{"id":5754,"date":"2020-11-30T14:20:12","date_gmt":"2020-11-30T22:20:12","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=5754"},"modified":"2022-11-08T15:54:44","modified_gmt":"2022-11-08T23:54:44","slug":"tools-of-the-trade-distilling-campaigns-in-spam","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/tools-of-the-trade-distilling-campaigns-in-spam\/","title":{"rendered":"Tools of the Trade (Distilling Campaigns in Spam)"},"content":{"rendered":"<p>Infoblox threat intelligence is derived from a large number of sources, using a wide range of techniques, to offer our customers the best security possible. We have just released a white paper describing a graphing technique we use to identify malicious campaigns from email spam. This paper is the first in a new Tools of the Trade series. These algorithms allow us to more easily and accurately identify malicious activity and secure our customers\u2019 networks.<\/p>\n<p>Malicious spam, often referred to as <b>malspam<\/b>, uses file attachments or embedded hyperlinks (URLs) to infect victims. The email recipient must either open the file or click on the URL, and may often need to enable macros or editing on their machine for the attack to continue. Threat actors prey on people\u2019s hopes and fears, as well as inexperience with computer security, using a variety of lures, including spoofed documentation, promises of financial gain or threats of blackmail, to trick victims into taking these steps. They gain access to the user\u2019s machine and often their private information, and the consequences can be quite significant. 
One such example is the December 2019 Emotet attack that brought Frankfurt, Germany to a halt [1]. Organized thieves also leverage crises like the Coronavirus pandemic [2] or Black Lives Matter protests [3] as a means to manipulate victims and steal their financial information.<\/p>\n<p>Email spam is therefore a rich source of data for threat hunting and research. However, the massive volume of spam, the staged approach of the threat actors and their constant adaptation to avoid detection make it difficult to isolate malicious indicators. Traditional approaches leverage algorithms, both heuristic and machine learning, to identify suspicious code or content in websites. In some cases, automation is able to definitively determine whether a given attachment or URL is malicious, but more often it will lead to large quantities of generically suspicious emails requiring manual review. There are not enough human resources to manually evaluate all of these results.<\/p>\n<p>As we discuss further in the paper, we use graphs constructed from email header data and algorithms to distill all of the spam into likely campaigns. In Figure 1, we show one such example, highlighting how different emails are clustered together. Figure 2 shows a portion of this same graph, isolating an Emotet campaign. These approaches reduce the amount of data requiring manual analysis by up to 90 percent. 
Read all about it in <a href=\"https:\/\/www.infoblox.com\/resources\/whitepaper\/tools-of-the-trade-distilling-malicious-campaigns-in-spam\" target=\"_blank\" rel=\"noopener\">Distilling Campaigns in Spam<\/a>.\u00a0<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5755\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/malgraph-1.png\" alt=\"\" width=\"1024\" height=\"1024\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/malgraph-1.png 1024w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/malgraph-1-300x300.png 300w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/malgraph-1-150x150.png 150w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/malgraph-1-768x768.png 768w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/malgraph-1-75x75.png 75w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 1. A bipartite graph derived from email headers and colored by connected components.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5756\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/malgraph-2.png\" alt=\"\" width=\"1024\" height=\"1024\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/malgraph-2.png 1024w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/malgraph-2-300x300.png 300w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/malgraph-2-150x150.png 150w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/malgraph-2-768x768.png 768w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/malgraph-2-75x75.png 75w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 2. 
