While email attacks are becoming more and more sophisticated, the majority of email security tools still rely on signatures to identify malicious mails. As a result, companies are increasingly vulnerable to novel techniques that criminals are using to evade automatic detection and fool the time-pressed user.
The purchasing of thousands of email domains in order to send out malicious emails en masse is a tried-and-tested technique that exploits a fundamental limitation in most security tools. But in recent years, developments in artificial intelligence (AI) have enabled an understanding of "normal" email traffic the subtle indicators of threat that deviate from this norm.
Detecting Malicious Emails: The Binary Approach
Legacy email security tools were designed to counter spam emails by comparing incoming mail with a list of "known bad" email addresses. Like a bouncer at the door of a nightclub, these tools look for known entities with bad reputations and don't let them in.
They do this by analyzing metadata, such as the sender's IP address, the email domain, embedded links, and attachments. This data is analyzed at face value, and the binary approach asks of each piece of data: Is this malicious?
But this analysis fails to identify more sophisticated attacks, particularly those that employ new email domains that aren't obviously suspicious. A new email domain – which usually costs just a few cents to buy – has no reputation at all, and so an attacker using one is almost guaranteed to get through spam filters and traditional controls. Such was the case in May, when Norwegian state-owned investment fund Norfund was targeted with convincing malicious emails from a leasing company in Cambodia. The attack cost Norfund $10 million.
From the attacker's perspective, all that's needed is one email to be successfully delivered and clicked on in order to infiltrate a target organization. From there, the attacker can move laterally within the network and sniff around for more valuable data.
AI in Action for Email Security
Businesses can better protect themselves from costly new-wave attacks with the help of artificial intelligence (AI), which can spot nuances that legacy tools cannot.
AI is better equipped to stop advanced malicious emails due to its ability to pull together hundreds of metrics and spot anomalous activity. Rather than comparing these indicators to past attacks, AI establishes whether the behavior is expected or "normal" for the user and organization in question.
For each and every email, AI asks hundreds of questions in rapid succession, such as:
- Does this domain look visually similar to another domain?
- Is this the first time we've seen an inbound email from this user?
- Does the domain have a previous relationship with the recipient – or with the business as a whole?
In answering these questions, AI forms a deep understanding of the humans behind email communications, as well as their peers and the wider organization.
With AI, every email is analyzed in context and then continuously reanalyzed in light of evolving evidence. Where legacy defenses require many "patient zeros" before acting to block a certain domain, AI prevents the malicious emails from being delivered in the first place.
AI vs AI: A Battle of Algorithms
Keep in mind, though, that as attackers continue to innovate, they're also turning to AI for malicious purposes. "Offensive AI" will supercharge email attacks, enabling criminals to deliver customized attacks to individual users at scale and at speed.
The good news is that AI has been responsible for catching malicious emails that impersonate senior financial personnel, mass campaigns that played on a workforce's uncertainties during the pandemic, and fraudulent supplier invoices demanding tens of thousands of dollars.
Now is the time to move email security from a backward-looking guessing game to an advanced approach that protects the workforce from some of the best fakes out there.
Based in New York, Dan Fein is the director of email security products for the Americas. He joined Darktrace's technical team in 2015, helping customers quickly achieve a complete and granular understanding of Darktrace's Cyber AI Platform and products. Fein has a particular focus on Antigena Email, ensuring it is effectively deployed in complex digital environments, and works closely with the development, marketing, sales, and technical teams. Dan holds a Bachelor’s degree in Computer Science from New York University.