First Half of 2020—Leading Email Security Trends and Concerns

Email security - first half of 2020What has the cybersecurity landscape looked like so far in 2020? Alif Ahmad and I recently held an Ask an Analyst: Email Threat Detection and Intelligence webinar to speak about email security concerns and trends observed so far in 2020 as well as to offer insights about what we expect in the second half of the year.

Cybersecurity Detection Trends

For years, SilverSky has gathered malicious and suspicious email activity data allowing us to identify seasonality in cyberattacks. The summer is usually an active season for cyberattacks, as is the fourth quarter, but typically, the first half of every year is relatively quiet. We saw an expected lull in cybercriminal activity in January 2020, but February through May experienced atypically aggressive pandemic-themed attack activity. Activity plateaued somewhat in April and May, but attacks picked up again in June, which is typical based on historical data.

New in 2020 has been the increase in pandemic themed email attack campaigns and the subsequent targeting of cloud service providers for the aim of business service impersonation. While Q1 2020 attacks were directly related to the pandemic, Q2 2020 saw spoofing of cloud service providers. Because of the pandemic and corresponding work-from-home constructs, the use of cloud services has increased. Unsurprisingly, cybercriminals adapted to this new opportunity.

Q1 2020 Cyberattack Tactics

Pandemic-themed attacks were the first phishing campaigns of 2020. Beginning in February, attackers began posing as authorities from government agencies such as the Centers for Disease Control and Prevention, the World Health Organization, and other entities claiming to offer critical information on the COVID-19 pandemic that had just hit the US. Email recipients were duped into offering log in credentials and other personal information. 

As the campaigns evolved, emails began delivering URLs and attachments that downloaded malware. The attack techniques and payloads were not that novel, but attackers used the pandemic to attract the attention of email recipients during a time when the US was scared and grasping for information to understand the evolving crisis. 

Q2 2020 Cyberattack Observations

The trend of exploiting human emotion using current events to enhance the effectiveness of attacks continued in the second quarter. When the Black Lives Matter (BLM) movement rapidly gained momentum in the US toward the end of May, attackers sent emails from recently registered domains to exploit this highly emotional situation. Just as with COVID-19, attackers posed as local, state, or federal government entities.

A common cyberattack approach included using surveys to gather opinions relating to BLM. These surveys tended to look like government forms; however, when the recipient downloaded an attached survey, they were required to enable macros that eventually downloaded TrickBot malware and executed a DLL payload onto the recipient’s computer. TrickBot, an evolving banking Trojan, has been around since 2016, but the variant used in the BLM campaigns had extended functions to steal credentials from victims’ emails, browsers, and installed apps.

Digital-Workspace and Cloud Service Provider Attacks

To facilitate work-from-home productivity, companies rapidly migrated to digital workspaces, creating new targets for cybercriminals. Initial attacks targeted Microsoft impersonating O365, Sharepoint and Microsoft Teams services.  In Q2 2020, email attacks expanded to other cloud service providers including Zoom, Google, Dropbox, VoIP providers, and others.

In attacks targeting Zoom,  attacks spoofed Zoom video conferencing service to trick users into handing over their confidential details. For example, emails with attention drawing subject lines such as  “User Cancelled on XX/XX/2020” using a display name of “Zoom” were sent to victims from multiple randomly generated email addresses. The body of the message asked recipients to click on a “Reactivate Account” link. Upon clicking “Reactive Account,” customers were redirected to a compromised credential phishing website unrelated to Zoom.

Impersonating VoIP providers, attackers sent targeted emails to victims spoofing their company’s voicemail service. The emails included a link to allow the recipient to listen to the voicemail. When victims clicked on the link, they were directed to a page asking for their credentials. 

We also observed a significant increase in Google APIs phishing URLs whereby hackers used Google Cloud Storage (GCS) to host phishing kits and redirect users to harmful pages on their websites. Our investigations indicated that this campaign was part of a mass-distributed general phishing campaign; however, there is not sufficient evidence to attribute these cases to specific a hacking group. Weaponizing third-party services, instead of hosting their own malicious websites, is a new trend among cybercriminals. 

