Phishing_Secrets

By: Jane Wasson

Enterprises today face daunting array cybersecurity threats, and a growing number of solutions, most of which promise unbreachable protection. But phishing attacks—the vector for 95 percent of the harm—continue to frustrate even the largest companies’ defenses. In fact, threats and damages are soaring, which proves how stubborn, ingenious, and aggressive phishing attacks really are.

Phishing emails are the origins of spoofs, ransomware, BEC, credential harvesting, and an endless litany of other malware, swindles, and robberies. In fact, when you look for the single trigger that causes a company to lose data or funds, nine times out of ten you’ll find a phish.

A Leading Email Gateway Must Offer the Best Phishing Protection, Right? (Wrong)

Several Secure Email Gateway solutions (SEGs), including those from Cisco IronPort, Symantec, and Proofpoint, have platinum credentials of industry leadership behind them. But on closer examination, they’re all nearly as plagued by missed phish as less illustrious solutions. How could this be?

Many bring to the battle about as many advanced resources as it’s possible to amass. Some providers offer a broad security portfolio across many markets beyond email security, such as firewall/intrusion prevention systems (IPS), web security, and endpoint security. And most have in-house threat research teams that focus on analyzing active campaigns.

So why would these SEGs allow phishing emails to keep breaching customers?

SEGs Lack Insight into Early-Phase Phishing Campaigns

The single most powerful reason that SEG defenses miss phish is that they lack insight into early-phase phishing campaigns. They are not preemptive.

Effective Anti-Phishing Protection is Preemptive

Area 1 uses early visibility into phishing infrastructure and campaigns, plus innovative predictive analysis techniques to add a critical layer of security. This layer effectively detects and blocks phishing attacks that other technologies, including SEGs, simply miss. Area 1 is the only security provider that continuously and proactively hunts for phishing campaigns and infrastructure as it’s established by threat actors, discovering malicious websites, accounts, and payloads on average 24 days ahead of industry benchmarks.

The Area 1 Horizon™ anti-phishing service scans your incoming emails and uses the combination of early visibility to phishing infrastructure and payloads, plus sophisticated email analysis techniques and Machine Learning (ML) models to detect and block 99.997% of phishing emails.

For example, since we proactively scan the vast majority of the internet on a regular basis for exploit kits and other malicious content, if an email contains a URL to a compromised domain, we know that email is malicious without needing to wait for a user report or email threat signature, unlike SEGs.

Because Area 1 tracks and maps out attackers’ infrastructure, we often know that an email is malicious even before we look at the contents of that email. This allows us to stop zero day exploits that SEGs miss every time.

Area 1’s innovative technology is what it takes to catch phish before they breach. It’s exactly what Gartner recommends as part of an overall security infrastructure—and it’s why Area 1 Security stops the phishing attacks that SEGs miss.

Real World Deployments; Real World Results

Several Area 1 customers deploy our anti-phishing service behind, or as a replacement to SEGs, in order to reliably protect inboxes from phishing. Here are some recent examples of phishing emails that bypassed customer SEG defenses and were detected by Area 1:

Missed_by_Cisco

In this first case, an Area 1 Security customer received an email request for payment with a PDF file attachment. The email appeared to be authentic, and the customer’s Cisco IronPort SEG judged it benign. The email was then analyzed by the Area 1 Horizon service, using a variety of factors. An Area 1 proprietary ML file analysis model detected that the file attachment was malicious. Delivery of the email was blocked, and the end-user was protected from downloading malware to their computer.

Missed_by_Proofpoint

In another case, a customer received an email that appeared to be a payment confirmation and included a button to click and track the order. The email was scanned by the customer’s Proofpoint SEG and judged benignly. The Area 1 Horizon service then examined the email. A  proprietary ML file analysis model discovered malicious VBA code in a document linked to the order tracking button. As a result, the email was judged malicious and prevented from being delivered to the intended victim’s inbox.

Missed by SymantecLastly, a customer received an email that looked like an Apple account verification notification, requesting the recipient click a link to verify their account password. The customer’s Symantec SEG scanned the email and judged it benign. The Area 1 Horizon service then analyzed the email; detected the presence of brand images using computer vision techniques, and identified a suspicious, recently created link plus link domains NOT associated with the Apple brand. The service determined that the email was a brand imposter phish that linked to a credential harvest site. The phish was blocked before it reached the end user’s inbox, protecting the intended victim from having their credentials stolen.

Why Do SEGs Miss Phish?

Most SEG vendors collect threat data from multiple sources, but all data is collected from active campaigns; which means after phishing sites are already launched and attacking victims. Given the fact that these phishing campaigns and infrastructure often take months setting up, and then release their attacks and vanish within a matter of hours, it’s simple to see why shutting the door after the phish has escaped exposes the customer to attacks.

SEGs also require a high volume of malicious samples to analyze and derive threat data. That’s the classic spam defense, but because targeted phishing attacks are low-volume, they slide undetected past SEG threat detection. During the critical early hours of an outbreak, SEGs lack the threat data to proactively, effectively protect against newly targeted attack outbreaks.

Additionally, many SEGs offer advanced threat protection services to protect against unknown threats; they rely on dynamic analysis of attachments/files to detect new outbreaks. This can delay mail delivery, causing end-user dissatisfaction and loss of business productivity. In addition, these add-on services can be expensive. And despite them, phish can still evade detection and land in end-user inboxes.

Many SEGs also rely on sender reputation data, trusted email behavior models, and DMARC to validate senders and protect recipients from spoofing/fraud. But again, the sender-reputation data and even newer, machine learning models, are derived from active attack information and therefore miss new phishing infrastructure.

SEG Protections Are Redundant with G Suite and Office 365

Many of the security features that SEGs offer are actually the same as those included with cloud office suites like G Suite and Office 365—including anti-spam, DLP, archive, and encryption. This raises a double problem because the cloud office suites themselves fail to offer effective targeted phishing protection! They are actually no better at stopping phishing attacks than their redundant SEG solutions. Two misses equal a phish in the inbox.

Get Ahead of Phishing Attacks

Area 1 Security’s Horizon service is fast and easy to deploy, and it adds that vital layer of protection against targeted phishing attacks, closing the security gap that the cloud office suites—and SEGs—miss. It offers a unique Pay-Per-Phish performance-based pricing model—the industry’s first—that requires no upfront payment and charges a mere $10 per phish detection. We continually update our threat detection models and threat indicators as we discover new, previously unseen phishing campaigns and infrastructure. With Pay-Per-Phish, our incentives are aligned with our customers to maximize detection effectiveness. If your organization is struggling to protect inboxes from phishing email, contact Area 1 Security.