As technology advances, email phishing campaigns continue to improve in sophistication, emphasizing the need for vigilance and awareness. The recent spate of ransomware attacks on US healthcare has shown major chinks in the armor of many an organization’s security stack. Zero-Day malware, if unchecked, can bring an organization quickly to its knees, and in the case of small and medium business (SMB’s), their eventual demise. SMB’s and some enterprises rarely have the money or skilled resources to prevent a targeted and sustained cyber-attack by determined bad threat actors.
It isn’t that many of these organizations don’t deploy security controls to mitigate threats, it’s that the almost static defenses can be bypassed by bad threat actors with diligent research using OSINT (Open-Source Intelligence) to profile a target, understand their technology stack, and investing in the technology infrastructure themselves to find a way in. Customer case studies are a good source of intelligence, for example, and why VMRay anonymizes details to obfuscate the customer. As a virtual last line of defense, it would be disingenuous to reveal one of the key technology’s keeping a customer network safe and secure just to have a brand logo on a website.
It’s Always The .x% That Gets You
After decades of maturity, phishing detection solutions – whether perimeter or endpoint – are still allowing malicious emails to infiltrate the network. Depending on the size of the organization, perimeter-based phishing solutions could be handling hundreds of thousands of emails every day. Do they work? Yes, they do. They’re very effective at addressing the 96-99.x% of cyber threats thrown at them, but it’s that .x% that manages to get through, causing all the damage.
But let’s hypothetically quantify what that .x% number really means. Out of the 340 billion emails sent worldwide every day – according to Internet sources – there are 3.4 billion fake emails such as phishing emails and other types of email attacks. So roughly 10% of the overall total, with approximately 2% of the 10% flagged as truly malicious. An average person sends and receives 121 business emails per day. If you multiply the average number of emails per day, per employee and take 98% off the total, that quantifies your potential risk.
Moreover, different classifiers get different results, with perhaps the most accurate achieving 99.68%, with less accurate classifiers anywhere between 96%-99%. The more emails your organization sends and receives, the greater the exponential risk. The chart below should help you ballpark your exposure to phishing risk. Remember, these are malicious emails per day that primary phishing solutions potentially miss due to lack of classifier accuracy.
| Classifier Accuracy |
99.68% |
99% |
98% |
97% |
96% |
| 1,000 Â Â Employees |
7.74 |
24.2 |
48.4 |
72.6 |
96.8 |
| 5,000Â Â Employees |
38.72 |
121 |
242 |
363 |
484 |
| 10,000 Employees |
77.44 |
242 |
484 |
726 |
968 |
| 25,000 Employees |
193.6 |
605 |
1,210 |
1,815 |
2,420 |
| 50,000 Employees |
387.2 |
1,210 |
2,420 |
3,630 |
4,840 |
Figure 1. Estimated number of malicious emails per day that could potentially bypass point phishing solutions based on accuracy.
For the .x% that do get through successfully and into a user’s mailbox, what is your backup plan to detect malicious email threats before a user clicks on them? The only plan working well right now is end-user education on how to spot and confirm an email threat, then forward to a quarantine mailbox managed by the SOC.
The SOC team then must manually triage the email or run it through a sandbox-like technology to identify behavior and any suspicious activity that would indicate an attack chain to a malicious payload. The automation of phishing email triage significantly reduces the reliance on SOC team resources and helps to close the gap on detecting zero-day threats and phishing email compromise. The larger the organization, the bigger the challenge, and phishing detection accuracy plays a big part in it.
The Attacker Always Has the Advantage
In the real world and on a level playing field, the defender has an advantage of 3 to 1. In the world of Cybersecurity, the inverse is true. The attacker always has the advantage and can pivot faster than static defenses to new tactics based on available intelligence, resources, and intent. Especially true if the online documentation for the solution they are trying to circumvent is available on the vendor’s website.
