Email is the gateway to most businesses for both legitimate users and cyber criminals alike. As security was never factored into emails, we have had an uphill struggle in defending our businesses from email abuse. For over two decades the ongoing battle with spam email has left us with the dire statistic that in May 2019, 85 percent of all email was spam (according to Cisco’s Talos Intelligence).
"An individual’s email credentials now open the door to so many places, especially if cloud email services like Office 365 or Google G Suite are used"
Within this there is also the malicious email traffic, either trying to phish or infect, in order to commit extortion, theft, or fraud, or to repurpose our computing assets for the criminal’s gain. Whether by redirecting us to a compromised website or to a legitimate file-sharing service holding a malicious file, the criminals are constantly finding ways to outsmart or bypass many of our cyber defences. In fact, what many people forget is that the criminals can purchase a wide range of enterprise cyber defences and extensively test them if they want to. We never had a level playing field; it’s like the criminals are playing poker with seven cards while we hold five.
To make matters worse, as an individual’s email credentials now open the door to so many places, especially if cloud email services like Office 365 or Google G Suite are used, they have become a major target for the criminals. It really does not matter how good your email filters are if your users’ passwords have been reused and lifted from a major data breach. Access to the right supplier (like a managed service provider) can lead a criminal straight in through the back door into your business, or give them everything they need to trick you or your colleagues into opening a malicious email, as it’s coming from a trusted source. Compromising business emails does not necessarily involve advanced hacking skills either; it can simply be done via social engineering, using old-fashioned text messages and telephone calls, either asking for the credentials or directing people to a fake website.
A core strategy for many businesses has been to filter emails before they arrive via a cloud service, which can effectively block spam and malware-laden emails with a high degree of success. Solutions like DMARC help block spoofed email domains, effectively adding the missing security that email always needed. Unfortunately, if your users’ credentials are being phished via means other than email, the filters cannot help. Filtering emails from compromised accounts is also extremely difficult, as all the usual identifiers of a bogus email are missing. The header is genuine, the signature is real, and even the subject may be as expected. The only clue may be the tone of the email, or the context. Here awareness training and good processes are your best defence, especially for CFO fraud, where there is a change of bank details. Multi-factor authentication can also help stop your users from being phished by emails sent from compromised accounts; either way, it makes the phished credentials worthless without the missing third factor.
One of the biggest problems we face, though, with our email filtering gateways is that the emails are scanned on arrival only. We can add multiple filters, but the emails are still only scanned once by each filter. Any future analysis is typically done by the endpoint antivirus, if it is configured to scan the email when it is accessed. Any malicious or fraudulent emails that made it past the email filters will just sit there waiting to be accessed by the user, like a ticking time bomb. Email hyperlink rewriters can help, but they can also make matters worse, because now you really have no idea where any email links go, and this can cause confusion among users and introduce additional delays and problems.
This is where email mailbox remediation solutions come into their own, because they can actually do something after the email has been delivered and is sitting in the user’s mailbox. Here the threat knowledge acquired post-delivery is applied to the existing emails in the system. Whether a website has been modified to host an exploit kit, or a website payment plug-in altered to steal your credit card details, a lot can happen in a short space of time when the criminals repurpose websites that are under their control. So now, the two dozen people who have emails containing what is now known to be a malicious link are informed, and the emails concerned are quarantined. Whether this happens minutes after the email is delivered or hours later, it is still better than not happening at all, which is the current mess we are in. Otherwise, the best alternative is to delay every email by two hours before it goes through the filters, which definitely is not going to happen any time soon.
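To make the post-delivery step concrete, here is an added example (not code from the article or from any remediation product) that re-scans already-delivered messages against an indicator learned after delivery and returns which mailboxes need a quarantine and a user notification. The mailbox contents, the domain `repurposed-site.test`, and the indicator list are all constructed for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample mailbox: messages already delivered and sitting in users' inboxes.
MAILBOX = {
    "alice@example.test": [
        "Subject: Invoice 1042\nFrom: accounts@example.test\nContent-Type: text/plain\n\n"
        "Hi, the invoice is at https://files.example.test/inv/1042.pdf",
        "Subject: Your order\nFrom: shop@example.test\nContent-Type: text/html\n\n"
        '<p>Track it <a href="http://cdn.repurposed-site.test/track?id=9">here</a></p>',
    ],
    "bob@example.test": [
        "Subject: Team lunch\nFrom: carol@example.test\nContent-Type: text/plain\n\n"
        "Menu at http://lunch.example.test/menu",
    ],
}

# Constructed indicator learned only after delivery: a site later found hosting an exploit kit.
POST_DELIVERY_IOCS = {"repurposed-site.test"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def extract_hosts(raw_message):
    """Return the lowercase hostnames of every URL found in the message body."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hosts = set()
    for url in URL_RE.findall(msg.get_content()):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts

def host_matches(host, iocs):
    """True if the host equals an indicator domain or is a subdomain of one."""
    return any(host == ioc or host.endswith("." + ioc) for ioc in iocs)

def remediate(mailbox, iocs):
    """Re-scan delivered mail against indicators learned later.
    Returns (user, subject) pairs to quarantine and to notify the user about."""
    actions = []
    for user, messages in mailbox.items():
        for raw in messages:
            if any(host_matches(h, iocs) for h in extract_hosts(raw)):
                subject = str(email.message_from_string(raw, policy=policy.default)["Subject"])
                actions.append((user, subject))
    return actions

if __name__ == "__main__":
    for user, subject in remediate(MAILBOX, POST_DELIVERY_IOCS):
        print(f"quarantine '{subject}' in {user} and notify the user")
```

In a real deployment the indicator set would be refreshed from a threat feed and the scan re-run on a schedule, so a link that was clean at delivery is caught once the site it points to is repurposed.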