Melissa, what many consider to be the first malspam campaign, emerged in 1999. Once successfully installed, the “mass-mailing” virus forwarded copies of itself to the first 50 email addresses on a victim’s contact list. While the malware wasn’t as dangerous as current variants, it could still effectively max out network resources, resulting in downtime.

It has been over two decades since Melissa came out, yet much of the payload delivery tactic hasn’t changed. An email remains a vector of choice for cybercriminals to deliver malware because people are hardwired to open messages.

Despite increased sophistication, however, malspam infections can be mitigated and even sometimes thwarted with the help of email validation tools. One such product is Email Verification API, an email validation program that checks the quality of email addresses coming in contact with your network.

Case Study: The Emotet Cybercrime Operation

Security researchers reported new activities from the once-dormant Emotet, suggesting the launch of a new campaign. In fact, the volume of Emotet-laced spam emails saw a spike in September 2019, before peaking in November of the same year. At one point, a cybersecurity solutions provider blocked up to 1 million malicious emails carrying Emotet payloads in a day. The majority of these emails targeted .gov and .mil domains, along with United Nations (UN) employees.

The U.S. Department of Homeland Security thus dubbed Emotet as “among the most costly and destructive” malware to impact state, local, tribal, and territorial (SLTT) governments and private institutions. The reason behind that is Emotet’s versatility. It also self-propagates, allowing it to spread to connected systems.

Another reason for its success is that its perpetrators typically use familiar brands by sporting their logos or spoofing their email addresses in spam. Some even go the extra mile by including email threads between users.

Warding Off Emotet with Email Validation Tools

In one particular wave of Emotet attacks, researchers observed an influx of emails containing keywords such as “invoices,” “shopping cart processing,” “account balance,” “account payable,” and “port clearance and departure” in subject headers. Other indicators of compromise (IoCs) include malicious URLs that the malware contacts and a malicious Microsoft Office file. The screenshot below shows the URLs and IP addresses of known Emotet command-and-control (C&C) servers.

Unsuspecting users who open the malware-laced Office document are then instructed to “Enable Editing,” which executes a malicious macro. The macro then downloads Emotet onto the victim’s computer. Once in, Emotet begins to exfiltrate data from the victim’s email account and computer.

Yet Emotet can only unleash its devastating effects if an email recipient takes the bait. An efficient way to prevent that is by using an email validation solution to prevent malicious emails from making it to users’ inboxes in the first place.

Email Verification API, for one, can help detect Emotet-laden emails. Take the IoC, katharinaweigelmann@4celia[.]com, which we obtained from VirusTotal, as an example. When queried on the API, you will see that while the email address is formatted correctly, it does fail in other validation tests. According to the output, the email address does not have a corresponding Domain Name System (DNS) record, nor does it have a Simple Mail Transfer Protocol (SMTP) connection. These results indicate that the email address does not have a corresponding inbox, and is probably fake.

The API also checks for other vital metrics, such as if an address is from a free or disposable email service. It also verifies if the address is a catch-all one, which means it receives messages for several accounts (i.e., no particular person owns it).

The example above demonstrates how a solution like Email Verification API can help catch anomalous email addresses that may be trying to bypass your network filters. Scanning email addresses as part of your data loss prevention (DLP) strategy can thus help your organization fend off malspam attacks.

* * *

The resurgence of Emotet is a good reminder for organizations to strengthen their defenses against the evolving threat landscape. Hackers may continually expand their tools, tactics, and procedures (TTPs), but email validation tools such as Email Verification API can still serve as an effective barrier against them.