A new method for spreading malware online has been discovered, and it involves taking advantage of email threads to deploy malware loaders.

Email threads can quickly build, especially if there are more than two participants. As such, it can be difficult to keep up with who is saying what and, crucially, who is attaching files to the thread. Accordingly, this creates the perfect scenario for threat actors to get involved and turn the situation to their advantage. And, as a result of a vulnerability in Microsoft Exchange servers, this is exactly what has been happening.

If you work in any modern organization, the chances are that you use email on, at least, an hourly basis to keep up to date with the rest of the world. Therefore, this new threat is one that you need to understand.

How Email Threads are Being Hijacked

This latest campaign is particularly deceptive and relies on the presence of unpatched Microsoft Exchange servers. This email service is commonly used by businesses to synchronize email between an Exchanger server and an email client e.g. Outlook. The vulnerability offered up by these unpatched servers allows hackers to harvest login credentials; the threat actors are then presented with the opportunity to illegally access specific email accounts. Once they are logged in, the hackers can view all the email threads that the account is involved with.

By viewing the various email threads, the hacker can then decide which is best to launch their attack through. All they have to do is choose an email thread and start replying to it. More crucially, they will also attach some infected attachments. These are packaged within a ZIP archive and comprise an ISO file which contains both a DLL file and an LNK file. Once the LNK file is activated, it will run the DLL file and activate the IcedID malware loader. IcedID is a well-known banking trojan which can steal financial information, login credentials and start the installation of further malware.

Protecting Your Emails

First and foremost, it’s vital that you install new updates as soon as they are available. This will instantly minimize the chances of vulnerabilities being exploited on your network. Fail to implement these upgrades, however, and you could fall victim to attacks such as the one we have been discussing. In addition to this, it also pays to take notice of the following:

  • Verify Any Email Attachments: if, in the middle of an email thread, a suspicious file attachment suddenly appears, verify it with the person it appears to have been sent by. However, do not do this over email; if the email account has been compromised then the hacker will simply confirm it is genuine. Instead, speak in-person or over the phone to the sender to get confirmation.
  • Use Multi-Factor Authentication: one of the simplest ways to reduce the impact of stolen login credentials is by strengthening the login procedure with multi-factor authentication. This approach will provide an extra layer of security and ensure that any threat actors will struggle to navigate their way through it.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


As with all aspects of modern life, everything is a target for cybercriminals, even war. And this has been demonstrated with wiper malware attacking Ukraine.

Amidst its conflict with Russian, Ukraine has also had to contend with hundreds of its computers falling victim to a strain of data wiper malware. As the name suggests, wiper malware is used to wipe hard drives clean of any data. While this sounds like ransomware, and indeed wiper malware often promises the return of data for a fee, the chances of retrieving this data from the hackers is zero. It’s a powerful and destructive cyber-attack, one which has the potential to cause significant damage not just to security, but also IT infrastructures.

It’s an attack method which could strike anywhere at any time, you don’t have to be in Ukraine. Therefore, it’s crucial that we understand how wiper malware works. And, more importantly, how to protect your data.

The Cyber-Attack on Ukraine

The wiper malware in this opportunistic attack, which comes at a time of intense internal chaos, has been identified as HermeticWiper. It followed on from an earlier attack which had targeted Ukraine’s banks through a number of co-ordinated DDoS attacks. It came several hours before Russia launched its invasion campaign but, as yet, nobody has been identified as being behind the attack. What is known is that it’s a new strain of malware which, according to its date stamp, was created towards the end of 2021. Clearly, this attack had been in the works for some time.

Once downloaded onto a PC, HermeticWiper sets about wiping all the data from its hard drive. It achieves this objective by taking advantage of existing disc and storage management software. With this software compromised, HermeticWiper turns it against the PC to corrupt any data within its grasp and then reboots the PC. But it doesn’t stop there. HermeticWiper is also keen to attack any data recover software on the machine and also interferes with the hard drive’s rebooting system.

How Do You Stop Wiper Malware?

The government of Ukraine has a significant reach and has appealed to its native hackers to assist in protecting the country’s IT infrastructures. Unfortunately, almost all organizations will struggle to raise this level of support. But there’s still plenty you can do:

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More