It’s that time of the year where tax forms are filed and (unfortunately) personal information is sent around via unencrypted email. Internal email, that is email between users in a company on their own email system, can be considered as secure as the server itself for the most part (which one may interpret the degree of security as she chooses). If an attacker can’t get access to the system, he will target those who have access. Some employees may place a little too much trust in their internal email processes and can fall victim to spearphishing attacks that appear to be other internal users emailing them.

One especially trying time of year for these types of messages is during tax season. January to mid-April is the prime time for attackers to try to convince susceptible employees to hand over private company information, including: tax returns, company bank account information, and employee information including healthcare and W-2 files. Many organizations naively believe that this could never happen to them. However, a quick search online can usually show the prevalent dangers of these sorts of attacks. Companies like Snapchat, Seagate, Polycom, Advance Auto Parts and, yes, even hospitals, schools, and utility companies have all been victims of spearphishing.

At AppRiver, we have seen the spike in phishing traffic already occurring in 2017. As the beginning of the year is typically when taxpayers anticipating big returns are mostly in a rush to have their returns filed, while taxpayers who will owe usually procrastinate until the last second, we anticipate that phishing traffic will continue to dwindle until the very end of tax season, with perhaps another small push towards the deadline.


When an outside attacker is able to craft an email in such a way that it looks to be internal, some users will trust them without digging deep enough. And that’s the core component to spearphishing. An attacker doesn’t need to be a hacker or gain access to secure internal systems. If someone can send convincing, legitimate-appearing emails to users, they may just hand over that sensitive information none the wiser. There are some small details astute users can decipher to notice spearphishing emails, but more often than not they are hard to catch just reading them at face value. These same tactics are what is used in wire transfer fraud emails where attackers get employees to wire out tens of thousands of dollars from the company accounts to things like fake vendor accounts the attackers set up. The FBI refers to these as Business Email Compromise messages (BEC). The broader interpretation is any external email coming in, claiming to be from an internal user (like the CEO) wanting an employee to do something that compromises the integrity of business operations. This is a very dangerous attack vector because of how successful it is. With the damage companies face in the millions per year in losses.

What can you do?

There’s unfortunately no single fix to rule them all when it comes to blocking phishing in general. Attackers are constantly testing new methods and finding what works and what gets to the user’s inbox. But there are some steps an organization can take to try to combat them.

  • Use encrypted email – Have it be company policy that certain bits of sensitive data should always be encrypted when sent via email. Ideally no information would ever be sent externally, but by following this protocol, the data would still ideally remain secured and unusable by the third-party.
  • Look at the recipient address when replying – A quick glance to the “To”: address when replying could potentially stop many of the spearphishing attacks. Attackers like to use things like freemail accounts (Outlook, Gmail, Yahoo, etc.) in the Reply To: field in a message in when phishing. This is only visible to most users once they go to reply. If they are willing to spend a few dollars, they even register domain names very similar to the victims domain.
  • Have 2-factor verification – Having a company policy where it’s acceptable to transfer $50k with a single email request is a bit loose with the coffers. It’s best for everyone if there is a second verification in place such as a quick office visit or phone call. Same with sending around something like all employees W-2 files.
  • Hover over links in messages – Sometimes spearphishing is aimed at just that single email communication to get through to a user and doesn’t need the back and forth. Such as providing a phishing link looking for their email login, linking all the information to do a wire transfer for an external site, or even providing a link for the employee to upload sensitive company data to. Knowing where you are going online by hovering as well as glancing at URLs once you are there is a common security tactic that some people need to follow more closely.
  • Don’t be afraid of your boss – Yeah, this can be a tough one. But some of these spearphishing emails rely on using the CEO name as a strong-arm to get an employee to do something. By writing the text in a way that sounds urgent or demanding, some employees may forgo any set policy and bypass procedures in place to please their boss. After all, they think the CEO is ordering them to. Obviously questioning every order that comes down isn’t feasible or advisable, but again there are certain things like sending W-2s and wire transfers that should have set policies in place where everyone follows them no matter what. It’s better to question all wire transfers than to miss that one and send $20k to some foreign account.
  • Use an email filter – This can be the obvious one here. But many email filters have some advanced features and tests that can catch these sorts of attacks that people may not be aware of. At AppRiver, we have an advanced spearphishing test that can look for these types of low-key phishing email tactics and stop them. If you have a filter service that doesn’t have spearphishing features in it, you can even do something like block external email using your domain name in it, so that any email using your domain name, but coming from somewhere that’s not your own server, gets blocked. Or enable SPF on your own domain and verify that on any incoming messages.


Recently, we stumbled across an existing website that seems to be part of some adware that a user can inadvertently install that changes his homepage to While this site has no relation to the AppRiver Web protection platform, SecureSurf™, it does share a similar name. The culprit is likely software or adware that changes a homepage to the malicious site. If this happens to you, a quick search online will show a few helpful guides on removing that software from your computer.

There are a few variants that seem similar to this situation. Usually, the initial problem occurs with bundled software installs. Bundled installs couple software that a user deliberately installed with software the user did not select to install. Typically, this is where it will install additional software without the user knowing, often by the user being automatically opted in to the complete install and not specifying that nothing other than the original program is to be installed.

