Freely subscribe to our NEWSLETTER

It was discovered by researchers at Vade Secure, the global leader in email security, which protects and monitors one billion inboxes around the world, giving it an unparalleled ability to observe emerging threats or trends.

They observed a huge surge in the number of spam emails flooding into inboxes of customers in Italy, France, Denmark and the US.

One company was hit by 300,000 spam emails in just one day, forcing it to shut down affected accounts and reset credentials. This is a costly endeavour, with each support call estimated to cost ISPs between €20 and €70.

The spam wave is unique because emails are deposited into inboxes, bypassing protection layers. Vade Security suspects the criminals are using a tool called Email Appender, which was first identified by Gemini Advisory in October 2020 and can be purchased on the Dark Web on a subscription basis.

Email Appender allows a cybercriminal to validate compromised account credentials, configure a proxy to avoid IP detection, draft a malicious email and then simply deposit the spam into compromised users’ accounts.

This tool features a user interface (UI) that allows a hacker to customize the email by changing the display name of the sender address and creating a reply-to address. Compromised account credentials are also likely to have been purchased from the dark web and validated with Email Appender to connect to the user’s account via IMAP.

Adrien Gendre, Vade Secure chief product and services officer, said: “The emergence of Email Appender as a subscription is a warning sign of what’s to come in the cybercrime-as-a-service space. Illegal services now available on the Dark Web allow low-tech criminals to pull off successful ransomware attacks. If Email Appender and other tools like it continue to prove so successful, they could go viral in the cybercriminal community.

“In the past, we’ve seen that hackers will test their techniques on the consumer market before moving to the business market. Consumers are sometimes less security-savvy than businesses, meaning they present a relatively easy target and allow criminals to master new techniques.

“If and when this threat morphs into phishing, business email compromise, or malware, a platform like Microsoft 365 is ripe for attack. Most email security solutions for Microsoft 365 are not integrated with the platform via API but sit outside the Microsoft tenant. This means that not only do they not scan internal Microsoft 365 email for insider threats, but they also cannot act on malicious emails once they have been successfully delivered.

“While this latest threat primarily features spam, we expect hackers to hone their techniques before moving on to more advanced threats, including phishing and malware. Spam is easy to produce and it’s cheap, but phishing and malware require more sophisticated methods and tools to be successful.”