
What are payloadless attacks?

Posted by Frank Horenberg on 1st April 2025


Email has long been a preferred attack vector for cybercriminals, and the methods being used to breach our email defences are constantly evolving. One game-changing method today is the payloadless attack, commonly used in business email compromise (BEC) or email account compromise (EAC). 

Payloadless attacks lack a technical element (for example, a malicious attachment or link), making them particularly difficult to identify with traditional email security rules. Instead, payloadless attacks use deception and social engineering to manipulate the victim into taking a specific action.  

In this blog, we’ll investigate why payloadless attacks are so difficult to identify and how organizations can protect their people from falling foul of them. 

What are payloadless attacks? 

Payloadless attacks are phishing or spear-phishing attempts that rely solely on the content and specific messaging of an email to achieve their goals. Instead of embedding malware, malicious links, or attachments, these attacks use carefully crafted messages to exploit the victim. A common type is impersonation of an authoritative figure, such as a CEO, CFO, or vendor; the email requests an action from the victim, such as transferring funds, providing information, or approving a fraudulent transaction. Sometimes these attacks are multi-staged: information gained from a first victim (an org chart, an invoice number, a colleague’s name) is used to craft a more targeted follow-up, increasing the likelihood of success.  

How to identify payloadless attacks: 

  • No malicious attachments or links: There’s no technical payload to scan or block, so traditional email filters find nothing to act on.
  • Impersonation: Attackers will often impersonate high-ranking individuals or trusted entities. 
  • Sense of urgency: The email creates a time-sensitive scenario, pressuring the recipient to act quickly without questioning the legitimacy of the request. 
  • Direct action requests: Victims are faced with a specific request, such as transferring money, sharing credentials, or updating account information. 
  • Change of channels: While email is closely monitored, attackers try to persuade the victim to communicate via other (unmonitored) channels, such as instant messaging, to prevent detection.  
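The signals in the list above can be turned into rules. The following is an added Python example, not code from the original post or from Zivver: it parses two constructed messages (the addresses and wording are invented) and reports which of the signals each one triggers. The organization domain, the list of executive names, and the keyword patterns are assumptions for illustration; a real deployment would tune them to the organization and expect false positives.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample messages for illustration; the addresses and text are invented.
CEO_FRAUD = """\
From: "Jane Doe" <jane.doe.ceo@gmail.com>
Reply-To: jd.private@freemail.example
To: finance@example.com
Subject: Urgent - confidential wire today

Hi, I'm in a meeting and can't take calls. I need you to process a wire
transfer before 3pm today to close a confidential deal. Text me on
WhatsApp once it is done and do not discuss this with anyone yet.
"""

BENIGN = """\
From: "Jane Doe" <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget review

Hi all, the Q3 budget review is scheduled for next Tuesday at 10am.
The agenda is in the shared drive. Thanks.
"""

# Assumed organization data: the protected domain and executives attackers like to impersonate.
ORG_DOMAIN = "example.com"
VIP_NAMES = {"jane doe", "john smith"}

# Keyword rules for the social-engineering signals; tune these per organization.
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|right away|time.sensitive|end of day)\b", re.I)
ACTION = re.compile(r"\b(wire|transfer|bank details|gift cards?|invoice|payment|password|mfa code|verification code)\b", re.I)
CHANNEL_SWITCH = re.compile(r"\b(whatsapp|text me|telegram|signal|my mobile|personal (email|number))\b", re.I)
SECRECY = re.compile(r"\b(confidential|do not (tell|discuss|share)|keep this between)\b", re.I)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def bec_signals(raw_message):
    """Return the list of payloadless-attack signals found in an RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(msg["From"] or "")
    _, reply_addr = parseaddr(msg["Reply-To"] or "")
    text = (msg["Subject"] or "") + " " + msg.get_body(preferencelist=("plain",)).get_content()

    signals = []
    # Impersonation: an executive's display name on a message sent from outside the organization.
    if display_name.strip().lower() in VIP_NAMES and domain_of(from_addr) != ORG_DOMAIN:
        signals.append("vip_name_external_sender")
    # Replies quietly redirected to a mailbox the attacker controls.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        signals.append("reply_to_mismatch")
    for label, pattern in (("urgency", URGENCY), ("direct_action_request", ACTION),
                           ("channel_switch", CHANNEL_SWITCH), ("secrecy", SECRECY)):
        if pattern.search(text):
            signals.append(label)
    return signals


def is_suspicious(raw_message):
    """Impersonation alone is enough; otherwise require several social-engineering cues together."""
    signals = bec_signals(raw_message)
    return "vip_name_external_sender" in signals or len(signals) >= 3


if __name__ == "__main__":
    for name, raw in (("CEO_FRAUD", CEO_FRAUD), ("BENIGN", BENIGN)):
        print(name, is_suspicious(raw), bec_signals(raw))
```

Note that none of these checks inspect a link or attachment; they look only at who the message claims to be from, where replies would go, and what the text asks for, which is exactly the ground a signature-based filter never covers.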

Why payloadless attacks are difficult to block 

Traditional email security solutions, such as Secure Email Gateways (SEGs), rely on scanning for known signatures, malicious URLs, or suspicious attachments. Since payloadless attacks contain none of these elements, they can pass through filters unnoticed, landing in the victim’s inbox and relying solely on the individual to notice something suspicious and act. Their reliance on social engineering rather than technical exploits places the onus on human judgment, which can be inconsistent and error-prone. 

With the proliferation of generative AI tools (for example, WormGPT), the language used in these attacks often mimics legitimate business communication, so poor spelling and grammar are no longer a reliable tell. By impersonating trusted internal or external figures, attackers exploit established relationships rather than any technical weakness. 

Examples of payloadless attacks 

1. CEO fraud: A finance team member receives an email purportedly from the company’s CEO, requesting an immediate wire transfer to close a “confidential” deal. The email carries no links or attachments but uses tone and urgency to coerce action. 

2. Vendor impersonation: An attacker poses as a known vendor, informing the accounts payable team of a “change” in banking details. The team is asked to update the payment information for upcoming invoices. 

3. Credential harvesting requests: The attacker impersonates IT or HR personnel and requests sensitive information such as account passwords, bank details, or multi-factor authentication codes. 

 

How to defend against payloadless attacks 

Traditional email security tools, such as the protection built into Microsoft 365 or a Secure Email Gateway, can fall short at detecting and blocking BEC attacks. However, through a combination of technology and employee awareness, organizations can take action to mitigate the risks while improving their security posture. Here’s how: 

Advanced email threat protection  

Modern Email Threat Protection (ETP) solutions use machine learning models to analyse signals such as the context and intent of a message, flagging anomalies that indicate malicious behaviour. Standard, built-in tools, however, are often inflexible: their detections cannot be tuned to the organization, so more advanced threats (including payloadless attacks) slip through, and triage depends on time-consuming manual intervention. 

Forward-thinking IT leaders are realizing the benefits of advanced ETP solutions. These allow IT teams to leverage hundreds of threat detection rules, providing a flexible and tailorable approach to inbound threat security. Advanced ETP tools can identify when an email address or display name is spoofed, and detect the tone, urgency, and language patterns of an email message, providing a clear overview of detected threats.  

Employee awareness and training 

Employee awareness is critical for protecting an organization from malicious attacks. While cyber security training is effective in fostering overall cyber resilience, payloadless attacks are often very difficult to identify meaning traditional approaches to training can fall short. Employees often forget what they have learned, or the training itself fails to resonate with realistic day-to-day workflows.

Instead, it’s time to leverage AI to fight back – turning real threats into learning opportunities. Providing employees with in-the-moment training, aligned with existing workflows, is a far more intuitive and impactful approach to employee awareness.  

Implement strong internal policies 

In a recent survey of over 2,000 employees and 400 IT decision makers, we learned that 60% of employees admit to using workarounds to bypass security policies. While 73% of employees are aware of email security policies, only 52% adhere to them. Clearly, something isn’t working here. 

The issue lies in how policies are implemented. Rather than expecting employees to apply controls themselves to protect sensitive data, it is simpler and more reliable to enforce automated security controls wherever possible. Security functionality must be embedded into existing workflows; if it is unclear, confusing or clunky, employees will find alternative (often less secure) ways of handling sensitive data. 

Get basic email protocols right 

Email authentication standards, SPF, DKIM and DMARC, make it harder to spoof your domain by letting receiving mail servers verify who is allowed to send on its behalf. Your email domain is a lucrative target for cyber criminals and therefore it must be protected. SPF lists the servers permitted to send for a domain, DKIM adds a cryptographic signature the receiver can check, and Domain-based Message Authentication, Reporting and Conformance (DMARC) ties the two to the From: address the recipient actually sees and tells receivers what to do (none, quarantine or reject) when a message fails. Published with an enforcing policy (p=quarantine or p=reject), DMARC stops attackers sending mail that claims to come from your exact domain. It does not stop lookalike domains, display-name impersonation from free webmail accounts, or mail sent from a legitimately compromised account, which is why it is a baseline rather than a complete answer to payloadless attacks. 

DMARC aggregate reports also give IT leaders visibility into which sources are sending mail using the organization’s domains and whether that mail passes SPF and DKIM alignment, so unexpected senders (forgotten SaaS tools as well as attackers) can be found before moving to an enforcing policy. The reports show authentication results and the policy the receiver applied, not whether a message actually reached the recipient’s inbox, so they provide clarity and control over the organization’s email usage rather than a delivery guarantee. 
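The alignment rule that DMARC applies is what decides whether a spoofed From: address is rejected, so it is worth seeing it in code. The following is an added Python example, not code from the original post or from Zivver: it evaluates constructed scenarios (a legitimate message, an exact-domain spoof, and a lookalike domain) against assumed DNS records. The domains, records and authentication results are invented, and the organizational-domain lookup is simplified (real code uses the Public Suffix List and queries DNS).

```python
from email.utils import parseaddr

# Constructed DNS answers (not looked up): the TXT record that would live at _dmarc.<domain>.
# A real implementation queries DNS; they are embedded here so the example runs offline.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=r",
    "example-payments.com": None,  # attacker-registered lookalike: no record published
}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict, applying RFC 7489 defaults."""
    if not record:
        return None
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def organizational_domain(domain):
    # Simplified: keep the last two labels. Production code must use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, authenticated_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == authenticated_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(authenticated_domain)


def evaluate_dmarc(from_header, spf, dkim):
    """
    from_header: the RFC 5322 From: value the recipient sees.
    spf:  ('pass'|'fail', domain) for the envelope MAIL FROM that SPF checked.
    dkim: list of ('pass'|'fail', d= domain) for each DKIM signature verified.
    Returns (disposition, reason): 'pass', or the policy (none/quarantine/reject) to apply.
    """
    _, from_addr = parseaddr(from_header)
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    record = parse_dmarc(DMARC_RECORDS.get(from_domain))  # real code also falls back to the org domain
    if record is None:
        return ("none", "no DMARC record for %s; nothing to enforce" % from_domain)
    spf_aligned = spf[0] == "pass" and aligned(from_domain, spf[1], record["aspf"])
    dkim_aligned = any(r == "pass" and aligned(from_domain, d, record["adkim"]) for r, d in dkim)
    if spf_aligned or dkim_aligned:
        return ("pass", "an aligned identifier authenticated")
    return (record["p"], "no aligned SPF or DKIM pass; apply p=%s" % record["p"])


if __name__ == "__main__":
    # 1. Legitimate mail: SPF passes for a subdomain (relaxed alignment) and DKIM d=example.com (strict).
    print(evaluate_dmarc("ceo@example.com", ("pass", "mail.example.com"), [("pass", "example.com")]))
    # 2. Exact-domain spoof: SPF passes only for the attacker's own sending domain, no DKIM signature.
    print(evaluate_dmarc('"Jane Doe" <ceo@example.com>', ("pass", "bulk.mailer.example"), []))
    # 3. Lookalike domain: everything authenticates, but the domain publishes no DMARC policy.
    print(evaluate_dmarc("ceo@example-payments.com", ("pass", "example-payments.com"), []))
```

The third scenario is the caveat from the paragraph above in concrete form: the attacker's lookalike domain authenticates perfectly, and DMARC has nothing to say about it. The same is true of a message with a forged display name sent from a webmail account, which is why the text-level signals covered earlier still matter even when DMARC is at p=reject.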

Next steps to prevent payloadless attacks 

GenAI has raised the stakes in email security; relying on the standard protection offered by M365 and Gmail, for instance, will only get you so far. Learn how IT leaders are taking steps to protect their organization in our latest research or explore our customer stories to find out how we can help. 

 
