{
	"id": "69a91adc-d706-4490-85d5-0e176a246307",
	"created_at": "2026-04-06T00:14:21.135017Z",
	"updated_at": "2026-04-10T03:21:55.878503Z",
	"deleted_at": null,
	"sha1_hash": "b8a8f215458c51d51b9150ad38f1f2550f33e035",
	"title": "New Emotet delivery method spotted during downward detection trend",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 803391,
	"plain_text": "New Emotet delivery method spotted during downward detection\r\ntrend\r\nBy David Ruiz\r\nPublished: 2020-10-27 · Archived: 2026-04-05 21:54:04 UTC\r\nEmotet, one of cybersecurity’s most-feared malware threats, got a superficial facelift this week, hiding itself\r\nwithin a fake Microsoft Office request that asks users to update Microsoft Word so that they can take advantage of\r\nnew features.\r\nThis revamped presentation could point to internal efforts by threat actors to increase Emotet’s hit rate—a\r\npossibility supported by Malwarebytes telemetry measured in the last few months.\r\nEmotet spikes amid downward trend\r\nSince August 1, Malwarebytes has detected repeated weekly spikes in Emotet detections, with an August peak of\r\nroughly 1,800 detections in just one day. Those frequent spikes betray the malware’s broader activity though—a\r\nslow and steady trend downwards, from an average of about 800 detections in early August to an average of about\r\n600 detections by mid-October.\r\nCaught by Malwarebytes on October 19, Emotet’s new delivery method attempts to trick victims into thinking that\r\nthey’ve received an update to Microsoft Word. The new template, shown below, includes the following text:\r\n“Upgrade your edition of Microsoft Word\r\nUpgrading your edition will add new features to Microsoft Word.\r\nPlease, click Enable Editing and then click Enable Content.”\r\nhttps://blog.malwarebytes.com/malwarebytes-news/2020/10/new-emotet-delivery-method-spotted-during-downward-detection-trend/\r\nPage 1 of 3\n\nIf users follow these dangerous instructions, they will actually enable the malicious macros that are embedded into\r\nthe “update request” itself, which will then be used as the primary vector to infect the machine with Emotet.\r\nMalwarebytes protects users from Emotet and its latest trick, as shown below.\r\nFor those without cybersecurity protection, this new delivery method may appear frightening, and in a way, yes, it\r\nis. 
But when compared to Emotet’s stealthy developments in recent years, this latest switch-up is rather ordinary.\r\nIn 2018, the cybersecurity industry spotted Emotet being spread through enormous volumes of email spam, in\r\nwhich potential victims received malicious email attachments supposedly containing information about\r\n“outstanding payments” and other invoices. In 2019, we spotted a botnet coming back to life to push out Emotet,\r\nthis time utilizing refined spearphishing techniques. Just weeks later, we found that threat actors were luring\r\nvictims through the release of former NSA defense contractor Edward Snowden’s book. And this year, Bleeping\r\nComputer reported that threat actors had managed to train the Emotet botnet to steal legitimate email attachments\r\nand to then include those attachments amongst other, malicious attachments as a way to legitimize them.\r\nThreat actors have gone to such great lengths to deliver Emotet because of its destructive capabilities. Though the\r\nmalware began as a simple banking Trojan to steal sensitive and private information, today it is often used in\r\ntandem to deliver other banking Trojans, like TrickBot, that can steal financial information and banking logins.\r\nThis attack chain doesn’t stop here, though, as threat actors also use Emotet and Trickbot to deliver the\r\nransomware Ryuk.\r\nCompounding the danger to an organization is Emotet’s ability to spread itself through a network. Once this\r\nmalware has taken root inside a network, it has derailed countless consumers, businesses, and even entire cities. In\r\nfact, according to the US Cybersecurity and Infrastructure Security Agency, governments have paid up to $1\r\nmillion to remediate an Emotet attack.\r\nHow to protect your business from Emotet\r\nOur advice to protect against Emotet remains the same. 
Users should look out for phishing emails, spam emails,\r\nand anything that includes attachments—even emails that appear to come from known contacts or colleagues.\r\nFor users who do make that risky click, the best defense is a cybersecurity solution that you’ve already got\r\nrunning. Remember, the best defense to an Emotet infection is to make sure it never happens in the first place.\r\nThat requires constant protection, not just after-the-fact response.\r\nAbout the author\r\nPro-privacy, pro-security editor. Former journalist turned advocate turned cybersecurity defender. Still a little bit\r\nof each. Failing book club member.\r\nSource: https://blog.malwarebytes.com/malwarebytes-news/2020/10/new-emotet-delivery-method-spotted-during-downward-detection-trend/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.malwarebytes.com/malwarebytes-news/2020/10/new-emotet-delivery-method-spotted-during-downward-detection-trend/"
	],
	"report_names": [
		"new-emotet-delivery-method-spotted-during-downward-detection-trend"
	],
	"threat_actors": [],
	"ts_created_at": 1775434461,
	"ts_updated_at": 1775791315,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b8a8f215458c51d51b9150ad38f1f2550f33e035.pdf",
		"text": "https://archive.orkl.eu/b8a8f215458c51d51b9150ad38f1f2550f33e035.txt",
		"img": "https://archive.orkl.eu/b8a8f215458c51d51b9150ad38f1f2550f33e035.jpg"
	}
}