Email Security

    Stopping Email Spy Trackers Can Break The Cyberattack Kill Chain

    Threat actors’ use email spy trackers to learn about potential victims before launching a full-scale attack — but these trackers can be rendered harmless.

    by Bill Camarda

    Key Points

    • Every day, hundreds of millions of emails likely contain images with potentially dangerous spy trackers.
    • Bad actors use these to fuel research for socially engineered attacks, including business email compromise.
    • Mimecast’s email security renders email trackers harmless, by default.

    A recent BBC News article noted that email trackers used to spy on recipients have become ubiquitous.[1] That’s true, and it’s important: these so-called “spy trackers” are embedded in tens of billions of emails daily, often by marketers. But there’s another urgent story to tell about email trackers. Cybercriminals are using them, too, as part of a sophisticated strategy to scam high-value targets and compromise organizations. Security teams need to understand this — and how to stop it.

    Email Trackers Aid Cyberattackers’ Reconnaissance

    In a cyberattack “kill chain,” attackers start with reconnaissance, move to weaponization and then threat delivery. If you can disrupt an attack in the early stages of the kill chain, you can either prevent later stages or make them less effective.

    Cybercriminals use email trackers to supercharge reconnaissance, so that’s the best stage to stop them. Once cybercriminals target an organization, they want to identify individual potential victims and refine their messaging to be as personal and specific as possible. So they send a potentially relevant email with a tracker to possible victims and see what happens.

    Does it get opened? That suggests interest. Does the recipient engage? 1x1 GIF “spy pixels” don’t reveal that, but some cybercriminals now embed links to .WAV files that stream silently in the background, tracking how long the message stays open. The tracker also transmits an IP address exposing the recipient’s location.

    Weaponization and Intrusion, At Scale

    All this is invaluable for weaponizing a highly personalized business email compromise (BEC) attack. The bad actor can learn, for example, if a target is traveling for business and if they care about the subject of the recon email. Combined with other research — usually in social media — the cybercriminal can follow up with frighteningly convincing socially engineered messages that evade detection by the recipient. Email security technologies may also be challenged to detect them because they carry no malicious payload. Email security must rely on lexical analysis and impersonation detection techniques, which are very good but not 100% effective and are subject to false positives. This is why web email gateways sometimes add a banner to these messages rather than blocking them altogether.

    As the email tracker communicates back to its origin server, it also sends a user agent string containing information about the recipient’s device and environment. Is the person running an unpatched OS or old email client with a specific vulnerability? Today, a large email blast that returns these user agent strings can be an efficient way to discover technical vulnerabilities that can be exploited to compromise an entire enterprise.

    Just how big a problem is all this? According to an analysis by Mimecast’s Threat Intelligence Center, 33% of emails have images, 66% of those images contain trackers and about 1% of those trackers attempt risky behaviors such as trying to ascertain user location. About 306.4 billion emails were sent and received on an average day in 2020.[2] Working through the math, that means roughly 667 million emails may contain intrusive or even dangerous trackers every day. That’s a whole lot more emails than contain malware-infected attachments.

    How to Stop Spy Trackers in Their Tracks

    There’s a way to get that number down very close to zero. Stop the email tracker from connecting to the target and communicating back to its originating server. This involves identifying an email containing a tracker link, downloading and hosting the target content associated with that tracker, and replacing the link to point at the downloaded content. So, when users open the emails, they’re completely shielded from the origin server. The tracker communicates only with safe copies of the content.

    The only communication the bad actor sees is that first download, and it typically comes from a public cloud IP address that isn’t even recognizable as a security company. All the attacker knows is that there’s been no further communication.

    By default, Mimecast stops virtually all tracking trackers, including marketing trackers. But organizations can whitelist trackers from partners, customers or anyone else they’d like.

    Identifying email trackers isn’t always easy. For example, Mimecast’s Threat Intelligence team has seen bad actors do things like host their own DNS service providers and create unique DNS hosting for each tracker. So preventing tracking requires sophisticated machine learning that can interpret URLs, attributes and how fetches are occurring.

    Other approaches to blocking email trackers tend to be less effective. Some require companies to deploy new client software. Others are limited to image blocking and ignore newer trackers, such as the silent WAVs, or can’t recognize evasion techniques such as DNS customizations. In addition, they may not address mobile devices — a pretty enormous gap. The BBC article references a consumer-grade solution that actually requires customers to change their email addresses, which is not viable for business organizations — and, in any case, this solution focuses on marketing trackers, not the problem of preventing bad actors from performing reconnaissance.

    Mimecast’s approach also identifies and prevents attacks in the reconnaissance stage, so it generates valuable security data — often, it can tell who owns a tracker, who’s created proprietary tracking technology and who’s re-conning you right now. Increasingly, over time, that information can be shared with third-party security systems via off-the-shelf integrations using open APIs — so you can anticipate more attacks and respond more quickly.

    The Bottom Line

    Email trackers are relatively benign in the hands of marketers, but are also often used by cybercriminals in the early reconnaissance stages of a cyberattack. Mimecast’s email security solutions stop spy trackers by default, enabling businesses to break cyberattack kill chains that make use of them.

    [1]Spy pixels in emails have become endemic,” BBC News

    [2]Number of sent and received e-mails per day worldwide from 2017 to 2025,” Statista

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top