Gaps in Email Threat Detection Open the Door to Cybercrime

Nearly every organization has some type of email security in place and these solutions are increasingly protecting email boxes in the cloud and/or on premise. With these email security solutions deployed, an organization may assume they are no longer vulnerable to threats that can enter their networks via email – threats that can lead to financial fraud, data loss, extortion or downtime. This is a bad assumption.

Operations may continue as normal under a false sense of security, but the time may come when the organization experiences a targeted attack and gets hit with a threat such as ransomware. As security personnel are struggling to remediate the issue, executives will be attempting to explain the crisis to their boards, public relations departments will be frantically preparing damage-control statements and releases, and finance departments will be trying to figure out how to turn dollars into Bitcoin.

Identifying the issue is no simple task. Security teams will be up to their eyeballs in data and searching desperately for security gaps. The organization has next generation firewalls (NGFW), secure email gateways (SEGs) and up-to-date endpoint antivirus, so what went wrong?

After the dust has settled and the postmortems are complete, the cause of the ransomware attack is finally identified: A single spear phishing email that appeared to have come from the CEO had tricked the CFO into opening a weaponized attachment. Figure 1 shows how a standard spear phishing attack works.

Figure 1. How Successful Spear Phishing Emails Are Made and Used

As this organization learned, traditional email security solutions in place today are generally not optimized for automated, real-time detection and prevention of spear phishing messages used in targeted attacks. This leaves a vast attack landscape for threat actors to leverage.

Cyber criminals know how to design counterfeit messages that bypass security gates by falsifying sender information, domain data, embedded HTML forms and, of course, attachments. They also know that to successfully carry out their crimes, they must target the people who have the power and privileges to take certain actions. Threat actors will study the behavior of those people and will go to work developing an email that truly seems legitimate.

While training programs that teach employees to stop clicking links and opening attachments are worthwhile investments, reliance on training alone will not prevent a breach. There will always be crafty attackers who know how to exploit basic human trust. To help organizations stay safe, automated and highly effective detection and prevention technology provides the much-needed additional layer of protection.

A Solution to Malware Attachments, Typosquatting and Credential Phishing

A store-and-forward email analysis solution such as FireEye Email Security blocks phishing emails and the types of ransomware attacks discussed previously. FireEye’s controlled live-mode analysis detects attacks that span multiple phases, involve encrypted malware, and evade sandbox and emulation technologies.

FireEye Email Security also detects URLs contained within email messages that appear correct yet are actually malicious (typosquatting), thus protecting end users from clicking on malicious links. Additionally, FireEye’s credential phishing solution protects end users from sharing their credentials on websites that were compromised by attackers to appear as if they represent a trusted web source.

At the core of FireEye Email Security is the MVX engine. The MVX engine analyzes objects, correlates data without relying on signatures, and detects and stops previously unknown attacks at a speed that stops them before they ever enter mailboxes.

Traditional SEGs Are Missing the Mark

It’s worth remembering that SEGs were originally designed to protect email channels from unwanted bulk email, not to stop advanced targeted attacks. We looked at a 30-day snapshot of FireEye customer traffic from March 15 to April 15 of this year (Figure 2) and observed that a leading SEG, typically deployed inline before our email security, missed a significant number of malicious email attachments that were detected and blocked by FireEye’s Email Security product.

On one day in particular, more than 185,000 malicious email attachments were deemed harmless by said SEG, but were shut down by FireEye Email Security.

Figure 2. Market Leading SEG False Negative on Malicious Attachments

To further illustrate the risk, note that even if the SEG had caught up and stopped the campaign a few hours later, customers would still have been left unprotected in the meantime – especially since ransomware can lock files within minutes while remaining undetected. Furthermore, according to the 2015 Verizon Data Breach Investigations Report, 50 percent of people will open a spear phishing email within the first hour of receipt. Had these customers not had a FireEye Email Security solution, altogether they could have unknowingly activated about 90,000 spear phishing emails in a single day. That’s a lot of risk.

Cloud Email Services Don’t Always Provide Protection

Looking at a separate 30-day span, FireEye Email Threat Prevention Cloud (ETP) detected and blocked a significant amount of malware that was missed by a leading cloud email provider. This is surprising considering that these are well known and highly destructive malware families (Figure 3) that weren’t being detected by a built-in cloud email security solution – a solution that comes from a company with a reputation for providing very safe cloud email services. Fortunately our FireEye ETP customers were automatically protected from these malware threats, which often install backdoors and command and control infrastructure that enable ransomware infections.

Figure 3. Known Malware Detected by FireEye but Missed by Cloud Email Service

Effective Email Security

Cyber criminals are always improving their tools and tactics and now FireEye is seeing them take steps to protect their malware, all while adding enhancements to increase its effectiveness. For example, we have seen Locky ransomware shift from using simple encoding to disguise its network traffic to applying complex encryption algorithms using hardware instructions that are very tough to crack.

The speed of innovation of these covert, criminal operators requires cyber security solutions that are fast and effective, and that innovate just as quickly. We believe that the first and best hope for a comprehensive approach to preventing a breach is an email security solution that is designed from inception to match the moves of cyber criminals (Figure 4).

Figure 4. An Effective Email Security Solution

In sum, you should be looking for the following features in an email security solution to help prevent your email traffic from becoming a superhighway for cybercrime:

  • Real-time detection of malicious attachments and URLs.
  • Analysis of a broad range of file types.
  • Up-to-the-minute intelligence about threats, threat actors and their targets.
  • Analysis of senders, domains, embedded HTML code and links to identify and stop criminal intent.
  • Flexible deployment options to help assure protection in any architecture.
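The feature list above, together with the earlier discussion of typosquatted URLs and falsified sender data, describes checks that a defender can reason about concretely. The following is an added example, not FireEye code and not a description of how the MVX engine works: a small Python screen that runs over a constructed sample message and flags (1) link domains that imitate a trusted brand (digit-for-letter substitutions, one-character edits, or a trusted name embedded in an unrelated domain), (2) a sender domain that imitates the organization's own, (3) a Reply-To domain that differs from the From domain, and (4) attachments with macro-enabled or executable extensions. The trusted-domain list, the sample email, the extension list and the "registrable domain is the last two labels" shortcut (no public-suffix list) are all assumptions made for the illustration.

```python
"""Added example (not FireEye's code): heuristic email screen for lookalike
domains, sender inconsistencies and risky attachment types."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: the organization's own domain and a brand it does business with.
TRUSTED_DOMAINS = {"example-corp.com", "examplebank.com"}
# Assumed: attachment types worth holding for deeper analysis.
RISKY_EXT = (".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm")


def registrable(host: str) -> str:
    """Last two DNS labels, e.g. 'a.b.example.net' -> 'example.net'.
    Simplification: a real deployment would consult a public-suffix list."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def normalize(label: str) -> str:
    """Fold common look-alike substitutions so 'examp1e' compares equal to 'example'."""
    folded = label.lower().replace("rn", "m").replace("vv", "w")
    return folded.translate(str.maketrans("0135", "oles"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), iterative two-row form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str):
    """Return the trusted domain that `host` imitates, or None when the host
    is itself trusted or bears no resemblance to any trusted domain."""
    host = host.lower().strip(".")
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return None
    label = reg.split(".")[0]
    for trusted in sorted(TRUSTED_DOMAINS):  # sorted for deterministic output
        t_label = trusted.split(".")[0]
        if (normalize(label) == normalize(t_label)      # examp1e-corp -> example-corp
                or edit_distance(label, t_label) <= 1   # exampleban (one edit away)
                or t_label in host):                    # examplebank-login.com, examplebank.com.evil.net
            return trusted
    return None


def screen(raw_message: str):
    """Parse one RFC 5322 message and return a list of (kind, subject, detail) findings."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(msg["From"] or "")
    from_dom = from_addr.rpartition("@")[2]
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(("sender-lookalike", from_dom, imitated))
    _, reply_addr = parseaddr(msg["Reply-To"] or "")
    reply_dom = reply_addr.rpartition("@")[2]
    if reply_dom and registrable(reply_dom) != registrable(from_dom):
        findings.append(("reply-to-mismatch", from_dom, reply_dom))
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for url in re.findall(r'https?://[^\s"\'<>]+', text):
        imitated = lookalike_of(urlparse(url).hostname or "")
        if imitated:
            findings.append(("url-lookalike", url, imitated))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(("risky-attachment", name, ""))
    return findings


# Constructed sample: a "CEO to CFO" lure with a lookalike sender domain,
# an external Reply-To, one brand-imitating link and a macro-enabled attachment.
SAMPLE_EMAIL = """\
From: "Pat Doe, CEO" <pat.doe@examp1e-corp.com>
Reply-To: pat.doe@mail-relay-example.net
To: cfo@example-corp.com
Subject: Urgent wire - see attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>Please review <a href="http://examplebank-login.com/secure">the account</a>
and our <a href="https://example-corp.com/policy">policy</a>.</body></html>
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"

(constructed attachment body)
--b1--
"""

if __name__ == "__main__":
    for finding in screen(SAMPLE_EMAIL):
        print(finding)
```

Each heuristic trades off coverage against false positives: the one-edit rule is noisy for very short brand names, and the embedded-name rule will flag legitimate third parties such as an "examplebank-statements.com" operated by the bank itself, so in practice the output feeds a quarantine or deeper analysis step rather than an outright block.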

To learn more about FireEye Email Security, visit