#ThreatThursday - Emotet

On Friday, July 17, many of us woke up to a bunch of new phishing emails. What happened over night? Well, like Sherrod DeGrippo from ProofPoint wrote, emotet returns after a 5 month hiatus. Emotet is a banking trojan that gains access to end user machines and steals their financial information such as login information and personal identifiable information (PII). This week, we met with Sherrod and discussed Emotet. As usual, we create an adversary emulation plan based on Cyber Threat Intelligence and then emulate it with SCYTHE. We share the emulation plan so the community can also emulate the Emotet campaign to test and improve people, process, and technology. Lastly, we discuss how to defend against Emotet, in this case, we cover training the end users by performing phishing simulations. We hope you enjoy it.

Cyber Threat Intelligence

This week, our Cyber Threat Intelligence comes from a company that is at the forefront of email security, ProofPoint. We interview Sherrod DeGrippo who wrote the article emotet returns after a 5 month hiatus to understand what Emotet is, how they operate, and how we can improve security. Here is this week’s interview:

We found a number of additional resources related to the latest Emotet campaign to pull out the Cyber Threat Intelligence:

An excellent resource to see replays of what occurs when someone falls for the phishing email and opens the emotet document is the site any.run. Here are a few for emotet:

Emotet has been around for a number of years and is tracked by MITRE ATT&CK. We can see the TTPs via the ATT&CK Navigator Layer created from the JSON in the SCYTHE Community Github.

Adversary Emulation Plan

Emotet works by spamming targets with business-related emails containing malicious Office documents that are either attached to the email or with a link to download the malicious file. If someone falls for the phishing email, opens the document, and enables macros, the Emotet malware will execute.

As usual, below is the adversary emulation profile for Emotet. The emulation plan can be downloaded from the SCYTHE Community Threats Github and imported to your SCYTHE instance.





Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014 and has been primarily used to target the banking sector.


Banking Trojan - steal banking information and PII

Initial Access

T1566 - Phishing

T1566.001 - Spearphishing Attachment

T1566.002 - Spearphishing Link

Command and Control

T1573 - Encrypted Channel

T1573.002 - Asymmetric Cryptography

T1571 - Non-Standard Port


T1059 - Command and Scripting Interpreter

T1059.001 - PowerShell

T1059.003 - Windows Command Shell

T1059.005 - Visual Basic

T1053 - Scheduled Task/Job

T1053.005 - Scheduled Task

T1204 - User Execution

T1204.001 - Malicious Link

T1204.002 - Malicious File

T1047 - Windows Management Instrumentation

Defense Evasion

T1027 - Obfuscated Files or Information

T1027.002 - Software Packing

T1055 - Process Injection

T1055.001 - Dynamic-link Library Injection

T1078 - Valid Accounts

T1078.003 - Local Accounts


T1087 - Account Discovery

T1087.003 - Email Account

T1057 - Process Discovery

Credential Access

T1110 - Brute Force

T1110.001 - Password Guessing

T1555 - Credentials from Password Stores

T1555.003 - Credentials from Web Browsers

T1040 - Network Sniffing

T1003 - OS Credential Dumping

T1003.001 - LSASS Memory

T1552 - Unsecured Credentials

T1552.001 - Credentials In Files


T1560 - Archive Collected Data

T1114 - Email Collection

T1114.001 - Local Email Collection


T1547 - Boot or Logon Autostart Execution

T1547.001 - Registry Run Keys / Startup Folder

T1543 - Create or Modify System Process

T1543.003 - Windows Service

Lateral Movement

T1210 - Exploitation of Remote Services

T1021 - Remote Services

T1021.002 - SMB/Windows Admin Shares


T1041 - Exfiltration Over C2 Channel

Defend against Emotet

Defending against emotet and other phishing campaigns can be broken up by people, process, and technology. ProofPoint is an excellent technology solution to cut down and stop phishing and malicious emails from getting to users. 

From a people and process perspective, user awareness training is one of the best defenses against phishing attacks like emotet campaigns. Creating a phishing simulation program involves coordination with a number of internal teams but at a high level:

  • Create an email template that is used against the target organization
  • Create a unique link per email address
  • Send the emails to the target addresses
  • Metrics: Clicked email (failed test); Reported email (passed test)
  • If someone clicks on the email, they should get a message immediately informing them this was a test and with best practices of what to do next time
  • People reporting the phishing email should have some sort of positive reinforcement


Emotet campaigns are back and ProofPoint was quick to catch it. We had a chat with Sherrod DeGrippo from ProofPoint and discussed the new campaign, phishing as a whole, emulating emotet, and how to defend against it. We created an adversary emulation plan and shared it on our Github. Lastly, we covered how to defend against phishing attacks by focusing on people, process, and technology. We hope you enjoyed it.

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.


SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io.

Latest Posts

Threat Thursday: February
February 22,2024
Threat Thursday: January
January 18,2024
Threat Thursday Buzz
November 16,2023