Beyond Known Bad: Historic Communications and Email Security

In most things in life, absolute certainty is rare. Decisions are made without perfect information, based on probabilities and risk assessment. Protecting your organization from email phishing attacks is no different, and yet most email security providers see the world in black-and-white terms of absolute certainty: they block the known bad and let everything else through.

At every level of your company, people are making dozens, sometimes hundreds, of decisions each day regarding email: open this one, delete that one, respond to this one, leave that one for tomorrow. When the email in question is a potential phishing attack, the wrong decision can impact an organization profoundly. And the wrong decision is too-frequently made: 1 in 25 people will click on any given phishing email.

The solution to this problem is not to block more known-bad emails. That just sends people digging through spam folders or quarantines for legitimate communications, and leaves the real threats lurking in their inboxes. The solution for organizations is to arm their users with better information about the unknown emails they receive. With better information, users make better decisions. In this post, we will outline two categories of contextual information that can take email security beyond black and white thinking and one thing your organization can do to turn your end users into valuable guardians of critical data and systems.

Individual History with the Sender

You may not be a person who is naturally suspicious of strangers, but it pays to have your email security solutions behave that way. A message coming in from an address you’ve never corresponded with before should be treated with a higher degree of caution.

Phishing attacks often “spoof,” masking an email address to make it look like the message is coming from someone familiar. It’s trivially easy to register a new domain (e.g.,, set up valid G Suite or Office 365 accounts against it, and spoof a known user scraped from LinkedIn. Your people need to know what’s happening underneath that mask. When an email looks like it’s coming from a colleague or partner, but in fact is coming from an address they’ve never seen before, that information has to be front and center. This helps users decide how to respond to the email. I.e., you know a Connor Sample, but not this Connor Sample.

The critical data points for knowing this information and making risk-based decisions are as follows:

  • Have you communicated with this Sender name before?
  • Have you communicated with this Sender and this email address before?
  • Have you communicated with this company name before?
  • Have you communicated with this domain (e.g., before?

Internal Colleague’s History with the Sender

In email, as in life, there is such a thing as too much information. Too many alerts and false positives turn valuable information into a nuisance. The human brain naturally senses these patterns and acquires the habit of ignoring such information. To help your users make better decisions about the emails they are receiving, it’s important to avoid communicating unnecessary information.

Another layer of sensitivity to risk in email communications is needed: your organizational email history. Email addresses and domains of vendors, clients, business partners and others that are frequent communicators with your company do not necessarily need to be flagged for closer review. This information can provide greater context as to its legitimacy. Just because an email is coming from a sender you have never communicated with does not mean this is a phishing email—others in the organization may have safely communicated with them.

The data points used when assessing historic company communications are the same as with your individual historic communication: sender name, sender email address, company name and company domain. Examining company history broadens the context for each of your users, reducing unnecessary warnings and making it more likely that when an email is flagged as potentially suspicious, the warning is heeded.

User Assisted Education

There’s a difference between vigilance and isolation: you can’t prevent every phishing attack from reaching your end users, and you also can’t block every message coming in from an unfamiliar address.

What you can do is give people the information, through historic communication, to make risk-based assessments. With this insight, they can make informed decisions for each email based on this contextual information to improve their level of scrutiny.

Organizations benefit from communicating with their people regularly about the risks of phishing emails and how they can protect against them. But it’s important to go beyond the classroom and bring user education into the real world and make it real-time. Context-specific education is needed at the moment users are making the potentially critical decision of whether to open an email attachment, click a link, or flag that email as suspicious. With these real time warnings, organizations can empower users and help them make better decisions.

It’s amazing how effective the right information can be when made available in the right place and at the right time. Phishers work on the assumption that most users don’t have context-specific information about history of correspondence with specific domains and sender email addresses. By providing information to people in your organization at the moment they open an email, you can thwart their attacks. You’re providing the tools needed to make an accurate risk assessment. People in your organization turn from vulnerable targets to valuable defenders, successful in their role as the “last line of defense” against phishing.

Note: GreatHorn and dmarcian hosted a webinar to provide organizations with real-world actions to improve day-to-day effectiveness against phishing attacks. Click here to watch the webinar.

Get Your FREE Email Threat Assessment

Learn what advanced threats are currently getting through your existing email security and into your end users’ mailboxes.