We analyzed more than 56 million anonymized emails from 91,500 corporate mailboxes to identify trends and gain insight into the highly targeted, message-based threats facing today’s businesses.

The Cloud Email Security Challenge

Why does email continue to be a viable attack vector, and what can organizations do to secure it?

We are at an interesting moment in the evolution of communication technology.

As legacy email technologies are being replaced by their modern, cloud-native successors, new platforms that merge messaging, collaboration, and filesharing are seeing widespread adoption. Where once information technology teams discussed the risks of cloud applications and so-called “shadow IT,” entire organizational units are bringing new infrastructure online in minutes, deploying it to improve their efficacy and ability to interact across traditional business lines.

In many ways, we are witnessing the beginnings of a shift away from cloud as a means of reducing costs, and towards a new future where the mechanisms of discussion and collaboration will inform not only where we interact, but how.

Unsurprisingly, email remains at the heart of the modern enterprise communication landscape, and given its integral role in core business operations, the adoption rate of email security technology is nearly 100%. In spite of this deep investment in security, however, the rate of compromise that can be attributed to email security failures is stunningly high; in aggregate, targeted attacks account for over $3.1B in damage annually – a figure revised upward by nearly 30% since 2015 alone.

93% of breaches begin via targeted attacks that originate from business email compromise attacks (BEC) and other forms of threats that legacy technologies cannot detect. 

The widespread adoption and interconnection of cloud services plays a significant role in the continued vulnerability of email as a communication channel. The level of enterprise workloads in the cloud is expected to reach 60% by mid-2018; one in three enterprises now run all their applications in the cloud, and more than half of those who don’t are on their way to doing so. The data that moves through these platforms is changing: core business information is now being exchanged over infrastructure that legacy security models cannot account for, especially in the communication space, where gateways and static threat detection are at odds with the systems that business users rely upon.

In addition, cybercriminals are becoming increasingly sophisticated (and successful) in their attacks, recognizing that the convergence of non-technical users and externally hosted systems creates an opportunity to use deception and social engineering to extract financial and data gains from companies. Despite the high success rate, cloud email providers and secure email gateways don’t protect against these types of payload-free attacks.

“Attackers are striking even more effectively with spear phishing and highly-focused business email compromise (BEC) scams … these emails are so convincing that they can even bypass the secure email gateway.”

– SANS Institute Report, Guarding Beyond the Gateway: Challenges of Email Security 

In order to effectively secure email in this increasingly connected environment, security professionals must implement a comprehensive security strategy that encompasses all services that touch the company’s communications infrastructure. This multilayered threat landscape includes the services that an organization controls directly — such as internal mailboxes — as well as external partners and third-party services that send mail on an organization’s behalf. 

What we see today as the systematic set of interaction points between executives, trusted partners, and vendors (email, chat, CRM, web, social, etc.) is incredibly dynamic; one of the challenges facing security teams is thinking not in terms of point solutions for technologies, but rather in terms of the hub-and-spoke model of infosec. This is a view in which data (the hub) is accessed by myriad platforms and products (spokes); security that exists at the center of the model and protects against types of threats becomes a scalable center, whereas products that focus on the deficiencies or vulnerabilities of spoke-level technologies is commoditized at best, and distracting at worst.

Effectively securing the email attack surface requires a risk management approach to your entire security landscape.

By implementing security where it will have the highest return-on-investment — in other words, by identifying the types of risks that most often lead to large or frequent breaches or loss within your industry or across the market as a whole, and automating the detection and remediation of those threats within your email infrastructure — it is possible to interweave security into the systems that most need protection.

The dataset analyzed for this report consists of:

9 months of mailflow

91,500 mailboxes

56,513,652 unique emails

653,447 domains

773,410 risks identified

GreatHorn’s Inbound Email Security platform is focused on detecting modern attacks that operate by exploiting user trust rather than through the delivery of malware or via the transmission of insecure URLs.

By natively integrating with cloud email providers like Google and Office 365, the platform is able to perform realtime analysis of message authenticity, based on both authentication data such as SPF, DKIM, and DMARC as well as contextual analysis of mail transmission pathways, sender IPs, domain “look-alike” attack vectors, and indicators of message or domain spoofing.

Spear Phishing By The Numbers

Threats detected across the GreatHorn Data Cloud  

Simply put, spear phishing emails are customized attacks that appear to be from legitimate, well-known sources. Rather than trying to fool a message recipient into clicking an unsafe URL or opening a malicious attachment, these low-volume, highly-targeted attacks exploit trust and leverage pressure tactics to trick users into taking action that will put their organizations at risk.

Display Name Spoof

An attacker identifies the “friendly” name of a known contact (typically a first and last name) and uses it as the display name in order to fool the recipient into thinking the message came from a trusted source.


Direct Spoof

An attacker rewrites SMTP mail headers to send mail with the From:, Return-Path:, and other key email fields manipulated to appear as though a user inside of your domain sent the message.

Domain Lookalike

An attacker either registers or spoofs a domain name that looks similar to one your organization actually uses, and then sends mail from the faked domain to users inside your real domain.

We believe that effectively protecting against spear phishing at scale requires automation — not manual intervention. As attackers move faster and utilize more sophisticated strategies, the windows of time to compromise and exfiltration are shrinking; unfortunately, time to detection is concurrently increasing as overburdened security teams struggle to sift through increased volumes of data and potential threats.

As a result, many organizations are notified of a breach by external parties, like law enforcement and third-party partners. The number of breaches discovered internally or through fraud detection methods has declined steadily over the past ten years, and in 2015, less than 20% of breaches were detected via each of these channels.

Bolstering detection capabilities is more effective when coupled with automated response capabilities.  GreatHorn enables users to monitor, manage, and create policies, which operate autonomously to protect mailboxes against inbound threats in real time. Policies are combinations of focusing conditions such as attack types, email recipients, senders, content keywords, etc., along with automated actions taken by GreatHorn in response to email events flagged by policies. 

See what your current email security solution is missing.  

GreatHorn Inbound Email Security deploys in just minutes (yes, really).

For Admins:

If you are an administrator for your domain, follow the link below to begin the trial deployment process.

For Non-Admins:

If you don’t have admin permissions for your domain, contact our team (or send a note to [email protected]) and we’ll be in touch to get you started.