The use of mobile messaging apps and social media has dramatically increased in popularity and completely reshaped the way we communicate in our personal lives. Yet when it comes to the workplace, email continues to be the preferred method of communication. Today’s professionals easily spend a maximum of their work hours sending and receiving emails. Corporate employees typically begin their day by checking their emails and end it with email updates for tasks for the next day. Emails not only facilitate work – but have become a productive workload in itself.
The way email communication is used continues to expand and evolve – from being used at the workplace for business transactions, to delivering marketing and promotional messages. One targeted email is all it takes to breach a company’s network. According to FireEye, one in every 101 emails sent contains a malicious link or attachment. Most of these sophisticated, malevolent emails trick users into clicking links, downloading attachments, sharing credentials or taking some action that activates ransomware, installs malware or gives cyber criminals access to business networks.
Emails are the most common vector and continue to be the most vulnerable entry point for most cyber risks. In order to be successful, cyber criminals constantly modify their email attack methods, try new tactics and tweak proven ones in attempts to bypass email security defenses.
For instance, malicious URLs embedded within the text can be difficult for most email security solutions to detect, and URLs can be weaponized after passing as clean to further avoid detection. Content-less emails have also proven to be effective because they contain very little or zero text except for the URL. These emails can bypass email filters and play on the recipient’s curiosity to click the link. Non-clickable URLs are not live links and therefore, can also bypass many security filters. They are activated when the user copies and pastes the link into their browser. The hard-to-detect nature of these methods makes it easy for such malicious emails to reach an inbox, leading to a number of severe consequences.
Attackers are on the constant look-out for the easiest way to trick users into doing what they want; whether that’s revealing their credentials, unwittingly giving away corporate assets, or transferring money. The most successful attacks are sophisticated, multi-stage strikes that use several attack steps. They may begin with spear-phishing emails and incorporate an infected attachment, a link to a phishing site and an outside command-and-control (CnC) server.
Phishing and spear-phishing attacks
Phishing has been the most potent tool in the adversaries’ toolbox, who try to evade detection by using nested email phishing techniques with message attachments that contain phishing URLs. A phishing campaign may blanket an entire database of email addresses, but spear-phishing is a customized and targeted delivery method. It targets specific individuals within a specific organization for a specific purpose. The attackers segment their victims, personalize the emails and impersonate specific senders. Their goal is to trick targets into clicking a link, opening an attachment or taking an unauthorized action. Today’s high-impact email threats tend to hide in carefully designed phishing emails wrapped in impersonation packages.
Impersonation techniques allow attackers to hide behind spoofed emails that lead to phishing sites. Once clicked, the linked phishing site can lead to malware payloads or credential harvesting sites, making it a more efficient tactic for attacks. This is a great example of how attacks can be morphed to become more efficient and effective. Still relatively new, impersonation attacks, tend to use the same “formula” to trick users into transferring money or giving away company information.
CEO fraud or business email compromise (BEC) attacks
According to recent FireEye Email Threat Reports, impersonation attacks such as CEO fraud or business email compromise (BEC), have steadily increased in Q1 2019 and Q2 2019. Criminals impersonate executives, senior managers and supply chain partners to dupe employees into taking action by authorizing fraudulent wire transfers or providing confidential information. The attacks appear to come from a trusted source and imply urgency. These impersonation attacks are typically malware-less, lacking any traditional phishing or attack indicators, thus making it difficult to recognize their inauthenticity.
The unwitting users tend to click on seemingly harmless email messages that can compromise the corporate credentials, and then be used for malicious activities. The consequence of any malicious or suspicious email can be severe brand reputation damage and significant financial loss not just for the business, but the employees, customers and suppliers as well.
As email threats have evolved, cloud-based email subscription services have seen widespread adoption. As companies migrate to the cloud, we see more attackers exploiting cloud services to deploy and accomplish phishing attacks. When coupled with impersonation attacks, CEO fraud and reputational blackmail attacks, enterprises need to arm themselves with the intelligence and solutions to mitigate their risk of exposure.
Legacy, signature-based intelligence feeds can’t evolve quickly enough to thwart today’s new, sophisticated email-borne threats. This calls for a superior email security that detects and blocks every kind of unwanted email, especially targeted advanced attacks. Such a full stack email solutions will be able to:
- Rapidly detect and block unknown threats
- Filter and block spam emails as soon as new campaign are found
- Inspect URLs for links to credential-phishing sites and rewrite URLs
- Easily deploy, configure, and integrate with cloud-based email systems
- Retroactively analyze, detect and alert on URLs that go live after email delivery
- Integrate signature, analytics, and machine learning plugins to detect URL-based email phishing attacks
- Detect and protect against credential harvesting, malware-less impersonation attacks
- Auto remediate and remove emails from user’s inbox that become malicious after delivery
- Gather contextual intelligence on adversaries, and quarantine malicious emails
Effective email security should have the dynamic defense to detect and block the most dangerous cyber threats, including malware laden attachments and URLs, credential phishing sites and impersonation attacks hidden among millions of messages. It’s also imperative for the IT professionals to enhance visibility into the company’s login sources to detect unauthorized activity, refer to real-world threats that the IT team has blocked, and run regular user awareness training sessions.
Today’s sophisticated cyber attackers and dynamic threat landscape necessitate that organizations understand their threat profile. This involves knowing what assets are at risk, focusing on fast threat detection and response, and resolving incidents quickly. To stay focused on their missions and to minimize risk, organizations need email security focused on detecting and blocking email-borne threats from the first time they are seen. This includes security technologies and cyber threat intelligence gained from first-hand investigations of the cyber attacks that matter.
By Shrikant Shitole, Senior Director and Country Head for India, FireEye