Whereas spam emails are simple unsolicited emails, malspam (or malicious spam) are spam emails that contain malicious payloads, usually in the form of infected documents or malicious URLs that redirect unknowing users to websites hosting malware.

Though it has a relatively low success rate, malspam distribution endures as one of the most popular methods to distribute malware because it can be employed on a massive scale. Malspam is used to deliver a wide range of malware families, including Trojans, ransomware, crypto miners, keyloggers, and more.

How Malspam Works

The exact techniques that malware distributors use to employ malspam in propagating their malicious payloads vary widely. These techniques, moreover, not only range in scope and complexity, but are also in constant flux. For instance, more successful malspam campaigns rely on social engineering to entice would-be victims into opening seemingly benign, plausible, or otherwise attractive email messaging, and divulging sensitive information.

In the early days of the COVID-19 pandemic, for example, many malspam campaigns impersonated parcel delivery services that claimed to be experiencing difficulties in delivering important packages due to COVID-19. This often involved sending fabricated invoices laden with malicious attachments, as was the case with the Emotet family. Even more insidiously, many malspam campaigns also impersonated government health organizations, luring victims to download infected files purporting to contain critical public health information.

Thankfully, for those who know to look out for them, many of these malspam campaigns are relatively easy to spot and may feature telltale signs of illegitimacy, such as phony addresses for well-known organizations or suspicious spelling and grammar mistakes throughout the message.

However, some malspam campaigns are more sophisticated and can dupe even those on the lookout for malspam. One recent example of a more sophisticated effort featured a malspam campaign that targeted customers of a Polish bank with a bogus Google reCAPTCHA to establish a false sense of legitimacy before asking customers to download a malicious payload.