Email still the top vector for attackers
Infection chains might change, but the initiation method remains the same
While more exotic forms of attack may make headlines, it turns out good old email is still the most popular vector of attack for malicious actors, according to research from HP Wolf Security, accounting for 79% of threats.
The figure is a single percentage point down from 2022’s figures but highlights issues facing email administrators. Web browser downloads also dropped by 1% to 12%, while other vectors, such as removable media, grew to 9%.
Researchers noted that while attack chains tended to be formulaic, there had been a move to threat actors connecting different components to create something more unique – and harder to detect.
According to researchers “32% of the QakBot infection chains analyzed by HP in Q2 were unique”.
QakBot spam activity surged in Q2 2023, with the malware distributors switching between many different file types to infect PCs.
Patrick Schläpfer, Senior Malware Analyst at HP Wolf Security, told ITPro that the team had seen continuous and rapid change across various attack vectors. He gave the example of the QakBot campaigns, which showed threat actors changing their initial vector as well as techniques within the infection chain.
RELATED RESOURCE
The state of email security 2023
Get the latest insights from 1,700 CISOs and other IT professionals as they share the steps they are taking to protect their organizations from email-based threats
He also noted the impact of Microsoft’s disabling of macros by default, which has forced a diversification of attack vectors. “During 2022, we observed attackers attempting various newer techniques such as HTML smuggling, PDF lures, and also OneNote documents – which is particularly interesting as OneNote attacks do not rely on macros,” he said
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
Schläpfer noted that most attacks were wide-ranging rather than targeted as attackers attempted to gain a foothold in a system. He shared statistics with ITPro collected over the course of Q2 2023 that show over half (51.5%) of malicious email attachments were archives and almost a quarter (24.4%) were documents. PDFs accounted for 4.2% and executables 1.5%.
More on security
Attackers are also becoming more creative, according to the research. One recent campaign used multiple programming languages in an effort to avoid detection. The payload was encrypted using Go before switching to C++ in order to interact with the victim’s operating system before running .NET malware.
According to Schläpfer, attackers are becoming more knowledgeable about their target systems, making it easier to exploit gaps or vulnerabilities. He said: “By knowing which doors to push, they can navigate internal systems with ease, using relatively simple techniques in very effective ways – without sounding the alarm”.
With email remaining the top attack vector, the advice for administrators remains the same. Dr Ian Pratt, global head of security for personal systems at HP, commented that while attack chains might vary, the initiation methods tended to remain the same: “It inevitably comes down to the user clicking on something”.
“Instead of trying to second guess the infection chain, organizations should isolate and contain risky activities such as opening email attachments, clicking on links, and browser downloads.”

Richard Speed is an expert in databases, DevOps and IT regulations and governance. He was previously a Staff Writer for ITPro, CloudPro and ChannelPro, before going freelance. He first joined Future in 2023 having worked as a reporter for The Register. He has also attended numerous domestic and international events, including Microsoft's Build and Ignite conferences and both US and EU KubeCons.
Prior to joining The Register, he spent a number of years working in IT in the pharmaceutical and financial sectors.
-
Network Rail is battling a torrent of cyber threatsNews FoI requests have revealed that the rail operator is under increasing attack, as cyber criminals set their sights on the transport sector
-
Energy providers are flying blind thanks to unpredictable AI data center demandsNews Research from Capgemini has found that uncertainty, speed constraints, and rising system complexity are leaving firms struggling to predict future consumption
-
OpenAI expands 'Daybreak' cyber program: New tools, partnerships, and a cyber-focused GPT-5.5 aim to help 'patch the world'News The company has added new tools, signed up partners, and released its GPT-5.5-Cyber model more widely
-
AI is shrinking attack windows, and it’s forcing a complete rethink of cyber resilience – here’s how organizations can prepareNews Commvault has urged companies to improve their business continuity and resilience plans in the face of flaws spotted by AI
-
Hackers are turning up at law firms to gain physical access to machinesNews The FBI is warning companies to look out for fake IT staff
-
UK wants an AI-powered anti-hacking systemNews GCHQ is building a national cyber defence capability powered by AI – though it may take five years
-
GitHub internal repositories exfiltrated via malicious VS Code extensionNews The breach has been claimed by the TeamPCP hacking group, which said it is offering the data for sale
-
Anthropic targets vulnerability detection gains with Claude Security public beta — here's what users can expectNews The Claude Mythos developer is aiming for a more limited approach to cyber tooling for public consumption
-
Researchers warn millions of RDP and VNC servers are wide open to exploitationNews Researchers at Forescout spotted millions of RDP and VNC servers exposed online