The Email Threat Landscape, Q1 2023: Key Takeaways

By   Oliver Paterson
Product Expert , VIPRE | Jul 23, 2023 08:46 pm PST

One of the most pressing concerns in the digital age is the abundance of cyber threats from all directions, with a large number of those threats coming from email. Users must be aware of what threats exist, how to detect and identify them, and how to avoid falling victim to them. The first step in protecting against email threats is to understand them; fortunately, there are organizations that take email threats seriously. VIPRE has recently published a report detailing the top threat trends from Q1 of 2023, and the most important findings are summarized below.

Email Threat Trends

Almost two billion customer emails were analyzed in Q1 of 2023, yielding 228,000 malicious samples. The majority of the malicious emails were classified as spam, 60% due to email content and 37% due to links. Another 2% of malicious emails were attributed to malicious attachments. The spam emails were mostly commercial in nature, as opposed to the previous year when scam emails made up the majority. After commercial emails were phishing emails and malware-related emails.

Over three-fourths (76%) of spam emails originated in the United States, making it the top country by a wide margin, followed by Germany (11%) and Turkey (7%). The United States also made the top spot for a number of malicious IPs, likely affected by the fact that most data centers are in North America. The most targeted industries by phishing and malspam emails were financial (25%), healthcare (22%), and education (15%). Geographically, Europe was targeted particularly often, with the United Kingdom receiving the majority of phishing and malspam emails.


More than a quarter (28%) of the spam emails examined were part of phishing campaigns. Out of the phishing emails, 77% contained malicious links, a significant increase from the previous year, while the remaining 23% utilized attachments. Most of the malicious links were to compromised websites, followed by newly created URLs and cloud storage URLs. Malicious attachments were predominantly “.html” files (88%), followed by “.pdf” (7%), “.eml” (4%), and “.zip” (1%).

Microsoft was the most impersonated brand, outstripping the runners-up by a long shot, at nearly three times the number of emails as DHL, WeTransfer, and Apple. Because file sharing often includes a link, and directly sending files includes an attachment, a sufficiently sophisticated facsimile of a Microsoft email can convince the user to open a malicious link or attachment easily. Cybercriminals relied overwhelmingly on the top-level domain “.com,” followed by “.ca” and “.net” with less than one-fourteenth of traffic. Notably, phishing attempts are increasingly using country code TLDs.


In contrast with the decreased proportion of attachments in phishing emails, 97% of malspam emails utilized attachments as their primary tactic. The remaining 3% was made up of malicious links to compromised websites. The most popular type of attachment in malspam emails was “.one,” Microsoft OneNote files, at 64%. This was followed by “.doc/.docx” (17%) and ISO files (9%). Last year’s top malware family, QBot, was dethroned by AsyncRAT, with the most recent version using a .bat loader to avoid detection by AV/EDR tools. AsyncRAT was introduced in 2016 as a legitimate remote administration tool, but cybercriminals have taken advantage of it since.

Most malspam exploits were related to Remote Access Trojans (RATs), a type of malware that allows the attacker to remotely control the targeted device. After the initial malicious email successfully deceives the target into allowing the malware to embed itself, the attacker can use their new access to send commands and carry out processes including stealing passwords, logging keystrokes, and exfiltrating sensitive files.

Behavioral Detection Trends

Over 100,000 of the malicious emails detected and analyzed were discovered via behavioral detection techniques. This means they had no signatures that could be connected to known threats, and traditional signature-based email security solutions would have missed them entirely. Additionally, more than 10 million links were protected by link isolation, which can scan and rewrite malicious links or prevent access. Finally, 10,000 malicious sites previously unknown to blocklist-based detection were discovered with behavioral detection tools. All in all, behavioral detection solutions, used in conjunction with traditional signature-based threat detection, were able to catch a staggering number of threats that otherwise would have gone undetected.


As bad actors continue to adapt their tactics and tools, threat detection and prevention must also advance. Collecting and analyzing email threat data allows security teams and other users to better understand what to watch out for and how to avoid common attacks. Using traditional signature-based threat detection as well as newer behavioral-based tools catches significantly more malicious emails and allows a more in-depth analysis of current email threat trends. Tried-and-true methods of phishing and malspam are being combined with newer tactics in order to more easily deceive users, but staying in the loop on trends in the threat landscape will help those looking to protect against these attacks.