Malicious Email—Today’s New and Evolving Threats

In combination with advanced detection technologies, SilverSky’s Threat Intelligence Team delivers Targeted Attack Protection (TAP), a product within SilverSky’s Email Protection Suite (EPS). TAP detects advanced malicious email threats through static and dynamic analysis of attachments, websites, and downloads linked to inbound emails.

This article shares some meaningful malicious email detections and new threats the team has identified within the past few months. For a more complete look at detected and new threats and threat analysis and detection trends, we invite you to access and subscribe to our Malicious Email Activity Report Library.

Malicious Email Attacks of Interest

Covid-19 Agent Tesla Variants

Agent Tesla, an information-stealing malware, has been used extensively in email attack campaigns. TAP has seen Agent Tesla variants used widely since the outbreak of the COVID-19 virus in January 2020. This month’s detection starts with a phishing email containing a “Purchase-Order” themed attachment. Disguised as an RTF file, the payload exploits CVE-2017-11882, a stack buffer overflow, which is the catalyst for delivering Agent Tesla. The malware injects code into a Windows process; the injected process performs all malware activity and subsequently sends the results to the C2 server. The attachment within this email also contains OLE2Link, which triggers the execution of scripts without any user interaction. The file then executes Powershell.exe to download and execute the Agent Tesla malware.
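A static triage check for attachments of this kind, as an added example that is not SilverSky's TAP logic or code from the original article. It assumes the standard OLE class names `Equation.3` and `OLE2Link` and the OLE1 header layout used in RTF `\objdata`; the sample document is constructed and carries only a header and class name, no payload.

```python
import binascii
import re

# OLE class names tied to the behaviour described above (assumption: matched
# case-insensitively inside the decoded \objdata stream).
SUSPECT_CLASSES = {
    b"equation.3": "Equation Editor object (component affected by CVE-2017-11882)",
    b"ole2link": "OLE2Link object (linked content fetched on open)",
}
OBJDATA = re.compile(rb"\\objdata([^}]*)", re.IGNORECASE)


def scan_rtf(data: bytes) -> list:
    """Return static findings for one attachment; empty list if nothing matched."""
    if not data.lstrip().lower().startswith(b"{\\rt"):
        return []  # not RTF, whatever the file extension claims
    findings = []
    if re.search(rb"\\objupdate(?![a-z])", data, re.IGNORECASE):
        findings.append("objupdate: object is updated automatically on open")
    for match in OBJDATA.finditer(data):
        # Hex may be split by whitespace or use mixed case; keep only the digits.
        digits = re.sub(rb"[^0-9A-Fa-f]", b"", match.group(1))
        blob = binascii.unhexlify(digits[: len(digits) & ~1]).lower()
        for cls, meaning in SUSPECT_CLASSES.items():
            if cls in blob:
                findings.append(meaning)
    return findings


def build_sample(class_name: bytes) -> bytes:
    """Constructed RTF holding only an OLE1 header and class name."""
    name = class_name + b"\x00"
    header = bytes.fromhex("0105000002000000") + len(name).to_bytes(4, "little") + name
    hexed = binascii.hexlify(header)
    # Break the hex across lines, as documents seen in the wild often do.
    wrapped = b"\r\n".join(hexed[i:i + 16] for i in range(0, len(hexed), 16))
    return b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objdata " + wrapped + b"}}}"


if __name__ == "__main__":
    for finding in scan_rtf(build_sample(b"Equation.3")):
        print(finding)
```

This is a heuristic: documents that nest control words or groups inside the hex stream need a full RTF object parser, and a match is a reason to detonate or quarantine rather than a verdict.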

Voicemail Attacks Targeting Office 365 Users

Cybercriminals are using coronavirus-themed voicemail notifications in the latest efforts to steal credentials. The attachment consists of an audio file with a phishing URL hidden in it. When the user clicks on the file, they are directed to the Microsoft Office 365 (O365) phishing page requiring login credentials. 

Increased Abuse of Google APIs

TAP has observed a significant increase in Google APIs phishing URLs, whereby hackers use Google Cloud Storage (GCS) to host phishing kits and redirect users to harmful pages on their malicious websites. According to our investigation, this activity is part of a mass-distributed general phishing campaign; there is no evidence that these cases are part of a targeted attack or related to a specific hacking group. Weaponizing third-party services, instead of hosting their own malicious websites, is a new trend among cybercriminals. This method can also be used to infect users’ devices with different kinds of malware, such as ransomware.

Agent Tesla with WHO “Method” for Covid19

We noticed an email phishing campaign in which threat actors spoof the real address of the head of the World Health Organization (WHO), one of the premier scientific resources on Covid19, and claim to offer a method/preventive measures against Covid19 disease. The malicious email attachment, named “Method_COVID2019_Safety.pdf.rar”, contains the Trojan agent compressed in RAR archive format, with a .pdf extension in the name to trick users. The email arrived in recipients’ inboxes allegedly from the WHO, with a sender email address of World Health Organization <who[@]>. Notice that the sender’s email address domain is “astaylojstlk[.]com” when legitimate WHO email addresses instead end with “”. Once the recipient opens and runs the attachment, GuLoader, used to load the real payload, installs Agent Tesla, a trojan written in Visual Basic that can steal usernames, passwords, and credit card information from the user’s system.
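The two tells in this message, a trusted display name on an unrelated sender domain and a document extension in front of an archive extension, can be checked mechanically. The following is an added example, not SilverSky's detection logic or code from the original article; the `who.int` allowlist entry, the extension sets, and the `.example` addresses in the constructed sample messages are assumptions.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: display names worth protecting, mapped to domains they really use.
KNOWN_SENDERS = {"world health organization": {"who.int"}}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
ARCHIVE_EXTS = {"rar", "zip", "7z", "gz", "iso"}
RAR_MAGIC = b"Rar!\x1a\x07"  # signature prefix shared by RAR 4 and RAR 5


def triage(raw: str) -> list:
    """Return findings for display-name spoofing and disguised archives."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    allowed = KNOWN_SENDERS.get(display.strip().lower())
    if allowed is not None and not any(
        domain == d or domain.endswith("." + d) for d in allowed
    ):
        findings.append("sender-mismatch:" + domain)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        exts = name.split(".")[1:]
        # e.g. "something.pdf.rar": document extension followed by archive extension
        if len(exts) >= 2 and exts[-2] in DOC_EXTS and exts[-1] in ARCHIVE_EXTS:
            findings.append("double-extension:" + name)
        # Archive bytes under a name that does not end in .rar
        data = part.get_payload(decode=True) or b""
        if data.startswith(RAR_MAGIC) and exts[-1:] != ["rar"]:
            findings.append("rar-content-under-other-name:" + name)
    return findings


def build_sample(from_hdr, filename, payload=RAR_MAGIC + b"\x00"):
    """Build a constructed test message (not a captured email)."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "user@recipient.example"
    m["Subject"] = "Safety measures"
    m.set_content("Please see the attached document.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    print(triage(build_sample(
        "World Health Organization <who@sender-domain.example>",
        "Method_COVID2019_Safety.pdf.rar")))
```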

Phishing Campaign Installing NetSupport Manager RAT

The infection chain starts with a phishing email bearing a Microsoft Word document laced with malicious macro code. The attachment named “NortonLifeLock” is a password-protected file that tricks the user into opening the document. The password for opening the file is probably contained in the email that delivers the attachment. Upon enabling the macros, a dialog box appears asking for the password. Entering the password triggers malicious code execution, which leads to the deployment of NetSupport Manager RAT. Following its instruction, the attacker gains complete access to the targeted system.

Conversation Hijacking Attacks

There has been a rise in cybercriminals using a novel phishing technique to trick employees into unwittingly installing malware, transferring money, or handing over their login credentials. In conversation-hijacking attacks, hackers infiltrate real business email threads by exploiting previously compromised credentials, which they may have purchased on dark web forums, stolen or accessed via brute force attacks, before inserting themselves into the conversation in the guise of one of the group. Once they gain access to the account, attackers will spend time reading through conversations, researching their victims, and looking for any deals or valuable conversations into which they can insert themselves. The idea is that by using the identity of a real person and mimicking the language that they use in emails, the phishing attack will be viewed as coming from a trusted colleague and is thus much more likely to be successful.

SilverSky’s Malicious Email Activity Report Library houses monthly reports offering a detailed look at detected and new threats for a given month. Additionally, each report offers monthly threat analysis and detection trends. We invite you to access and subscribe to our Malicious Email Activity Report Library and don’t hesitate to contact us if you need help strengthening your email security program.
