Why Secure Email Gateways Miss Phishing Emails

Does it seem that your SEGs actually invite phishing cyberattacks?

Phishing persists as today’s No. 1 threat vector for data and financial breaches—easily the most effective tool in a threat actor’s arsenal. Phishing cyberattacks may constitute less than one percent of total Internet traffic, but they do over 95 percent of the damage. And because SEGs consistently miss phish, they are incapable of effective cloud email protection—least of all from socially-engineered attacks like Business Email Compromise (BEC), whose impact has soared by nearly half again in 2020.

Yet, despite the proven ineffectuality of SEGs, businesses continue investing heavily in these solutions, which are not engineered to recognize and thwart phishing attacks—particularly those that rely on social engineering.

SEGs have their uses—but not against new phishing campaigns

Over a recent six-month period, Area 1 Security analyzed over 1.5 billion emails and caught over 925,000 threats missed by Office 365 and SEGs. (Keep in mind that this figure is only a small representative sampling of the phish that Area 1 intercepts annually.)

Although SEGs have long reported 99.99 percent effectiveness against spam, phishing attacks keep evading detection. The reason is that SEGs optimize for spam detection, but spam is by nature a different beast from phishing.

Spam targets victims by sending out large volumes of similar, often clumsily written and easily recognizable nuisance messages, creating a productivity “sink.” (And even if very little spam makes it through to victims, the attacker still succeeds.)

To protect against these barrages of emails, spam filters rely on collection and analysis of large volumes of threat samples from active campaigns. Data extracted from the samples identifies malicious domains, IPs, and malware; it’s then used to create signatures and threat intelligence optimized for large-scale bulk email detection.

Phishing attacks work on a different principle than spam

Phishing exploits like BEC, however, handily evade spam filters as well as email authentication defenses like DMARC, SPF, and DKIM. They also regularly dodge the native defenses of Office 365 and Gmail. Attackers use polished social engineering to personalize emails and lure victims to click a link or download a file. The victim may be urged to respond to a request for information or to take an action such as transferring funds, leading to data and financial loss.

BEC, also known as CEO Fraud or Imposter Attacks, is:

  • Socially Engineered: BEC ‘spoofs’ a known executive, employee, and more recently a trusted supplier to convince the recipient to wire money, attach information to an email, and more.
  • Simple: Free of links or attachments that could raise a red flag, BEC doesn’t need to take over an account or computer to cause major damage.
  • Successful: BEC messages are scrupulously crafted to look like conventional business email. They regularly evade both SEGs and ‘security aware’ employees.

To close the phishing gap, spam filters have added advanced threat protection features: sandboxing of suspicious files and time-of-click link analysis are intended to help detect threats missed by reputation- and signature-based defenses.

Nevertheless, phishing attacks continue to evade detection.
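As an added illustration of why the BEC traits listed above slip past sandboxing, time-of-click link analysis and DMARC, here is a minimal display-name impersonation check written for this article (not Area 1's code or any product's detection logic), run over two constructed messages. The organisation domain, the protected executive list and the urgency terms are assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed protected organisation domain
PROTECTED_NAMES = {"jane doe"}   # hypothetical executive names from the directory
URGENCY_TERMS = ("wire transfer", "urgent", "end of day", "gift card", "bank details")
# Constructed BEC lure: no link or attachment; the attacker's own domain passes DMARC.
SAMPLE_BEC = """\
From: "Jane Doe" <jane.doe@mail-example.net>
Subject: Quick favour
Authentication-Results: mx.example.com; dmarc=pass header.from=mail-example.net

Are you at your desk? I need you to process an urgent wire transfer
before end of day. Reply and I will send the bank details.
"""
# Constructed sample: legitimate internal note from the real executive.
SAMPLE_LEGIT = """\
From: "Jane Doe" <jane.doe@example.com>
Subject: Board deck
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com

Thanks for the numbers, the board deck looks good.
"""

def normalize(name):
    return " ".join(name.lower().replace(".", " ").split())

def analyze(raw):
    # Returns the list of BEC indicators found in one RFC 5322 message.
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    findings = []
    # Nothing here for sandboxing or time-of-click link rewriting to inspect.
    if "http" not in text.lower() and not list(msg.iter_attachments()):
        findings.append("no_link_or_attachment")
    # A protected person's name on a sender outside the organisation.
    if normalize(display) in PROTECTED_NAMES and domain != INTERNAL_DOMAIN:
        findings.append("display_name_impersonation")
    lowered = (str(msg.get("Subject", "")) + " " + text).lower()
    if any(term in lowered for term in URGENCY_TERMS):
        findings.append("financial_urgency")
    # DMARC validates the sending domain, not the name the recipient reads.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "dmarc=pass" in auth and "display_name_impersonation" in findings:
        findings.append("authenticated_but_impersonating")
    return findings
```

The lure returns four indicators while the genuine internal note returns only `no_link_or_attachment`, which is exactly the gap that attachment sandboxing and link rewriting cannot see.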

Today’s attacks zero in on vulnerabilities arising from efforts to address COVID-19’s economic challenges. In a recent exploit, a threat actor impersonated the U.S. Small Business Administration to defraud businesses waiting for loans.

And in another campaign that leveraged COVID-19 fears, the attacker targeted various companies by claiming to offer face masks and thermometers, while sending email attachments infected with Agent Tesla malware, an advanced Remote Access Trojan (RAT). Spoofing chemical manufacturers and import/export businesses to make the phishing message appear more legitimate, the attacker slightly modified the Tactics, Techniques, and Procedures (TTPs) for each wave of emails to bypass SEGs and DMARC.

Early detection of phishing campaigns is key

More than ever, organizations need preemptive, integrated email security to detect phishing campaigns. Waiting until a campaign launches to start collecting and analyzing threat data is too late to defend effectively against these threats.

Protecting an organization holistically from attacks calls for earlier insight into phishing sites and campaigns, as well as protection for all attack surface areas.

Area 1 Security focuses on preemptively stopping phishing and advanced threats before they reach user inboxes. The cloud-native Area 1 Horizon™ platform stops phishing attacks on average 24 days before campaigns even go live and covers all surface areas targeted by attackers. This includes email (internal, external, and partner-sourced), web, network vectors, and cloud-storage and collaboration tools. Area 1’s preemptive, proprietary technology employs ActiveSensors™ and our Small Pattern Analytics Engine (SPARSE™) for massive scale, high-speed phish indexing and emergent campaign and attack infrastructure identification. Our technology also goes beyond content sandboxing and deconstruction, leveraging advanced AI and Machine Learning (ML) models, computer vision, Natural Language Understanding (NLU), and neural network techniques. And rather than overwhelm security teams with alerts, our comprehensive email security also includes built-in response and remediation, with our Autonomous Phish SOC reducing phish investigation time by 90%.

Find out the truth about the phish your current SEG is missing, with this free trial https://www.area1security.com/seg-tradein-program/
