In the wake of sophisticated and expensive network security measures, protecting the lowly email server often gets missed. However, attackers count on this and have made even greater inroads into an already lucrative route for malware. Verizon’s 2022 Data Breach Investigations Report notes that email is still one of the two top delivery methods for malicious payloads, and the median organization receives three out of four malware payloads in this way.
That’s why email security solutions are a necessity for companies hoping to establish zero trust. Simply put, email security is “the practice of protecting email accounts and communications from malicious threats,” but to know how to defend, you first have to know what you’re defending against. Looking back at the threat landscape this past year, there are several key email security threats that are a cause for concern and must be accounted for when developing this year’s strategy.
1. Human Error.
Statistically speaking, email is where people spend most of their time within the network, and people are the weakest link. The same report notes that 82% of breaches involve the human element, and nowhere are humans more present – and more off their guard – than when blearily checking their inboxes. A recent survey by Adobe noted that “people even check personal email while watching TV (60%), using the bathroom (40%), talking on the phone (35%), working out (16%), and even driving (14%).” With so many working remotely, and the line between business and personal devices blurring, it is very likely that many of those email-checking sessions are not done with security top of mind.
Errors can be reduced by training employees on what to look for when scouting through emails, and which red flags give away a phishing campaign. While mistakes are an inevitable part of life, errors can be reduced with increased security awareness and the right technical solutions.
2. Malicious Attachments.
Hackers have found that email attachments can be a very viable vehicle for distributing a lot of malicious code fast. Innocuous-looking attachments commonly carry HTML code that can redirect users to fake websites, encrypt files, exfiltrate data, or download malware. While most software vendors have disabled macros by default (which would otherwise trigger the malicious code upon opening the file), various ploys are engaged to get around the issue. Fill-in forms or customized phishing messages now entice the user to click and enable macros once the attachment is viewed.
Again, training workers not to open attachments immediately, and to review the sender address for errors first, can cut back on the chance of activating hidden malicious code. However, such training should always be backed up by endpoint security solutions that can block any malware that gets through.
3. Missent Emails.
Emails delivered to the wrong recipient can cost a company greatly. In the worst cases, sensitive data is delivered beyond the network to an unintended viewer and Business Email Compromise (BEC) occurs. The 2019 FBI Internet Crime Report noted that this type of threat costs organizations upwards of $25 billion, and those dollars are hard to recoup. It’s not only the money – once proprietary data has crossed the wire, you can’t get it back.
Certain email protection solutions do allow you to check the content of each email, including attachments, before sending. Using AI-driven technology they scan for confidential data and flag the user before they can send it outside the network. Additionally, Digital Rights Management (DRM) tools can allow the sender to allocate permissions to the email recipient, encrypt emails, and revoke access rights even after the file or message has been sent. In that way, the data will be safe even if it ends up in the wrong hands.
4. Email Spoofing.
Highly recognizable brands like Microsoft, LinkedIn and shipping titan DHL are all top of the list for most impersonated brands in phishing campaigns. Their recognizability and trust within their industries make users more likely to open unknown emails from them, and hackers frequently exploit their good names for nefarious purposes. Check spelling, investigate the URL, look for the padlock, and scan for anomalies before responding automatically to an unwarranted email to “update your password” or “confirm a shipping address.” However, the popularity of these name-brand spoofs is making them more well-known among users, who are becoming more wary. It is predictable that hackers will change tactics and move on to more personal email phishing attempts, impersonating supply-chain partners, customers, or suppliers.
Protocols like DMARC, DKIM and SPF all combat spoofing and can be found in email security solutions. They each add an additional layer of security, whether it be validation, authentication, or policy.
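How the three layers combine on a received message, as an added example that is not part of the original article: SPF validates the sending host, DKIM authenticates a signing domain, and a DMARC-style policy accepts the message only if one of those passes for a domain aligned with the visible From: address. The authserv-id `mx.recipient.example`, the sample messages, and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: authserv-id stamped by your own receiving MTA (hypothetical name).
TRUSTED_AUTHSERV = "mx.recipient.example"

def org_domain(domain):
    # Simplification: last two labels; real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(msg):
    """Return [(method, result, domain)] from headers our own MTA added."""
    found = []
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # senders can forge this header; ignore foreign ones
        for clause in rest.split(";"):
            m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
            ident = re.search(r"(?:smtp\.mailfrom|header\.d)=(\S+)", clause)
            if m:
                domain = ident.group(1).rsplit("@", 1)[-1] if ident else ""
                found.append((m.group(1), m.group(2).lower(), domain))
    return found

def dmarc_style_verdict(raw):
    """Pass only if SPF or DKIM passed for a domain aligned with From:."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    reasons = [f"{method} pass aligned with {from_domain}"
               for method, result, domain in parse_auth_results(msg)
               if result == "pass" and domain and from_domain
               and org_domain(domain) == org_domain(from_domain)]
    return ("pass" if reasons else "fail"), reasons

# Constructed sample messages (not real traffic).
FROM = "From: Tracking <noreply@shipper.example>\nSubject: Your parcel\n\nbody\n"
LEGIT = ("Authentication-Results: mx.recipient.example; spf=pass "
         "smtp.mailfrom=bounce.shipper.example; dkim=pass header.d=shipper.example\n" + FROM)
SPOOF = ("Authentication-Results: mx.recipient.example; spf=pass "
         "smtp.mailfrom=mailer.bulk-sender.example; dkim=none\n" + FROM)
FORGED = ("Authentication-Results: mx.sender.example; dkim=pass "
          "header.d=shipper.example\n" + FROM)

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoof", SPOOF), ("forged", FORGED)):
        print(name, dmarc_style_verdict(raw))
```

The second sample shows why an SPF pass alone is not enough: it only validates the envelope sender, so without alignment the displayed From: domain remains unauthenticated.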
5. MFA Evasion.
To combat phishing attempts, many organizations wisely implement MFA solutions. However, techniques are evolving that allow phishing campaigns to circumvent multifactor authentication protections. By taking advantage of MFA fatigue, clever phishing tactics can fool users, and sophisticated exploits allow the malicious client to act as a proxy with the real authentication system.
Defensive layers must be used as contingencies in the event that an advanced phishing attempt should make its way onto your network. Antivirus solutions and tokenized authentication can help offset the cost of a tricked MFA tool, and endpoint security solutions can catch malware as soon as it appears on an email server.
Malicious email trends are evolving, and phishing exploits are becoming increasingly treacherous, subtle, and sophisticated. Zero trust must include solutions across the network, the endpoint, and the user to be effective in combatting these multi-vector attacks. A defense-in-depth approach is no longer the best practice, but the only practice if organizations hope to stay ahead of impending email threats in 2023.
An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation, and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire, and many other sites.