
Best Practices for Email Security

Written by Corvus Threat Intel & Risk Advisory | 04.12.23

Why Email Filtering Isn’t Enough to Protect Against Cyberattacks

Email has become a staple of everyday life and of vital business communication. That popularity makes it an attractive target: cybercriminals and threat actors use email as an attack vector to carry out phishing attacks, spread malware, and gain an initial foothold in an organization's network in order to steal valuable data. Attackers also use email to deceive and manipulate unsuspecting employees, with the end goal of compromising the organization.

Cybercriminals have become more sophisticated in their attacks and continue to exploit overlooked and vulnerable email implementations. The FBI reported that between June 2016 and December 2021, $43 billion was lost to Business Email Compromise (BEC) and Email Account Compromise (EAC) scams. Additionally, 30% of claims submitted to Corvus during H1 2022 were caused by BEC. Clearly, cybercriminals have had success using email as an attack vector, and organizations must make email security part of their cybersecurity strategy to protect themselves and avoid becoming another statistic.

So what can be done to protect against email-borne threats? The answer seems simple: put security solutions in place to prevent malicious emails from reaching their destination in the first place. In reality, this is challenging because organizations can take several different email security approaches, and the outcome depends heavily on how the chosen solution is configured. Many organizations opt for basic email filtering to give users' inboxes a baseline of protection. However, depending on email filtering alone has inherent weaknesses that can leave users' inboxes exposed to email threats. Like Skittles, email security comes in different flavors. The most common levels start with a basic email filtering solution and go up to an advanced solution such as a secure email gateway. Many organizations can benefit from the advanced email threat protection that a Secure Email Gateway (SEG) offers.

What is email filtering?

Email filters prevent spam, phishing, and other types of malicious emails from landing in a user's inbox: suspicious emails are 'filtered out' of an organization's inbound email stream. Email filters aim to give users' inboxes basic protection from email-based cyberattacks. Email providers such as Microsoft and Google include email filtering as part of their hosted email service, and this native functionality offers baseline protection to all users of the service. Email filtering provides average protection against obvious spam, but falls short against more targeted and sophisticated email attacks.

Why this is not enough

Email filtering alone cannot provide comprehensive threat protection for a user's inbox, because it can’t detect threats the filter hasn’t seen before (zero-day threats). Additionally, threat actors have evolved and use techniques to bypass email filters. These evasion techniques include irregular URL structuring (for example, embedding an “@” symbol in a malicious URL to disguise its real destination), spoofed websites that appear to be legitimate, and malicious links embedded in document attachments. Organizations should consider upgrading their cyber defenses to protect against the next generation of email-based cyberattacks.

Consider a Secure Email Gateway (SEG) for Advanced Email Security

An SEG is an advanced email security solution. Email filtering can be thought of as the JV basketball team: it will show up and perform, but don’t expect an entertaining game that keeps you on the edge of your seat. An SEG, on the other hand, is an NBA team that plays at a professional level with advanced plays.

An SEG examines and 'scans' different aspects of an email to determine whether it is a threat. The goal is to prevent advanced email-based attacks from reaching the intended recipient in the first place, which includes checking whether an email carries malware or is spam or phishing. This is a step above basic email filtering because an SEG leverages dynamic threat intelligence feeds from multiple sources, including real-time data. This information helps the gateway quickly and continuously evaluate possible threats and determine whether emails are malicious. Feeds may include blacklisted URLs, flagged keywords, indicators of compromise (IoCs), or other suspicious qualities that suggest an email may contain a security threat.
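To make these signals concrete, here is an added example in Python; it is not Corvus code and not any vendor's product. It parses a constructed sample message, unmasks the “@” URL trick described in the previous section by taking the host a browser would actually connect to, and matches that real host, the attachment's SHA-256, and body keywords against constructed stand-ins for the blocklist, IoC and keyword feeds described above. Every host, address, keyword, and feed entry in it is hypothetical.

```python
# Added example (not Corvus code): a minimal inbound-mail check that applies
# the signals described above. The "feeds" below are constructed stand-ins
# for the threat-intelligence data a real SEG would consume.
import hashlib
import re
from email import message_from_string
from email.message import EmailMessage
from typing import Dict, List
from urllib.parse import urlparse

# Constructed feed data (hypothetical values, not real indicators).
BLOCKLISTED_HOSTS = {"evil.example"}
FLAGGED_KEYWORDS = {"urgent wire transfer", "verify your account"}
SAMPLE_MALWARE_BYTES = b"constructed-malicious-attachment-sample"
IOC_SHA256 = {hashlib.sha256(SAMPLE_MALWARE_BYTES).hexdigest()}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def analyze_url(url: str) -> List[str]:
    """Flag the '@' evasion trick and blocklisted destinations.

    In 'https://bank.example@evil.example/login' the text before '@' is the
    userinfo field, so a glance (or a naive string match) sees bank.example
    while the browser actually connects to evil.example.
    """
    findings: List[str] = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()  # the host really connected to
    if "@" in parsed.netloc:
        decoy = parsed.netloc.rsplit("@", 1)[0]
        findings.append(f"userinfo-deception: decoy '{decoy}' hides real host '{host}'")
    if host in BLOCKLISTED_HOSTS:
        findings.append(f"blocklisted-host: {host}")
    return findings


def analyze_message(raw: str) -> Dict[str, object]:
    """Walk a raw RFC 5322 message and collect findings from every signal."""
    msg = message_from_string(raw)
    findings: List[str] = []
    body_parts: List[str] = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_filename():
            # Attachment: hash it and compare against the IoC feed.
            digest = hashlib.sha256(payload).hexdigest()
            if digest in IOC_SHA256:
                findings.append(f"ioc-attachment: {part.get_filename()}")
        elif part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            body_parts.append(payload.decode(charset, errors="replace"))
    body = "\n".join(body_parts)
    for url in URL_RE.findall(body):
        findings.extend(analyze_url(url))
    lowered = body.lower()
    findings.extend(f"keyword: {kw}" for kw in sorted(FLAGGED_KEYWORDS) if kw in lowered)
    return {"verdict": "quarantine" if findings else "deliver", "findings": findings}


def build_sample(malicious: bool) -> str:
    """Construct a sample message (hypothetical addresses, not a real mail)."""
    m = EmailMessage()
    m["From"] = "accounts@bank.example"
    m["To"] = "employee@corp.example"
    m["Subject"] = "Account notice"
    if malicious:
        m.set_content("Please verify your account at https://bank.example@evil.example/login today.")
        m.add_attachment(SAMPLE_MALWARE_BYTES, maintype="application",
                         subtype="octet-stream", filename="invoice.bin")
    else:
        m.set_content("Your statement is ready at https://bank.example/statements.")
    return m.as_string()


if __name__ == "__main__":
    for flag in (True, False):
        print(analyze_message(build_sample(flag)))
```

The design point is that the verdict is driven by the parsed destination host, not by the text a reader sees; a real gateway would add sender-reputation scoring and detonate the attachment in a sandbox on top of these lookups.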

A powerful function that sets an SEG apart from email filtering is sandboxing. A sandbox is an isolated environment that runs attachments and URLs before they are delivered to a user's mailbox, allowing testing and deep analysis of a file or URL. If the sandbox detects any malicious activity, the file or URL is blocked and is not delivered to the user. In other words, a sandbox is a testing environment that mimics a computer and determines whether URLs and attachments are malicious based on their behavior. This protects against both known threats and unknown threats, also known as ‘zero-day’ threats.

Key Differences in SEG vs Email Filtering

| | Email Filtering | Secure Email Gateway |
|---|---|---|
| Protection Capabilities | Protection against spam and malicious emails | Advanced Threat Protection: filters and inspects email for malicious content based on threat intelligence feeds (real-time data on current and possible threats) |
| Detection Method | Basic analysis: sender IP reputation, signature-based techniques for malware detection | Dynamic analysis: uses detection engines to scan emails and attachments in real time |
| Features | Does not protect against zero-day threats | Sandboxing to defend against zero-day threats and advanced malware; impersonation protection that looks at anomalies and keywords that are signs of spoofing |

Leveling up your Email Security

Cybersecurity is a multi-layered approach with roots in defense-in-depth, and this fundamental building block of security applies equally to email. Organizations must layer defenses along the attack path, starting with the most exploited vehicle into an environment: email. While there is no perfect security strategy and you may not be able to stop every attack, you can put enough obstacles in the way to deter and slow down a threat actor before it's too late. Consider bolstering your organization's perimeter by implementing a secure email gateway.