When thinking about email security, a familiar story usually comes to mind: an attacker sends a malicious payload hidden in a link or attachment, and an unsuspecting recipient clicks and inadvertently downloads malware onto their device. But in reality, this kind of attack represents just the tip of the iceberg when it comes to the broader spectrum of threats that target organizations via the inbox.

Criminals are increasingly turning to more subtle forms of attacks which involve sending ‘clean emails’ containing only text, and coaxing a recipient into replying, revealing sensitive information or performing an offline transaction. These methods easily bypass legacy security tools that rely on checking links and attachments against blacklists and signatures. Moreover, they generally involve registering new ‘look-a-like’ email addresses, which not only trick the recipient but also bypass traditional defenses set on identifying blacklisted domains.

A quick RE:ply

Solicitation attempts are impossible to stop without a comprehensive understanding of ‘normal’ across digital traffic from both email and the wider digital business. With every email analyzed in the wider context of the sender, the recipient, and the entire organization, seemingly harmless emails that bypass traditional security tools can be identified in seconds given a vast range of metrics, including suspicious similarities to known users, abnormal associations, and even anomalies in email content and subject line.

Darktrace recently discovered such an attack whereby a new Gmail domain was created in the name of the company’s CEO. From this address, an email was sent to a member of the payroll department requesting that the employee update the CEO’s direct deposit information. Since the email successfully mimicked the CEO’s typical writing style, it could have easily succeeded if Darktrace’s AI hadn’t been analyzing the organization’s mail flow in connection with the rest of the business.

Figure 1: An example of a ‘clean’ spoofing email, and Darktrace’s user interface showing Antigena’s decision to ‘Hold’ the email. The names and addresses have been anonymized to protect the customer.

A bleak outlook

Cyber-criminals are also turning to supply chains – comprised of vendors, partners and contractors – in their attacks to infiltrate an organization or establish offline communication. Having taken over a supplier’s account, attackers seek to reply to previous email exchanges in order to accomplish their goals. And with cases of credential compromise increasing 260% since 2016, this threat vector is only set to increase in the coming decade.

A customer trialing Darktrace Antigena Email recently caught an instance of this, whereby an attacker had taken over the account of a trusted consultancy firm. Darktrace recognized that the sender was well known to the company, and a number of internal users had in fact corresponded directly with them earlier that same day.

Less than two hours after a routine email exchange, the account was taken over by an attacker who sent emails to 39 users, each containing a phishing link. There was variation in the subject lines and links, suggesting highly targeted emails from a well-prepared attacker.

Figure 2: An attacker’s response to an existing email chain, seeking to contextualize and imitate previous communication between the senders.

Darktrace identified the full range of anomalies that are typically associated with account takeovers, including the unusual IP address, the inconsistency of the link based on its learned ‘pattern of life’, the unusual group of recipients, and in some emails, the topic anomaly.

FW: Thinking

In this instance, the attacker had taken the time to read the previous correspondence to contextualize their impersonation attempt. Going forward, artificial intelligence will increasingly be adopted to learn prior communication patterns between two senders to make for more legitimate-looking emails, which can be sent at machine-speed and scale. One of the most notorious pieces of contemporary malware – the Emotet trojan – is a prime example of a prototype-AI attack. Emotet’s main distribution mechanism is through email, usually via invoice scams.

‘Forward thinking’ attackers could easily use AI to supercharge attacks. With artificial intelligence analyzing the context of every email thread and replicating the language used, these email attacks could become highly tailored to individuals. This would mean that an AI-powered Emotet trojan could create entirely customized, more believable emails and, crucially, send these out at scale, allowing cyber-criminals to increase the yield of their operations enormously.

This possibility gives rise to a new chapter in email security, and one in which a holistic ‘immune system’ platform is necessary. Legacy security tools that are confined to the email gateway or inbox are no longer sufficient to stop this vast range of sophisticated attacks. By leveraging AI to learn ‘normal’ behavior across email traffic and the entire digital estate, Antigena Email is able to protect email users not only from traditional phishing attacks, but from every threatening email seeking to cause harm.

‍