We posted earlier in the year about the uptick in email attacks relating to the impending US tax deadline. Throughout tax season, we have continued to monitor tax-themed attacks in the form of bulk phishing, spearphishing, and malicious payloads. As the filing deadline quickly approaches, we are seeing a large volume of tax-related messages attempting to dupe users into divulging personal information. Several of the current email campaigns utilize PDF attachments claiming to contain pertinent tax info. These attachments contain links to an active phishing page where attackers lie in wait to collect consumers’ personal data.

The first comes with a very vague message and claims to contain W2 information.

The second email campaign takes a more aggressive approach and tries to startle the user into opening the attachment with the threat of a tax penalty.

Both campaigns are currently being quarantined for our SecureTide™ customers. However, if you are not a customer and you did receive one of these, there are a few obvious red flags that should prevent you from falling victim. Firstly, in the second message, the “IRS” is sending us an unsolicited message regarding important tax documents. This is not how they operate. Secondly, they will never send an attachment in an unsolicited email. Thirdly, the message states that they shared the document with the consumer via Dropbox (even though the file is directly attached). We think it’s safe to assume that this is also not IRS standard operating procedure. And lastly, though the attackers did insert the IRS into the friendly “from” section, the actual sending domain is not irs.gov.

What else can you do?

There’s no silver bullet when it comes to blocking phishing in general. Attackers are constantly testing new methods and finding what works and what gets to the user’s inbox. But there are some steps an organization can take to try to combat them.

  • Use encrypted email – Make it company policy that certain bits of sensitive data are always encrypted when sent via email. Ideally no information would ever be sent externally, but by following this protocol, the data would still remain secured and unusable by a third party.
  • Look at the recipient address when replying – A quick glance at the “To:” address when replying could potentially stop many of the spearphishing attacks. Attackers like to use freemail accounts (Outlook, Gmail, Yahoo, etc.) in the “Reply To:” field in a message when phishing. This is only visible to most users once they go to reply. If they are willing to spend a few dollars, attackers will even register domain names very similar to the victim’s domain.
  • Have 2-factor verification – Having a company policy where it’s acceptable to transfer $50k with a single email request is a bit loose with the coffers. It’s best for everyone if there is a second verification in place, such as a quick office visit or phone call. The same goes for sending around something like all employees’ W-2 files.
  • Hover over links in messages – Sometimes a spearphishing attack needs only a single email to get through to a user, without any back and forth. Examples include a phishing link seeking the user’s email login, a link to all the information needed to do a wire transfer for an external site, or a link for the employee to upload sensitive company data to. Knowing where you are going online, by hovering over links as well as glancing at URLs once you are there, is a common security tactic that some people need to follow more closely.
  • Don’t be afraid of your boss – Yeah, this can be a tough one. But some of these spearphishing emails rely on using the CEO name as a strong-arm to get an employee to do something. By writing the text in a way that sounds urgent or demanding, some employees may forgo any set policy and bypass procedures in place to please their boss. After all, they think the CEO is ordering them to. Obviously questioning every order that comes down isn’t feasible or advisable, but again there are certain things like sending W-2s and wire transfers that should have set policies in place where everyone follows them no matter what. It’s better to question all wire transfers than to miss that one and send $20k to some foreign account.
  • Use an email filter – This may be the obvious one. But many email filters have advanced features and tests that can catch these sorts of attacks, which people may not be aware of. At AppRiver, we have an advanced spearphishing test that can look for these types of low-key phishing email tactics and stop them. If you have a filter service that doesn’t have spearphishing features in it, you can even block external email that uses your domain name, so that any email using your domain name, but coming from somewhere that’s not your own server, gets blocked.
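
The header red flags described above (a friendly “from” name of IRS on a domain that is not irs.gov, a freemail “Reply To:”, a lookalike of your domain, and your own domain arriving from outside) can be checked mechanically. The sketch below is an added example, not AppRiver’s filter code; the protected domain example.test, the freemail list, the flag names and the sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch (not from the original post):
OWN_DOMAIN = "example.test"                   # the domain being protected
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
BRANDS = {"irs": "irs.gov"}                   # display-name word -> expected sender domain

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss copies of OWN_DOMAIN."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def red_flags(raw, external=True):
    """Return header-based warnings; `external` means the message arrived from
    a server that is not ours (a fact the receiving gateway already knows)."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain(from_addr), domain(reply_addr)
    flags = []
    words = re.findall(r"[a-z0-9]+", name.lower())
    for word, expected in BRANDS.items():
        if word in words and from_dom != expected and not from_dom.endswith("." + expected):
            flags.append("display-name-not-" + expected)
    if reply_dom and reply_dom != from_dom and reply_dom in FREEMAIL:
        flags.append("reply-to-freemail")
    if from_dom and from_dom != OWN_DOMAIN and edit_distance(from_dom, OWN_DOMAIN) <= 2:
        flags.append("lookalike-domain")
    if external and from_dom == OWN_DOMAIN:
        flags.append("own-domain-from-outside")
    return flags

# Constructed sample messages; only the headers matter here.
SAMPLES = {
    "irs": 'From: "IRS" <notice@tax-refund-docs.example>\nSubject: Tax penalty\n\nSee attached.',
    "ceo": 'From: "Jane Doe" <jane@example.test>\nReply-To: jane.doe.sample@gmail.com\n'
           'Subject: Wire today\n\nUrgent.',
    "lookalike": 'From: "Jane Doe" <jane@examp1e.test>\nSubject: W-2 files\n\nSend them.',
    "clean": 'From: "Bob" <bob@partner.example>\nSubject: Lunch\n\nNoon?',
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, red_flags(raw))
```

A flag here is a reason to hold a message for review, not proof of phishing; a real gateway would combine these with sender authentication results.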

Today we announced that we’re launching the first class of our new Veteran to Entrepreneur (V2E) program! V2E is a new start-up package that includes a comprehensive assistance program, including training, business counsel, marketing support, and a specialized, limited-time refund program providing additional capital to invest in veterans’ businesses. Since its inception, AppRiver has supported and hired veterans, including some senior managers who envisioned this new program.


“Many IT administrators have ambitions to open their own consulting practices, leveraging their years of experience and business contacts. Veterans trained in the information technology specialties have those same skills – and many others – that can help them transition into successful business owners,” said AppRiver channel manager Justin Gilbert, a former Navy air crewman. “Our entrepreneur start-up program provides veterans with the head-start they’ll need to go into business and succeed in the competitive technology marketplace.”


The AppRiver veteran program is designed as an “easy button” for interested and qualified veterans. Rather than simply earn a commission on their sales, veterans in the V2E program will for a limited time be refunded all the AppRiver revenue they earn. Coupled with multiple levels of training and support, the program is aimed to help veteran-entrepreneurs in the most challenging phase of a business – the critical first year.


After the first six months, or when the veteran-owned companies have earned $5,000 in revenue from AppRiver, they will have the option to remain as referral agents and receive commissions on future sales, or, if qualified, to become resellers who get discounted pricing and handle first-tier support calls for their clients.


“For a company just getting started, AppRiver’s cybersecurity services are a good way to develop a source of recurring revenue and to establish a trusted advisor relationship with their customers,” said Niels Andersen, a Navy veteran, serial entrepreneur and CEO of VetCV, a new online platform that encourages veteran entrepreneurship and helps veterans find jobs, gain easier access to VA health services, use artificial intelligence for Veteran suicide intervention, and learn about other resources that are available to them. “Every business needs online security and we’re pleased to offer AppRiver’s services to our vendor partners and affiliated companies who serve the veteran community.”


AppRiver is opening the program to veterans who own more than a 50-percent interest in a qualifying ISV, VAR, or MSP business that is less than one year old. It is aimed at, though not limited to, veterans whose military specialties include information technology.


“The partnering opportunity, which AppRiver presents to military veterans, is an excellent path for transitioning skills perfected on active duty into a viable business,” said AppRiver partner and Navy veteran Bob David, President of Technical Software Services, Inc. (TECHSOFT), now in its 27th year of business.  “One of the biggest challenges we faced as a start-up was in making the transition into the business community and acquiring the initial customer base that would allow us to survive.  The veteran partnership program that AppRiver is offering will provide the initial stream of recurring revenue that is essential to success during the early stages of a start-up company.”


For additional information and qualifications, please visit https://www.appriver.com/partners/v2e-program/

Complex Spamming Operation

Spam and virus filtering is a complicated operation. The other week, a friend of mine contacted me about an article he was writing that would be exposing the complexity of an international spamming operation he and another researcher uncovered. As I read through the layers of data and reviewed the spammer’s tactics, it became abundantly clear that spam is big business being carried out by sophisticated organizations using extreme tactics. The articles were written by Steve Ragan of CSO Online. The first article is “Spammers expose their entire operation through bad backups” and was posted on March 6th, 2017. In it, Steve details the sordid business that was uncovered as a result of data discovered by Chris Vickery, a security researcher with MacKeeper. His post relating to the data collected is found here.

Forms of Spam

An aside here; spam comes in two main forms (each with many subtle derivations within each form). The form that has been around the longest is what I call “scam spam.” Think stock tips that are too good to be true, Nigerian prince emails, male enhancement drugs, and various articles of worthless merchandise. The other form of spam we see is “malicious spam.” This is the stuff that is sent with the intent to do harm to the recipients, usually through malicious links or infected attachments.

The Offender

River City Media was involved in sending messages of the scam spam type, although their tactics could be, and likely are, employed by others with more nefarious intent. The amazing part of these disclosures is the degree to which River City Media went to ensure the veracity and deliverability of their unsolicited junk messages. First, this group contracted with legitimate brands, while at the same time engaging in mass spam campaigns hawking junk.

Key Tactics

Here are some of their key tactics:

  1. Used more than 1.34 billion email addresses to send their junk
  2. Changed corporate aliases and office locations regularly
  3. Used multiple less-than-reputable domain registrars
  4. Hosted resources with unscrupulous hosters
  5. Developed zero-day exploits targeting major email providers including Yahoo, AOL, Hotmail (Outlook.com), Juno, Gmail, Apple and others
  6. Infiltrated and read user email data without permission
  7. Tested campaigns with “warm up” accounts
  8. Worked with many other unscrupulous marketing companies to cover up their activities

You can read about some of the lessons learned in a subsequent article by Steve Ragan. The rest of the fallout from this discovery is being shared with the email providers most impacted with more reporting to follow.

Are You A Victim?

With more than 1.34 billion email addresses used, it’s likely that one or more of your email addresses was targeted by this organization. The good news is you can find out by visiting Have I Been Pwned and researching your desired email account(s). Once you sign up with this site by providing only your email address, they will proactively notify you if your accounts incur any pwnage in the future. Here is an email they sent me regarding one of my addresses. The subject of the message: “You’re one of 393,430,309 people pwned in the River City Media Spam List data breach.”

Example of the River City Media Spam List Notification Email

So what does this have to do with spam and virus filtering services like AppRiver’s SecureTide™? Plenty!

Spam and Virus Filtering Benefits

As you can see, spammers employ sophisticated tactics. Defending against their campaigns requires a great deal of time, resources and expertise. Most businesses don’t have the time, resources or expertise needed to implement an effective defense. SecureTide Spam and Virus Filtering does all that for you and offers the following advantages:

  1. Mail volume to your users is significantly reduced, saving them time and increasing productivity
  2. Malicious content is effectively removed, significantly reducing the likelihood of network compromise
  3. Emails that are filtered never reach your business network, improving network performance and lowering compliance costs
  4. Statistics and logs are easily tracked through the control panel
  5. Delivery rules can be managed by administrators
  6. Only messages addressed to actual users in your organization are processed and delivered
  7. You can limit inbound connectivity to only AppRiver servers, thus increasing the security of your network

And you can have all this for a few dollars per user per month. Most out there will spend more than that on an overpriced cup of coffee! So the next time you are thinking about the need for spam filtering, you have some info that can help you make an informed decision.



We don’t need to tell you that Office 365 margins are slim and being profitable is incredibly difficult. That’s why trying to compete with a high-volume, low-touch model doesn’t work. When you’re looking for the best practices to set you apart, consider these opportunities:

  1. Bundled Services: The most obvious solution is to upsell complementary services that protect your customers’ inboxes. The breadth of the services you want to offer is ultimately up to your comfort level, but a good starting point is to analyze the verticals you serve–or wish to serve–and move from there. We’ve listed some categories below that range from basic, “everyone needs ’em” type solutions, to compliance and industry-specific solutions.
    • Standard Security Solutions:
      • Email spam and virus filtering
      • Web protection
      • Email continuity
    • Compliance Solutions:
      • Email archiving
      • Message encryption
    • Specialized Solutions:
      • Video and/or phone conferencing
      • Intelligent business applications (such as Dynamics 365)
  2. White Glove Customer Support: Everyone hates the abyss of touch-tone prompts by a virtual receptionist followed by a purgatory on hold when they need customer support. Making customer support simple for your Office 365 customers (as well as other services you may offer) can be the difference between a customer getting Office 365 directly from Microsoft or from you. There are a couple of ways to tackle this.
    • Leverage some of the many training tools available to become competent in supporting Office 365. Whether you get this training from Microsoft or from a CSP (AppRiver offers our own Office 365 support training for partners), having the ability to support your own customers is a powerful tool.
    • If you don’t have the resources (or virtue of patience) to support your customers’ Office 365 issues, find a CSP that has a partner tier that will assume the responsibility of supporting Office 365, like AppRiver’s Advisor Plus Program.
  3. Efficient Billing and Management Portals: In order to be able to manage and bill your customers timely and accurately, you need an intuitive, user-friendly partner portal. Whether you’re purchasing/building your own management portal, or leveraging your CSP’s, here are some key functionalities you should look for:
    • Simple license management
    • Easy Office 365 provisioning (as well as other services)
    • Consolidated billing
    • Ability to order additional and even third-party apps through a single portal
    • Microsoft Partner Number (MPN) entry (to enable proper credit for Microsoft services sold)
  4. Healthy Margins: All of the above are great, but if you aren’t being paid fairly to do them, there’s a problem. It’s important to partner with a CSP that understands that a profitable partner is a stable one. That’s why AppRiver’s reseller margins begin at 20 percent and our referral margins begin at 10 percent.
  5. Partner Resources: Being knowledgeable about a service and being able to market it are nearly as important as the service itself. That’s why AppRiver’s partners may access AppRiver University, AppRiver’s online training portal, as well as appMailer, AppRiver’s email marketing solution, from within our Partner Portal. Both are offered for free to our partners.




It’s incredibly frustrating when your server is bogged down with unwanted mail. Naturally, spam accounts for most such messages, but what about other messages that aren’t spam? We’ve written before about how AppRiver helps you divert bulkmail, but there are still other messages that are addressed to users whose names are misspelled or even users who just don’t exist at your domain.

Don’t worry, though, AppRiver has this covered as well.

With our SecureTide™ Spam and Virus protection, admins have the option to put their domain in either open mode or closed mode. Open mode processes all messages regardless of who they are addressed to, sending all valid mail to your server. This is desirable for new accounts that want to make sure that they don’t miss any addresses. Closed mode, however, processes messages only for addresses listed on your Customer Portal interface.

What happens to the messages addressed to unlisted addresses? Well, that’s up to you. With the hold action, they are held in the admin quarantine for view and release. But with the delete action, they are permanently deleted. This won’t bounce the messages or let spammers detect valid addresses.

Open mode is always suggested until you’re confident all your users are listed. We recommend our LDAP (Lightweight Directory Access Protocol) tool for that. LDAP keeps all your user addresses, alias addresses, and email groups in sync. As for Hosted Exchange customers, we already take care of that for you!

Learn more about these options and how else SecureTide can work for you.