140,000 Reasons to Reevaluate Your Secure Email Gateway

Today's phishing campaigns outpace legacy secure email gateways (SEGs) in a variety of ways, and the stakes keep escalating. Attacks keep growing more sophisticated, SEGs keep failing to detect them consistently, and the danger level stays in the red zone.

Taking a Stand Where SEGs Fall Down

To secure their resources and protect their employees, companies have invested heavily in SEGs such as Cisco IronPort, Symantec, Mimecast and Proofpoint. Nevertheless, phish continue to arrive by the millions in employee inboxes, each one a potential disaster. The fact is that SEGs are not keeping pace with evolving threats, and threat actors are exacting losses in the billions through a growing spectrum of ingenious scams.

Over a recent four-month period, the Area 1 service analyzed over 825 million emails for SEG customers and caught nearly 140,000 phishing emails missed by these well-regarded defenses. This is just a small, representative sampling of the millions of phish that Area 1 stops each year.

What are the consequences of SEG failure at this scale? By the report's estimate, a typical company with 10,000 employee inboxes would receive over 2,000 phishing emails every month that its SEG did not stop. Those phish carry Business Email Compromise, credential harvesting, malware, ransomware, Bitcoin fraud, and other attacks that tie down security teams with incident investigation and remediation. Phishing emails pose an ongoing, persistent threat to a company's brand, confidential data, and revenue.

This gap is the motivation for a comprehensive report from Area 1: The Story Behind 140,000 Missed Phish. In an illustrated and detailed report, we conducted a post-mortem on the SEG failures, explaining why each type of phish would have succeeded had Area 1 not caught it.

The conclusion that emerges from this evidence is that SEGs are not only failing to keep up with common phishing campaigns, they are actually falling behind. One reason for the frustrating success of phishing attacks is that legacy SEGs are backward-looking: they rely on the characteristics of yesterday's attacks (known bad senders, domains, hashes and signatures) to detect tomorrow's. SEGs are simply not moving fast enough to respond to continually evolving campaigns, and their techniques are no match for threat actors.

In this new report, Area 1 explores the nature of SEG failures by dissecting the actual phish in each category.

One major SEG-evader is the malicious URL. Nearly a quarter of the phish caught by Area 1 contained malicious URLs, and 6.8 percent of these phish spoofed trusted brands. They included links to credential-harvesting sites, watering holes, malvertising, and pages hosting malicious scripts, among others.

For example, one customer received an email impersonating Chase bank, requesting an update of account information. A Proofpoint SEG judged it benign. When Area 1 scanned the email, it identified the sending domain as a spoof of the Chase brand and found that the embedded link redirected to a fake Chase login page. This detection by Area 1 prevented the user from being exposed to a well-crafted credential harvester.

The report also details the techniques Area 1 used to catch these phish, detection steps that the SEGs in question did not perform: following URL redirections to the final destination, expanding shortened URLs, and inspecting URLs buried in attachments, combined with ML classifiers and pattern analysis over the resulting landing pages and domains.
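To make the Chase example and the three techniques above concrete, here is an added, self-contained Python illustration (written for this page, not Area 1's or any SEG vendor's code). It parses a constructed MIME message, pulls URLs out of both the body and an HTML attachment, follows each redirect chain to its final destination (with loop and hop-count protection), notes when the chain starts at a link shortener, and flags a sender or landing domain that contains a brand name without being one of that brand's registrable domains. The brand allow-list, shortener list and redirect table are hypothetical, and the redirect resolver is a constructed lookup table standing in for the HEAD/GET requests a real scanner would issue from a sandbox. The registrable-domain helper takes the last two labels and ignores the public suffix list, a simplification noted in the code.

```python
"""Added example: unwrap redirect chains and shortened links in an email,
then check landing and sender domains for brand look-alikes."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Hypothetical allow-list: brand keyword -> registrable domains it really uses.
BRAND_DOMAINS = {"chase": {"chase.com", "jpmorganchase.com"}}
# Hypothetical shortener hosts; a real list would be much longer.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
# Constructed redirect table: url -> Location header a live scanner would see.
CONSTRUCTED_REDIRECTS = {
    "https://bit.ly/3xyz": "https://chase-secure-update.com/verify",
    "https://chase-secure-update.com/verify": "https://login-chase.example.net/auth",
    "https://loop.example/a": "https://loop.example/b",
    "https://loop.example/b": "https://loop.example/a",
}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

# Constructed sample message: shortened link in the body, raw link in an attachment.
SAMPLE_EMAIL = """\
From: "Chase Online" <alerts@chase-secure-update.com>
To: user@example.com
Subject: Action required: update your account information
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review your account at https://bit.ly/3xyz within 24 hours.

--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="statement.html"

<html><body><a href="https://login-chase.example.net/auth">View statement</a></body></html>
--b1--
"""


def constructed_resolver(url):
    """Stand-in for an HTTP request: returns the next hop or None if final."""
    return CONSTRUCTED_REDIRECTS.get(url)


def registrable_domain(host):
    """Simplification: last two labels; a real scanner uses the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_lookalike(host):
    """Return the brand a host imitates, or None if it is a legitimate brand domain."""
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in host.lower() and registrable_domain(host) not in allowed:
            return brand
    return None


def extract_urls(raw_message):
    """Collect URLs from every non-multipart MIME part, attachments included."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() == "text":
            text = part.get_content()
        else:  # binary attachment: scan its decoded bytes for URL-looking strings
            text = (part.get_payload(decode=True) or b"").decode("latin-1", "ignore")
        for url in URL_RE.findall(text):
            if url not in found:
                found.append(url)
    return msg, found


def follow_redirects(url, resolver, max_hops=10):
    """Walk the redirect chain; stop on a final page, a loop, or too many hops."""
    chain, seen = [url], {url}
    while True:
        nxt = resolver(chain[-1])
        if nxt is None:
            return chain, "final"
        if nxt in seen:
            return chain, "loop"
        chain.append(nxt)
        seen.add(nxt)
        if len(chain) > max_hops:
            return chain, "max_hops"


def analyze(raw_message, resolver=constructed_resolver):
    """Return sender and per-URL findings plus an overall verdict."""
    msg, urls = extract_urls(raw_message)
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    findings = []
    for url in urls:
        chain, status = follow_redirects(url, resolver)
        findings.append({
            "url": url,
            "shortened": urlsplit(url).hostname in SHORTENERS,
            "hops": len(chain) - 1,
            "status": status,
            "final": chain[-1],
            "lookalike": brand_lookalike(urlsplit(chain[-1]).hostname or ""),
        })
    sender_lookalike = brand_lookalike(sender_domain)
    malicious = sender_lookalike is not None or any(f["lookalike"] for f in findings)
    return {"sender_domain": sender_domain, "sender_lookalike": sender_lookalike,
            "urls": findings, "verdict": "malicious" if malicious else "benign"}


if __name__ == "__main__":
    print(analyze(SAMPLE_EMAIL))
```

A gateway that only checks the visible URL sees a bit.ly host and a harmless-looking HTML attachment; following the chain exposes the login-chase landing page, and the brand check catches both it and the sending domain. In production the resolver would make real requests from an isolated sandbox with timeouts and per-hop logging, and the look-alike check would use the public suffix list and a much larger brand list.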

The number 140,000 sounds enormous, and a single phish can trigger losses in the millions. Yet 140,000 is only a fraction of the threats headed toward companies at all times. The bad news is that these SEGs fail to protect the companies relying on them. The good news is that the right technology and approach will defeat phishing.

The Story Behind 140,000 Missed Phish illustrates how that technology works in actual attacks that SEGs failed to detect—but that were stopped cold by Area 1. Area 1 can be easily deployed behind your existing SEG. Keeping your employees safe is only a few minutes away.

Dominic Yip is the director of sales engineering at Area 1.  To learn more about phishing attack trends and techniques to catch what SEGs miss, check out Area 1’s Phish of the Week webinars.