Malware authors know about the trade-off between performance and security and bury the payload deep inside recursive links and directories. They may know that links in PDF documents aren’t checked by a specific vendor solution, but if they are they replace the malicious link with a QR Code to deliver a malware loader or payload.
 With an increase of sophisticated social engineering toolkits such as Blackeye, NPhisher, and Zphisher, bad threat actors can setup and tear down convincing fake websites extremely quickly. The toolkits provide any number of preconfigured website templates that are very well made, making them very difficult to identify. Remember, it only takes one wrong click on a phishing email to potentially bring a company to its knees.
What Organizations Can Do to Mitigate Phishing Email Bypass
As mentioned earlier, phishing emails that bypass perimeter and endpoint security controls is unfortunately quite common. Many of the successful breaches that happen today just wouldn’t if accuracy wasn’t a problem. According to multiple industry sources, phishing is responsible for approximately 90-94% of successful breaches. The reason why they happen to be so successful is due to the high email volume, bad threat actors that can pivot on a dime to bypass defenses, and users that click on phishing emails due to lack of training in how to identify them.
On average, 20% of users in an organization are the one’s responsible for clicking on email links or malicious attachments without consideration for their actions, according to SoSafe , a provider of CyberSecurity awareness training. Younger adults are more inclined to click on a phishing email than older people. Even when educated about the risks of a phishing attack, fatigue can play a role in lowering the mental defenses, so too an urgency to complete certain tasks. Bad threat actors know this and leverage these traits in their email campaigns. That’s why it is important for every organization to implement security awareness training with the ability to simulate phishing attempts, identify repeat offenders, and provide additional guidance and education when needed.Â
Post-Phish Penetration and Persistence
Depending on the malware, a successful ransomware attack doesn’t just happen in a day.
After an initial foothold on a system is established – typically by a phishing campaign – the bad threat actors start a new stage of reconnaissance and lateral movement throughout the network using stolen credentials purchased from initial access brokers (IAB’s). After planting additional backdoors to maintain future access persistence, the first stage of extortion begins with data exfiltration of the compromised systems to be used as leverage if the ransom payment isn’t made. Checking the Firewall throughput logs for multi-terabyte data transfers on uncommon ports using unknown protocols is one way to potentially identify an initial compromise at this stage of the ransomware implementation.
With all the system logs wiped to hamper investigations, the bad actors then initiate the second extortion stage by encrypting sensitive files and critical folders while still maintaining the system capability for boot up. This is so the ransom demand can be viewed and acted upon. The final stage of the triple extortion play – which is becoming more common – is the threat to DDoS the victim’s IT infrastructure if they fail to pay the ransom. In addition, they can also sell off the exfiltrated data to the highest bidder – another form of revenue the bad threat actors can benefit from.
Layered Security with 3rd Party Validation
The scenario given above recently happened to a Children’s Hospital in the US and brought it grinding to a halt. The cost to the organization wasn’t just financial or the loss of Personally Identifiable Information (PII) which violates HIPAA compliance. Nor was it the drivers’ licenses, passports, and other forms of sensitive information stored in the data that can be used in identity theft. The highest cost was to the children attending that hospital for current and future cancer treatments – which in many cases were cancelled or delayed – setting patient’s wellness schedules back months and driving some into remission or worse.
Other than the moral depravity of the hackers to attack a children’s hospital, who is ultimately at fault here? Is it HIPAA compliance for not providing enough guidance where cybersecurity is concerned? Is it the IT Department for not implementing a layered security approach with compensating controls for sensitive information? Or is it the Phishing solution vendor ultimately at fault?
A cost analysis for an end-user education program and VMRay’s User Reported Phishing verses the digital destruction caused by a ransomware attack – which costs on average $4.2 Million per incident – is easily justifiable. Unfortunately for some, cybersecurity is still a knee-jerk reaction and complacency reigns until an organization falls prey to a crippling attack.
