Today, most IT professionals understand that it’s impossible to stop every attack. That’s led to a more nuanced understanding of diagnosing and mitigating attacks at points inside and outside an organization’s security defenses.
Email is no different. Roughly 306.4 billion emails are sent each day, and an average of 126 corporate emails land in the inbox of any single user. There’s no way to catch every phishing attempt before it enters your users’ inboxes.
In analyzing billions of emails, the GreatHorn Threat Intelligence Team found that 0.1% are definitively malicious. These are easy to filter out. Another 0.8% are statistically anomalous and potentially malicious. However, quarantining all of them would also catch legitimate messages, making that approach inefficient. No matter how good your filters are, this 0.8% of email is somewhere in your system, where it represents a risk that a phishing attack will succeed.
It’s helpful to think of this risk in terms of the phases of an email attack. This allows your security team to focus on the risks present at each phase, and how best to mitigate those risks.
Here’s a summary, pulled from our white paper, Breaking the Phishing Attack Kill Chain, of the phases involved in an email attack.
Phase 1: Vectors
At a basic level, some attack vectors are built into the same core functionality that makes email such a widely used communication protocol.
- Unauthenticated messages: Email isn’t designed to verify the sender.
- Malicious attachments: File attachments open the door to a wide range of attacks.
- Malicious links: Email supports HTML, and therefore malicious links.
- Account takeovers: It can be virtually impossible to tell that the sender isn’t authentic.
Phase 2: Delivery
In Phase 2 of an email attack, we look at how cybercriminals use the attack vectors above to get phishing emails into your users’ inboxes.
- Domain spoofing: “Lookalike” URLs can get past security filters and induce users to open messages.
- Email header spoofing: Fabricated message headers make it more likely that users will trust a malicious email.
- Website spoofing: Users click on a link to find a page that looks like a trusted site, but is in fact designed to collect sensitive information or install malware.
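As an added illustration (not GreatHorn's code or detection method), the sketch below checks a message for three of the signals listed in Phases 1 and 2: a lookalike sender domain, a Reply-To header that points at a different domain, and the absence of a DMARC pass. The trusted-domain list, flag names, edit-distance threshold and sample messages are all assumptions constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}  # assumption: domains your organization trusts

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss "lookalike" domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain of an address header, or "" when the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def delivery_flags(raw_message):
    """Return the sorted delivery-phase warning flags for one raw message."""
    msg = message_from_string(raw_message)
    flags = set()
    from_dom = domain_of(msg["From"])
    # Domain spoofing: sender domain is within two edits of a trusted one.
    if from_dom not in TRUSTED_DOMAINS and any(
            edit_distance(from_dom, t) <= 2 for t in TRUSTED_DOMAINS):
        flags.add("lookalike-domain")
    # Header spoofing: replies would go to a different domain than the sender's.
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        flags.add("reply-to-mismatch")
    # Unauthenticated: no DMARC pass; trust only your own gateway's header.
    if "dmarc=pass" not in (msg["Authentication-Results"] or "").lower():
        flags.add("unauthenticated")
    return sorted(flags)

# Constructed sample messages (not real traffic).
LEGIT = ("From: Pat <pat@example.com>\n"
         "Authentication-Results: mx.example.com; dmarc=pass header.from=example.com\n"
         "Subject: Q3 numbers\n\nSee attached.\n")
SPOOFED = ("From: Pat <pat@examp1e.com>\n"
           "Reply-To: pat@mailbox.invalid\n"
           "Authentication-Results: mx.example.com; dmarc=fail header.from=examp1e.com\n"
           "Subject: Urgent wire transfer\n\nPlease pay today.\n")

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(name, delivery_flags(raw))
```

Flags like these are scoring inputs rather than verdicts: a legitimate partner domain can sit within two edits of yours, which is the same false-positive trade-off described above for the 0.8% of anomalous mail.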
Phase 3: Exploitation
Once an attacker gets past your organization’s email defenses, here are some of the exploits they will use to gain access to sensitive systems.
- Malicious payloads: Once users download or open a file, it can begin to work.
- Keylogging: Links take users to malware sites, or to fake pages used to harvest information.
- User actions: Attackers may convince users to transfer funds or provide passwords.
Risk exists in your email systems at each of these phases of a phishing attack, from email’s native vulnerabilities that make it an attractive medium for cybercriminals, to the malicious messages sitting in user inboxes right now, waiting for an unsuspecting user to open them and take an action.
The GreatHorn Threat Intelligence Team has aggregated data from a broad array of organizations to help you quantify the risk across the categories seen within email environments. Visibility into your organization’s risk exposure is important. Not all risks are equal, which is why we advocate a layered approach that matches your organization’s risk profile.
We want to help you understand the risks your organization is facing in order to develop a comprehensive email security plan. To quantify your organization’s email risk profile, use GreatHorn’s Email Risk Calculator.