Email Blind Spots Are Haunting Security Teams

Summary
– Email remains the primary attack vector with malware, scams, and phishing increasing significantly, driving operational impacts like account compromise and business disruption.
– Attackers are exploiting overlooked file types like TXT and legacy DOC files and using evasion techniques such as forged headers to bypass security filters and initiate multi-step intrusions.
– Ransomware has resurged as a major threat, with a higher percentage of organizations reporting incidents, though fewer are paying ransoms, while defenses like immutable backups and disaster recovery plans are improving.
– AI is both increasing threats through automated attacks and deepfakes and being used for defense, but governance lags behind adoption, raising risks of data leakage and misinformation.
– Identity vulnerabilities persist with attackers bypassing MFA via session token theft, and SaaS platforms and browser extensions have become key attack surfaces, requiring stronger controls and monitoring.
Security teams are currently grappling with a troubling surge in email-based threats, as attackers refine their methods to bypass conventional defenses. A recent cybersecurity analysis of over 70 billion emails reveals a sharp escalation in automated, AI-driven social engineering and sophisticated evasion tactics. This shift is compelling chief information security officers to reassess long-held assumptions about digital risk.
Email continues to serve as the main gateway for security breaches. Over the past year, malware distributed via email jumped by more than 130%, while scams climbed over 30% and phishing attempts rose by more than 20%. These attack types remain responsible for the bulk of organizational damage, leading to compromised accounts and significant operational disruption.
Attackers are increasingly leveraging file formats that many security teams no longer classify as high-risk. For instance, malicious use of TXT files surged by over 180%, and legacy DOC files grew by more than 118%. ZIP archives are still widely used, though HTML and RAR attachments have become less common. This trend highlights a deliberate strategy to exploit overlooked gaps in email filtering and inspection systems.
To evade detection, threat actors are adopting forged headers, obscure domain names, URL shorteners, and HTML tricks designed to confuse security filters without alerting recipients. Their objective is straightforward: slip past defensive measures undetected and initiate complex, multi-stage intrusion campaigns.
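The two preceding paragraphs describe the header forgery and overlooked attachment types the report highlights. The following defensive triage script is an added example, not code from the article or its source; it parses one raw message with Python's standard email library and flags a Reply-To or Return-Path domain that disagrees with the visible From domain, attachments whose extensions fall in a hypothetical watch list (TXT, DOC, ZIP), and body links through a constructed sample of URL-shortener hosts. The message, addresses and shortener list are all constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

WATCHED_EXTENSIONS = {".txt", ".doc", ".zip"}  # types the article flags; hypothetical list
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}  # constructed sample, not a vetted list
URL_RE = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)

def _domain(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def triage(raw_message):
    """Return a list of findings for one RFC 5322 message given as bytes."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    from_dom = _domain(msg["From"])
    # Forged-header heuristic: visible From domain disagrees with where replies or bounces go.
    for hdr in ("Reply-To", "Return-Path"):
        dom = _domain(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    # Watched extensions are surfaced whatever MIME type the sender declared.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in WATCHED_EXTENSIONS:
            findings.append(f"attachment {name} has watched extension {ext}")
    # Shortened links hide the real destination from both the user and the filter.
    body = msg.get_body(preferencelist=("html", "plain"))
    for host in URL_RE.findall(body.get_content() if body else ""):
        if host.lower() in SHORTENER_HOSTS:
            findings.append(f"body links to URL shortener {host}")
    return findings
# Constructed sample: mismatched Reply-To, a shortened link and a TXT attachment.
SAMPLE = b"""From: "Payroll" <payroll@example.com>
Reply-To: collector@example.net
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review https://bit.ly/abc123 before Friday.
--b1
Content-Type: text/plain
Content-Disposition: attachment; filename="invoice.txt"

constructed attachment body
--b1--
"""
```

Running `triage(SAMPLE)` yields three findings, one per heuristic; a plain message with matching headers and no attachments or shortened links yields none.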
Ransomware has reemerged as a dominant threat after a temporary lull. Nearly one quarter of organizations experienced a ransomware incident, up from 18% the previous year. Although only 13% of affected entities paid a ransom, the frequency and persistence of these attacks have grown substantially.
Security leaders report that AI-generated phishing and automated reconnaissance are placing unprecedented strain on defensive operations. Attackers are blending credential theft, endpoint exploitation, and supply chain attacks rather than relying exclusively on email. Endpoints accounted for more than a quarter of all infections, and incidents involving stolen credentials also increased.
On a positive note, 62% of organizations have implemented immutable backups and over 80% maintain a formal disaster recovery plan. These measures reduce the leverage attackers hold during extortion attempts. At the same time, cyber insurance adoption has dipped, while policy premiums continue to climb.
Artificial intelligence is playing a dual role, both escalating threats and empowering defenses. Many security executives believe AI has heightened ransomware risks, prompting more than two-thirds of organizations to invest in AI-powered detection and analytics tools.
However, governance frameworks are struggling to keep up with the rapid adoption of AI. Employees frequently use public AI tools without fully grasping the compliance and security implications. CISOs note low awareness among staff and inconsistent understanding at the leadership level, creating conditions ripe for data leaks and misinformation.
Emerging AI-fueled threats include deepfake impersonations, model poisoning, synthetic identity fraud, and the misuse of AI services to harvest credentials. These developments point to a rapidly expanding attack surface linked directly to unregulated AI usage.
One industry leader observed, “AI functions as both a tool and a target, with attack vectors multiplying faster than many anticipate. We’re witnessing an arms race where machine learning is deployed on both sides, to deceive and to defend. Attackers are harnessing generative AI and automation to pinpoint vulnerabilities, create highly persuasive phishing lures, and execute multi-stage intrusions with very little human involvement.”
Identity management remains a critical weak point. Adversary-in-the-middle (AiTM) techniques now circumvent many multi-factor authentication (MFA) systems by stealing session tokens in real time. Modern phishing kits can even manage MFA prompts, forwarding user credentials to legitimate sites while capturing tokens for malicious use.
Phishing-resistant MFA solutions, such as hardware security keys, certificate-based authentication, Windows Hello for Business, and passkeys, deliver robust protection. Unfortunately, adoption remains uneven. Passkeys, in particular, face challenges due to fragmented user experiences across platforms and limitations involving syncable versus non-syncable keys in corporate environments.
Credential recovery procedures also present vulnerabilities. Several significant breaches resulted from helpdesk personnel being deceived into resetting privileged accounts. Security leaders are urged to implement stricter in-person verification for administrative identity recovery and tighter controls throughout the identity lifecycle.
Software-as-a-Service (SaaS) platforms and cloud integrations have become prime targets, offering attackers direct access to vital data and workflows. OAuth token theft is especially concerning, since revoking tokens is often the only way to stop ongoing abuse. Recent incidents illustrate how a single compromised integration can expose numerous organizations simultaneously.
Malicious or vulnerable browser extensions represent another serious risk, capable of bypassing internal security controls and harvesting confidential information. Security teams should monitor extension usage and restrict high-risk categories through centralized policy management.
High-profile incidents across the technology, aviation, manufacturing, and cloud sectors demonstrate that attackers are increasingly focusing on suppliers and infrastructure providers. These supply chain attacks effectively bypass traditional perimeter defenses, creating cascading consequences for all connected organizations.
(Source: HelpNet Security)
