{
	"id": "7115df2a-9f71-45af-a040-d9b7baf920a4",
	"created_at": "2026-04-06T00:22:21.28808Z",
	"updated_at": "2026-04-10T13:11:32.70294Z",
	"deleted_at": null,
	"sha1_hash": "14749f9bd9c9e110b1b93e8a51b193763a423d6e",
	"title": "Stolen emails reflect Emotet's organic growth",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 357452,
	"plain_text": "Stolen emails reflect Emotet's organic growth\r\nBy Jaeson Schultz\r\nPublished: 2020-01-16 · Archived: 2026-04-05 21:31:05 UTC\r\nThursday, January 16, 2020 09:00\r\nIntroduction\r\nEmotet has a penchant for stealing a victim's email, then impersonating that victim and sending copies of itself in reply. The malicious emails are delivered through a network of stolen outbound SMTP accounts. This relatively simple email man-in-the-middle social engineering approach has made Emotet one of the most prolific vehicles for delivering malware that we have seen in modern times.\r\nhttps://blog.talosintelligence.com/2020/01/stolen-emails-reflect-emotets-organic.html\r\nPage 1 of 7\r\nCisco Talos continues to monitor Emotet, constantly detonating Emotet samples inside the Threat Grid malware sandbox and elsewhere. We witness in real time as email that purports to be from Emotet's victims begins to emanate from Emotet's network of outbound mail servers. Vigilant monitoring of both stolen SMTP credentials and outbound email allows Talos to extract meta-information about Emotet's latest victims and provides insight into networks where Emotet is actively spreading.\r\nOne of the most cunning aspects of Emotet's propagation is the way it uses social engineering of personal and professional relationships to facilitate further malware infection. When receiving a message from a trusted friend or colleague, it is quite natural for recipients to think, \"I can safely open this email attachment because it is in reply to a message I sent, or from someone I know.\" Any person or organization who has sent an email to an Emotet victim could be targeted by Emotet's propagation messages. The more interaction you have with the victim, the more likely you are to receive malicious email from Emotet. 
Like a meandering watering hole attack, this is how Emotet crosses organizational boundaries with the potential to affect entire industries or even countries.\r\nIncreased targeting of U.S. military and government\r\nEmotet continues to infect individuals and organizations all over the world, so to say that it is \"targeted\" would be a stretch. However, if a person has substantial email ties to a particular organization, then when they become infected with Emotet the effect manifests as increased outbound Emotet email directed at that organization.\r\nOne of the most vivid illustrations of this effect can be seen in Emotet's relationship to the .mil (U.S. military) and .gov (U.S. federal and state government) top-level domains (TLDs). When Emotet emerged from its summer vacation back in mid-September 2019, relatively few outbound emails were seen directed at the .mil and .gov TLDs.\r\nBut sometime in the past few months, Emotet was able to successfully compromise one or more persons working for or with the U.S. government. As a result, Talos saw a rapid increase in the number of infectious Emotet messages directed at the .mil and .gov TLDs in December 2019. Now that Emotet is back from its Orthodox Christmas vacation, that trend has continued into January 2020.\r\nThe emails are coming from inside the house!\r\nLooking at the individual messages sometimes allows us to determine the identity of the Emotet victim and whether that victim is internal or external to the recipient organization. After all, Emotet wants recipients of its messages to recognize who the message came from as part of its social engineering efforts. 
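As an added example (this is not code from the Talos post, and it is not a Cisco product feature), the Python below does the same identification step an analyst performs by hand on a suspected propagation message: it reads the claimed sender out of the From header, decides whether that sender is internal or external to the recipient organization, and records the signals that the post associates with Emotet mail, namely an envelope sender (Return-Path) domain that differs from the From domain, a message that is a reply into an existing thread, a display name reduced to a bare domain with its last label dropped, and an Office attachment. The three messages, every address and domain in them, and the two-signal review threshold are constructed for illustration only; none of them is captured Emotet mail.

```python
import re
import email
import email.utils

# Constructed sample messages (not captured Emotet mail). The first mimics
# the reply-chain pattern: From names a colleague in the recipient's own
# domain, the message replies into a real thread and carries a Word file,
# but the envelope sender is an unrelated relay account, which is how mail
# sent through a stolen outbound SMTP account tends to look.
INTERNAL_REPLY = '''Return-Path: <relay-user-8812@mail.example-isp.net>
From: Jane Doe <jane.doe@corp.example.com>
To: John Smith <john.smith@corp.example.com>
Subject: RE: Q4 figures
In-Reply-To: <20191210.1234@corp.example.com>
Content-Type: application/msword; name=figures.doc

(attachment bytes would follow here)
'''

# The second mimics the stripped-down variant: personal data removed and the
# display name reduced to the organization's domain minus its TLD.
TRUNCATED_NAME = '''Return-Path: <user7741@freemail.example>
From: Corp.example <user7741@freemail.example>
To: john.smith@corp.example.com
Subject: RE: invoice
Content-Type: application/vnd.ms-excel; name=invoice.xls

(attachment bytes would follow here)
'''

# An ordinary internal message with none of the signals.
CLEAN = '''Return-Path: <bob.jones@corp.example.com>
From: Bob Jones <bob.jones@corp.example.com>
To: john.smith@corp.example.com
Subject: lunch tomorrow?
Content-Type: text/plain

Noon works for me.
'''

OFFICE_EXTENSIONS = ('.doc', '.docx', '.docm', '.xls', '.xlsx', '.xlsm')
REPLY_PREFIXES = ('re:', 'fw:', 'fwd:', 'aw:')


def domain_of(address):
    return address.rpartition('@')[2].lower()


def office_attachment(msg):
    # First Office-type attachment filename, or '' if there is none.
    for part in msg.walk():
        filename = (part.get_filename() or '').lower()
        if filename.endswith(OFFICE_EXTENSIONS):
            return filename
    return ''


def truncated_domain_signal(display_name, known_domains):
    # Heuristic: a display name with no spaces and at least one dot is
    # domain-like; if it equals a known domain minus its last label (the
    # us.af.mil -> Us.af reduction) report that explicitly.
    name = display_name.strip().lower()
    if not re.fullmatch('[a-z0-9-]+([.][a-z0-9-]+)+', name):
        return ''
    for domain in known_domains:
        if domain.rpartition('.')[0] == name:
            return 'display name ' + name + ' is ' + domain + ' with its TLD dropped'
    return 'display name ' + name + ' looks like a bare domain'


def triage(raw_message, local_domains):
    # Parse one RFC 5322 message; report the claimed sender, whether it is
    # internal or external to local_domains, and the signals found.
    msg = email.message_from_string(raw_message)
    display_name, from_addr = email.utils.parseaddr(msg.get('From', ''))
    from_domain = domain_of(from_addr)
    envelope_domain = domain_of(email.utils.parseaddr(msg.get('Return-Path', ''))[1])
    findings = []
    if envelope_domain and from_domain and envelope_domain != from_domain:
        findings.append('envelope sender domain ' + envelope_domain
                        + ' differs from From domain ' + from_domain)
    subject = msg.get('Subject', '').strip().lower()
    if msg.get('In-Reply-To') or msg.get('References') or subject.startswith(REPLY_PREFIXES):
        findings.append('message is a reply into an existing thread')
    signal = truncated_domain_signal(display_name, local_domains)
    if signal:
        findings.append(signal)
    attachment = office_attachment(msg)
    if attachment:
        findings.append('Office attachment ' + attachment)
    return {
        'claimed_sender': from_addr.lower(),
        'origin': 'internal' if from_domain in local_domains else 'external',
        'findings': findings,
        # Two or more signals together is the combination worth a human look.
        'review': len(findings) >= 2,
    }


if __name__ == '__main__':
    for label, raw in (('internal reply', INTERNAL_REPLY),
                       ('truncated name', TRUNCATED_NAME),
                       ('clean', CLEAN)):
        print(label, triage(raw, {'corp.example.com'}))
```

Run as a script it prints the triage result for each constructed message: the two Emotet-style messages trip three signals each and get the review flag, the clean one trips none. The display-name and subject-prefix checks are deliberately loose (a legitimate sender whose display name is J.Doe would also be noted), which is why the output is a review flag for an analyst rather than a block verdict.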
Unfortunately, identifying the victim doesn't work 100 percent of the time, because some of the messages sent by Emotet strip the original victim's personal data and drop the TLD in an attempt to impersonate only the organization. This results in the unintentionally comical reduction of domains like \"us.af.mil\" to simply \"Us.af.\"\r\nHowever, more often, Emotet will leave the contact information for the individual victim inside the propagation email. The message may also include the contents of a previous email exchange between the two parties, just to add extra authenticity. For example, one message (shown as a screenshot in the original post) was sent by Emotet to an individual working for U.S. Sen. Cory Booker. The From header and signature generated by Emotet both suggest that this message originated from an infected colleague at \"booker.senate.gov.\"\r\nAnother issue that is often overlooked is the exfiltration problem presented by Emotet. Users who have had their email stolen and sent to Emotet's command and control (C2) infrastructure may have lost control over sensitive data and communications. For now, Emotet is content to use this data to enhance its social engineering approach, but its operators could just as easily be reading and parsing the contents of these messages and acting or trading on the information contained therein.\r\nConclusion\r\nIf an organization in close proximity to yours becomes infected with Emotet, you can expect to receive an increased volume of infectious email messages addressed to your users. If Emotet infects any of the users inside your domain, then the volume of Emotet email destined for your network will increase. 
Many of these email messages arrive via hijacked email threads, so there is no simple pattern that anti-spam systems can use to identify and eliminate these messages. More advanced anti-spam systems, such as IPAS (Cisco IronPort Anti-Spam), will still be able to successfully filter Emotet messages. However, all technical systems, no matter how robust, must always be supplemented by educational efforts and awareness training for your users.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nSource: https://blog.talosintelligence.com/2020/01/stolen-emails-reflect-emotets-organic.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/01/stolen-emails-reflect-emotets-organic.html"
	],
	"report_names": [
		"stolen-emails-reflect-emotets-organic.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434941,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/14749f9bd9c9e110b1b93e8a51b193763a423d6e.pdf",
		"text": "https://archive.orkl.eu/14749f9bd9c9e110b1b93e8a51b193763a423d6e.txt",
		"img": "https://archive.orkl.eu/14749f9bd9c9e110b1b93e8a51b193763a423d6e.jpg"
	}
}