The term “payload” traditionally refers to the load carried by a vehicle — for example, the passengers in an aircraft or the cargo in a truck. But, in computing, “payload” refers to the content of a message.

When you send an email, you’re transmitting several pieces of data, including a header, some metadata, and the message itself. In this scenario, the message is the payload — it’s whatever content you want the recipient to receive. The term “malicious payload” comes into play when we talk about cybersecurity specifically.

How is a malicious payload delivered?

Malicious payloads first need to find their way onto a target’s device. How? There are a couple of methods hackers use to do this.

1. Social engineering attacks
2. DNS hijacking

The most common way to deliver a malicious payload is via social engineering attacks like phishing, spear phishing, CEO Fraud, and other types of advanced impersonation attacks. Here’s how a typical phishing attack typically starts.

Suppose your office has ordered some printer ink. You get an email from someone claiming to be “FedEx” that says: “click here to track your order.” Since you are – in fact – expecting a delivery, you click the link. The link appears to lead to FedEx’s order-tracking page, but the page causes a file to download onto your computer. This file is the malicious payload.

While email is the most common delivery vector for malicious payloads, they can also appear via vishing (via phone or VoIP) and smishing (via SMS) attacks.Another way to deliver a malicious payload is via DNS hijacking. Here, the attacker forces the target’s browser to redirect to a website where it will download the payload in the form of a malware file.

Types of malicious payloads

Malicious payloads can take a number of forms. The examples below are all types of “malware” (malicious software).

• Virus: A type of malware that can replicate itself and insert its code into other programs.
• Ransomware: Encrypts data on the target computer, rendering it unusable, and then demands a ransom to restore access.
• Spyware: A program that tracks user activity on a device — including which websites the user visits, which applications they use, and which keys they press (and, therefore, the user’s passwords).
• Trojan: Any file which appears to be innocent but performs malicious actions when executed.
• Adware: Hijacks the target computer and displays annoying pop-up ads, affecting performance.

But a payload doesn’t need to come in the form of a file. “Fileless malware” uses your computer’s memory and existing system tools to carry out malicious actions — without the need for you to download any files. Fileless malware is notoriously hard to detect.

Malicious payload vs. zero payload

Not all phishing attacks rely on a malicious payload. Some attacks simply persuade the victim to action a request. Keep reading for examples. Suppose someone claiming to be a regular supplier sends you an email. The email claims that there’s been a problem with your recent payment. With a malicious payload attack, the email might contain an attachment disguised as your latest invoice.

With a zero payload attack, the email may encourage you to simply initiate a wire transfer or manually update account details to divert the payment from the genuine supplier to the hacker. Zero payload attacks can be just as devastating as malicious payload attacks, and traditional antivirus and anti-phishing software struggles to detect them.

Case study: KONNI Malware, August 2020

Let’s look at a real-world example of a malicious payload attack. This example demonstrates how easy it can be to fall victim to a malicious payload.On August 14, 2020, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that:

“cyber actors using emails containing a Microsoft Word document with a malicious Visual Basic Application (VBA) macro code to deploy KONNI malware”

So, in this example, the malicious payload is a .doc file, delivered via a spear phishing email. The .doc file contains the “KONNI” malware.When the target opens the malicious payload, the KONNI malware is activated. It uses a “macro” (simple computer code used to automate tasks in Microsoft Office) to contact a server and download further files onto the target computer.

The KONNI malware can perform different attacks, including:

• Logging the user’s keystrokes
• Taking screenshots
• Stealing credentials from web browsers
• Deleting files

These actions would allow cybercriminals to steal crucial information — such as passwords and payment card details — and to cause critical damage to your device.

How to stop malicious payloads

You should take every reasonable step to ensure malicious payloads do not make their way onto your devices. Email security is a crucial means of achieving this.Why? Because email is the threat vector security and IT leaders are most concerned about. It’s also the most common medium for phishing attacks and a key entry-point for malicious payloads.

If you want to learn more about preventing phishing, spear phishing, and other types of inbound attacks that carry malicious payloads, check out these resources:

1. Must-Know Phishing Statistics: Updated 2021
2. How to Identify and Prevent Phishing Attacks
3. What is Spear Phishing?
4. How to Identify a Malicious Website
5. What Does a Spear Phishing Email Look Like?

And, if you want to stay-up-to-date with cybersecurity news, trends, and get the latest insights (and invites to events!) before anyone else, subscribe to our newsletter.