Dark Reading is part of the Informa Tech Division of Informa PLC


How Many Layers Does Your Email Security Need?

At least one more layer than the attacker can defeat. Here's how to improve your odds by turning on little-used or newer capabilities to block email-targeted malware.

Most IT people find email gateways justifiably boring. They’ve been around almost as long as email, after all. Everybody has one. You probably only notice them when they miss obvious spam or block legitimate mail.  For everything else, you probably figure email gateways are all pretty much the same, and as long as you checked the box, you are free to think about something else. Out of sight, out of mind, right?

The only problem is, that’s likely completely wrong.

If your email gateway rarely catches your attention, it’s likely because it is so easily and completely fooled by targeted threats that it never lets out a whimper. Ask yourself this: how would you know if your email gateway was missing new custom malware?

Consider the current state of the threat environment your email gateway faces. In addition to phishing and mass malware attacks distributed via botnets -- which are pretty easy to see and interdict at the gateway -- we have targeted attacks using new malware. According to the 2016 Trustwave Global Security Report (registration required), 54% of inbound email is classified as spam, down from 85% in 2010. Cyber criminals have realized that email gateways are quite capable of blocking generic spam and have moved to different techniques, including targeted attacks. Targeted attacks have adapted precisely to evade the traditional methods most email gateways use to try to block unknown malware. Each of those methods has a gap:

● AV engines may miss attacks because they use new or highly obfuscated malware, for which no signature exists.

●  Spam filters may miss attacks because they are one-off, low volume, or they have few suspicious traits to analyze.

● Sender reputation filters often miss attacks that come from newly created or spoofed email addresses, or from IP addresses with no "bad" history.

● Blanket policy rules that block all unusual and risky email attachment types (such as .EXE and .LNK) cannot be used on the malicious .DOC, .PDF, .XLS, and .PPT files favored by targeted attacks, as these are common business documents.

● URL filters may miss attacks because the malicious URL is hidden inside a PDF file, or within macros hidden inside document files.

● Web scanners are sometimes evaded by sending a harmless URL, but then placing malicious code behind the URL later after it has already passed the gateway.

Even newer methods such as sandboxes are limited in their protection against targeted malware. Unfortunately, targeted malware often contains countermeasures that delay execution or prevent discovery in a virtual machine environment. 

Let’s return to the earlier question, “How would you know if your email gateway was missing new malware?” There are several methods of varying efficacy. You might have endpoint whitelisting that spots something unusual. An Endpoint Detection and Response (EDR) solution is another method growing in popularity. Perhaps you get breached and conduct a forensic investigation back to the patient-zero compromised user account, time and date.

The news isn’t all bad. There are some advanced techniques that secure email gateways can use to block obfuscated, targeted PDF and Microsoft Office docs. No single technique is completely effective, but the more of these you can leverage, the better your chances.

First off, techniques like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) are designed to validate the identity of the sender, protecting against spoofed emails that appear to come from a friendly sender. However, very few organizations bother to turn these capabilities on. Be sure to use the same technologies when sending your own email.

Secondly, your gateway needs to extract and explode all the elements of an email attachment to be able to deeply analyze it for malicious intent. There could be executables and macros hidden inside office documents. There may be buffer overflow exploits hidden inside PDFs, or JavaScript inside a .ZIP file. Deep analysis rules can be applied to score all the traits of a file for risk. Risk points can be assigned for hundreds of reasons, including the presence of obfuscation techniques, encryption, known exploits, and buffer overflows. This can create a statistical picture of a file’s malicious intent and block never-before-seen malware. In many ways, this is more robust than sandboxes because it’s not dependent on a fragile environment or finicky timing of file execution. Also, the very techniques used to evade or obfuscate end up exposing the malware to deep analysis rules.
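The extract-and-score approach described above can be sketched for ZIP-based containers, which include modern Office documents. This is an added example, not the article's or any vendor's code: the trait names, weights and blocking threshold are illustrative assumptions, PDFs are out of scope, and the sample attachment is constructed from inert filler bytes.

```python
import io
import zipfile

# Trait weights and threshold are illustrative assumptions, not a vendor rule set.
WEIGHTS = {"vba_macro_project": 40, "embedded_executable": 50,
           "script_in_archive": 30, "encrypted_member": 25, "nested_archive": 10}
SCRIPT_EXT = (".js", ".vbs", ".wsf", ".hta")

def explode(data, depth=0, max_depth=4):
    """Recursively unpack a ZIP-based container (OOXML documents are ZIP files)
    and yield (trait, member_name) for each risky element found inside."""
    if depth > max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if info.flag_bits & 0x1:          # bit 0 set: member is encrypted
                yield "encrypted_member", info.filename
                continue                      # cannot be inspected without a password
            body = zf.read(info)
            if name.endswith("vbaproject.bin"):
                yield "vba_macro_project", info.filename
            if body[:2] == b"MZ":             # DOS/PE executable header
                yield "embedded_executable", info.filename
            if name.endswith(SCRIPT_EXT):
                yield "script_in_archive", info.filename
            if zipfile.is_zipfile(io.BytesIO(body)):
                yield "nested_archive", info.filename
                yield from explode(body, depth + 1, max_depth)

def score(data, block_at=60):
    """Return (total_risk_points, should_block, traits) for one attachment."""
    traits = list(explode(data))
    total = sum(WEIGHTS[trait] for trait, _ in traits)
    return total, total >= block_at, traits

def build_sample():
    """Constructed sample: a .docm-like container with a placeholder macro
    project and a nested ZIP holding a script. All content is inert."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.js", "// inert placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/vbaProject.bin", b"\x00inert")
        z.writestr("word/embeddings/archive.zip", inner.getvalue())
    return outer.getvalue()
```

No single trait reaches the threshold in this sketch; the sample is blocked because the macro project, the nested archive and the script inside it add up.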

Finally, it is essential to ensure URLs are scanned at time of click. In practical terms, this means that URLs contained in emails must be rewritten with pointers that force them to go through a cloud-based web gateway whenever they are clicked upon. This ensures security scans at any time, and on any device the recipient uses to read email, including mobile devices. 
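The rewrite-and-rescan flow can be shown with both sides in one sketch: the mail gateway rewrites each URL at delivery, and the web gateway verifies and scans it on every click. This is an added example, not code from the article or any product; the gateway hostname, the signing key and the `is_malicious_now` callback are hypothetical, and the HMAC signature is an added design choice so the click endpoint cannot be used as an open redirector.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

GATEWAY = "https://clickcheck.example.invalid/v"  # hypothetical gateway endpoint
KEY = b"constructed-demo-key"                     # constructed; use a managed secret
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def _sig(url):
    """HMAC-SHA256 over the original URL, hex encoded."""
    return hmac.new(KEY, url.encode(), hashlib.sha256).hexdigest()

def rewrite_body(text):
    """Delivery time: replace each http(s) URL with a signed gateway link."""
    def wrap(match):
        url = match.group(0).rstrip(".,;:!?)")    # keep sentence punctuation outside
        tail = match.group(0)[len(url):]
        return GATEWAY + "?" + urlencode({"u": url, "s": _sig(url)}) + tail
    return URL_RE.sub(wrap, text)

def resolve_click(link, is_malicious_now):
    """Click time: verify the signature, then scan the destination as it is
    now, not as it was at delivery. Returns (action, original_url)."""
    query = parse_qs(urlparse(link).query)
    url = query.get("u", [""])[0]
    sig = query.get("s", [""])[0]
    if not hmac.compare_digest(sig.encode(), _sig(url).encode()):
        return "reject", None                     # forged or tampered link
    if is_malicious_now(url):
        return "block", url
    return "redirect", url
```

Because the verdict is computed inside `resolve_click`, a URL that was harmless when the message passed the gateway is still blocked if its content has changed by the time the recipient clicks.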

So, how many layers does your email security need?

Email is a hotbed of hacking innovation. Traditional or incompletely implemented secure email gateways make you vulnerable to targeted attacks. Organizations can improve their odds markedly by turning on little-used or newer capabilities to block targeted malware.  

You always need at least one more layer of email security than the attacker can defeat.

Chris Harget is a 20-year veteran in the IT security industry as a product manager and product marketing manager for leading innovators such as Trustwave, Blue Coat, Citrix and McAfee. He has trained thousands of technology professionals on desktop, network, email, web and ...

User Rank: Author
6/6/2016 | 3:33:47 PM
Re: Could you send that email again? I never got it.
Lots of useful tactics in your comment.

Blocking all attachments goes too far, for most users we talk to.

Too much of their business (with insiders and outsiders) uses email to send docs. Add in the risk of email account takeover of a trusted business partner, and they really need a way to deeply scan office docs and PDFs for new, one-off, targeted malware. 
User Rank: Ninja
6/6/2016 | 1:55:39 PM
Could you send that email again? I never got it.
Here's just a few things your email gateway should include...

● Challenge / Response
● Reject All File Attachments
● Strip HTML
● Strip URLs
● Spoof Filtering
● Reverse DNS Mismatch Check
● GeoIP Filtering
● Word based filtering
● SPF Filtering
● Heuristic Filtering
● Bayesian Filtering
● MX Lookup Verification
● MIME Header Check
● IP Reputation Check
● Open Relay Check
● Signature Matching

Joe Stanganelli
User Rank: Ninja
6/6/2016 | 12:03:45 PM
The spam industry
"According to the 2016 Trustwave Global Security Report (registration required), 54% of inbound email is classified as spam, down from 85% in 2010. Cyber criminals have realized that email gateways are quite capable of blocking generic spam and have moved to different techniques, including targeted attacks."

I wouldn't say that that's the only -- or even the most significant -- cause.  I think it has more to do with how the spamming industry has changed dramatically over the past six years, being whittled to a shadow of its former self by in-fighting and better enforcement.  Brian Krebs has written on this in depth in his book, Spam Nation.