How Phish Are Evading Your Customers’ Email Security

Most of your customers may think that their native email security or secure email gateways (SEGs) are preventing phishing emails from reaching users’ inboxes. Unfortunately, threat actors are adapting quickly and changing their tactics, often staying a step ahead of security teams. They are increasingly launching more sophisticated attacks, leveraging platforms like social media to mine data and fine-tune their messaging to get phishing emails into inboxes.

Attacks by these threat actors come in several flavors, but one that is observed often and is increasingly prevalent is an offer to share a document or, similarly, an urgent directive to act on a document.

The user is presented with a legitimate-looking login page for a trusted brand such as Microsoft Office 365. These templates can be perfect facsimiles. A trained user will spot a problem with the URL – that it does not match the brand. But many users are moving too fast or are distracted. The phish works.

Why are today’s credential-harvesting attacks regularly evading costly controls? Threat actors either mimic trusted brands by creating fake pages, or they create accounts on the legitimate services themselves.

This approach is often effective because of the way SEGs work. For one thing, SEGs filter on whether a URL has already been flagged or placed on a deny list. Other reasons phish stump these controls: SEGs build their profiles by sampling active, ongoing attacks, while phishing campaigns are launched quickly and ended before they can be profiled. SEGs are also built to guard against high-volume, spammy messages, while phish are lower volume and often more targeted. And SEGs are particularly challenged when attackers spoof legitimate businesses.

SEGs perform well enough for known threats but they start to struggle with unknown threats and newly stood-up campaigns that may be as short-lived as a few minutes. And, if a URL is not on a known-threat list, a SEG will typically deliver it.

What is really needed is technology that examines the URL itself, rather than relying on whether it already appears on a list.

SEGs also struggle with business email compromise (BEC) attacks. These attacks often contain no flagged keywords, instead using regular language. SEGs can’t stop these if the keyword or other filters don’t alert. A human may notice the request from a fellow employee is coming from a non-work domain, for example, but SEGs aren’t designed to catch this.

Detecting BEC with technology requires the ability to read the content of an email and understand it: the brand-impersonation details, the sender’s email address and display name, and the information in both the header and the body.
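One way a tool can act on the header details described in the last two paragraphs, as an added illustration that is not Cofense code: the organisation domains, the staff directory and the sample message below are all constructed assumptions for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation domains and staff directory (constructed for the demo).
ORG_DOMAINS = {"example.com", "mail.example.com"}
EMPLOYEES = {"jane doe": "jane.doe@example.com", "sam lee": "sam.lee@example.com"}


def _norm(name):
    """Normalise a display name: 'Doe, Jane (CEO)' -> 'jane doe'."""
    name = re.sub(r"\(.*?\)", "", name)
    if "," in name:
        last, first = (p.strip() for p in name.split(",", 1))
        name = f"{first} {last}"
    return " ".join(name.lower().split())


def check_sender(raw_message):
    """Return findings about the From and Reply-To headers; an empty list means nothing stood out."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []
    who = _norm(name)
    # A colleague's display name arriving from a non-work domain is the case the article describes.
    if who in EMPLOYEES and from_domain not in ORG_DOMAINS:
        findings.append(f"display name {name!r} matches {EMPLOYEES[who]} but was sent from {from_domain}")
    # Added header check: replies silently routed to yet another domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To {reply} goes to a different domain than the From address")
    return findings


# Constructed sample: a colleague's name on a free-mail address, asking Accounts Payable to pay.
SAMPLE = """From: "Jane Doe" <jane.doe.ceo@freemail.invalid>
To: ap@example.com
Subject: Quick favour

Can you process the attached invoice today? I'm in meetings all afternoon.
"""
```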

For example, a user viewing an email will not see the embedded code. But when the code behind the message is examined, we can detect specialized HTML and CSS styles that hide words that would normally trigger a SEG alarm, words such as “Password” and “Expiring.” Because these tricks are designed specifically to bypass SEGs, MSPs need additional technology to prevent users from being exposed to malicious emails.
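The hidden-text trick above, seen from the defender's side, as an added example rather than anything from the original post or Cofense's product: the scanner separates the text a recipient actually sees from text suppressed by inline styles, then reports trigger words that only appear once the hidden fragments are removed. The style patterns and the sample message are constructed for the demo and cover inline styles only.

```python
import re
from html.parser import HTMLParser

# Inline CSS declarations that keep text out of the recipient's view.
HIDING_RULES = [re.compile(p, re.I) for p in (
    r"display\s*:\s*none", r"visibility\s*:\s*hidden",
    r"font-size\s*:\s*0(?:px|pt|em|%)?(?![.\d])", r"opacity\s*:\s*0(?:\.0+)?(?!\.?\d)",
)]
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}
TRIGGER_WORDS = ("password", "expiring")  # the words the article names


class HiddenTextScanner(HTMLParser):
    """Split message text into what the reader sees and what inline styles hide."""

    def __init__(self):
        super().__init__()
        self.stack = []  # one flag per open element: is its content hidden?
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        inherited = self.stack[-1] if self.stack else False
        self.stack.append(inherited or any(r.search(style) for r in HIDING_RULES))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        # Chunks stay unspaced so "Pass" + hidden junk + "word" rejoins as "Password".
        (self.hidden if self.stack and self.stack[-1] else self.visible).append(data)


def _squash(text):
    return re.sub(r"\s+", " ", text).strip()


def analyse(html):
    """Return rendered text, hidden text, and trigger words a tag-stripping filter would miss."""
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()
    rendered, hidden = _squash("".join(scanner.visible)), _squash("".join(scanner.hidden))
    naive = _squash(re.sub(r"<[^>]+>", "", html))  # what a crude keyword filter sees
    evaded = [w for w in TRIGGER_WORDS if w in rendered.lower() and w not in naive.lower()]
    return {"rendered": rendered, "hidden": hidden, "naive": naive, "evaded": evaded}


# Constructed sample: the recipient reads "Your Password is Expiring today."
SAMPLE = ('<p>Your Pass<span style="display:none">zq</span>word is '
          'Exp<span style="font-size:0px">--</span>iring today.</p>')
```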

Finally, threat actors may insert a CAPTCHA between the initial email and another redirect to a login page. Can a traditional SEG identify the photographs with the traffic lights? And the ones with the train? No. But by using computer vision and AI, specialized technology can emulate a human response to investigate CAPTCHA challenges. AI complements SEG technology by affording more data points to determine if an email is a phish.

MSPs can take heart. Modern anti-phishing technology that uses visual AI to detect and learn from real-world phishing attacks can stop what native email security and SEGs usually can’t. Contact our team to learn more about Cofense Protect MSP. Book a demo to see how you can provide advanced phishing protection to keep your clients safe from today’s most sophisticated phishing attacks. 


Rich Keith is senior product marketing manager at Cofense. Read more Cofense guest blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.

Comments

Al Wissinger:

I’m quite sure using AI would be an improvement to SEGs; however, nothing is ever perfect, and it requires that human training to help catch these events.
Recently we had a client that received a BEC that was flagged as spam by MS and put into the spam bucket. The client, however, had two bolt-on email packages that essentially grabbed the email out of the spam bucket because it had a spoofed valid internal email address (CEO). These two packages moved the email around and ultimately added the CEO signature and sent it to the internal Accounts Payable team. Thankfully an astute, trained employee caught the fake invoice and didn’t pay it.
Lesson learned – know how your email programs impact each other, especially when it’s originally flagged as spam.

Rich Keith:

@alwissinger: That is a valid concern. You’re correct: AI and ML alone are not the answer; neither is human training by itself the answer. That customer email package you described, the one that pulled the malicious emails, repackaged them and sent them on, is really scary. Protect uses AI and computer vision tech to scan emails within seconds of arrival, detecting phish and isolating them from the user. One of the best features of Cofense Protect is that once a malicious email is detected, any URLs in the message or embedded links in an attachment (if there is one) are deactivated, rendering the phishing attack dead. And yes, Protect does work with other email security already in use by MSPs. Thanks for your comments! – The author
