RE: Thinking Email Security

When thinking about email security, a familiar story usually comes to mind: an attacker sends a malicious payload hidden in a link or attachment, and an unsuspecting recipient clicks and inadvertently downloads malware onto their device.

In reality, this kind of attack represents just the tip of the iceberg when it comes to the broader spectrum of threats that target organizations via the inbox.

Cyber-criminals are increasingly turning to more subtle attacks that involve sending ‘clean’ emails containing only text and coaxing the recipient into replying, revealing sensitive information or performing an offline transaction. These methods easily bypass legacy security tools that rely on checking links and attachments against blacklists and signatures, because there is no link or attachment to check.

Moreover, they generally involve registering new ‘look-alike’ email addresses, which not only trick the recipient but also bypass traditional defenses that rely on identifying blacklisted domains, since a freshly registered address has no history on any blacklist.

A Quick RE:ply
Solicitation attempts are proving impossible to stop with traditional email security tools, which analyze each email in isolation, at a single point in time, and correlate it against static rules and blacklists. While this approach catches spam, it fails to spot the weak indicators of an advanced email attack or compliance issue.

Ransomware attacks, for example, are on the rise and increasing in sophistication, yet detecting them remains a highly complex and consequential problem. What is required is a comprehensive understanding of ‘normal’ across digital traffic, from email and from the wider digital business.

With every email analyzed in the wider context of the sender, the recipient and the entire organization, seemingly harmless emails that bypass traditional security tools can be identified in seconds using a vast range of metrics, including suspicious similarities to known users, abnormal associations and anomalies in email content and subject line.

In a recent customer case, a cyber-criminal was caught in the act of trying to register a Gmail address in the name of a company’s CEO. From this address, an email was sent to a member of the payroll department requesting that the employee update the CEO’s direct deposit information. Although the email successfully mimicked the CEO’s typical writing style, the business’s AI-powered security tools detected the abnormality and autonomously blocked it.
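The ‘suspicious similarities to known users’ check described above, applied to a case like the CEO impersonation, can be illustrated with a small sender-similarity detector. This is an added example written for this page, not code from the article or from any vendor product; the organization domain, the known-user directory and the From: headers are all constructed, and the similarity thresholds are assumptions.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed directory of the organization's known users (hypothetical names).
ORG_DOMAIN = "example.com"
KNOWN_USERS = {
    "Jane Doe": "jane.doe@example.com",   # the CEO in this constructed scenario
    "Sam Lee": "sam.lee@example.com",
}
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}
SIMILARITY = 0.8   # assumed threshold for 'looks like' comparisons


def _norm(text):
    """Lower-case and keep letters only, so 'Jane Doe' and 'jane.doe' compare equal."""
    return re.sub(r"[^a-z]", "", text.lower())


def sender_anomalies(from_header, known_users=KNOWN_USERS, org_domain=ORG_DOMAIN):
    """Return reasons a From: header resembles a known user without being that user.

    An empty list means the sender is either a genuine known address or does not
    resemble anyone in the directory; a non-empty list is a signal for review.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    local, _, domain = addr.partition("@")
    reasons = []
    if addr in known_users.values():
        return reasons  # genuine internal sender, nothing to flag
    for known_name, known_addr in known_users.items():
        # 1. display name matches a known user but the address is not theirs
        if _norm(name) == _norm(known_name):
            reasons.append(f"display name '{name}' matches {known_addr} but address is {addr}")
        # 2. local part mimics a known user's local part on a non-organization domain
        known_local = known_addr.split("@")[0]
        if domain != org_domain and SequenceMatcher(None, _norm(local), _norm(known_local)).ratio() >= SIMILARITY:
            reasons.append(f"local part '{local}' resembles {known_addr}")
    # 3. look-alike domain: close to the organization domain but not equal to it
    if domain != org_domain and SequenceMatcher(None, domain, org_domain).ratio() >= SIMILARITY:
        reasons.append(f"domain '{domain}' is a look-alike of {org_domain}")
    # 4. an impersonation sent from free webmail is a stronger signal than one from a corporate domain
    if reasons and domain in FREE_MAIL:
        reasons.append(f"sent from free webmail domain {domain}")
    return reasons


if __name__ == "__main__":
    for header in ("Jane Doe <jane.doe@example.com>", "Jane Doe <janedoe.ceo@gmail.com>",
                   "Sam Lee <sam.lee@examp1e.com>", "Bob <bob@partner.org>"):
        print(header, "->", sender_anomalies(header) or "no anomaly")
```

A real deployment would feed these reasons into a scoring model alongside the other metrics the article lists (recipient associations, content and subject-line anomalies) rather than blocking on any single match.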

A Bleak Outlook
Cyber-criminals are also turning to supply chains – comprised of vendors, partners and contractors – in their attempts to infiltrate an organization or establish offline communication. By hijacking the account details of a trusted contact in your supply chain, threat actors can easily gain the trust of a recipient in the network and coax them into clicking a malicious link or transferring millions out of the business. 

Legacy email defenses assume trust, which means that sophisticated account takeovers often go completely unnoticed. Attackers who have total access to a supplier’s email account are able to study previous email interactions and produce a targeted response to the latest message. The language they use will often appear benign, meaning traditional tools searching for key words or phrases indicative of phishing will fail to pick up on these attacks. With cases of credential compromise increasing 260% since 2016, this threat vector is only set to increase in the coming decade.

One business experienced this recently when an attacker took over the account of a trusted consultancy firm. Less than two hours after a routine email exchange, the compromised account sent emails to 39 users, each containing a phishing link. The subject lines and links varied from email to email, pointing to highly targeted messages from a well-prepared attacker.

AI identified the full range of anomalies typically associated with account takeovers: the unusual source IP address, a link inconsistent with the account’s learned ‘pattern of life’, the unusual group of recipients and, in some emails, an anomalous topic.

FW: Thinking
In this instance, the attacker had taken the time to read the previous correspondence and contextualize their impersonation attempt.

Going forward, AI will be increasingly weaponized by email attackers to learn the prior communication patterns between two correspondents and produce more legitimate-looking emails, ones that can be sent at machine speed and scale. One of the most notorious pieces of contemporary malware, the Emotet trojan, is a prime example of a prototype-AI attack. Emotet’s main distribution mechanism is email, usually via invoice scams.

‘Forward thinking’ attackers could easily use AI to supercharge attacks. With artificial intelligence analyzing the context of every email thread and replicating the language used, these email attacks could become highly tailored to individuals.

An AI-powered Emotet trojan could create entirely customized, highly realistic emails and send them out at scale, allowing cyber-criminals to increase the yield of their operations exponentially.

This possibility gives rise to a new chapter in email security, one in which a holistic ‘immune system’ platform is necessary. Legacy security tools that are confined to the email gateway or inbox are no longer sufficient to stop this vast range of sophisticated attacks; AI must be leveraged to protect email users not only from traditional phishing attacks, but from every threatening email seeking to cause harm.
