The top phishing keywords in the last 10k+ malicious emails we investigated

By Ray Pugh and Simon Wong · Sep 8, 2021 · Tags: MDR / Phishing

Did you get a chance to read our report on the top attack vectors used by bad actors in July? If not, here are two important takeaways:

  1. Phishing was the top threat in July, making up 72 percent of the incidents our security operations center (SOC) investigated.
  2. Breaking this down further, nearly 65 percent of the incidents our SOC investigated in July were business email compromise (BEC) attempts in Microsoft 365 (M365).

TL;DR: Phishing is on the rise and we expect it to stay that way. So preventing BEC and credential harvesting through phishing should be a priority for resilience efforts.

We decided to take a look at how bad actors are enticing their victims to open and engage with phishing campaigns. We analyzed the last 10 thousand malicious emails that our team investigated to determine the top keywords bad actors are using in their email subject lines.

As you’ll see below, these keywords aim to make recipients interact with the content of the email by targeting one or more of these themes:

  1. Imitating legitimate business activities
  2. Creating a sense of urgency
  3. Prompting the recipient to act

In this post, we’ll share the top keywords used in email subject lines, examples of subject lines from the malicious emails we investigated and some context around why bad actors might choose to use each keyword. Knowing how bad actors are targeting their victims can help inform your phishing strategy and education program.

Top Phishing Keywords


Real subject lines:

  2. Missing Inv ####; From [Legitimate Business Name]
  3. INV####

Context: Generic business terminology doesn’t immediately stand out as suspicious and maximizes relevance to the most potential recipients by blending in with legitimate emails, which presents challenges for security technology. Most people are also inclined to respond promptly to communications from co-workers, vendors or clients if they believe action is required, like returning an invoice.


Real subject lines:

  1. New Message from ####
  2. New Scanned Fax Doc-Delivery for ####
  3. New FaxTransmission from ####

Context: “New” is commonly used in legitimate communications and notifications, and aims to raise the recipient’s interest. People are drawn to new things in their inbox, wanting to make sure they don’t miss something important.


Real subject lines:

  1. Message From ####
  2. You have a New Message
  3. Telephone Message for ####

Context: Most people using a work account want to make sure they’re promptly responding to communications from co-workers, vendors or clients – and are inclined to read or listen to new messages quickly.


Real subject lines:

  1. Verification Required!
  2. Action Required: Expiration Notice on [business email address]
  3. [Action Required] Password Expire
  4. Attention Required. Support ID: ####

Context: Keywords that promote action or a sense of urgency are favorites among attackers because they prompt people to click without taking as much time to think. “Required” also targets employees’ sense of responsibility to urge them to quickly take action.

<Blank Subject>

Context: Blank subject lines generally evade automated security measures – security tech can’t scan for phishing or spam keywords if there aren’t any.


Real subject lines:

  1. You have a Google Drive File Shared
  2. [Name] sent you some files
  3. File- ####
  4. [Business Name] Sales Project Files and Request for Quote

Context: “File” is another generic business term used in work emails and notifications. Using this term helps these phishing emails blend in with legitimate emails — creating another challenge for security technology. Again, people are inclined to respond in a timely manner to communications from co-workers, vendors or clients.


Real subject lines:

  2. [Business Name] – W-9 Form Request
  3. Your Service Request ####
  4. Request Notification: ####

Context: Requests are sufficiently general for mass phishing campaigns, while insinuating the recipient needs to take action. Some examples include prompting the user to access a link, download a file or provide sensitive personal information.


Real subject lines:

  1. Action Required: Expiration Notice on [business email address]
  2. Action Required: [Date]
  3. Action Required: Review Message sent on [Date]
  4. [Action Required] Password Expire

Context: Promoting action and a sense of urgency increases the chances that a recipient will act immediately after reading the message without taking much time to think, rather than leaving the email for later and potentially forgetting to respond.


Real subject lines:

  1. File Document ####
  2. [Name], You have received a new document in [Company system]
  3. Attn: [Name] – You have an important [Business name] designated Document
  4. Document For [business email address]
  5. View Attached Documents
  6. [Name] shared a document with you

Context: Like “file,” “document” is regularly used in subject lines and notifications, again helping the attacker target the most recipients and blend in with legitimate emails, challenging security technology. Once again, sharing a file prompts employees to respond in a timely manner to avoid missing work-related information.


Real subject lines:

  1. Verification Required!

Context: “Verification” insinuates the recipient needs to take action, likely in a timely manner. Again, the user may be prompted to access a link, download a file or provide sensitive personal information.


Real subject lines:

  1. eFax from ID: ####
  2. eFax® message from “[phone number]” – 2 page(s), Caller-ID: +[phone number]

Context: eFaxes are still used broadly as part of normal business operations for many orgs, so users may be tempted to click the link or download the file.


Real subject lines:

  1. VM from [phone number] to Ext. ### on Tuesday, May 4, 2021
  2. VM From ****#### Received – for <[user name]> July 26, 2021
  3. ‘”””1 VMAIL RECEIVED on Monday, June 21, 2021 3:02:55 PM””

Context: Most people using a work account want to make sure they’re promptly responding to communications from co-workers, vendors or clients, and are inclined to read or listen to new messages quickly.

What to do next

Successful credential harvesting through phishing can lead to an array of problems for a business. Luckily, there are a lot of things you can do to try to stop bad actors in their tracks.

Number one – enable multi-factor authentication (MFA) for everything you can, specifically phish-resistant MFA (FIDO/WebAuthn). Even if a bad actor manages to harvest credentials through phishing, MFA can keep them from accessing your systems and data – and give you a heads up that someone’s trying to break in.

Another important thing orgs can do to prevent successful phishing campaigns is to develop comprehensive phishing education programs. Orgs should stay up to date on the latest phishing trends to update their policies and educate employees when new tactics are at play. Beyond training sessions, regularly test employees with mock phishing emails (and provide feedback on what in the email was suspicious) so they continue to learn, hone their detection skills and know how to report suspicious emails in their inbox.

Encourage employees to take a closer look at emails using the above keywords to make sure they recognize the sender, that the sender’s email looks legitimate (for example, does that voicemail notification match the official voicemail email for your org?) and that they are expecting the content of the email. If not, it’s always better to double check with the supposed sender through another form of communication (we love Slack!) before clicking on any unexpected files.
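The closer look described above can be partly automated for triage. The sketch below is an added example, not Expel's code: it tags a message by the subject keywords seen in this post, flags blank subjects, and checks that voicemail and eFax notifications come from the org's official sender. The keyword-to-theme mapping is our reading of the subject lines and context notes above, and the `EXPECTED_SENDER` domains are placeholders you would replace with your own.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Keyword -> theme, read off this page's subject lines and context notes.
KEYWORDS = {
    "inv": "business", "new": "business", "message": "business",
    "file": "business", "document": "business", "efax": "business",
    "vm": "business", "vmail": "business",
    "required": "urgency", "action": "act", "request": "act",
    "verification": "act",
}
# Assumption: the org's official notification senders (placeholder domains).
EXPECTED_SENDER = {"vm": "voicemail.example.com",
                   "vmail": "voicemail.example.com",
                   "efax": "fax.example.com"}


def triage(raw_message: str) -> dict:
    """Tag one RFC 5322 message by subject keyword, theme and sender fit."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    flags = []
    if not subject:
        # No keywords to scan, so treat the absence itself as the signal.
        flags.append("blank_subject")
    hits = set()
    for tok in re.findall(r"[a-z]+", subject.lower()):
        if tok not in KEYWORDS and tok.endswith("s"):
            tok = tok[:-1]  # "files" -> "file", "documents" -> "document"
        if tok in KEYWORDS:
            hits.add(tok)
    for kw in sorted(EXPECTED_SENDER.keys() & hits):
        if domain != EXPECTED_SENDER[kw]:
            flags.append(f"sender_mismatch:{kw}")
    return {"keywords": sorted(hits),
            "themes": sorted({KEYWORDS[k] for k in hits}),
            "flags": flags}


# Constructed sample messages (not from the investigated emails).
SAMPLES = [
    "From: billing@vendor.example\nSubject: [Action Required] Password Expire\n\nhi",
    "From: alerts@vm-notify.example\nSubject: 1 VMAIL RECEIVED on Monday\n\nhi",
    "From: noreply@voicemail.example.com\nSubject: VM from 5550100 to Ext. 123\n\nhi",
    "From: someone@unknown.example\nSubject:\n\nhi",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(triage(raw))
```

Because these keywords also appear in plenty of legitimate mail, treat the keyword tags as context for an analyst or a reported-phish queue and lean on the flags (blank subject, sender mismatch) for prioritization.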

When it comes to phishing, complacency is a risk. And we’ve seen that employees from orgs with strong phishing education programs are better at identifying actual malicious emails.

Beyond MFA and education, there are additional things you can do to make your email system more secure in case an attacker manages to harvest credentials from an employee. Here are some of our top resilience recommendations:

  • Disable legacy protocols like IMAP and POP3.
  • Implement extra layers of conditional access for your riskier user base and high-risk applications.
  • For O365 users, consider Azure AD Identity Protection or Microsoft Cloud App Security (MCAS).

Want to find out how we stop BEC here at Expel? Read on to learn more about Expel Workbench™ and our phishing service.