A subgraph of the graph shown in Figure 1, limited to an Emotet campaign.<\/p>\n<p>&nbsp;<\/p>\n<p>[1] Kaspersky ICS-CERT, <i>German cities under attack by Emotet botnet<\/i>, 24 December 2019, <a href=\"https:\/\/ics-cert.kaspersky.com\/news\/2019\/12\/24\/emotet-attacks-german-cities\/\">https:\/\/ics-cert.kaspersky.com\/news\/2019\/12\/24\/emotet-attacks-german-cities\/<\/a><\/p>\n<p>[2] US Center for Disease Control, <i>COVID-19-Related Phone Scams and Phishing Techniques<\/i>, 3 April 2020, <a href=\"https:\/\/www.cdc.gov\/media\/phishing.html\">https:\/\/www.cdc.gov\/media\/phishing.html<\/a><\/p>\n<p>[3] E. Patterson, <i>BLM Themed Malspam Delivers Trickbot Trojan<\/i>, 1 July 2020, <a href=\"https:\/\/insights.infoblox.com\/threat-intelligence-reports\/threat-intelligence--77\">https:\/\/insights.infoblox.com\/threat-intelligence-reports\/threat-intelligence--77<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Infoblox threat intelligence is derived from a large number of sources, using a wide range of techniques, to offer our customers the best security possible. We have just released a white paper describing a graphing technique we use to identify malicious campaigns from email spam. 
This paper is the first in a new Tools of [&hellip;]<\/p>\n","protected":false},"author":338,"featured_media":5666,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[254],"tags":[294,366],"class_list":{"0":"post-5754","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threat-intelligence","8":"tag-malspam","9":"tag-spam","10":"entry"},"acf":[],"yoast_head_json":{"title":"Tools of the Trade (Distilling Campaigns in Spam)","description":"Infoblox threat intelligence is derived from a large number of sources, using a wide range of techniques, to offer our customers the best security possible. We have just released a white paper describing a graphing technique we use to identify malicious campaigns from email spam. This paper is the first in a new Tools of the Trade series. These algorithms allow us to more easily and accurately identify malicious activity and secure our customer\u2019s networks. Malicious spam, often referred to as malspam, uses file attachments or embedded hyperlinks (URLs) to infect victims. The email recipient must either open the file or click on the URL, and often may need to enable macros or editing on their machine for the attack to continue. Threat actors prey on people\u2019s hopes and fears, as well as inexperience with computer security, with a variety of lures, including spoofed documentation, promises of financial gain or threats of blackmail to trick victims into taking these steps. They gain access to the user\u2019s machine and often their private information and the consequences can be quite significant. One such example is the December 2019 Emotet attack that brought Frankfurt, Germany to a halt [1]. 
Organized thieves also leverage crises like the Coronavirus pandemic [2] or Black Lives Matter protests [3] as a means to manipulate victims and steal their financial information.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/tools-of-the-trade-distilling-campaigns-in-spam\/","og_locale":"en_US","og_type":"article","og_title":"Tools of the Trade (Distilling Campaigns in Spam)","og_description":"Infoblox threat intelligence is derived from a large number of sources, using a wide range of techniques, to offer our customers the best security possible. We have just released a white paper describing a graphing technique we use to identify malicious campaigns from email spam. This paper is the first in a new Tools of the Trade series. These algorithms allow us to more easily and accurately identify malicious activity and secure our customer\u2019s networks. Malicious spam, often referred to as malspam, uses file attachments or embedded hyperlinks (URLs) to infect victims. The email recipient must either open the file or click on the URL, and often may need to enable macros or editing on their machine for the attack to continue. Threat actors prey on people\u2019s hopes and fears, as well as inexperience with computer security, with a variety of lures, including spoofed documentation, promises of financial gain or threats of blackmail to trick victims into taking these steps. They gain access to the user\u2019s machine and often their private information and the consequences can be quite significant. One such example is the December 2019 Emotet attack that brought Frankfurt, Germany to a halt [1]. 
