Researchers at cybersecurity firm Proofpoint have observed that the prolific botnet Emotet has returned to the email threat landscape after a hiatus at the end of 2019. The Trojan-turned-botnet is being distributed by threat group TA542, using attachments and malicious links containing the botnet payload. So far in 2020, Proofpoint has observed Emotet targeting pharmaceutical companies in the US, Mexico, Germany, Japan and Australia amongst other regions and sectors.

Emotet is quite difficult to mitigate against with any one security control because of the various techniques and methods it employs.
While it is important to have technical controls in place, many of the social engineering techniques can bypass technical controls. Therefore, it\’s vital that organisations invest in providing security awareness and training to employees so that they can be better equipped to identify and report any suspicious activity.
Emotet is one of the world’s most disruptive threats and organizations worldwide should take its return seriously. They have a massive sending infrastructure—nobody hits volumes like they do.
TA542’s recent uptick in activity shows that threat actors work smarter not harder. They took 150 days off in 2019 and even with breaks, they’re incredibly effective. When TA542 returned in September 2019 from a summer hiatus, they accounted for over 11% of all malicious attachments we saw globally for the entire third quarter of that year despite being active for only two weeks during that three month period.
It’s important security teams continue to secure their email channel and educate users regarding the increased risks associated with email attachments.