How VMRay’s User Reported Phishing Works
The first step in defending your business against phishing attacks is making sure that your employees know that these attacks exist and what they consist of. VMRay’s Abuse Mailbox enables Enterprise, MSSP and MDR SOC teams to create a dedicated mailbox hosted by VMRay solutions, allowing each client’s employees to forward any suspicious emails that may have bypassed the organizations primary phishing solution to VMRay for safe detonation and rapid analysis. SOAR solutions can then use that analysis to create an incident case file and initiate automated mitigation actions if required.
The ten steps below outline the workflow and simplicity of VMRay’s User Reported Phishing post end-user education and demonstrates how little the SOC is impacted in deploying and managing the solution.
- SOC Team enables Abuse Mailbox, then deploys the Outlook auto-submit plug-in to each client end-user desktop.
- End-user identifies a suspicious email and one-click auto-forwards it to the company’s preassigned Abuse Mailbox; <phishing@companyname.com>.
- VMRay then strips the forwarding envelope and inspects the sender information along with the originating IP and mail server.
- Email attachments and embedded URLs are then submitted to the reputation engine which contains a database of known malicious file hashes, known benign file hashes, and referenced URLs prior to starting deeper analysis. If identified, previously known malicious files and web links are immediately flagged within seconds.
- The first stage after the reputation assessment is static analysis, which parses the suspicious phishing email or file attachment through a multi-stage process that includes:
Deep Content Extraction: Fully extracting all the embedded content  from samples, no matter how deep they are hidden. After extraction these objects are sent for further analysis. This includes extracting embedded objects and links from documents, links and attachments from emails, archive unpacking with no depth limit, as well as decrypting password protected samples.
Computer Vision: An important part of detection & analysis is the ability   to extract text from images using Optical Character Recognition (OCR) to detect social engineering techniques used in phishing campaigns.
Phishing URL Detection (Smart Link Detonation): Attribute-based rules that determine if links   embedded in emails and documents should be detonated for example, domain age, reputation score, abnormal URL string.
Password-Protected File Analysis: Protection against malicious  password-protected attachments by searching for passwords in the email body and subject.
- The additional technology used in Dynamic Web Analysis to identify phishing threats are:
Adaptive Browser Simulation: Certain phishing attacks delivered via  web pages may only be triggered if the user clicks on a button for example, a download button on file sharing site. This technology detects and simulates the user interaction to automatically trigger payload delivery.
Machine Learning: Fed by high quality input data derived from the  VMRay analysis, machine learning is used to identify hard to detect phishing and credential harvesting attacks.
Automatic User Interaction: Simulation of user behavior to spoof evasive malware into detonation so analysis can continue. This includes  mouse movements and clicks, as well as clicking on dialog boxes and providing expected responses.
QR Code Detection: Extract and analyze URLs embedded in QR codes—  detection techniques force the detonation of QR-encoded URLs originating from an email.
Live Interaction: Allows Threat Analysts to manually interact with the sample during Dynamic File Analysis and Dynamic Web Analysis.
- For links that reach out to external sites, VMRay follows all recursive links with multiple hops and determines whether the site / payload is malicious or not.
- Both the end-user and SOC team are alerted of the submission if malicious.
- The system generates an analysis report, which includes screenshots of any potentially harmful activity.
- SOAR solutions can be configured to monitor the Abuse Mailbox and collect the analysis once complete to create an incident case file, initiate an email Policy Rule update based on VMRay’s IOC’s, scan the endpoint to ensure no malware was deployed, or any other automated responses.
To see a quick video of the setup and demonstration of the Abuse Mailbox in action, check the demo video below:
There are many benefits to educating users on phishing attacks and how to identify them. When combined with VMRay’s User Reported Phishing, the burden is lifted from the SOC team by automating the analysis and the results in the form of IOCs can be used to create policy and quarantine rules to quickly mitigate the threat. Adding the human element to the organization’s phishing detection fabric helps strengthen the weakest link in the cybersecurity chain – us.
