By Bruce Sussman
Thu | Jan 23, 2020 | 7:15 AM PST

Malware strains can operate like a human virus.

Sometimes, you don't hear much about a particular malware attack. And then suddenly, it seems like everyone is getting hit with a particular cyberattack.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) tracks the big picture. And right now, CISA says there's a significant outbreak of Emotet cases going after organizations.

What is the definition of Emotet malware?

CISA defines Emotet malware like this:

"Emotet is a sophisticated Trojan that commonly functions as a downloader or dropper of other malware. Emotet primarily spreads via malicious email attachments and attempts to proliferate within a network by brute forcing user credentials and writing to shared drives."

And the Australian Cyber Security Centre (ACSC), which issued an Emotet advisory, explains what organizations experience next:

"Emotet often downloads a secondary malware, called Trickbot, onto infected machines. Trickbot is a modular multi-purpose command-and-control (C2) tool that allows an attacker to harvest emails and credentials, move laterally within a network using exploits like EternalBlue, and deploy additional malware to the infected network."

In many cases, Emotet is the start of a data breach that then brings in other tools that help hackers carry out their objectives. In some cases, the objective has been to infect networks with ransomware.

How can you reduce the risk of an Emotet malware infection?

In the latest alert, CISA highlighted 10 things every organization and agency should focus on to reduce the risk of infection from Emotet. Many of these things help bolster your cybersecurity posture in general:

  1. Block email attachments commonly associated with malware (e.g., .dll and .exe).
  2. Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).
  3. Implement Group Policy Object and firewall rules.
  4. Implement an antivirus program and a formalized patch management process.
  5. Implement filters at the email gateway, and block suspicious IP addresses at the firewall.
  6. Adhere to the principle of least privilege.
  7. Implement a Domain-Based Message Authentication, Reporting & Conformance (DMARC) validation system.
  8. Segment and segregate networks and functions.
  9. Limit unnecessary lateral communications.
  10. Read one of the following alerts for more specifics on Emotet risk mitigation:
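
Items 1 and 2 above amount to an attachment policy at the email gateway. The Python sketch below is an added illustration (not code from CISA, ACSC or SecureWorld) of applying that policy to one attachment: it blocks .exe and .dll, including double-extension names such as invoice.pdf.exe, and goes a step beyond the outright .zip block in item 2 by rejecting an archive only when the scanner cannot open it (encrypted member or malformed file) or when it carries a blocked file type. The helper functions, extension sets and sample archives are constructed for the demonstration.

```python
import io
import zipfile
from typing import List, Optional

# Item 1 of the CISA list: attachment types commonly associated with malware.
BLOCKED_EXTENSIONS = {".exe", ".dll"}
# Item 2: archive types the gateway may not be able to scan.
ARCHIVE_EXTENSIONS = {".zip"}

def _extensions(name: str) -> List[str]:
    """All dotted suffixes, so 'invoice.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:] if p]

def _zip_verdict(data: bytes) -> Optional[str]:
    """Reject an archive the scanner cannot open, or one holding a blocked type."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                    return f"encrypted member {info.filename!r} cannot be scanned"
                if BLOCKED_EXTENSIONS & set(_extensions(info.filename)):
                    return f"archive contains blocked file {info.filename!r}"
    except zipfile.BadZipFile:
        return "malformed archive cannot be scanned"
    return None

def attachment_verdict(filename: str, data: bytes) -> Optional[str]:
    """Return the reason to block an attachment, or None to let it pass."""
    exts = set(_extensions(filename))
    if exts & BLOCKED_EXTENSIONS:
        return f"blocked extension on {filename!r}"
    if exts & ARCHIVE_EXTENSIONS:
        return _zip_verdict(data)
    return None

def make_zip(members: dict) -> bytes:
    """Build a constructed sample archive for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

def mark_encrypted(data: bytes) -> bytes:
    """Flip the 'encrypted' flag in a sample archive's central directory (constructed)."""
    out = bytearray(data)
    out[out.find(b"PK\x01\x02") + 8] |= 0x1  # flag field sits 8 bytes into the header
    return bytes(out)
```

A real gateway would also inspect the declared MIME type and file magic, since the filename alone is attacker-controlled.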

One thing we're surprised not to see on CISA's list above: a formalized Security Awareness Program. Most of these Emotet attacks arrive via email and target end users.

The Australian Cyber Security Centre says some Emotet attempts are bulk malicious-email campaigns, while others are highly targeted spearphishing emails aimed at desirable targets.

Speaking of phishing, do not miss the SecureWorld web conference on the 2020 State of the Phish report. The live conference is January 30th, but if you register you can watch later, on-demand, if that's more convenient.
The web conference reveals the latest trends on phishing and security awareness based on millions of data points. Presenters will also look at practical ways to apply the data to help secure your organization.

Also: Another complimentary resource is The SecureWorld Sessions podcast, which is available on every major podcast platform. See recent episodes here.