Email phishing continues to be the most prevalent infection vector confronting enterprise security teams today. And with no end in sight to email-driven cybercrime, VMRay has been enhancing its email integration options, most recently with the introduction of Abuse Mailbox, an add-on feature to VMRay Analyzer.
Abuse Mailbox allows security teams to create and configure a dedicated mailbox (hosted by VMRay in the case of Cloud customers) so that all employees in an organization—or a selected subset—can use their email accounts to submit suspicious messages and attachments to the VMRay Analyzer platform for rapid analysis and detection. For organizations running Microsoft Outlook, we provide an Outlook plug-in that further simplifies the submission process. (See Figure 1.)
Making submissions via email is easy, fast and convenient. It eliminates manual processes that would otherwise bog down the IR team. And it quickly notifies users and security staff about malicious elements detected by VMRay Analyzer, so appropriate action can be taken. As a result, users are more self-reliant, and the IR team’s workload is streamlined.
Figure 1: Microsoft Outlook Plug-in
Empowering and Educating Users
On receiving a suspicious message, a user can take immediate and direct action. Rather than reaching out to the security team and waiting for a response, the individual can use email or the Outlook Plug-in to send the suspect message—along with related attachments and URLs— to VMRay Analyzer via the Abuse Mailbox.
In minutes the system scrutinizes the submission and sends back an email notification (Figure 2) indicating whether the sample is malicious or benign. In turn, the individual can make better-informed decisions about forwarding or replying to the message, downloading attachments, clicking on URLs or seeking further assistance from the security team.
Figure 2: Email Notification to the end user
Abuse Mailbox encourages end users to be proactive in protecting their email, and it gives them the confidence to move ahead with their work routine once a suspicious message has been given a clean bill of health. At the same time, users are helping to broaden and accelerate the security team’s awareness of threats that have already bypassed network safeguards, thereby enhancing the organization’s overall email defenses.
Streamlining the IR team’s Workload
Equally important, IR Mailbox offloads and automates a low-value but time-consuming task that often pulls skilled security staff away from more urgent or strategic activities. In many environments, IR teams rely on manual processes to review email user help requests, gather relevant data, submit suspicious emails for analysis, and report the results back to the user. By automating all these steps, the mailbox feature reduces the workload and eliminates potential bottlenecks, only requiring direct involvement by team members when malicious email elements are detected and a response is required.
Digging Deeper
In those cases, auto-notifications emailed to IR team members speed up the response by highlighting key findings requiring attention. For example, the email notification, shown in Figure 3—which has been sent to the administrator—clearly indicates that the submitted email contains malicious links or attachments.
Figure 3: Email Notification to the IR Team
To gain further insight, the administrator can click through to the sample overview page (Figure 4) which displays the number of IOCs detected, analysis results obtained by running the sample in different environments, and the severity of threat indicators associated with the email attachment.
Figure 4: VMRay Analyzer Sample Overview Page
Enhancing Email Defenses
In heterogeneous environments, Abuse Mailbox provides the same submission capability to every user, regardless of their chosen email client: Gmail, Yahoo, iCloud, etc. As previously mentioned, a Microsoft Outlook Plug-in provides one-click submission by adding an icon to the Outlook toolbar.
Easy Configuration
As the video below demonstrates, it’s easy to create and configure the mailbox in the VMRay Analyzer Cloud interface. There’s no need to install a local agent or create a new mail server. The mailbox will be hosted and managed by VMRay. For on-premises customers who would like to implement this functionality, consult the installation guide or contact our Support team.
To align with an organization’s existing IR processes and best practices, an account manager can define who can send emails to the mailbox for analysis, the maximum number of attachments and URLs that can be submitted for analysis per email, and who receives notifications once the analysis is completed.
In the battle against email phishing and other email-borne threats, the combination of VMRay Analyzer with Abuse Mailbox automates and expedites the process of submitting suspect emails for analysis and reporting back the results. This provides an extra layer of security for closing off these avenues of attack.
