 9,000), 7/1/23 through 9/24/23.]

Attackers are increasingly using major providers’ cloud services to launch attacks, with an increasing amount of spam and phishing coming from public domains, such as gmail.com and outlook.com.

Mimecast blocks thousands of malicious email messages targeting Microsoft 365 accounts every day utilizing their own services, such as Microsoft Dynamics 365 Customer Voice (see Figure 7 and 8). These attacks — along with those from other public services, such as gmail.com and yahoo.com — can be difficult for the average worker to differentiate in a sophisticated phishing attack.

FIGURE 8 - Microsoft 365 Dynamics customer voice phishing page. [Screenshot not reproduced.]

In July, Mimecast saw a large spike in emails originating from compromised O365 accounts that contained .eml attachments. While this is not a new technique, threat actors continue to use these methods to circumvent security solutions. To increase their chances of success, attackers often make use of several layers within these campaigns, such as obfuscation within JavaScript.

Multiple variations of this threat with an embedded .eml attachment have been seen over the past quarter, using reputable companies and other lures to achieve the same result.

Companies, for example, should ensure that they are


protecting their email and collaboration channels by
using the DMARC email authentication protocol
to prevent their brands from being coopted for
use in spear phishing attacks.

In addition, opening links in sandboxed environments


can prevent a successful credential phishing attack.

In the end, email-service providers, such as Microsoft


365 and Google Workspace, do a great job delivering
email and even reducing spam. However, managing
the security of your users requires more:

A security provider focused on protecting


businesses and workers from
ever-evolving threats.
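Whether a domain's DMARC record actually enforces anything is a quick, concrete check behind the brand-protection recommendation above. The Python below is an added example for this page, not Mimecast's code; it parses the tag=value syntax of a DMARC TXT record and reports the gaps a reviewer looks for (monitoring-only `p=none`, a partial `pct`, a weaker subdomain policy via `sp`, no `rua` aggregate-reporting address). The records it runs on are constructed strings; in practice the value is the TXT record fetched from `_dmarc.<domain>`, which this example deliberately does not do so that it runs offline.

```python
def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ("tag=value; tag=value") into a dict.
    Tag names are case-insensitive; values are kept as written."""
    tags = {}
    for chunk in record.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "=" not in chunk:
            raise ValueError(f"malformed DMARC tag: {chunk!r}")
        name, value = chunk.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str):
    """Return (enforcing, findings). 'enforcing' is True only when receivers
    will quarantine or reject all spoofed mail for the domain and its
    subdomains; 'findings' lists every gap, including ones (like a missing
    rua=) that do not by themselves stop enforcement."""
    findings = []
    try:
        tags = parse_dmarc(record)
    except ValueError as err:
        return False, [str(err)]

    if tags.get("v") != "DMARC1":
        findings.append("v=DMARC1 tag missing or wrong; receivers ignore the record")

    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= tag missing or invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")

    try:
        pct = int(tags.get("pct", "100"))   # RFC default is 100
    except ValueError:
        pct = -1
        findings.append(f"pct={tags['pct']!r} is not a number")
    if 0 <= pct < 100:
        findings.append(f"pct={pct} applies the policy to only part of failing mail")
    elif pct > 100:
        findings.append(f"pct={pct} is out of range")

    sub_policy = tags.get("sp", policy).lower()   # subdomains inherit p= unless sp= is set
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")

    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports on abuse of the domain go nowhere")

    enforcing = (tags.get("v") == "DMARC1"
                 and policy in ("quarantine", "reject")
                 and pct == 100
                 and sub_policy in ("quarantine", "reject"))
    return enforcing, findings


if __name__ == "__main__":
    # Constructed records, from weakest to strongest.
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid",
                "v=DMARC1; p=reject; pct=50; sp=none",
                "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid"):
        ok, gaps = assess_dmarc(rec)
        print(f"{rec}\n  enforcing={ok} gaps={gaps}")
```

A record that passes `assess_dmarc` still depends on SPF and DKIM being aligned for the domain's legitimate senders; the check above says whether the policy would be applied, not whether the organization's own mail would survive it.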
THREAT ASSESSMENT

Threat actors continue to focus on expanding the ways they can gain initial access into companies, including adopting collaboration software — such as Microsoft Teams — and expanding their Living off the Land (LotL) techniques to include a greater variety of programs. The underground economy continues to produce more advanced tools — the third quarter saw the rising popularity of a customized phishing platform used by at least 500 threat actors.

Some notable successes in thwarting threat actors include the Qakbot botnet takedown by a multinational group of law enforcement and private-sector firms, and the fact that pressure on cybercriminal actors to decrease ransoms has become so strong that at least one group (LockBit) is considering putting limits on its affiliates to negotiate ransom amounts.

Additionally, the Emotet group has once again paused its operations, but whether this can be considered a success for defenders is unclear, as the group has previously shuttered operations only to appear again.
MAJOR EVENTS 2023 Q3

1 JUL - BlackCat Advertising Campaign
Analysis finds BlackCat ransomware gang using “malvertising” to gain initial access to business networks.

3 JUL - Emotet Hibernates?
Emotet operation appears to enter dormant period again, according to several sources. However, Mimecast has detected ongoing operations by the group.

13 JUL - TeamTNT Phishes for Credentials
TeamTNT targets cloud credentials and kicks off cryptocurrency mining campaign.

2 AUG - Phishing Through Microsoft Teams
Midnight Blizzard group uses compromised M365 tenants to send malicious Teams messages and target credentials.

3 AUG - Living Off the Land Grows More Popular
Hackers are finding more ways to use the executable files present on targeted systems — including Microsoft Office programs — to download malicious code.

17 AUG - QR Codes in Phishing Campaigns
Attackers use QR codes to bypass email-security solutions and redirect victims to phishing sites, focusing on companies in the energy, manufacturing, and insurance sectors.

25 AUG - Qakbot Takedown
A multinational effort between law enforcement and technology providers resulted in the disruption of the Qakbot malware and botnet and the dissemination of an uninstall file to affected systems.

5 SEP - Threat Group Targeting Okta Super Admins
Attackers targeted at least four Okta customers with social-engineering campaigns that aimed to bypass two-factor authentication security protecting the accounts. Mimecast began detecting the attacks in May.

6 SEP - BEC Phishing Kit Uncovered
Researchers uncover W3LL threat actor, which has been selling a custom phishing kit customized for BEC attacks and bypassing MFA to more than 500 other threat actors.

12 SEP - More Phishing Through Microsoft Teams
Storm-0324 (aka TA543 and Sagrid), a distributor of cybercriminal tools, has widely adopted phishing lures sent through Microsoft Teams.

12 SEP - WebP Vulnerabilities Threaten Mass Attacks
Two vulnerabilities in the WebP open-source image library used by browsers, email clients, and other applications are found to have already been exploited by nation-state actors, attacks that presage potential compromises for months, if not years, as consumers patch.

18 SEP - Cybercriminal Affiliates Low-Balling Ransoms?
Worried that too many “affiliates” are discounting ransoms, the LockBit ransomware group discusses the imposition of a minimum ransom set at 3% of the victim company’s annual revenue.

26 SEP - ZeroFont Technique Sees Resurgence
The phishing tactic of embedded zero-font-sized text has undergone some refinements and now attempts to make emails look more reputable by using zero-font text at the beginning of the message — text which often shows up in the message list of popular email clients.
TOP ADVISORIES

Government sources issued many advisories focused on email security during the quarter, including warnings of an increase in attacks on Outlook Online and descriptions of fast-turnaround extortion and cryptocurrency scams.

In addition, government researchers noted that many ransomware attacks continue to rely on well-understood techniques to monetize any initial compromise of an organization’s network.

6 JULY [NCSC] Active Cyber Defense (ACD) – The Sixth Year Report
The number of malicious sites taken down by the UK government fell in 2022 to 1.8 million campaigns and 2.4 million URLs, from 2.7 million campaigns and 3.1 million URLs in 2021. While the frequency of attacks has remained stable, the servers behind extortion emails and cryptocurrency investment scams have short uptimes (1 hour to 1 day, on average), resulting in the attacks ending before they could be taken down.

12 JULY [CISA] Enhanced Monitoring to Detect APT Activity Targeting Outlook Online
The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned critical infrastructure agencies that advanced persistent threat (APT) groups had begun targeting Outlook Online with attacks using a Microsoft account (MSA) consumer key to forge tokens.

30 AUG [CISA, FBI] Identification and Disruption of QakBot Infrastructure
CISA and the FBI released a joint advisory following the August 25 takedown of the Qakbot botnet. The advisory included a description of the takedown, which severed the connections between command-and-control servers and victims’ machines, as well as indicators of compromise. The FBI worked with industry partners to share information, including indicators of compromise, to help defenders detect Qakbot infections and remediate compromises.

11 SEP [NCSC, NCA] Ransomware, extortion and the cybercrime ecosystem
Ransomware and wiper malware have caused massive disruptions to business operations in the past five years. Showing their adaptability, however, today’s cybercriminals are focused more on monetizing opportunistic data breaches using well-understood attack techniques.

12 SEP [NIST] WebP Vulnerabilities (Chrome: CVE-2023-5217 and CVE-2023-4863; Apple: CVE-2023-41064)
Both Google and Apple fixed zero-day vulnerabilities in the libwebp library that were being exploited by nation-state actors. The library is not just used by browsers; it’s also used by other applications, including those on mobile devices, which may not be updated as quickly as other consumer software.
HOW TO TAKE ACTION

Cybercriminals are tailoring threats to take advantage of current events using all available attack vectors but particularly those that can be mass delivered such as phishing, spam, and impersonation emails. Organizations should seek to maintain adequate standards of cyber hygiene through the appropriate use of hardening techniques for organizational assets.

Threat-specific countermeasures

Mandate more security from third parties
Attacks against organizations in the manufacturing, transportation, storage and delivery, and retail and wholesale sectors represent significant third-party risk of supply-chain compromise. Organizations should review their service-level agreements to set minimum levels of data security and cybersecurity and find ways to monitor their suppliers more closely, such as external rating services, as well as subject acquisitions to extra scrutiny.

Scan external network for open ports
Organizations should regularly scan their external network to ensure any publicly accessible server ports are closed or adequately secured and protected. Mimecast has noted continuing increases in attacks against remote desktop protocol (RDP) ports that have accounted for 80% of effective ransomware compromises. Attackers will continue to look for open RDP ports as a way to compromise organizations.

Block images in email messages
Attackers are increasing their use of image-based file types as a way to sneak in phishing lures and malicious code while evading detection. Mimecast’s analysis has identified threat actors also using encryption and foreign language text, accompanied by encryption, within images to escape notice. Companies should configure email clients to prevent the loading of images in messages and isolate any images that users explicitly request.

Segment the network & log internal traffic
Attackers, especially during a ransomware attack, can quickly move laterally throughout a network. Segmenting the internal network and putting critical assets in their own enclaves can reduce the damage caused by ransomware and other attacks. Monitoring internal traffic, especially communications into specific segments, can result in earlier detection of threats.

General recommendations to combat threats

Maintain backups of critical systems & data
Organizations hesitate to pay ransoms, doubting ransomware groups’ data recovery promises. To minimize downtime and costs after an attack, robust backups, especially of critical data, and routine recovery process testing are vital. In a ransomware event, backups might be the sole recovery option. Cloud backups often yield better results, but organizations should opt for the most suitable backup method.

Increase user awareness & training
Educating users in current phishing techniques will significantly aid companies in foiling phishing attacks and credential theft. Users should be regularly trained using examples of current attacks and be given specific strategies to help determine whether an email is suspicious. In addition, vulnerable users should have focused training in conjunction with restrictive security policies. Users also should be instructed to report suspicious email messages to IT security to help determine when attackers are targeting specific individuals.

Harden user credentials
Emotet and ransomware threats exploit common passwords to infiltrate networks. Recent attacks highlight how weak passwords contribute to breaches. Strengthen any network by enforcing robust passwords, especially for privileged users. IT security must eliminate default admin passwords.

Implement phishing-resistant multi-factor authentication
Adopting an additional factor of authentication, especially a phishing-resistant technology, can result in a significant reduction in credential-based attacks, as part of a zero-trust approach to security. Companies that add pervasive multifactor authentication to both their cloud and internal infrastructure will reduce their risk by an order of magnitude.

Prioritize vulnerabilities & patch quickly
Though thousands of vulnerabilities are reported yearly, only a few are exploited. To enhance security, focus on regular updates for critical software. Threat intelligence helps spot and prioritize actively exploited vulnerabilities for quicker patching. Mimecast foresees a rise in zero-day exploits due to cybercriminals adopting advanced tools like AI and machine learning. Prioritize securing key internet-exposed systems and software, like VPNs and remote desktop tools, as they carry higher risks.

Resources

Here is a list of resources (webinars, papers, advisories) that security groups can visit to better understand the threats and defenses.

- CISA: Known exploited vulnerabilities catalog (updated weekly)
- NCSC: Spotlight on shadow IT (27 July 2023)
- CISA: Review of the attacks associated with Lapsus$ and related threat group report (10 August 2023)
- CISA: Open source software security roadmap (12 September 2023)
- CISA: Phishing guidance: stopping the attack cycle at phase one (18 October 2023)
Methodology

The data in this report is derived from analysis of more than a billion emails per day monitored by Mimecast on behalf of its 42,000+ global customer organizations and compiled by the Mimecast Threat Intelligence Center.

Mimecast's threat detection engine proceeds from simple to increasingly sophisticated filters and eliminates threats at each layer as they are detected. This means that threats identified by the spam layer will be stopped there and not scanned by subsequent layers. So, simple and obvious impersonation threats, for example, may be neutralized by the spam layer and, therefore, not included in our data for impersonations detected.

Steps specific to Mimecast Customers

Actionable steps to protect your users from the threats in the report, with medium-level technical details. If you are unsure of the effect of any of the proposed settings, please reach out to your Mimecast account manager or customer success manager, or log a call with Mimecast support.

Single sign-on
It is recommended to utilize single sign-on from your identity provider or leverage Mimecast's built-in multi-factor authentication to reduce an attacker's ability to leverage email as their attack vector.

Impersonation protection
Optimize Impersonation Protection as per best-practice guidelines: two hits set to tag Subject/Body, plus a separate C-Level/VIP policy based on name match with a hold for admin review. In addition, create another policy for any detections of three hits or more with the admin hold action.

Safe file
Consider Safe File, within Attachment Protection, for at-risk departments that do not require access to editable attachments.

DNS authentication policies
Ensure DNS authentication policies honor DMARC records. A second policy scoped to a policy group with the DMARC Fail action set to Ignore/Managed and Permitted Senders will provide an effective bypass for any legitimate mail being rejected or quarantined for DMARC failures.

Re-writing of URLs
Setting an aggressive re-writing of URLs will ensure all URLs are scanned upon click, but be aware that anything that looks like a URL will be re-written, e.g., IP addresses and internal links.

Anti-spoofing lockout
Utilize Anti-spoofing lockout, if possible, to add an extra layer of protection; however, ensure you are aware of any entity that is spoofing your domain, as this policy will reject and not hold mail.

Capture and review logs
Regularly capture and review logs on your Mimecast account to enforce security policies.

Third-party threat feeds
Leverage bring-your-own threat intelligence to take advantage of any third-party threat feeds for automatic rejection of matching indicators.
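The impersonation policy tiers above (two hits tag the Subject/Body, three or more hits are held for admin review, a C-Level/VIP name match is held regardless), as an added example that is not Mimecast's code. The four indicator checks are simplified stand-ins for product detections, and the VIP list, internal domain, lookalike pattern and dictionary are constructed.

```python
"""Toy evaluator of tiered impersonation policies (added example, not
Mimecast's code). Indicator checks, VIP list, internal domain, lookalike
pattern and threat dictionary are constructed assumptions."""
import re
from dataclasses import dataclass

VIP_NAMES = {"jane doe", "john smith"}                 # constructed C-Level/VIP list
INTERNAL_DOMAINS = {"example.com"}                     # constructed
LOOKALIKE = re.compile(r"examp1e|exarnple|example-")   # constructed lookalike patterns
DICTIONARY = re.compile(r"\b(urgent|wire transfer|gift card)\b")  # constructed

@dataclass
class Message:
    from_name: str
    from_domain: str
    reply_to_domain: str
    subject: str
    body: str
    newly_observed_domain: bool = False

def impersonation_hits(msg: Message) -> list[str]:
    """Collect independent impersonation indicators ("hits") on one message."""
    hits = []
    if msg.reply_to_domain != msg.from_domain:
        hits.append("reply-to mismatch")
    if msg.from_domain not in INTERNAL_DOMAINS and LOOKALIKE.search(msg.from_domain):
        hits.append("similar internal domain")
    if msg.newly_observed_domain:
        hits.append("newly observed domain")
    if DICTIONARY.search(f"{msg.subject} {msg.body}".lower()):
        hits.append("targeted threat dictionary")
    return hits

def vip_name_match(msg: Message) -> bool:
    """An external sender whose display name matches a VIP."""
    return msg.from_name.lower() in VIP_NAMES and msg.from_domain not in INTERNAL_DOMAINS

def policy_action(msg: Message) -> str:
    """Most restrictive matching tier wins: hold > tag > deliver."""
    hits = impersonation_hits(msg)
    if len(hits) >= 3 or vip_name_match(msg):
        return "hold"      # held for admin review
    if len(hits) >= 2:
        return "tag"       # tag Subject/Body and deliver
    return "deliver"
```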

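The URL re-writing caveat above, as an added example that is not Mimecast's code: a deliberately broad URL pattern rewrites every URL-like token into a click-time scanning link, so bare IP addresses and internal links are rewritten too; an allowlist of internal hosts (an assumption, not a setting described here) is one way to exempt them. The scanning endpoint, allowlist and sample body are constructed.

```python
"""Aggressive URL re-writing and what it sweeps up (added example, not
Mimecast's code). Scanning endpoint, internal-host allowlist and sample
message body are constructed assumptions."""
import re
from urllib.parse import quote

SCAN_PREFIX = "https://protect.example.test/?u="   # constructed click-time scanning endpoint
INTERNAL_HOSTS = {"intranet.corp.local"}           # constructed allowlist (assumed, not a product setting)

# Deliberately permissive: schemed URLs, bare dotted hostnames and bare IPv4 addresses,
# each with an optional port or path. This is what makes IPs and internal links "look like a URL".
URL_LIKE = re.compile(
    r"(?:https?://)?(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[:/][^\s<>]*)?",
    re.IGNORECASE,
)

def host_of(token: str) -> str:
    """Host part of a URL-like token, without scheme, port or path."""
    no_scheme = re.sub(r"^https?://", "", token, flags=re.IGNORECASE)
    return re.split(r"[:/]", no_scheme, maxsplit=1)[0].lower()

def rewrite_urls(body: str, allow_internal: bool = False) -> tuple[str, list[str]]:
    """Return the rewritten body and the tokens that were rewritten, in order."""
    rewritten = []

    def repl(match):
        token = match.group(0)
        if allow_internal and host_of(token) in INTERNAL_HOSTS:
            return token                      # exempted internal link
        rewritten.append(token)
        return SCAN_PREFIX + quote(token, safe="")

    return URL_LIKE.sub(repl, body), rewritten

SAMPLE_BODY = (  # constructed message body
    "Quarterly report: https://vendor.example.test/q3\n"
    "Printer queue is at 10.0.0.5/status and the wiki is intranet.corp.local/wiki"
)
```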