top of page
  • Admin

Stolen Email Threads Hide Valak Info-Stealing Malware

Published: August 4, 2020 on our newsletter Security Fraud News & Alerts Newsletter.

Anyone familiar with email threads, those linked chains of emails and responses, knows how cumbersome they can be. But now, there’s another reason not to like email threads: they could be hiding malware called Valak. Discovered in 2019, Valak is now targeting organizations in healthcare, manufacturing, and financial services around the globe with its new and improved malware campaign. Valak hides in stolen email threads, looking like just another email in the chain. The big difference is a ZIP email attachment that, when opened, starts the Valak download process. This information stealing malware relies on credibility to work, leaving many duped and infected by the phishing email they assumed was a trusted part of the thread.

Although the Valak campaign started earlier this year, Cisco Talos finds that 95% of the attacks occurred in May and June. Using stolen email threads gives Valak a unique path that makes it highly effective. The malware avoids detection by most system security tools by hiding in email threads and using a password protected ZIP attachment. From there, the email content references the need to open the attachment. It’s easy to think something like this is legitimate. Often, these threads can get quite long and even confusing. However, once opened, the ZIP downloads a Microsoft Word document that unleashes the Valak infection.

The stolen email threads are also used to send individual phishing messages that address the recipient by name. Personalizing the email increases its credibility, and that bogus credibility translates into highly successful Valak downloads. Knowing how to spot a phishing email is a highly effective tool for limiting Valak’s success, as well as for avoiding other types of malware hiding in attachments of any type.

One Phish, No Phish!

  • Beware of any email attachment. There was a time when only certain file types were likely hiding malware, but now, most file types (.doc, .ZIP, .exe and others) can be infected.

  • When in doubt, check it out. Any email from a co-worker or friend that requires opening an attachment should be verified first. A quick phone call to the sender can help determine if the attachment is safe.

  • Check the email date. Valak is attaching itself to both old and new email threads.

  • Any email using a sense of urgency in the subject line or text, for any reason, should always be suspect.

Remember, verify first and act second when it comes to email attachments.

Want to schedule a conversation? Please email us at


bottom of page