How Confident Should You Be About Google Confidential Mode?

Google recently released a variety of security features to enhance, among other things, the user experience within Gmail (note that I use Gmail and not G Suite; this will become an important distinction). While many of these features were good steps for Google, one particular “security” feature has been met with heightened scrutiny from the security community. This feature is the ability to send “confidential” messages. Beyond the limitations and shortcomings of the confidential messaging features being discussed amongst concerned users, the feature has now caught the attention of the Department of Homeland Security.

Conceptually, the confidential messaging feature provides a method to send certain messages more securely within Gmail. End users can set expiration dates on messages, require SMS authentication before messages can be read, and messages are sent with the knowledge that the message cannot be printed or forwarded. Aside from the debate around how novel the methodology is, the means by which these messages are sent raises questions about how secure they truly are. Namely, how ripe are confidential messages for spoofing attempts?

Two scenarios come to mind. When a G Suite user sends a confidential message to another G Suite user, the recipient views the content directly in Gmail without needing to go to a secondary webpage. Under this scenario, the message never truly leaves the Google ecosystem (confidential messages always reside on Google servers). That said, nothing is preventing a confidential message from including malicious content such as a nefarious URL or attachment.

The second scenario deals with non-Gmail recipients, or Gmail users accessing mail in a client other than the Gmail client. Upon receiving a confidential message under one of these scenarios, the user is brought to a webpage where they are prompted to enter their Google credentials. The same concern about malicious content applies here as in the first scenario, but attackers can also seamlessly impersonate this workflow to steal credentials.

Under both scenarios, an attacker is exploiting user trust: not only is the user receiving a message in his or her inbox, but it is being sent “confidentially.” These types of tactics have been used for years as a way to engender trust between sender and recipient, but now Google has programmatically introduced a heightened level of trust seemingly without the means to prevent the feature from being exploited for nefarious purposes.

And as previously mentioned, the G Suite versus Gmail distinction is key: the confidential messaging feature is available and functions in the same fashion in both the free version and the paid G Suite platform. In other words, attackers can register Gmail accounts for free, set their display name to that of a business contact known to the recipient, and send these confidential messages as if they are the stated sender.

So how concerned should you be? From a professional perspective, the answer is, “it depends.” As a natural part of security awareness training, you are likely already emphasizing to your users that clicking on unexpected links is a bad practice. Unfortunately, training and real-world habits are often worlds apart.

If the notification of a confidential message is itself being spoofed, then your email security solution will treat it the same way that it treats other business service impersonation and credential theft attempts. When it comes to legitimate confidential messages being sent for potentially nefarious means, however, we open up a whole other can of worms. We recommend asking your email security provider how it addresses this scenario in particular.

Our customers can rest assured knowing that GreatHorn is able to address both of the above scenarios. GreatHorn’s email security platform relies on anomaly detection based on deep relationship analytics and adaptive user / organizational profiling. Regardless of the intent, GreatHorn is still able to, among other things:

  • Gauge the relationship or lack thereof between senders and recipients;
  • Determine whether or not the specific address being used has been seen before; and
  • Scrutinize other key information about the sender.

All of this is possible even when confidential messaging is being used.

In situations where Google’s confidential messaging is being impersonated, GreatHorn will analyze all of the above characteristics to gauge whether or not it is a legitimate confidential message as well as determine if the URL in the message is unusual or malicious.

Are you excited or concerned about Google’s new feature? Give us your view by commenting on the blog below.

4 Myths About Email Security


There’s no debate that phishing attacks are on the rise. In fact, 90% of data breaches start with a targeted email attack. However, relying on legacy email security tools simply does not work when faced with the trifecta of business email compromise, malicious URL delivery, and malware/ransomware attacks. Modern cloud email platforms require a modern email security solution that can protect against spear phishing and social engineering attacks.

Here are four common misperceptions or “myths” about email security and a brief explanation to dispel them.

1. Microsoft or Google Will Fix It – Two tech giants in charge of billions of corporate mailboxes will surely find a solution to spear phishing, right? Both Microsoft and Google do a tremendous job addressing the security challenges presented by their own infrastructure such as data loss from someone hacking into a server or stealing information from a physical data center.

Think of Microsoft and Google as property management companies for a residential building. They can try to secure the property by installing cameras and modern entry systems but if a tenant gives their keys away and has their condo robbed, there’s not much they can do. Phishing will always be the purview of individual businesses.

2. Our Secure Email Gateway (SEG) Will Protect Us – Email gateways have seen their efficacy erode as enterprise infrastructure has migrated to the cloud. SEGs route mail through their systems, analyze it to see if the emails are “good” or “bad,” and then deliver or block it. By making it a binary decision, these tools allow phishing emails to reach employees at an alarming rate. Cybercriminals craft their attacks with SEGs in mind knowing they have difficulty catching phishing or social engineering attacks.

3. Security Training Will Keep us Safe – Training is certainly a part of compliance but it has not proven to be effective at preventing data breaches. That’s because, according to a recent CSO article, ⅔ of inbound phishing attacks use a company’s own domain name in the ‘From’ field, making them extremely hard to detect. A well-crafted phishing attack delivered to the right person, at the right time will work regardless of the time, resources and effort invested in training them. Employees are soft targets.

4. We Haven’t Been Owned (Yet) – The phishing epidemic will continue — it has proven to be an extremely effective attack vector. And there is no such thing as a company that is too small or inconsequential to be the target of a cyber attack. The Ponemon Institute hammered that point home when they unveiled research that showed there was a 27% probability that a US company will experience a breach in the next 24 months that costs them between $1.1 million and $3.8 million. Just because a cyber criminal hasn’t tested your business’ email security posture yet does not mean you shouldn’t be ready when the time comes.

Learn more about these common misperceptions in our most recent webinar, 4 Reasons Why It’s Time to Rethink Email Security. Also hear GreatHorn CEO Kevin O’Brien explain how targeted phishing attacks work, how they’re evolving and what can be done to protect important assets from business email compromise.

The Google Docs Phishing Attack

Google Docs Is Fine, Right?

Earlier today, a major and sophisticated attack was levied against email users.

Unlike many commonplace phishing attempts, this attack cleverly used an imposter application to compromise mailboxes and accounts, by way of Google’s own OAuth framework. It was not an imposter email, user, domain, or the like — it was a real application that happened to be written in such a way as to look like a Google Docs application.

This is perhaps one of the most sophisticated phishing attacks we have seen to date.

Malicious cloud applications are almost impossible for an ordinary user to detect; by clicking on the “Allow” button, users are giving that application permission to operate on their behalf, both reading and sending mail from their inboxes. No credentials are stolen or exchanged; multi-factor authentication is of no help here.

There is a robust write-up on Reddit with additional technical details, as well.

How To Respond

First and foremost, the obvious: don’t click.

If you’re already running GreatHorn Inbound Email Security, you are also fully protected:

  1. GreatHorn automatically created a policy for every GreatHorn account today that detected and quarantined all instances of this attack from the time of detection onwards; no user action or administrative work was required here.
  2. Additionally, GreatHorn automatically detected and either quarantined or deleted every copy of the attack message, post delivery.

Unlike a traditional email gateway, GreatHorn’s cloud-native capabilities provide unique remediation capabilities, and can reduce incident response from hours to seconds — and as with the policy, this required no user action or administrative effort.

What’s Next?

One of our core beliefs is that advanced threats will not be limited to the phishing techniques seen today. Attackers are capable of building sophisticated, multi-step, and nearly impossible-to-spot threats that traditional email-only security tools and gateways cannot block.

Not only can we expect to see threats over email that defy legacy security tools, but we also expect to see an increasing number of attacks over secondary messaging platforms. Deploying this type of attack over a chat platform (like Slack) would be as effective as doing so over email — and no email-only security tool could detect or stop it.

GreatHorn is designed to uniquely provide detection capabilities for these additional platforms, with response capabilities tailored to deal with the threats of third party applications that leverage OAuth-based permission attacks.

As today’s attack demonstrates, protecting against social engineering and phishing attacks requires automated, comprehensive, and post-delivery response capabilities. Built on a foundation of over half a billion analyzed messages and leveraging the first and only cloud-native response platform, both Inbound Email Security and Messaging Security are available today, and both offer free 7-day trials.

GreatHorn automatically detects and removes phishing attacks from your inbox. 

Begin a trial or request more information about Inbound Email Security for G Suite.

Unpacking the “Undetectable Hack”

How GreatHorn Can Stop the Latest Gmail Phishing Attack

Over the past week, a significant amount of digital ink has been spilled about a new form of phishing attack: an embedded Gmail image that leads to a fake login page.

Media coverage has skewed heavily breathless, and articles on the subject are peppered with scary terms like “frightening,” “really devious,” and “almost impossible to stop.”  Admittedly, this is quite a convincing attack.

It begins with an email sent from an already-compromised Google account to another Google Apps / G Suite / Gmail user. The email contains a (fake) attachment that’s been made to look like a common document type (Word, PDF, etc.). The “attachment” is actually an embedded image link.

The link looks like, but is actually a unique type of link, a data:text/html link — in other words, a Data URI, rather than an HTTP URI.

When the user clicks the image link, instead of opening an in-browser preview of the document, it directs them to a spoofed page that prompts them to log in. 

If the user then inputs their email address and password, their credentials are passed to the attacker, who then has full access to the account – unless the user has MFA (multi-factor authentication) enabled on their account.

While Google has stated that they are working on improving defenses around this kind of attack, GreatHorn’s native spear phishing protection functionality is designed to catch most of the common attack techniques:

  • Display Name Spoofs. Many phishing attacks come from an email address with a Display Name that matches someone you know (“Your Boss”, for example), but an unusual email address (“[email protected]”). These emails can be automatically highlighted to a user, warning them of a risk present in the message, and admins can preset a customizable combination of notifications and actions in order to minimize the risk they pose.
  • Domain Lookalikes. More advanced attacks will come from look-alike domains, often only a single character away from a domain you recognize and/or regularly exchange email with (“” vs “”). GreatHorn’s automated social graph analytics catches and flags these types of emails, and admins can also choose to notify users, quarantine the message, or delete it outright.

Additionally, we are excited to announce that next week, we will be releasing two new features that will strengthen security postures against this type of attack and expand the capabilities of the GreatHorn platform significantly: Link Analysis and Attachment Analysis. 

Link Analysis will automatically flag embedded Data URIs, and Attachment Analysis will similarly flag risky email attachments. In-message alerts to recipients as well as automated remediation actions can be applied to flagged messages, and the option to send event-triggered reports to the intended recipients of dangerous messages gives security awareness training efforts more teeth. By educating employees in the moment rather than through simulations of attacks that are inevitably happening in the wild anyway, we are able to move more definitively towards a frictionless, integrated SecBizOps environment.
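
The three signals described in this post (a known display name on an unfamiliar address, a domain one character away from a familiar one, and a link that uses a Data URI) can be checked with the Python standard library. This is an added example, not GreatHorn's implementation; the contact directory, the `triage` function, the finding labels and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed contact directory (assumption): display name -> known address.
KNOWN_CONTACTS = {
    "alice chen": "alice.chen@example.com",
    "bob ortiz": "bob.ortiz@partner-corp.example",
}
KNOWN_DOMAINS = {addr.split("@")[1] for addr in KNOWN_CONTACTS.values()}
# A link whose target uses the data: scheme instead of http(s).
DATA_URI_LINK = re.compile(r"""href\s*=\s*["']?\s*data:""", re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw_message):
    """Return the findings for one RFC 5322 message, in check order."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []
    # Known display name paired with an address we have never seen for it.
    expected = KNOWN_CONTACTS.get(" ".join(name.lower().split()))
    if expected and expected != addr:
        findings.append("display-name-spoof")
    # Unknown domain exactly one edit away from a domain we correspond with.
    if domain not in KNOWN_DOMAINS and any(
            edit_distance(domain, known) == 1 for known in KNOWN_DOMAINS):
        findings.append("domain-lookalike")
    # Any HTML part containing a data: URI link.
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            if DATA_URI_LINK.search(html):
                findings.append("data-uri-link")
                break
    return findings


# Constructed sample: lookalike domain ("1" for "l") plus a data: URI link.
SAMPLE = (
    "From: Alice Chen <alice.chen@examp1e.com>\n"
    "To: finance@example.com\n"
    "Subject: Q3 invoice\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<a href="data:text/html,PLACEHOLDER"><img src="cid:doc-preview"></a>\n'
)
```

Only `href` targets are matched, so inline images embedded with `src="data:image/..."` do not raise the Data URI finding.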


Next week is a big week for us: along with releasing the new Link Analysis and Attachment Analysis features in the GreatHorn cloud communication security platform, we’re also publishing our second 2017 Spear Phishing Report. Sign up to receive updates or get in touch to discuss how GreatHorn can help your organization protect against advanced targeted threats here.

GreatHorn’s 2017 Spear Phishing Report Shows that 91 Percent of Phishing Attacks are Display Name Spoofs

GreatHorn, the cybersecurity solution for cloud communication platforms, today announced the findings of its annual 2017 Global Spear Phishing Report. The company captured insights into the cybersecurity threats facing today’s enterprises by analyzing more than 56 million emails from 91,500 corporate mailboxes from March to November 2016. The report demonstrates the defensive measures many organizations must adopt to protect themselves in the face of highly-targeted, message-based threats.

The data found that display name spoofs are the clear phishing weapon of choice for cybercriminals. Attackers are increasingly relying on highly targeted, non-payload attacks that exploit trust and leverage pressure tactics to trick users into taking action that will put their organizations at risk. Of the more than 537,000 phishing threats GreatHorn detected in its research, 91 percent (490,557) contained characteristics of display name spoofs. Display name spoofs impersonate a person familiar to a business user in order to fool the recipient into thinking that the message came from a trusted source. It’s an extremely effective tactic against a workforce deluged with incoming communications all day, every day. Direct spoofs were the second most popular attack type (8 percent), and domain lookalikes made up less than 1 percent of phishing attacks.

“Stopping spear phishing attacks isn’t as simple as pushing a button; the sheer volume of these attacks, coupled with the size of the attack surface and security resource constraints, makes it impossible to mitigate risk solely via human intervention, no matter how much you try to train your end users,” said GreatHorn Co-Founder and CEO Kevin O’Brien. “A true defense-in-depth strategy for protecting against these attacks requires unified visibility and control, coupled with risk-appropriate automation, across an organization’s entire communications infrastructure.”

Key findings from the research include:

Enterprises Reluctant to Leverage Automation

  • Data shows that security and IT professionals are often indecisive in how they handle a phishing attempt that has been flagged, as 41 percent take no action and only 33 percent alert an admin.
  • Of those organizations that did act on a flagged communication, 7 percent moved it to a folder, 6 percent added a label (G Suite) or category (Office 365), 2 percent moved to trash and 1 percent quarantined the message.

Email Authentication Frameworks Are an Essential Component of Email Security – But Rarely Fully Used

  • 80 percent of companies had minor authenticity issues, 10 percent had major authenticity issues and 15 percent had no email authentication at all. These last two statistics are troubling because, when combined with a robust data set that spans hundreds of millions of senders and messages, authenticity can be used as a major component of risk identification.
  • Sender Policy Framework (SPF) is the most popular, as 75 percent of enterprises have it enabled.
  • DKIM (DomainKeys Identified Mail) provides cryptographic proof that a message was sent from a specific sender but is used by a little over half of respondents (53 percent).
  • Finally, DMARC (Domain-based Message Authentication) checks for alignment between the apparent sender of a message and its SPF and DKIM headers. Because of its added complexity, it’s only enabled in 21 percent of the enterprises that were analyzed. However, the value of correctly implementing it is clear, as the dataset shows that organizations with correct and complete authentication records receive less than a quarter (23%) of the threats that those without received.
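
The alignment check that DMARC performs can be shown against the `Authentication-Results` header a receiving mail server stamps on a message. This is an added example, not code from the report or from GreatHorn; the trusted `authserv-id`, the two-label shortcut for the organizational domain and the sample message are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV_ID = "mx.example.net"  # assumption: our own receiving MTA

# method=result followed by the property carrying the authenticated domain.
RESINFO = re.compile(
    r"\b(spf|dkim)=(\w+)[^;]*?\b(?:smtp\.mailfrom|header\.d)=([^\s;]+)", re.I)


def org_domain(domain):
    """Approximate the organizational domain as the last two labels.
    Assumption: production code consults the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_alignment(raw_message, strict=False):
    """Report which passing mechanisms align with the header From domain."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    aligned = {"spf": False, "dkim": False}
    for header in msg.get_all("Authentication-Results", []):
        authserv_id = (header.split(";", 1)[0].split() or [""])[0].lower()
        if authserv_id != TRUSTED_AUTHSERV_ID:
            continue  # stamped upstream or by the sender: not evidence
        for method, result, ident in RESINFO.findall(header):
            domain = ident.rpartition("@")[2].lower()
            same = (domain == from_domain if strict
                    else org_domain(domain) == org_domain(from_domain))
            if result.lower() == "pass" and same:
                aligned[method.lower()] = True
    return {"from": from_domain, **aligned,
            "dmarc_aligned": aligned["spf"] or aligned["dkim"]}


# Constructed sample: SPF and DKIM both pass, but for a domain other than
# the one shown in From, so neither result aligns.
SAMPLE = (
    "Authentication-Results: mx.example.net;\n"
    " spf=pass smtp.mailfrom=bounce@mailer.attacker.example;\n"
    " dkim=pass header.d=attacker.example\n"
    'From: "Accounts Payable" <ap@example.com>\n'
    "Subject: Updated remittance details\n"
    "\n"
    "Please see the attached.\n"
)
```

A bare `spf=pass` or `dkim=pass` says nothing about the address the recipient sees; only an aligned pass ties the result to the `From` domain.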

Cybercriminals are a Persistent, Ever-Present Threat

  • GreatHorn found that roughly 1 percent of all emails to business users contained specific characteristics that were deemed “risky” – a figure that may seem low until the volume of emails that workers send and receive is taken into consideration. The Radicati Group’s Email Statistics Report, 2015-2019 shows that the average worker received 122 business emails per day in 2015, and this number is expected to grow through 2019. This means that the average business user faces at least one risky email per day, and it’s safe to assume that executives receive exponentially more attention.