A new service that allows you to verify whether an email domain or address was in an Emotet spam campaign has been introduced.

Emotet is a malware infection that spreads through malicious Word or Excel documents containing spam emails. Until opened and macros are activated, the Emotet trojan will be installed on the device of a victim.

When compromised, Emotet can steal the email of a victim and send it back to servers under the control of the attacker. As part of future spamming efforts, these emails can then be used to make the malicious spam appear legitimate.

The Emotet trojan can download and install other malware like TrickBot and QakBot on the computer of an infected user over time. It is understood that these Trojans contribute to ransomware attacks by Ryuk, Conti, and ProLock operators.

How to check if Emotet used your email?

Italian cybersecurity company TG Soft today introduced a new service named Have I Been Emotet, which enables you to verify whether a domain or email address has been used in Emotet spam campaigns as a sender or receiver.

TG Soft has said that their database consists of monitored outgoing emails generated by Emotet between August and September 23rd, 2020.

They have gathered over 2.1 million email addresses from about 700,000 outgoing emails during this time.

You can enter a domain or email address to use the app, and it will let you know the number of times it has been used.

You can only enter a domain or email address to use the service, and it will let you know how many times the email address or domain has been used as the sender or receiver of an email.

Have I Been Emotet will include the following data when returning the search result:

  • REAL SENDER: Indicates that the computer using this email account has been compromised and used to send spam emails.
  • FAKE SENDER: Indicates that your mail was stolen and used in spam campaigns.
  • RECIPIENT: Indicates that you were the recipient of an Emotet spam email.

You can see, for example, in the image below that users in the domain have been targeted 42 times in recent spam campaigns by Emotet.

Emotet emails targeting

Emotet emails targeting

This can be used as a cybersecurity intelligence platform

If a business has been hit by a cyberattack, you should check if Emotet spam campaigns have targeted them, leading to a ransomware attack.

The healthcare giant Universal Health Services (UHS) was recently targeted by Ryuk ransomware, for instance.

Using this service, we can see that in recent Emotet promotions, the UHS domain,, was used and that Emotet spam was received nine times by the organization.

Emotet emails targeting

It does not necessarily mean you have been compromised if you use this service and find that your email address or domain has been used as a recipient.

Before the malware had been mounted, a user would have had to open the email attachments and allowed macros to become infected.

On the other hand, if your domain has users identified as a ‘True’ sender, then it is possible that one of the users of your email domain has been compromised and your computers should be thoroughly examined.