Sometimes, this additional software can be what is known as a Potentially Unwanted Program (PUP). This type of software markets itself as being useful to users because it tracks browsing history and shows more advertisements based on searches. While maybe not breaking any rules and being valid software to the creators, PUPs are usually an opinionated class of software that generally users would never elect to install on their own. The installs could be attributed to bundles of software packages or users being tricked in to installing it.

Having a PUP on a computer can have a few consequences sometimes. They can hijack things like Web browser search results, possibly showing users links that are more likely to make the program authors money. They can sometimes inject their own advertisements in to webpages where a user otherwise may have seen a different ad or no ad at all. Some can even go as far as tracking users’ browsing habits to gather information on them.

The bottom line: Web protection like SecureSurf can help keep malware like off of your computer.

Our annual Global Security Report, which highlights email and Web-borne malware threats from the previous year, is out on shelves. Our findings indicate that botnets are making malware and spam campaigns more accessible than ever, which likely contributed to 2016’s escalation in malware activity—which clocked in at 15.5 billion malicious emails and 30.4 billion spam emails during 2016. The report also includes metrics from Web-borne threats, reporting an average of 40 million unique threats daily throughout the second quarter.

The report notes that in addition to traditional hardware like personal computers, the Internet of Things (IoT) delivers a new catalogue of devices that can be hacked for nefarious purposes. Smart watches, mobile phones, and smart assistants offer botnets millions of more devices that can be used to deliver their malware campaigns, or even to gather data on unfortunate consumers.

The report also includes predictions for 2017, including:

  • Acts of cyber aggression will become the new front lines between nation states
  • Mobile malware will become a household name
  • IoT botnets will continue to wreak havoc
  • Ransomware will continue to be the most prolific threat on the Web
  • New legislation will be passed to give more investigative powers to law enforcement

To read the full report, visit

As many of you may already know, AppRiver offers Office 365 under the Microsoft Cloud Solution Provider (CSP) program. Under a two-tier CSP, like AppRiver, partners have the ability to sell both Office 365–and the products that secure it, like spam and virus filtering, email continuity, and Web protection.

However, the most common obstacle we hear from partners is that new or potential clients are either already signed up for Office 365 through Microsoft directly, or through another Office 365 vendor/reseller. Before CSP, moving that account away from Microsoft or another Office 365 reseller required a full data migration, which was quite the undertaking.

Now through CSP, partners can move to an AppRiver tenancy without having to go through a full data migration. Partners are able to migrate the account within just a few clicks within the Partner Portal, and have the ability to use their Microsoft MPN ID so that they receive their Microsoft partner points for Office 365 accounts held with AppRiver.

In addition to easy migration tools, AppRiver’s CSP program offers the following:

  • complete ownership of the billing cycle for resellers
  • 10% commission for the life of the account for referral agents
  • tiered partner levels so that partners can have access to the resources they need to be successful
  • Office 365 Internal Use Rights licensing
  • 100% Partner Success Guarantee
  • free, on-demand partner certification training from AppRiver University
  • appMailer, a free, proprietary email marketing solution designed by AppRiver
  • dedicated channel sales team

To learn more or to get started, please contact us at


Windows shortcut files have seen a small rise in popularity lately. The shortcut files, using the .lnk file extension, are essentially small files Windows uses to point elsewhere in the file system. Normally you may think of shortcuts to other programs like your browser or a game residing on your desktop. Well this malware is essentially operating in the same way, but taking advantage of the powerful Windows shell tool…Powershell.

The “missed parcel” tactic is a pretty common theme among malware campaigns. It’s vague enough to get most users attention in to wanting to click for more detail. The same can be seen with missed fax/voicemail/jury duty, etc campaigns. This one was pretty plain with a zip attached promising more information once opened.

Inside that zip file is a shortcut (.lnk) file. The target for this shortcut file though point to Powershell. For those not in the know, Powershell is a command line based utility in Windows. Essentially it’s capable of doing anything you would normally do inside the operating system with the added ability of supporting scripting as well as a plethora of other things. It is essentially a programming language for controlling the entire Windows OS. Most average users likely won’t be using or know of Powershell, but in the hands of a malware author it can be used for their malicious purposes.


In this case, the shortcut that point to running Powershell also passes along some command line options. These are the core of what makes this file malicious. It is fed a list of url’s to try and connect to, download the payload, and execute said payload. The files seemed to each have unique uri identifiers in them in a sub web directory of /counter/ in the server dishing out the actual payload.

Ultimately the downloaded payload in this specific case is a version of the Osiris ransomware. It spins up a process labeled a1.exe based on the file it downloads form one of the url’s passed to powershell and goes to work on the system encrypting files. Once it is completed, it changes the desktop background and you get a file pop up describing what has happened to your system.


Ransomware is going to be around a while and most follow the same tactic of encrypting, notifying you, and demanding money for the files back. One of the factors in to the success of an attack campaign is how the malware is being delivered in the first place. So .lnk files are yet another file type being abused for malware delivery and a tactic we’ll likely see more of.