RE: Thinking Email Security
Emails are cyber-criminals’ number one attack target, accounting for more than 90 percent of all cyber threats. But, while tales of phishing dominate the cybersecurity narrative, in actual fact there is a diverse spectrum of inbox threats, that organizations are increasingly falling victim to.
‘Clean emails’ are now criminals’ favored form of attack, and comprise of text alone. They invite unwitting recipients to reveal sensitive information, perform offline transactions, and even more insidiously, get victims to trust them before they strike. Devoid of links and attachments, this methodology easily bypasses the traditional reliance on blacklists and signatures.
Solicitation attempts like these are impossible to stop without a comprehensive understanding of ‘normal’ across an enterprise’s entire digital environment. By using Cyber AI technology to analyze every email in the wider context of the sender, the recipient, and the entire organization, seemingly harmless communication that bypasses traditional security tools can be identified in seconds; this includes suspicious similarities to known users, abnormal associations, and even anomalies in email content and subject line.
Darktrace recently discovered an example of such a solicitation attack at an electricity company. Here, a Gmail domain was created in the name of the company’s CEO. From this address, an email was sent to a member of the payroll department requesting that the employee update the CEO’s direct deposit information. Since the email successfully mimicked the CEO’s typical writing style, it could have easily succeeded. But, with Cyber AI analyzing the organization’s mail flow in connection with the rest of the business, the email was clearly anomalous, and a spoof.
The other avenue cyber-criminals are increasingly turning to is supply chain takeovers – comprising of vendors, partners, and contractors – in their attempts to infiltrate an organization or to establish offline communication. Having hijacked a supplier’s account, attackers reply to previous email exchanges in order to accomplish their goals. With cases of credential compromise increasing 260 percent since 2016, this threat vector is only set to increase in the coming decade.
Yet, while less frequent than 5 years ago, phishing attacks are not obsolete, and are still extremely effective. An academic organization in Singapore was recently subject to a carefully constructed email phishing campaign designed to trick five of their high-profile users into clicking a malicious link and downloading a malicious payload. These communications were purportedly from WeTransfer; from the header and content, there was no reason to believe otherwise.
However, these emails were illegitimate, and were assigned a 100 percent anomaly score by Darktrace Cyber AI. The indicators of attack? An anomalous IP address, an unusual link given previous communication, and the hidden nature of the payload. Given how subtle these signals are, only AI can realistically spot true deviations from ‘normal’.
But what about the email attacks of the future?
‘Forward thinking’ attackers will likely use AI to supercharge their email campaigns. In the case of supply chain takeover, phishing attacks, and compromised credentials, artificial intelligence could analyze the context of every previous email thread and replicate the language used to create highly tailored, individual messages. Not only would the emails be entirely believable, but they would be able to be created and sent at scale.
This possibility gives rise to a new chapter in email security, and one in which a holistic ‘immune system’ platform is necessary. Legacy security tools that are confined to the email gateway or inbox are no longer sufficient to stop this vast range of sophisticated attacks. By leveraging AI to learn the ‘normal’ behavior of an enterprise’s entire digital estate, email users will be protected from not only from traditional phishing attacks, but from every threatening email seeking to cause harm.