Email Attacks with Malicious Attachments

Although phishing emails with a link to a malicious site is a common approach, we are also seeing email with malicious attachments. Some of the attack techniques, like those utilized by the notorious Lazarus Group, have become even more sophisticated. 

In May 2020, we learned of attacks containing job description documents for leading defense companies like Boeing, Lockheed Martin, and BAE Systems. The companies themselves were not targeted; instead, victims were tricked into believing they had received job-posting information from these companies.  The emails contained falsified job description attachments or links to download an attachment. 

The documents automatically downloaded a malicious document template through a template-injection attack technique. This approach allows these documents to evade static analysis from typical email and AV scans. Once the message template is downloaded and executed the main malicious payload.

A recent Valak malware campaign targeted organizations in healthcare, finance,  manufacturing, and insurance industries. The emails contained a  ZIP archive attachment and provided a password to extract the archive contents. The initial infection process of this malware involves Microsoft Word documents inside the ZIP file that include embedded VBA macro function as a downloader and handles executing DLL associated with Valak.

Election-Themed Attacks 

We anticipated election-themed attacks in the second half of the year; however, we’ve seen this activity pick up earlier than expected. So far, attacks have been mostly spam-like, but we expect increasingly aggressive and more targeted phishing campaigns in the upcoming weeks and months before the election.


To learn more about the cyberattacks observed so far this year, what we anticipate for the second half of 2020, and recommendations for increasing email security, I encourage you to watch the full on-demand webinar. Also, we update our Malicious Email Attack Report Library each month with new observations and insights.

As always, if SilverSky can help you better protect your digital estate from cybersecurity threats, don’t hesitate to contact us.

Head of Product Management, Email Protection and Cloud Email , SilverSky
SilverSky offers a comprehensive suite of products and services that deliver unprecedented simplicity and expertise for compliance and cybersecurity programs.
follow me



Managed Detection and Response

Comprehensive solutions to detect, prioritize, and address security incidents.

Managed Security Services

24 X 7 X 365 monitoring, management, and system maintenance.

Email Protection Suite

Monitor and manage your email environment with advanced email security and compliance protections.

Cloud Email and Collaboration

Cloud office productivity enhanced with proven security and compliance protection.

How does SilverSky's integrated stack of solutions meet your needs?

Compliance and Risk Services

Assess your program and controls, benchmark and identify areas for improvement. Develop your security roadmap for investment and improvements. Effectively measure ROI and impact on your security posture

Incident Response Readiness

Incident Response Plan Development / Review. Incident Response Readiness Review. Emergency Incident Response.

Discuss your compliance, risk management and incident response readiness needs.

Schedule Free 1-on-1 Consultation

Financial Services

1,500+ small & mid-sized financial institutions rely on SilverSky to meet and exceed FFEIC, GLBA and PCI DSS requirements and overall cybersecurity needs.


Hundreds of small & mid-sized healthcare organizations rely on SilverSky to address HIPAA and other regulatory requirements and serve overall cybersecurity needs.


Small and mid-sized retail organizations count on SilverSky to maintain PCI DSS requirements, secure customer data and reduce cybersecurity threats.

How Exposed Are You?

Take the test to see how your security program compares with other businesses like yours.


White papers, guides, tools, on-demand webinars, case studies and more. Explore a range of topics. 

Events & Webinars


Product Sheets

SilverSky product and services information at your fingertips. Product data sheets, compliance matrixes, & brochures.

How Exposed Are You?

Take the test to see how your security program compares with other businesses like yours.

Become A Partner

Partner with SilverSky to tap into the approaching $300 billion+ cybersecurity market.

Talk to one of our partner managers and consider expanding your cybersecurity offerings.

Schedule Partner Exploration Discussion

Share This