Vade Phishing and Malware Report Q1 2022

After a holiday slump in December 2021, cybercriminals returned to form in Q1 2022. Malware and volumes across the globe moved in an upward trajectory in the early months of 2022.

In March 2022, Vade detected 32.9 million malware emails, the largest monthly total detected by Vade since November 2016. The March spike represented a 201 percent increase over February, while the total number of malware emails detected in Q1 2022 represent a QoQ increase of 48. percent.

Malware Chart-Q1 22

In January 2021, Vade detected 110.4 million phishing emails, a 277 percent increase from December. Phishing volumes decreased to 20.3 million in February and then increased 46 percent to 29.8 million in March.

Phishing Chart-Q1 22


Microsoft is the most impersonated brand in phishing attacks

Brand impersonation remains a top threat to businesses, with cybercriminals impersonating the most trusted brands in the world to lure users. Microsoft was the most impersonated brand in phishing attacks in Q1 2022. Microsoft represented 8.8 percent of all branded phishing pages (4,119) analyzed by Vade during the quarter, an increase of 98.9 percent.

Capture d’écran 2022-05-04 à 14.23.43Microsoft phishing with Excel form

Japanese mobile telecommunications company, Au, came in at , with .2 percent of phishing pages (2,899). Facebook, the most impersonated brand of Q4 2021, moved down two spots to 3, representing 5.9 percent of phishing pages detected by Vade (2,768), a .2 percent decrease from Q4 2021.

Following closely behind Facebook is WhatsApp, with 5.6 percent of phishing pages analyzed by Vade (2,638), and Credit Agricole, with 5.3 percent (2,482). The most significant increase in brand impersonation was Apple, previously at on the list and moving up 15 places to , with 3.8 percent of phishing pages (1,776), a 366 percent increase over Q4 2021.

Financial services impersonation continues to dominate

The financial services industry remains the most impersonated of all industries, representing 32 percent of all branded phishing pages analyzed by Vade in Q1. There were nine financial services brands among the top 25 most impersonated brands in phishing and four in the top ten, including Crédit Agricole, La Banque Postale, MTB, and PayPal.

Capture d’écran 2022-05-04 à 14.19.18


Brands in Top 25-Q1 22-2

Internet/telco companies saw significant increases in brand impersonation in Q1. Orange, previously in the 8th position, moved up two spots to 6 and saw a 106 percent increase in phishing pages. Comcast, previously at 12, moved down one spot to but saw a 40 percent increase in phishing pages. In Q1, Vade analyzed 46,960 unique phishing pages, a 32.7 percent increase over Q4 2021.

Total URLs-Q1 22

Download eBook to see the phishing statistics and trends that defined 2021

Emotet returned—again

Emotet returned to the scene after being briefly shut down in January 2021 thanks to a coordinated effort between law enforcement agencies in the US, Canada, and Europe. Vade began tracking the reemergence of Emotet in early 2021, with a burst of Emotet-weaponized emails in early March. Europe saw a substantial surge in Emotet in Q1, with 49,216 attacks detected by Vade, compared to 3,381 in the US.

In the below analysis of an Emotet attack detected by Vade in March 2021, the hacker exploited a compromised email account and delivered an Excel attachment loaded with malicious, obfuscated macros. The xlsm file attachment included five hidden sheets in a spreadsheet containing six total sheets.

report 4

xl folder content

report 5

Workbook.xml content

The hidden sheet Lafasbor1 contains obfuscated malicious strings, while the sheet itself stores information, formulas, and references in several sheets to evade antivirus protection.

Capture d’écran 2022-05-04 à 14.27.46Obfuscation based on formulas

The file sharedStrings.xml contains hardcoded strings, including URLs, used to download malware. The obfuscated code in the below screenshot of the file intlsheet1.xml in the folder macrosheets conceals the payload.

Capture d’écran 2022-05-04 à 14.28.31

Obfuscated code in intlsheet1.xml

In this attack, the QakBot loader was potentially used to drop Emotet. The sophistication of Emotet makes it one of the most dangerous malware viruses in circulation. Emotet rarely functions on its own, but is typically a combination of several malware viruses, each having its own unique purpose and carrying out separate events in an attack chain.

Current-event themed attacks


 Always prepared to capitalize on bad news, cybercriminals quickly exploited the war in Ukraine to lure users. In Q1 in Europe, 10.8 percent of Ukraine-themed emails detected by Vade were phishing attacks, while 14.3 percent were classified as scams. Most emails promised humanitarian aid and other support efforts to Ukraine, and many featured links to Bitcoin wallets for prompt payment.

Capture d’écran 2022-05-04 à 14.30.07

Capture d’écran 2022-05-04 à 14.30.20

Tax season

Tax season in both the US and Europe inspired phishers around the world in Q1. In an analysis of more than one million Microsoft 365 mailboxes, 10 percent of tax-related emails were classified as phishing by Vade, while just under one percent were classified as malware.

Impersonating brands like Turbotax is a common tactic among phishers looking to exploit consumers, but in corporate mailboxes, attacks are more targeted. In the below screenshot, the hackers leverages a shared Microsoft Word file to capture Microsoft 365 login credentials.

Capture d’écran 2022-05-04 à 14.30.29Microsoft phishing with shared Word file

Cybercriminals also used spear phishing emails to lure users with tax-themed messages, a more direct, personal approach than brand impersonation via phishing. In the US in Q1, 12.4 percent of spear phishing emails in the US were related to taxes, while in Europe, the rate was much smaller (3.4 percent).

Protecting your business from phishing and malware

The old ways of blocking phishing and malware no longer apply. Emotet, a virus containing multiple dangerous viruses wrapped inside a single package, is just one of the many malware viruses that can change its behavior based on its environment and go dormant when it senses it is being analyzed.

Phishing has made equal strides toward extreme sophistication, with tools like phishing kits having the ability to fend off URL scanning technology and obfuscation techniques like image manipulation bypassing even the most sophisticated filters.

What both phishing and malware attacks have in common is that each displays malicious behaviors —traits that cannot be detected by simple reputation-based analysis or attachment sandboxing. To predict and respond to attacks, businesses need to move toward a behavioral-based approach to email security.

Artificial Intelligence answers this need by continuously learning from previous attacks, being trained by humans with quality data, and responding autonomously to detected threats. AI-based cybersecurity might have been nice to have only a few years ago, but today, it is a must-have to defend your business from attack.