Organized thieves also leverage crises like the Coronavirus pandemic [2] or Black Lives Matter protests [3] as a means to manipulate victims and steal their financial information.","og_url":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/tools-of-the-trade-distilling-campaigns-in-spam\/","og_site_name":"Infoblox Blog","article_published_time":"2020-11-30T22:20:12+00:00","article_modified_time":"2022-11-08T23:54:44+00:00","og_image":[{"width":322,"height":228,"url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-education-services-banner.jpg","type":"image\/jpeg"}],"author":"Ren\u00e9e Burton","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Ren\u00e9e Burton","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/tools-of-the-trade-distilling-campaigns-in-spam\/#article","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/tools-of-the-trade-distilling-campaigns-in-spam\/"},"author":{"name":"Ren\u00e9e Burton","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/d18b8543afa21fac6c03151b6f31f981"},"headline":"Tools of the Trade (Distilling Campaigns in Spam)","datePublished":"2020-11-30T22:20:12+00:00","dateModified":"2022-11-08T23:54:44+00:00","mainEntityOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/tools-of-the-trade-distilling-campaigns-in-spam\/"},"wordCount":488,"publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/tools-of-the-trade-distilling-campaigns-in-spam\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-education-services-banner.jpg","keywords":["Malspam","spam"],"articleSection":["Infoblox Threat 
Intel"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/tools-of-the-trade-distilling-campaigns-in-spam\/","url":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/tools-of-the-trade-distilling-campaigns-in-spam\/","name":"Tools of the Trade (Distilling Campaigns in Spam)","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/tools-of-the-trade-distilling-campaigns-in-spam\/#primaryimage"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/tools-of-the-trade-distilling-campaigns-in-spam\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-education-services-banner.jpg","datePublished":"2020-11-30T22:20:12+00:00","dateModified":"2022-11-08T23:54:44+00:00","description":"Infoblox threat intelligence is derived from a large number of sources, using a wide range of techniques, to offer our customers the best security possible. We have just released a white paper describing a graphing technique we use to identify malicious campaigns from email spam. This paper is the first in a new Tools of the Trade series. These algorithms allow us to more easily and accurately identify malicious activity and secure our customer\u2019s networks. Malicious spam, often referred to as malspam, uses file attachments or embedded hyperlinks (URLs) to infect victims. The email recipient must either open the file or click on the URL, and often may need to enable macros or editing on their machine for the attack to continue. Threat actors prey on people\u2019s hopes and fears, as well as inexperience with computer security, with a variety of lures, including spoofed documentation, promises of financial gain or threats of blackmail to trick victims into taking these steps. 
They gain access to the user\u2019s machine and often their private information and the consequences can be quite significant. One such example is the December 2019 Emotet attack that brought Frankfurt, Germany to a halt [1]. Organized thieves also leverage crises like the Coronavirus pandemic [2] or Black Lives Matter protests [3] as a means to manipulate victims and steal their financial information.","breadcrumb":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/tools-of-the-trade-distilling-campaigns-in-spam\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.infoblox.com\/blog\/threat-intelligence\/tools-of-the-trade-distilling-campaigns-in-spam\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/tools-of-the-trade-distilling-campaigns-in-spam\/#primaryimage","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-education-services-banner.jpg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-education-services-banner.jpg","width":322,"height":228},{"@type":"BreadcrumbList","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/tools-of-the-trade-distilling-campaigns-in-spam\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.infoblox.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Infoblox Threat Intel","item":"https:\/\/www.infoblox.com\/blog\/category\/threat-intelligence\/"},{"@type":"ListItem","position":3,"name":"Tools of the Trade (Distilling Campaigns in 
Spam)"}]},{"@type":"WebSite","@id":"https:\/\/www.infoblox.com\/blog\/#website","url":"https:\/\/www.infoblox.com\/blog\/","name":"infoblox.com\/blog\/","description":"","publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.infoblox.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.infoblox.com\/blog\/#organization","name":"Infoblox","url":"https:\/\/www.infoblox.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","width":137,"height":30,"caption":"Infoblox"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/d18b8543afa21fac6c03151b6f31f981","name":"Ren\u00e9e Burton","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_338_1592324402-96x96.jpg","url":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_338_1592324402-96x96.jpg","contentUrl":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_338_1592324402-96x96.jpg","caption":"Ren\u00e9e Burton"},"description":"Dr. Burton is the Vice President of Threat Intel for Infoblox. 
She is a subject matter expert in DNS-based threats and leads the algorithm development and research in DNS intelligence.","url":"https:\/\/www.infoblox.com\/blog\/author\/renee-burton\/"}]}},"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/5754","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/338"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=5754"}],"version-history":[{"count":4,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/5754\/revisions"}],"predecessor-version":[{"id":8238,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/5754\/revisions\/8238"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/5666"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=5754"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=5754"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=5754"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}