Click here! Clique aqui! ここをクリック! Klikk here! !اینجا کلیک کنید naDev yIbej! Hic tange!
Language is deceptive. In the realm of email security, language can deceive a recipient into clicking a link or completing a transaction, and it can trick a security tool into thinking an email is legitimate.
It is for this reason that Darktrace/Email is not reliant on language, but rather uses mathematics to develop an understanding of ‘normal’ for every email user in an organization. This enables it to neutralize anomalous emails indicative of a threat around the world, no matter in what format or language they come.
Natural language processing
When it comes to catching a compromised account or impersonation email, how can you teach a computer to understand intent or a change of tone, compared to the normal way a person corresponds?
One of the most common approaches in email security is natural language processing. NLP looks at how to program computers to analyze natural language, commonly by exposing them to a large volume of data.
The result is a computer capable of ‘understanding’ the contents of documents, including the nuances of the language within them. The technology can then extract information in the documents as well as categorize and organize the documents themselves.
Modern-day limitations
However, using NLP is limited in scope for email security as it will often misunderstand specific jargon or colloquialisms, as well as terms that had not been invented when the computer was programmed, unless it is trained on these too. Each additional language requires the computer to learn from zero every time. NLP only works on the regional languages it has been trained on, and it is not commercially viable to teach the technology to work in all small markets.
If a company hires an email security vendor based in America, therefore, it is probable that the security vendor has invested most of their time in detecting English-based phishing threats. That is fine if the company only communicates in English, but this is often not the case. In a 21st century globalized world, the need for security technology to be language-agnostic is more critical than ever.
Not all AI is the same: Unsupervised machine learning
Darktrace/Email relies on unsupervised machine learning, which can learn on the job and does not need to be fed large data sets. It can glean insights from NLP for good measure, but it does not depend on NLP for detection or understanding.
When working with AI it is crucial to understand how the AI learns: does it learn on the job or was it trained with a labeled data set? This is particularly important when looking to understand the intent behind an email, specifically to uncover solicitation attempts either through spoofing, phishing, impersonation of a supplier or any other form of email attack.
Rather than teaching a computer to understand language in an email, Darktrace Cyber AI dynamically assesses activity across inbound and outbound emails including senders, recipients, links, IP addresses, and attachment types. The movement of all these objects are then used by the AI to create the ‘patterns of life’ for every user across all communications, including communications with external users who frequently correspond with a given business.
By taking a mathematical approach, Darktrace/Email is able to understand ‘normal’ for any user regardless of the dialect they are corresponding in, uniquely interpreting all languages from Norwegian to Latin and Persian, and subsequently identifying subtle anomalies indicative of a phishing attack or an account takeover.
Catching Emotet in Japanese
Last year, Darktrace uncovered a sophisticated Spamware campaign which leveraged Emotet, the infamous banking malware. The campaign targeted various industries with highly sophisticated phishing emails.
At a food production company in Japan, Darktrace detected six phishing emails sent over a two-day period in July.
In the email above, both the subject line and the filename translate to “Regarding the invoice,” followed by a number and the date. The attacker was clearly trying to imitate a legitimate business email here, spoofing a well-known Japanese company (三菱食品(株)) and a common Japanese name (‘藤沢 昭彦’).
Darktrace/Email revealed key metrics behind the email including that the real sender was using a domain name from GMO, a Japanese company which offers cheap web email services, and that the sender’s location was actually Portugal, not Japan.
Darktrace/Email’s models recognized the topic anomalies and inducement attempts in the emails, regardless of the language they had been written in – giving a high anomaly score of 85. Furthermore, Darktrace’s AI determined that the extension and the MIME type in the attachments were anomalous, when compared to the documents which the user normally exchanges via email.
Portuguese threat find
In another instance, a series of malicious emails were sent to an organization in Europe. These emails used several tactics to bypass the company’s security tools, including personalized subject lines and hidden malicious URLs.
As displayed above, the email contained a link that appeared to lead to a CaixaBank domain. However, Darktrace/Email recognized this as a deliberate attempt to mislead the recipient and revealed that the link in fact led to a WordPress domain, which Cyber AI identified as 100% rare for the business.
A closer inspection revealed that these emails were sent from Vietnam. The sender had never been in any previous correspondence with the business, and the isolated link within the email was also marked as a 100% rare domain. Darktrace/Email held these malicious emails back, protecting the organization from harm.
Universal defense
These two examples demonstrate the benefits of an unsupervised machine learning approach. An AI security solution which analyzes hundreds of different metrics and does not rely on pre-existing data is a groundbreaking advantage when faced with global phishing threats that now utilize a wide range of languages.
Email-based attacks are becoming more targeted and more convincing by the day. Targeted social engineering and spear phishing with advanced translation tools bombard companies daily, in all languages.
Whether it’s a phishing attack against a local office in Korea or a solicitation attempt in Arabic – even a malicious email written in Klingon from a Star Trek convention – or any of the thousands of email exchanges which occur in countless vernaculars and tones, Darktrace/Email can keep your company safe across the world, and beyond.
Look out for your first newsletter, coming soon.
