• Malware distribution has shifted from exploit kits to email attachments
  • Exploit kit activity is down ~80% since 2016. Meanwhile phishing emails accounted for 93% of breaches in 2018
  • Cybersecurity solutions have been late to adapt. The innovative technologies countering phishing have been acquired at hefty valuations
  • With phishing distribution vector here to stay, a secure solution is needed to fill the current void.
  • CDR is positioned as a leading candidate for this unmet need

For the last three years, there has been an ongoing trend cited by the big cybersecurity players Cisco, Malwarebytes and Kaspersky: Malware distribution has shifted from exploit kits to email attachments. 

This post will cover the old method of delivering malware (exploit kits), the new method (phishing/social engineering) and how cybersecurity companies have shifted defense strategies, if at all.

Use of Exploit Kits Down Since 2016

Exploit kits are a type of malicious toolkit that spreads malware by using security holes found in software applications such as Adobe Reader, Google Chrome and operating systems. These kits come with pre-written exploit code and target users running insecure or outdated versions of the software.

The exploit kit malware distribution process works like this

  1. A victim visits a website whose server has been hacked by cybercriminals
  2. The victim is redirected and lands on a rogue server hosting the exploit kit
  3. The exploit kit gathers information on the victim and determines the exploit to deliver
  4. Exploit is delivered
  5. If exploit succeeds, a malicious program is downloaded to the victim’s computer and executed

 In laymen terms, exploit kits find a chink in the armor of a system and attack the vulnerability with malware to infect the system.


Figure 1: How exploit kits are used to deliver malware to users

Since 2016, the use of exploit kids has significantly declined (see figure below). The primary reason for this decline is a result of security updates in operating systems and web browsers. Software updates patch the compromised vulnerabilities and help shield users from exploit kit compromise. 

In response to these shifts in the exploit kit marketplace, cybercriminals have turned to phishing emails as a delivery vector.

Phishing Emails Accounted for 93% of Breaches in 2018


A phishing email attempts to trick the recipient into downloading a malicious attachment or clicking a link that
would track the user’s personal information. Hackers are implementing social engineering, manipulative ways to deceive recipients, that make the phishing emails look legitimate.

Phishing emails are an evasive method of delivery because they require user interaction to download the threat and deliver malicious payload. Through human error, such as downloading malicious attachment or clicking a compromised link included in the email, these threats are able to evade existing cybersecurity solutions. 

Additionally, social engineering techniques make phishing email method cheaper and at times even more reliable than using ‘traditional’ exploits.

Cybersecurity Solutions Are Late to Adapt

Sophisticated phishing campaigns that utilize social engineering are able to evade traditional solutions like anti-viruses and sandboxes due to human error. These malicious files override existing solutions when enabled by human interaction (such as enabling a malicious macro in excel).  As a result, there were 53,000 incidents in 2018 that compromised information, even though 70% of enterprises employ at least 6 different cyber-security vendors. Existing solutions are inadequate.

Security awareness training software has been a beneficiary of phishing emails. This rather simplistic approach trains employees, through various online modules, to better spot phishing attempts. Minimizing human error, rather than completely eliminating it, is currently the defense method of choice against phishing emails.

PhishMe, an awareness training company, was acquired by a group of private equity firms by $400 million. Similarly, ProofPoint acquired Wombat for $225 million and Mimecast acquired Ataata for $25 million to add awareness training to their product portfolios.

Phishing Threats Are Here To Stay

In 2018, 81% of large enterprises used Office 365 or Google’s G Suite as their cloud providers. The dominance of these two providers indicates that phishing will continue to be the preferred method of distribution for malware. As of Q4 2018, Kaspersky reports that 70% of threats target MS Office

Figure 3: Adoption of Office 365 on The Rise, Which Makes It A Threat Vector

The reliance on this duopoly means that a breach of either Google or Microsoft would result in catastrophic damages. A solution that protects against phishing emails and completely eliminates human error would satisfy a current unmet need in the market. 

CDR Protects Against Phishing Delivered Threats

Content disarm and reconstruct (CDR) technology is a zero tolerance approach that scans the code of incoming files and disarms all potentially malicious content. CDR technology is a complementary feature that can be used in parallel with existing solutions to strengthen an enterprise’s defenses. CDR is able to protect against malicious files delivered through phishing emails by disarming the infected part of a file and delivering a clean copy so workflow remains undisrupted.

CyberQuay’s CDR product will integrate with the largest cloud providers, including Office 365, G Suite and Amazon AWS, to ensure that all files are delivered free of malicious content.