Quarterly Threat Summary: January-March 2016

The Proofpoint Quarterly Threat Summary captures threats, trends and transformations we see within our customer base and in the wider security marketplace. Each day, we analyze more than 1 billion email messages, hundreds of millions of social media posts, and more than 150 million malware samples to protect people, data, and brands from advanced threats.

Analyzing how these threats shift each quarter allows us to spot larger trends and equip readers with intelligence they can act on and advice for managing their security posture.

We continue to see advanced threats across three key vectors: email, social media, and mobile.

Banking Trojans and ransomware dominated the email malware landscape in the first quarter, and impostor phishing (also known as business email compromise, or BEC) gained speed. The massive email message volumes of the Dridex banking Trojan malware gave way to the newly discovered Locky ransomware.

Social media content from top brands increased, further exposing them through social channels. Meanwhile, risky mobile apps continued to expose sensitive data, especially on Android devices. Below are key first-quarter takeaways.

Threats via Email


  • Ransomware is back in a big way with new variants and techniques emerging regularly. The emerging threat vaulted into the top ranks of malware used by cyber criminals. 24% of email attacks based on attached document files featured the new Locky ransomware. Dridex was the only malware payload used more frequently.
  • Impostor email threats (also known as business email compromise) are growing more mature and specialized. About 75% of impostor email phishing attacks rely on “reply-to” spoofing to trick users into thinking messages are from someone in authority.
  • Email continues to be the top threat vector. Malicious message volume rose 66% over the previous quarter—and more than 800% over the year-ago quarter. Dridex accounted for 74% of total attachment-based malicious email volume.
  • Java and Flash Player vulnerabilities continue to pay dividends for cyber criminals. Angler was the most used exploit kit, accounting for 60% of total exploit kit traffic. Neutrino and RIG exploit kit use was also up; volumes rose 86% and 136% over the previous quarter, respectively.

    Download the full report

Threats via Social Media

Every major brand we examined increased its social media[1] content by at least 30%. As the volume of fan- and brand-generated content increases, higher risk follows. Businesses are constantly challenged to protect their brand reputation and stop spam, pornography, and adult language from diluting their message.


Threats via Mobile


98% of all malicious mobile apps we examined targeted Android devices. This remains true despite the high-profile discovery of an iOS Trojan and the continuing presence of risky iOS apps and rogue app stores.


[1] The top five English-language Twitter and Facebook brands as tracked by Socialbakers.