BSI: Emotet attacks rising

In individual cases, affected organizations have suffered outages of their entire IT infrastructure, which restricted critical business processes and caused millions of dollars' worth of damage. Emotet continues to be distributed through large-scale spam campaigns and poses an acute threat to businesses, government agencies and home users.

Outlook harvesting by Emotet

Through so-called "Outlook Harvesting", Emotet is able to send authentic-looking spam mails. To do so, the malware reads contact relationships and, more recently, also e-mail contents from the mailboxes of already infected systems. The perpetrators use this information to spread the malware further in subsequent spam campaigns, so that recipients receive fake e-mails from senders with whom they were recently in contact.

The BSI therefore expects a further increase in well-crafted, automated social engineering attacks of this kind in the future, which the recipient can barely identify as such. This method is also suited to highly specialized spear-phishing attacks on particularly high-value targets.

Emotet is also able to download additional malicious software as soon as it has infected a computer. These malicious programs allow attackers to read out access data and obtain complete remote access to the system.

How can organizations protect themselves from Emotet?

Although there is no absolute protection, a number of protective measures can be implemented at both organizational and technical level that significantly reduce the risk of infection. These include, in particular, measures for the secure handling of e-mail. If in doubt, discuss the feasibility of these steps with your IT department or IT service provider.

From the BSI's point of view, the following measures MUST be implemented within the IT infrastructure:

  • Regular information and awareness training for users about the dangers of e-mail attachments and links, including the advice that, even with supposedly known senders (see also fake sender addresses), attachments, links, and files downloaded via them should in case of doubt be opened only after consulting the sender (and in particular no Office documents). Users should immediately report any anomalies to IT operations and the IT security officer.
  • Timely installation of the security updates provided by manufacturers for operating systems and application programs (in particular web browsers, browser plug-ins, e-mail clients, office applications, PDF document viewers), ideally automated via central software distribution.
  • Use of centrally administered AV software. Regularly check that AV signature updates are successfully rolled out to all clients.
  • Regular execution of multi-level backups, especially offline backups. A backup concept always includes planning the restart and testing the restoration of data.
  • Regular manual monitoring of log data, ideally supplemented by automated monitoring with alerts for serious anomalies.
  • Network segmentation (separation of client, server, domain controller and production networks, each with isolated administration) according to different trust zones, application areas and/or regions.
  • Errors by internal users pose the greatest threat. All user accounts must therefore have only the minimum permissions required for their tasks.
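As an added example (not part of the BSI advisory), the following Python check applies the first measure above to an incoming message: it flags an Office attachment sitting inside a reply thread and a display name that belongs to a known contact but arrives from a different address, the pattern that Outlook harvesting produces. The sample message and the `KNOWN_CONTACTS` address book are constructed for this example; a real deployment would feed messages from the mail gateway.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: a reply-style mail that mimics a recent contact and
# carries an OLE (legacy Word) attachment; the base64 body is the OLE magic.
SAMPLE_EML = b"""From: "Anna Becker" <anna.becker@mail-delivery.example>
To: finance@corp.example
Subject: RE: Invoice 4711
In-Reply-To: <20190901.1234@corp.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached document.
--b1
Content-Type: application/msword; name="Invoice_4711.doc"
Content-Disposition: attachment; filename="Invoice_4711.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuE=
--b1--
"""

# Assumed address book (constructed): display name -> legitimate address.
KNOWN_CONTACTS = {"Anna Becker": "anna.becker@partner.example"}

OFFICE_EXTENSIONS = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptm")
REPLY_PREFIXES = ("RE:", "AW:", "WG:", "FW:")


def analyse_message(raw: bytes, contacts: dict) -> dict:
    """Return sender, findings and a quarantine decision for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []
    # Known display name with an unexpected address: a look-alike sender.
    expected = contacts.get(name)
    lookalike = bool(expected) and expected.lower() != addr.lower()
    if lookalike:
        findings.append(f"display name '{name}' used with unexpected address {addr}")
    # Office documents are the attachment type the advisory singles out.
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    office = [n for n in names if n.lower().endswith(OFFICE_EXTENSIONS)]
    if office:
        findings.append("office attachment(s): " + ", ".join(office))
    # Reply threading is what harvested conversations make look authentic.
    in_thread = bool(msg.get("In-Reply-To")) or str(msg.get("Subject", "")).upper().startswith(REPLY_PREFIXES)
    if office and in_thread:
        findings.append("office attachment inside a reply thread")
    return {"sender": addr, "findings": findings, "quarantine": bool(office) and (lookalike or in_thread)}
```

Messages marked `quarantine` are held for the consultation-with-the-sender step the advisory describes rather than delivered straight to the mailbox.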