Proofpoint’s 2020 Predictions: Downloaders and botnets abound while supply chains and account compromises will drive phishing

Every December, Proofpoint researchers examine trends from the prior year and predict changes in the threat landscape that defenders will encounter in the year to come. This year, we began to see the results of widespread RAT and downloader distribution, significant evolution in impostor attacks, and increasingly sophisticated attacks on cloud applications, among other trends that help paint a picture of what we can expect in 2020.

Notably, email will remain the initial threat vector of choice for most actors, driving credential phishing campaigns, targeted attacks that use malware to establish a beachhead within organizations, and widespread distribution of banking Trojans, downloaders, backdoors, and more. However, cloud-based email systems like Microsoft Office 365 and G Suite will themselves also be key targets for threat actors, providing platforms for future attacks and lateral movement within targeted organizations.


Despite its near absence as a primary payload in malicious emails, ransomware continued to make headlines throughout 2019, largely in so-called “big game hunting attacks.” We expect these types of attacks – in which threat actors focus on high-ransom attacks on servers and endpoints in mission-critical environments that are most likely to pay to decrypt their files for rapid recovery – to continue in 2020. These kinds of infections, however, are generally secondary to initial infections with RATs, downloaders, and banking Trojans, making prevention of initial infections critical for organizations and defenders. In 2020, organizations will increasingly find that once they are victims of ransomware, they have already been compromised with a versatile malware strain that creates potential future vulnerabilities and exposes data and intellectual property.

Complex infection chains

In 2019, messages that used URLs to distribute malware consistently outnumbered those that used malicious attachments. While most users have largely been conditioned to avoid attachments from unknown senders, the increasing prevalence of cloud applications and storage means that we are all conditioned to click through links to view, share, and interact with a variety of content. Threat actors will continue to capitalize on this in 2020, both because of its effectiveness in social engineering and because URLs can be used to mask increasingly complex infection chains that make detection more difficult than a simply linked payload. Whereas URLs frequently linked to an executable or a malicious document in the past, 2020 will see increases in the use of URL shorteners, traffic distribution systems, and other hops to hide final payloads from defenders and automated systems.

At the same time, campaigns will continue to increase in complexity and improve social engineering hooks to trick users into installing malware. We are continuing to see BEC tactics make their way into malware and phishing campaigns with threat actors using multiple points of contact like LinkedIn, thread hijacking, and multiple benign emails before ultimately delivering a malicious payload once they have established rapport with the victim. Similarly, modular malware designed to download additional capabilities or secondary malware post-infection will continue the trend of “quiet” infections that actors can exploit at a later time.

Abusing legitimate services

Along these same lines, threat actors will expand their abuse of legitimate services for hosting and distributing malicious email campaigns, malware, and phishing kits. For example, while the use of Microsoft SharePoint links to host malware has been common for some time, we are beginning to see it used for internal phishing. In this scenario, a compromised Office 365 account is used to send an internal phishing email linking to a phishing kit hosted on SharePoint using another compromised account. Victims are thus never redirected to an external phishing site, and the emails appear to come from legitimate users at the organization. This type of attack only requires a couple of compromised accounts and is difficult to detect, both for end-users and many automated security systems. We expect this technique to become more prevalent in 2020 because of its effectiveness.

Similarly, the widespread abuse of other legitimate cloud-based hosting services for malware delivery will continue, capitalizing on our conditioning to click through links for shared content and the inability of most organizations to blacklist services like Dropbox and Box.

Finally, we have observed high levels of malvertising activity associated with the Keitaro traffic distribution system (TDS). Keitaro is a legitimate service with a range of applications, primarily in web advertising, but it is frequently abused by threat actors looking to direct victims to specific payloads based on their geography or operating system. We expect this tactic to expand and continue in 2020 based on traffic statistics in 2020 and, again, the difficulty in blacklisting IPs associated with this type of service.

Brute force attacks get smarter

As organizations continue to adopt cloud-based productivity and collaboration software, these platforms become increasingly attractive targets for threat actors. Given the prevalence of Microsoft Office 365 credential phishing campaigns, the focus remains on compromising accounts for potential use in future campaigns, lateral movement within organizations, and exploitation of related services like Microsoft SharePoint.

While traditional brute force attacks on these and other cloud services will continue in 2020, we expect these attacks to become increasingly advanced:

  • Attacks regularly jump when credential dumps become available; threat actors will rely on more automation to enhance password stuffing and algorithms substituting common variations for leaked passwords or passwords cross-referenced from multiple dumps.
  • Hijacked vulnerable network devices will continue to drive large-scale, repeated, brute force attacks that will keep leveraging legacy email protocols to avoid authentication barriers (like MFA).
  • Automation of brute-force attacks using tools like Python and PowerShell will increase, as will hybrid attacks that make use of both legacy protocols and other infiltration techniques to gain unauthorized access.
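
For defenders, the pattern in the list above (one source failing against many accounts over legacy email protocols, then succeeding on one of them) can be looked for in sign-in logs. The following is an added example, not Proofpoint code; the log layout, protocol labels, thresholds and all sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: protocol labels as they might appear in an exported sign-in log.
LEGACY_PROTOCOLS = {"IMAP", "POP3", "SMTP"}

# Constructed sample: timestamp, user, source IP, protocol, result.
SAMPLE_LOG = """\
2020-01-06T08:00:01 alice@example.com 203.0.113.7 IMAP FAIL
2020-01-06T08:00:03 bob@example.com 203.0.113.7 IMAP FAIL
2020-01-06T08:00:05 carol@example.com 203.0.113.7 IMAP FAIL
2020-01-06T08:00:09 carol@example.com 203.0.113.7 IMAP OK
2020-01-06T08:00:12 dave@example.com 203.0.113.7 POP3 FAIL
2020-01-06T08:05:00 erin@example.com 198.51.100.20 IMAP FAIL
2020-01-06T08:05:20 erin@example.com 198.51.100.20 IMAP OK
2020-01-06T08:06:00 frank@example.com 192.0.2.44 WEB OK
"""

def parse(log_text):
    """Turn whitespace-separated log lines into sorted event tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guessing at fields
        ts, user, ip, proto, result = parts
        events.append((datetime.fromisoformat(ts), user.lower(), ip, proto.upper(), result.upper()))
    return sorted(events)

def find_legacy_spraying(events, min_users=3, window=timedelta(minutes=10)):
    """Flag source IPs that fail against >= min_users accounts over legacy
    protocols inside `window`; list accounts that then signed in from them."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev[3] in LEGACY_PROTOCOLS:
            by_ip[ev[2]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [(ts, user) for ts, user, _, _, res in evs if res == "FAIL"]
        # Take each failure as a window start and count distinct accounts hit.
        flagged = any(
            len({u for t, u in fails if ts <= t <= ts + window}) >= min_users
            for ts, _ in fails)
        if flagged:
            findings[ip] = {
                "targeted": {u for _, u in fails},
                "compromised": {u for ts, u, _, _, r in evs if r == "OK" and ts >= fails[0][0]},
            }
    return findings
```

A single user mistyping a password (erin in the sample) stays below the distinct-account threshold, while any account under "compromised" warrants a credential reset and a session review.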

It is worth noting that, while adoption of multifactor authentication is helping to mitigate risks associated with cloud attacks, vendors and organizations alike are finding that robust implementation carries its own challenges, driving organizations to look at biometrics and other potential solutions to secure their infrastructure, whether owned or purchased as a service.

Supply chains expose vertical and horizontal partners

Supply chain vulnerabilities took center stage with the breaches of major retailers in 2013 and 2014. While threat actors have continued to exploit the supply chain for everything from credit card theft to business email compromise (BEC), we expect this tactic to become even more sophisticated in 2020.

For example, many organizations allow suppliers to send emails on their behalf, whether for customer engagement, marketing, or otherwise. We have already observed the effects of compromises at these vendors, with widespread phishing campaigns able to abuse the brands on whose behalf the vendors typically send emails. Organizations are increasingly demanding that such vendors use their own email domains to better track campaigns and mitigate potential compromises.

We also expect organizations will begin looking more closely at the wide range of suppliers with which they engage. A recent look at a sampling of healthcare organizations revealed complex webs of suppliers, many of which did not apply the same types of email security as the organizations themselves, creating risks from potential compromises at the suppliers and exploitation of vulnerabilities. Knowing who these suppliers are and requiring specific types of email security in vendor contracts will be critical to limiting threat actors’ ability to hop from one supplier to another until they compromise intended targets.

Beyond headline-grabbing BEC attacks often associated with supply chains, the ability to increase the credibility of phishing attacks by impersonating suppliers or using compromised accounts at vendors will continue to drive further cloud account attacks in much the same way as internal phishing enables difficult-to-detect attacks in many organizations. These kinds of risks will also drive further adoption of DMARC as information security teams come together with procurement teams to demand standards-based approaches to vendor security.
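
One way a security team could check where its suppliers stand on DMARC before writing requirements into contracts, as an added example that is not part of the original post: it classifies each supplier's published DMARC record by enforcement level. The supplier domains and records are constructed, the status labels are this example's own, and the TXT values are assumed to have been collected from DNS beforehand.

```python
# Constructed sample: supplier domain -> TXT value published at _dmarc.<domain>
# (None means no record). Assumes the records were already collected via DNS.
SUPPLIER_DMARC = {
    "mailer.example": "v=DMARC1; p=reject; rua=mailto:dmarc@mailer.example",
    "billing.example": "v=DMARC1; p=none; rua=mailto:reports@billing.example",
    "print-shop.example": "v=DMARC1; p=quarantine; pct=25",
    "logistics.example": None,
    "legacy-crm.example": "v=spf1 include:_spf.example -all",  # not DMARC
}

def parse_dmarc(txt):
    """Return the tag dict of a DMARC record, or None if txt is not one."""
    parts = [p.strip() for p in (txt or "").split(";") if p.strip()]
    # RFC 7489: the version tag must come first and be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def classify(txt):
    """Map a record to missing / invalid / monitor-only / partial / enforced."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        return "monitor-only"  # receivers are asked to take no action
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        return "invalid"
    return "enforced" if pct >= 100 else "partial"

def audit(records):
    """Return {domain: status} for suppliers that are not fully enforcing."""
    statuses = {d: classify(t) for d, t in records.items()}
    return {d: s for d, s in statuses.items() if s != "enforced"}
```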

Training takes center stage

While automated systems can prevent many threats from reaching inboxes, users remain the final line of defense, especially as threat actors turn to voice and SMS phishing and multi-channel attacks. As a result, training is a critical component of security, but scarce resources demand that organizations be increasingly selective about the training they provide for their users. Thus, we expect that:

  • Training priorities will be driven by threat intelligence and the types of threats organizations are actually experiencing.
  • More organizations will rely on end-users to identify phishing attacks that slip through perimeter defenses. We expect to see wider adoption of in-client email reporting mechanisms including automation to avoid overwhelming IT resources.
  • Organizations will focus training on internal phishing and email account compromise as these are notoriously difficult to detect with automated systems.