Blog

Email

RE:Thinking Email Security

RE:Thinking Email SecurityDefault blog imageDefault blog image
08
Jan 2020
08
Jan 2020

When thinking about email security, a familiar story usually comes to mind: an attacker sends a malicious payload hidden in a link or attachment, and an unsuspecting recipient clicks and inadvertently downloads malware onto their device. But in reality, this kind of attack represents just the tip of the iceberg when it comes to the broader spectrum of threats that target organizations via the inbox.

Criminals are increasingly turning to more subtle forms of attacks which involve sending ‘clean emails’ containing only text, and coaxing a recipient into replying, revealing sensitive information or performing an offline transaction. These methods easily bypass legacy security tools that rely on checking links and attachments against blacklists and signatures. Moreover, they generally involve registering new ‘look-a-like’ email addresses, which not only trick the recipient but also bypass traditional defenses set on identifying blacklisted domains.

A quick RE:ply

Solicitation attempts are impossible to stop without a comprehensive understanding of ‘normal’ across digital traffic from both email and the wider digital business. With every email analyzed in the wider context of the sender, the recipient, and the entire organization, seemingly harmless emails that bypass traditional security tools can be identified in seconds given a vast range of metrics, including suspicious similarities to known users, abnormal associations, and even anomalies in email content and subject line.

Darktrace recently discovered such an attack whereby a new Gmail domain was created in the name of the company’s CEO. From this address, an email was sent to a member of the payroll department requesting that the employee update the CEO’s direct deposit information. Since the email successfully mimicked the CEO’s typical writing style, it could have easily succeeded if Darktrace’s AI hadn’t been analyzing the organization’s mail flow in connection with the rest of the business.

Figure 1: An example of a ‘clean’ spoofing email, and Darktrace’s user interface showing Antigena’s decision to ‘Hold’ the email. The names and addresses have been anonymized to protect the customer.

A bleak outlook

Cyber-criminals are also turning to supply chains – comprised of vendors, partners and contractors – in their attacks to infiltrate an organization or establish offline communication. Having taken over a supplier’s account, attackers seek to reply to previous email exchanges in order to accomplish their goals. And with cases of credential compromise increasing 260% since 2016, this threat vector is only set to increase in the coming decade.

A customer trialing Darktrace Antigena Email recently caught an instance of this, whereby an attacker had taken over the account of a trusted consultancy firm. Darktrace recognized that the sender was well known to the company, and a number of internal users had in fact corresponded directly with them earlier that same day.

Less than two hours after a routine email exchange, the account was taken over by an attacker who sent emails to 39 users, each containing a phishing link. There was variation in the subject lines and links, suggesting highly targeted emails from a well-prepared attacker.

Figure 2: An attacker’s response to an existing email chain, seeking to contextualize and imitate previous communication between the senders.

Darktrace identified the full range of anomalies that are typically associated with account takeovers, including the unusual IP address, the inconsistency of the link based on its learned ‘pattern of life’, the unusual group of recipients, and in some emails, the topic anomaly.

FW: Thinking

In this instance, the attacker had taken the time to read the previous correspondence to contextualize their impersonation attempt. Going forward, artificial intelligence will increasingly be adopted to learn prior communication patterns between two senders to make for more legitimate-looking emails, which can be sent at machine-speed and scale. One of the most notorious pieces of contemporary malware – the Emotet trojan – is a prime example of a prototype-AI attack. Emotet’s main distribution mechanism is through email, usually via invoice scams.

‘Forward thinking’ attackers could easily use AI to supercharge attacks. With artificial intelligence analyzing the context of every email thread and replicating the language used, these email attacks could become highly tailored to individuals. This would mean that an AI-powered Emotet trojan could create entirely customized, more believable emails and, crucially, send these out at scale, allowing cyber-criminals to increase the yield of their operations enormously.

This possibility gives rise to a new chapter in email security, and one in which a holistic ‘immune system’ platform is necessary. Legacy security tools that are confined to the email gateway or inbox are no longer sufficient to stop this vast range of sophisticated attacks. By leveraging AI to learn ‘normal’ behavior across email traffic and the entire digital estate, Antigena Email is able to protect email users not only from traditional phishing attacks, but from every threatening email seeking to cause harm.

More in this series:

No items found.

Like this and want more?

Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Mariana Pereira
VP, Cyber Innovation

Mariana is the VP of Cyber Innovation at Darktrace, and works closely with the development, analyst, and marketing teams to advise technical and non-technical audiences on how best to augment cyber resilience, and how to implement AI technology as a means of defense. She speaks regularly at international events, with a specialism in presenting on sophisticated, AI-powered email attacks. She holds an MBA from the University of Chicago, and speaks several languages including French, Italian, and Portuguese.

share this article
USE CASES
No items found.
PRODUCT SPOTLIGHT
No items found.
COre coverage
No items found.

Related Articles

No items found.

Good news for your business.
Bad news for the bad guys.

Start your free trial

Start your free trial

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
For more information, please see our Privacy Notice.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get a demo

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Check out this article by Darktrace: RE:Thinking Email Security