BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
Email is the dream delivery platform for any and all types of cyberattacks; it provides a mechanism capable of placing almost any kind of threat in front of almost any target.
Attackers use email to send malicious software attacks to an end user. Even when filters are able to find potentially unwanted programs, attackers can still fall back to time-tested social engineering tactics to convince victims to take actions against their own interests.
For decades, email has been the predominant end-user network application, so it should be no surprise that attackers have focused their attention on exploiting email security threats. While the attack techniques have become much more sophisticated over the years, security teams have long understood the fundamentals of email security threats.
While the forms and intentions of email security threats have morphed many times, from sowing chaos and denial of service via spam campaigns to today's dominant threats of ransomware and email fraud, the email security threats themselves still generally fall into three categories:
- Malware delivery
- Domain spoofing
These three threats represent different families of tactics that attackers use to build their campaigns, so eliminating vulnerability to one or even two of these categories is not enough to extinguish the threat. Successful attacks often combine the following threats to succeed.
Ever since email applications began to include attachments, file attachments have been used to deliver malware. Once email applications began to support executable content using the same types of content that are offered on the web, attackers quickly learned to subvert that content with malicious code.
Early examples of emailed malware, such as the Michelangelo or Melissa viruses, resulted in damage to victim systems or disruption of email services. However, ransomware is perhaps today's greatest email security threat.
While ransomware can be spread by any type of network intrusion, email is a natural fit for ransomware attacks. Once one user's email account has been compromised, it can be used to further spread the ransomware to other accounts both inside and outside of the victim's organization.
One way to mitigate the threat of malicious software in email is by restricting email to text-only messages with no attachments, but that is a non-starter. Users and organizations depend on email to deliver many different types of content, as well as to transport files.
Email filtering and monitoring systems offer effective mitigation techniques that balance usability with function while reducing the risks stemming from the introduction of malicious code into the organization's network.
Phishing, in all its forms, is the practice of using email or other types of messaging applications to carry out social engineering campaigns in an effort to convince the victim to perform some action. Ordinary phishing campaigns spread generic phishing emails to a broad spectrum of potential targets in order to harvest user credentials or infect users' systems with ransomware by prompting them to click on malicious links.
Spear phishing, in which individuals are specifically targeted, can be more difficult to defend against, in part because spear phishing emails are often handcrafted to convince the victim of their legitimacy. Like with whaling, a type of spear phishing that targets high-ranking individuals, victims are often targeted because of their job functions, especially when their job functions include directing payments to outside entities.
While many ordinary phishing emails can be filtered out by email monitoring systems, employee email security training can also improve phishing risk awareness among potential victims.
Spoofing domains is a common tactic attackers use against email users. The domain being spoofed may be in the headers of a message to try to fool the recipient into believing that the email originated from a known domain. For example, an attacker may send a phishing message that appears to have originated from the recipient's employer, bank or other trusted source.
Domain-based Message Authentication, Reporting and Conformance is a protocol that offers some defense against this type of attack by enabling domain owners to advertise that they can authenticate messages sent from the domain and enable recipients to block messages that have not been authenticated.
Another type of domain spoofing activity involves creating domains that appear to be trusted but that actually use internationalized domain names with different ISO character sets to produce domains that visually resemble well-known domains, but which actually connect victims to websites controlled by an attacker. Defending against these attacks can be tricky, but email monitoring systems can often scan emails for domains that are known to be malicious, including domains that have been linked to advanced persistent threat groups.
Defending against email security threats
Specific threats continue to evolve as defenders deploy better security tools to root out attacks and as attackers improve their exploits to outfox defenders. Still, the underlying email security threats enterprises face today are not that different from the threat landscape of the past.
Understanding email security threats and educating users on the nature of those threats can help enterprises defend against increasingly disruptive and damaging cyberattacks. An important aspect of email security is understanding that while there are different types of tactics that attackers use to exploit email, the motivations behind using any email exploit are largely the same as for any type of cyberattack: to steal money or to disrupt operations at the targeted organization.