The Australian government is warning businesses to harden their cyber security controls in the wake of the evolving Emotet malware.

Emotet exposes infected computers to a host of attacks including ransomware and data theft, and can spread to a victim’s friends and contacts using their email account.

The Australian Cyber Security Centre (ACSC) says it knows of dozens of victims the malware has claimed in recent weeks, including critical infrastructure providers and government agencies.

This victim count is small relative to the hundreds of victims claimed by conventional phishing cyberattacks over the same time, but could rise if Emotet’s popularity rebounds to former levels.

The malware’s most popular feature – raiding a victim’s bank accounts – meant that it was used in 75 percent of banking crime campaigns in the last year.

Emotet spreads through phishing emails. The contents of these vary, but researchers have seen often poorly written emails requesting readers open Word documents that request the macro feature be activated in Microsoft Office.

There is little preventing Emotet’s phishing emails, and those linked to other cyber attacks, from being convincing and fluent.

“Emotet malware is spread when unsuspecting email users click on links or open files containing malicious code,” the ACSC warned. “This campaign uses targeted and untargeted phishing emails to spread the virus.”

Recent versions of Microsoft Word warn users of the threat of activating macros. Macros, an automation feature, are a decades-old favourite for delivering malware, and continue to be so in the face of Microsoft’s much-improved technical and user defences.

Emotet, like most cyberattacks, is best fought through the rapid application of software updates (patching), and use of current operating systems like Windows 10 which contains significant defences and in-built antivirus.

Organisations of all sizes should ensure they are creating regular backups as a priority and confirm they have business continuity plans in place, and review the Australian Signals Directorate’s Essential Eight security controls to limit the impact of cyber security incidents.