Email Security Tools Try to Keep Up with Threats

Email has long been a prime vector for cyberattacks, and hackers are only getting sneakier. Can email platforms and security tools keep up?

No matter how many messaging and collaboration apps clutter the enterprise space, most (if not all) employees will continue to use email. Cybercriminals know this, and they're increasingly leveraging this reliance to their advantage, finding new ways to bypass protective measures.

Bob Adams, cybersecurity expert at Mimecast, explains how email-based threats have evolved. "It's important to understand the history of these attacks to understand where they're going," he says. Older phishing scams were easy to detect, with poor spelling and grammatical mistakes. The people who fell for them were likely to give attackers what they wanted.

"One of the reasons it was so successful is it was targeted in a way that intelligent people wouldn't respond," he says. Today's threat actors have resources to make their attacks credible to a broad range of victims. Now, the people who could recognize obvious phishing scams are getting hit with spearphishing attempts and business email compromise (BEC) attacks.

In its Email Security Risk Assessment (ESRA), Mimecast passively scanned 95.9 million emails that went through email security systems and were received by a business email management portal. The ESRA caught 14.2 million spam messages (5.1 million rejected; 9.1 million quarantined), nearly 10,000 dangerous file types, 12,500 malware attachments, and 23,000 impersonation attacks.

Spam is annoying, sure, but most people know what it looks like and it isn't lethal. Impersonation attacks, on the other hand, are sneaky. "What's making these attacks even easier and have higher ROI is the sheer amount of information publicly available on every company and individual within its top ranks," says Wickr CEO Joel Wallenstrom.

"All attackers need to do is pick a target; tailor messaging based on data gleaned from Facebook, LinkedIn, obscure data brokers, and exposed PII databases; and voilà, the scam works as intended," he adds. Business email compromise has become a hugely profitable industry, with $5 billion in profit and categorization as a separate crime type by the FBI starting in 2017.

"What we're seeing more and more is spearphishing attacks, hearing much more of attackers using social engineering in a variety of different ways to get people to give up their account credentials," says Reena Nadkarni, group product manager at Google.

BEC attacks rely on simplicity, credibility, psychology, and urgency to convince victims to act, Adams points out. They won't use too many details: "It was great talking to you the other day" is more likely to convince a target than "It was great meeting you at Starbucks last Wednesday." Attackers may capitalize on employees' hesitation to question managers. "I can't talk right now, but I need you to do this immediately" is another line they may send a BEC target.

Of the 12,500 malware attachments that bypassed email security systems in the ESRA test, 11,653 contained known malware and 849 contained unknown malware. Failing to detect unknown malware in an email can be hugely detrimental because most common antivirus systems won't notice it, and an attacker can gain or extend their presence on the network.

Can Email Security Keep Up?
Major email providers Microsoft and Google have been stepping up to build stronger security into their platforms. Nadkarni explains how the evolution of cyberattacks has made email security a challenge; now, attackers are spoofing websites and creating lookalike domains.

"What's interesting about some of these emails is they don't have an attachment," she says. "Many of the traditional methods of being able to catch these just don't work."

Google recently added a few new Gmail security features as part of a broader redesign. Users can protect sensitive content by setting expiration dates for their messages or revoking sent messages before or after they're viewed. Recipients may be required to provide additional information to view messages, a measure intended to protect data even if the receiving account has been hacked.

Microsoft, to its credit, has also added new security features to its email platform. However, some security experts note there's much more to be done on the data security front. Gmail's confidential computing is "a step in the right direction," says Wallenstrom. Users must know to apply data expiration settings to each email, and those settings take effect only on the recipient's end. He points out that minimizing data on the sender's account as well would add helpful protection.

Adams says "it's a little bit late and it's also, in my mind, a little bit lacking," with respect to the recent Gmail updates, specifically referring to enterprise security. It might be good for smaller businesses, he says, but for major corporations "I don't see it being secure and effective enough at this time."

Eitan Bremler, vice president of product at Safe-T, points out how Exchange is still limited by the size of files (unless you send via OneDrive) and there is no integration with data loss prevention (DLP) and antivirus (AV) software. With Gmail, he's concerned about a lack of advanced security functions like file encryption and DLP or AV integration.

"While hackers have grown more sophisticated and created more nuanced ways of getting into emails, email technologies themselves have not evolved much from a technology perspective over the last 20 years," Bremler says.

What Businesses Can Do in the Meantime
To improve email security, Wallenstrom advises businesses to make security and data minimization a default, "something that employees don't have to opt into each time they communicate," he says. Further, enforcing a business-wide policy that bans sending valuable data — financial information, business intelligence — via email would also help build security hygiene.

"What surprises me is even today, a large number of administrative accounts don't have two-factor authentication," says Nadkarni. "If you have admin accounts in any system and that's compromised, that's a huge deal."

She also advises businesses to look into security keys. "That makes such a huge difference," she explains, noting that even multifactor authentication codes can be phished. "To introduce an element of physical security, that changes the game quite a bit."
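As an added illustration of the point above (not code from the article, Google, or any vendor quoted), the following simplified Python model shows why a one-time code relayed through a lookalike login page is still accepted by the real site, while a security-key assertion that signs the origin the browser is actually on is rejected. The origins, secrets, and the HMAC used as a stand-in for the key's signature are all constructed assumptions.

```python
"""Constructed model: phishable OTP versus origin-bound security-key assertion.
The HMAC below stands in for the device's private-key signature; it is not
a WebAuthn implementation, only the origin-binding idea behind one."""
import hashlib
import hmac
import json

SITE_ORIGIN = "https://mail.example.com"                       # legitimate site (constructed)
PHISH_ORIGIN = "https://mail-example.com.login-help.invalid"   # lookalike page (constructed)

# --- OTP model: a shared secret that says nothing about WHERE the code was typed ---
OTP_SECRET = b"shared-otp-secret-demo"          # constructed

def current_otp(counter: int) -> str:
    """HOTP-style 6-digit code derived from the shared secret and a counter."""
    mac = hmac.new(OTP_SECRET, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def site_verify_otp(code: str, counter: int) -> bool:
    return hmac.compare_digest(code, current_otp(counter))

def phished_otp_relay(counter: int) -> bool:
    """Victim reads the code off their phone and types it into the lookalike page;
    the attacker-in-the-middle forwards it unchanged. The real site cannot tell."""
    code_typed_on_phish_page = current_otp(counter)
    return site_verify_otp(code_typed_on_phish_page, counter)   # accepted

# --- Security-key model: the assertion covers the origin the browser is on ---
KEY_SECRET = b"per-device-key-demo"               # constructed stand-in for the private key

def key_sign(challenge: bytes, browser_origin: str) -> dict:
    """The browser, not the user, supplies the origin; the key signs it with the challenge."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": browser_origin}, sort_keys=True)
    sig = hmac.new(KEY_SECRET, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}

def site_verify_assertion(assertion: dict, challenge: bytes) -> bool:
    data = json.loads(assertion["client_data"])
    expected = hmac.new(KEY_SECRET, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(assertion["sig"], expected)
            and data["challenge"] == challenge.hex()
            and data["origin"] == SITE_ORIGIN)    # the origin check is what defeats the relay

def phished_assertion_relay(challenge: bytes) -> bool:
    """The proxy forwards the real challenge, but the key signs the phishing origin."""
    return site_verify_assertion(key_sign(challenge, PHISH_ORIGIN), challenge)   # rejected

def legitimate_assertion(challenge: bytes) -> bool:
    return site_verify_assertion(key_sign(challenge, SITE_ORIGIN), challenge)    # accepted
```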

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

User Rank: Ninja
5/10/2018 | 4:04:36 PM
We made email the vulnerability it is today
Thanks for the article on BEC.  

As mentioned, attachments were a principal source of compromise; but no longer necessary, because of other features added for our convenience. We still refer to these communications as email (electronic mail); though the reference to letters exchanged by post retains little relevance.

Each letter was an item traveling from one address to another; each email is packet-ized and the packets disseminated to countless waypoints to be copied and forwarded to countless more; in a process that only ends when the addressee (an IP address node device, not a person), informs the internet that at least one copy of each packet in the parcel has arrived at its destination - effectively, emails are broadcast.  Thinking of email, in terms of postal mail (with all our assumptions and experience with that), was a misconception from the get-go.  Maybe "pradio" (personal radio transmitter/receiver), would have given us a clearer picture of what we would be dealing with. 

Postal mail attachments were harmless (unless dipped in poison), at least until any forms were filled out and returned. Email attachments can carry malware, but embedded images (blocks of binary we take to be interpreted as a picture), can serve just as well. Yes, we can be warned that "images were prevented... "; but legit senders want us to see them, and we want to see what "they" sent - so we revert to the postal mail assumptions that the sender is who they say they are, and download the images.

What would today's email be without hyperlinks - a lot less of a vulnerability.  With a single click, we can be whisked away to who knows where, or agree to who knows what.   

Maybe the way to make email safer is to make it less 21st century. At least with business emails, treat the process of sending and accepting them more as we would have with business letters: Be a little more formal. Always include specifics in the subject line. Be more sparing in how many emails you send (pretend it cost you postage and the pay of a secretary to take dictation, correct your grammar, and type it on to your company's stationery). Offer to send attachments - if they request them in a reply.

If we keep in mind that email is not mail; yet treat it a little more as if it were, we'd all have less to worry about. 
User Rank: Apprentice
5/29/2018 | 2:06:36 PM
The challenge is human behavior - not the technology
Ultimately there's not much that technology can do when people are going to click through to malicious websites, go into spam to open Russian bride offers, or wire someone money without using MFA.

The tools are really powerful, filter in the 99.9%+ of spam or even emails that are questionable.
