Proofpoint Report Reveals Emotet Drove 61% of Malicious Payloads in Q1 2019


Proofpoint has released its Q1 2019 Threat Report, highlighting the threats and trends across Proofpoint’s global customer base and in the wider threat landscape. Notably, Proofpoint found that 61 percent of malicious payloads observed in Q1 2019 were driven by the actor distributing the Emotet botnet. Proofpoint has mapped Emotet’s increasing prevalence as it has shifted in classification from a banking Trojan to a botnet and continues to largely displace credential stealers, standalone downloaders, and RATs in the overall threat landscape.

Emotet’s popularity is reflected in the continued growth of attacks leveraging malicious URLs relative to those bearing malicious attachments. Proofpoint observed that malicious URLs in emails outnumbered malicious attachments by roughly five-to-one for Q1 2019, up 180 percent when comparing Q1 2018 and Q1 2019. Much of this traffic, both overall and in terms of the prevalence of malicious URLs in messages, was driven by the Emotet botnet.

“Australians must be cautious when clicking—and not trust that a ‘lock’ symbol next to a website address automatically means the site has been validated as trusted or legitimate,” said Crispin Kerr, Australia Country Manager for Proofpoint. “It only signifies that the data transmitted between the user’s browser and the site is encrypted and cannot be read by third parties. We continuously analyse over 350 million domains, representing virtually all domains on the web. It should be a warning to all Australians that over three times as many fraudulent domains had an SSL certificate or a ‘lock’ symbol as legitimate domains. This directly leads to a false sense of security when potential victims encounter these domains online and in email attacks.”

Every day, Proofpoint analyses more than five billion email messages, hundreds of millions of social media posts, and more than 250 million malware samples to protect organisations around the world from advanced threats, providing a unique vantage point from which to reveal and analyse the tactics, tools, and targets of today’s cyber attacks.

Additional Q1 2019 Proofpoint Threat Findings


  • Banking Trojans made up only 21 percent of malicious payloads in email during the quarter, comprised primarily of IcedID, The Trick, Qbot, and Ursnif.
  • Aside from smaller scale GandCrab campaigns, ransomware remained virtually absent in the first three months of 2019, as 82 percent of all payloads were either Emotet or current bankers.
  • “Payment” jumped to the top subject line in email fraud attacks, up six percentage points from Q4 2018.
  • In Q1 2019, the engineering, automotive, and education industries were most heavily targeted in email fraud attacks.
  • Across all industries, targeted organisations experienced an average of 47 such attacks. These numbers were lower than the record highs of Q4 2018 but may be a sign of increasingly selective targeting and seasonal variations.

Web-Based Attacks

  • Coinhive samples spiked in late January to 4.9 times the weekly average for the quarter; not surprisingly, detected events dropped to near-zero after Coinhive shut down in March. Others filled the gap in illicit coin mining, as threat actors continue to operate in this space, despite ongoing market volatility.
  • Social engineering attacks via compromised websites and malvertising were off from Q4 2018 levels by roughly 50 percent, reflecting what appears to be a seasonal trend; however, activity was still 16 times higher than the year-ago quarter.

Domain Fraud

  • Over three times as many fraudulent domains had an SSL certificate as legitimate domains in Q1 2019, lending a false sense of security to end users encountering these domains on line and in email attacks.
  • In Q1, the proportion of domains identified as potentially fraudulent that resolved to an IP address was 26 percentage points higher than for all domains across the web. The proportion generating HTTP responses was 43 percentage points higher than for all domains.
  • March registrations of lookalike domains were almost as numerous as the previous two months combined.

Steps to Improve Cybersecurity Efforts

Organisations can further protect their company and brand in the coming months by taking the following steps:

  • Assume users will click. Social engineering is increasingly the most popular way to launch email attacks and criminals continue to find new ways to exploit the human factor. Leverage a solution that identifies and quarantines both inbound email threats targeting employees and outbound threats targeting customers before they reach the inbox.
  • Build a robust email fraud defence. Highly-targeted, low volume business email compromise scams often have no payload at all and are thus difficult to detect. Invest in a solution that has dynamic classification capabilities that you can use to build quarantine and blocking policies.
  • Protect your brand reputation and customers. Fight attacks targeting your customers over social media, email, and mobile—especially fraudulent accounts that piggyback on your brand. Look for a comprehensive social media security solution that scans all social networks and reports fraudulent activity.
  • Partner with a threat intelligence vendor. Smaller, more targeted attacks call for sophisticated threat intelligence. Leverage a solution that combines static and dynamic techniques to detect new attack tools, tactics, and targets—and then learns from them.
  • Train users to spot and report malicious email: Regular training and simulated attacks can stop many attacks and help identify people who are especially vulnerable. The best simulations mimic real-world attack techniques. Look for solutions that tie into current trends and the latest threat intelligence.

To download the Q1 2019 Threat Report, please visit: