
Mimecast : Detecting and Preventing a TA551 Email Spam Strike

02/02/2021 | 10:26am EDT
TA551 email spam attacks are carefully constructed and very difficult to detect. Only in-depth analysis of the emails, combined with enhanced antivirus scanning, has been able to defeat them.

Key Points:

  • Like a chameleon, a TA551 attack blends in with its surroundings, which makes it extremely difficult to spot without advanced analytics.
  • The malware-laden emails use a variety of techniques, such as stolen content and stolen SMTP credentials, to appear legitimate and deceive their intended victims.
  • Mimecast's data scientists have closely analyzed the threat (see the recent whitepaper TA551/Shathak Threat Research for more details) and have developed a two-pronged strategy to defeat it.

The ongoing wave of TA551 email spam attacks - also known as the Shathak threat campaign - has posed some particularly nasty challenges for email security providers.

TA551 is an email-based malware distribution scheme that targets English speakers in particular, but also speakers of Japanese, Italian, German and some other languages. First observed in late 2019, a TA551 attack seeks to implant one of several malware families, including Ursnif, IcedID and Valak. These are banking trojans and malware loaders used to steal banking information, and much of the TA551 perpetrators' activity is concentrated in the financial sector.

As is typical of such campaigns, the threat level dropped somewhat in January as business activity slowed at the start of the new year. Throughout December, the Mimecast Threat Center was detecting between 2,000 and 7,000 emails a day that matched the characteristics associated with TA551 incursions. While the attackers' identity and the full extent of their motives are unknown, the sharply focused and consistent nature of the spoofing suggests professional spammers with substantial resources at their disposal.

Why the TA551 Threat Is So Insidious

What makes this email spam campaign so insidious is the chameleon-like nature of the threat. No two attacks are identical, and the emails are assembled from stolen content, which makes them appear both relevant and legitimate to their intended victims.

Here's how it works:

  • The spammers send an email with a Zip file attachment. The archive contains a Microsoft Word document (or a similar Office file) carrying malicious macros. Once the recipient opens the document and allows the macros to run, they execute and infect the user's device.
  • The Zip files are password protected, which prevents antivirus software from inspecting their contents. The passwords are randomized and differ from email to email. The recipient receives the password in the body of the email. Here is a real-life example of how one reads: 'Hello. Here's the important information for you. See the attachment to the email. Password 1636721.'
  • Many of the attached files are named after the target company. For XYZ Co., for example, the filename would be 'XYZ.zip'. This makes the email appear more credible to the receiver.
  • The spammers send through stolen SMTP credentials, so the email originates from a legitimate mailbox at a legitimate provider. This also makes detection based on infrastructure parameters (sender IP reputation, SPF and DKIM results) quite difficult, since every message appears to come from a legitimate provider.
  • Given the resources apparently at their disposal, the perpetrators never have to reuse anything that would make the emails easier to spot. They appear to have the capacity to keep rotating to a new set of credentials, a new sender address, new content and so forth.
  • The emails are context-aware. Their subject lines, their content and the content of the attached files all correspond to the recipient's company, job function and professional contacts. They may also reference recent projects in which the intended victim is involved.

When you add all this up - the compromised credentials, the piggy-backing on the names and credibility of the target companies, the context-aware emails assembled from stolen information - it becomes clear why employees at so many companies have been duped into opening these malware-laden attachments. Nothing about the emails or their contents alerts the recipient that something is amiss, making it very easy to fall into the spammers' trap.
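The chain described above (password-protected Zip, password in the body, archive named after the target, macro document inside) is what an analyst or a mail gateway has to reason about for each message. The Python script below is an added example written for this page; it is not Mimecast's detection code and not taken from the whitepaper. Because the standard library cannot write a password-protected archive, the script first builds a constructed sample lure with its own ZipCrypto encryptor (all addresses, names, the document bytes and the password are invented), then runs the triage checks: find a password token in the body, detect the encryption flag on the archive, compare the archive name with the recipient's organisation, open the archive with the body password and check whether the payload is a legacy or macro-enabled Office document.

```python
import binascii, io, os, re, struct, zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# ---- Constructed sample: a TA551-style lure with a ZipCrypto-protected archive ----
def zipcrypto_encrypt(data: bytes, pwd: bytes, check_byte: int) -> bytes:
    """Traditional PKWARE 'ZipCrypto' (weak; used here only to build the sample).
    Mirrors the decrypter in CPython's zipfile so that zipfile can open the result."""
    keys = [0x12345678, 0x23456789, 0x34567890]
    def crc_step(crc, b):                        # one table step of CRC-32, no init/final XOR
        return binascii.crc32(bytes([b]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF
    def update(p):
        keys[0] = crc_step(keys[0], p)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = crc_step(keys[2], keys[1] >> 24)
    for p in pwd:
        update(p)
    out = bytearray()                            # 12-byte header (last byte = CRC high byte), then data
    for p in os.urandom(11) + bytes([check_byte]) + data:
        k = keys[2] | 2
        out.append(p ^ (((k * (k ^ 1)) >> 8) & 0xFF))
        update(p)
    return bytes(out)

def build_encrypted_zip(name: str, data: bytes, pwd: bytes) -> bytes:
    """Single-entry, stored ZIP with general-purpose flag bit 0 (encrypted) set."""
    crc = binascii.crc32(data) & 0xFFFFFFFF
    body, fn, flags = zipcrypto_encrypt(data, pwd, crc >> 24), name.encode(), 0x0001
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, 0x21,
                        crc, len(body), len(data), len(fn), 0) + fn
    cdir = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, 0, 0, 0x21,
                       crc, len(body), len(data), len(fn), 0, 0, 0, 0, 0, 0) + fn
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(cdir), len(local) + len(body), 0)
    return local + body + cdir + eocd

def build_sample_email(pwd: bytes = b"1636721") -> bytes:
    """Invented lure: org-named archive, legacy .doc (OLE2 magic) inside, password in the body."""
    doc = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\0" * 64
    msg = EmailMessage()
    msg["From"] = "accounts@partner-firm.test"   # in the real campaign: a legitimate mailbox, stolen SMTP creds
    msg["To"] = "j.doe@xyz.test"
    msg["Subject"] = "Re: XYZ Co. contract"
    msg.set_content("Hello. Here's the important information for you.\n"
                    f"See the attachment to the email. Password {pwd.decode()}.")
    msg.add_attachment(build_encrypted_zip("XYZ.doc", doc, pwd),
                       maintype="application", subtype="zip", filename="XYZ.zip")
    return msg.as_bytes()

# ---- Triage: the checks an analyst applies to a suspected TA551 message ----
PASSWORD_RE = re.compile(r"\bpassword\W{0,3}([A-Za-z0-9]{4,32})\b", re.I)
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
MACRO_EXT = (".doc", ".dot", ".docm", ".dotm", ".xls", ".xlsm", ".xlam", ".ppt", ".pptm")

def looks_like_macro_doc(name: str, data: bytes) -> bool:
    """Legacy OLE container or macro-enabled extension; for OOXML, a vbaProject.bin part."""
    if name.lower().endswith(MACRO_EXT) or data.startswith(OLE_MAGIC):
        return True
    if data.startswith(b"PK"):
        try:
            return any(n.endswith("vbaProject.bin") for n in zipfile.ZipFile(io.BytesIO(data)).namelist())
        except zipfile.BadZipFile:
            return False
    return False

def triage(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain", "html"))
    m = PASSWORD_RE.search(body.get_content() if body else "")
    pwd = m.group(1).encode() if m else None
    org = parseaddr(msg["To"])[1].split("@")[-1].split(".")[0].lower()   # "xyz" for xyz.test
    f = dict(password_in_body=bool(pwd), encrypted_zip=False, named_after_recipient_org=False,
             opened_with_body_password=False, macro_document=False)
    for part in msg.iter_attachments():
        name, data = part.get_filename() or "", part.get_payload(decode=True) or b""
        if not data.startswith(b"PK\x03\x04"):        # judge by content, not by the claimed extension
            continue
        zf = zipfile.ZipFile(io.BytesIO(data))
        f["named_after_recipient_org"] |= name.lower().split(".")[0] == org
        for info in zf.infolist():
            if not info.flag_bits & 0x1:                # bit 0 = traditional encryption
                continue
            f["encrypted_zip"] = True
            if not pwd:
                continue
            try:                                        # open the payload with the lure's own password
                inner = zf.read(info, pwd=pwd)
            except (RuntimeError, zipfile.BadZipFile):  # bad password: check-byte or CRC mismatch
                continue
            f["opened_with_body_password"] = True
            f["macro_document"] |= looks_like_macro_doc(info.filename, inner)
    f["verdict"] = "TA551-like" if f["encrypted_zip"] and f["password_in_body"] else "no match"
    return f

if __name__ == "__main__":
    print(triage(build_sample_email()))
```

The verdict deliberately keys on the combination that defines the lure (encrypted archive plus a password token in the body) rather than on anything the attackers rotate per message, such as sender, subject or archive name; the remaining flags are evidence for the analyst. Note that ZipCrypto's one-byte password check lets a wrong password slip through about one time in 256, which zipfile then catches as a CRC error, so both exception types are handled.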

Mimecast's Strategy to Defeat TA551

Mimecast's data scientists have now closely analyzed the TA551 campaign (for a deeper dive into what we found, see our recent whitepaper, TA551/Shathak Threat Research) and have developed a two-pronged strategy to defeat it, combining detection techniques at our antivirus and anti-spam layers.

The Bottom Line

TA551/Shathak is an insidious email-based spam campaign aimed at compromising corporate networks. The emails and their malware-laden attachments withstand close inspection and are exceedingly difficult to spot. In response, Mimecast has closely analyzed this threat, which has allowed us to develop antivirus and advanced detection capabilities that are able to defeat it.



Mimecast Limited published this content on 02 February 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 02 February 2021 15:25:01 UTC.
