Email Attack Timeline

SMTP had no sender validation; any server could claim any envelope sender

Open relays were the norm; SMTP assumed trusted network

Concept virus, Melissa, ILOVEYOU; macros enabled by default

MAPS RBL and other blacklists pressure admins to close relays

Macro warnings introduced; social engineering required

Storm Worm, Srizbi, Rustock dominate; billions of spam emails daily

SPF deployed but header spoofing trivial; users deceived by From header

SPF adoption grows; major providers start checking records

Open relays rare; instantly blacklisted when found

Reply-To widely abused; no authentication or validation

SPF adoption grows; lookup limit poorly understood

SPF adoption inconsistent; many domains misconfigured or missing records

SPF/DKIM deployed but attackers exploit alignment gaps and lack of policy

Protected View introduced; macros disabled from internet

Cutwail, Grum reach massive scale; takedown operations begin

Credential stuffing attacks provide endless supply of compromised accounts

Mobile email clients truncate addresses, show only display names

DKIM adoption grows; major providers sign outbound mail

DMARC deployed but p=none common; attackers ignore unenforced policies

DMARC published; major providers implement; enforcement grows

CEO fraud emerges; wire transfer scams net millions

DMARC adoption helps; some clients warn on mismatch

Awareness increases; flattening services emerge

Best practices spread; major providers enforce SPF

Major botnets disrupted; spam shifts to compromised accounts and webmail

DMARC adoption forces attackers to lookalike domains; registrars don't police

SPF widely deployed but insufficient alone; bypasses exist

Simple password protection defeats most scanning

OAuth token theft and MFA bypass techniques emerge

BEC attacks heavily exploit display name; some clients improve

Emotet, TrickBot, Dridex dominate; "Enable Content" social engineering

URL rewriting services emerge; attackers develop counter-techniques

Explosion of GCS/S3-hosted phishing; filters not inspecting paths

FBI reports billions in losses; attacks grow more sophisticated

Major providers enforce DMARC; gaps in subdomain handling discovered

DKIM widely deployed but requires DMARC for enforcement

Emotet pioneered automated thread hijacking at scale

Homograph attacks using Unicode; automated domain generation

DMARC at p=reject is gold standard; attackers pivot to cousin domains

Technique emerges; used by nation-states (NOBELIUM)

Widespread adoption as email security improved URL reputation checking

ISO/IMG mounting exploits MOTW gap; macros still primary delivery

Technique emerges; highly effective against URL scanning

Workers abuse emerges; Cloudflare Pages adds to attack surface

QakBot, Emotet use extensively; detection improves

Still used in targeted attacks; detection improving

Complex cloud environments still exceed limits; void lookups exploited

Cloud complexity creates new misconfiguration opportunities

Sophisticated timing attacks; weaponization post-delivery common

Occasional macOS malware campaigns; most phishing still Windows-focused

Cloud providers add abuse detection; SEGs start path inspection

COVID-19 normalizes QR codes; attackers begin exploiting

QakBot, IcedID adopt technique; highly effective for malware delivery

Still

BazarCall pioneered technique; ransomware groups adopt

reCAPTCHA, hCaptcha abuse widespread; detection adapts

Primary spam delivery method; botnets largely obsolete for email

Still effective especially on mobile; DMARC doesn't address it

Subdomain takeover and alignment exploits remain viable

Widespread adoption post-macro blocks; commodity malware adopts

Continues evolving; platforms implement countermeasures; attackers diversify services

Mass adoption by phishing kits; detection plays catch-up

Still highly effective; brand monitoring services emerge

Microsoft blocks macros from internet by default; attackers pivot

Some SEGs crack common passwords; still effective with unique passwords

Massive spike in QR phishing; Microsoft/DocuSign lures common

Time-of-click scanning helps; attackers adapt with shorter windows

Microsoft blocks macros; mass pivot to ISO/IMG/LNK containers

macOS enterprise adoption increases; MetaStealer, AMOS, and other stealers emerge

Still works with rapid rotation; detection improving

Widespread use; combines email + vishing; detection difficult

Multi-stage CAPTCHAs; Cloudflare Turnstile abuse

Detection improving; still effective with obfuscation

Remains primary delivery method for banking trojans and ransomware

Microsoft patches MOTW for ISOs; attackers pivot to nested containers and new formats

Cloudflare improves detection; attackers also abuse AWS Lambda, Azure Functions

SEGs adding QR detection; attacks evolving to evade

Continued targeting of macOS; Gatekeeper bypasses and social engineering evolve