Top 8 Alarming Anomalies That Are Evading Your SEG

While a secure email gateway (SEG) used to be an effective way to block email attacks, that simply isn’t the case anymore. Free of traditional indicators of compromise and leveraging sophisticated social engineering tactics, modern threats are nearly impossible for traditional email security solutions to detect.

Silently lurking in your cloud environment, these alarming anomalies bide their time until they identify an opportunity to wreak havoc in your organization. And while they appear in many forms, they all have the same goal: exploit vulnerabilities to infiltrate your enterprise.

Read on to learn more about the eight most common anomalies targeting your organization and hear from security leaders who decided to replace their SEGs with an AI-native solution.

Heading to RSAC 2024?

Join the Anomaly Expedition for your chance to win cool swag!

Credential Phishing

The phishing emails of the past often contained several indicators that the message was malicious, such as numerous misspellings, poor grammar, and less-than-convincing impersonations. Now, thanks to online translation services like Google Translate and AI tools like ChatGPT, today’s threat actors can craft messages with perfect spelling, grammar, and syntax that are personalized to each recipient. Attackers also spoof email addresses of trusted parties, hiding their true identities behind usernames and URLs with minor misspellings or character substitutions that are easily overlooked.

In short, bad actors have learned how to create phishing emails that wouldn’t raise any level of suspicion in the majority of employees—one of the reasons it’s the most popular attack type, accounting for 73% of all advanced email attacks.

“A bad actor compromised an employee email account and quickly tried to send a credential phishing email to 500 internal inboxes. With [our SEG], I would have had to grab a computer and spend hours manually remediating. But Abnormal had already logged out and disabled the user’s account, reset the account password, and pulled the phishing emails from the recipients’ mailboxes.”
—Peter Mueller, Systems Programmer, Saskatoon Public Schools

Business Email Compromise

In business email compromise attacks, threat actors meticulously select their targets and conduct thorough research, leveraging publicly available information to customize their malicious messages. They impersonate individuals with whom the target has an established partnership or who hold positions of authority, allowing them to capitalize on the implicit trust within the relationship. Then, they apply social engineering tactics to exploit the natural tendency of humans to be helpful to deceive targets into divulging sensitive information or completing fraudulent financial requests.

BEC stands as one of the most financially devastating cybercrimes, resulting in losses of $2.9 billion in the previous year alone.

“Before Abnormal, our SEG let almost every executive impersonation email through. We needed something that could learn and do more than analyze headers. With Abnormal, anything identified as malicious gets stopped and pulled from all accounts.”
—Steve Tieland, Director, Corporate Security Operations, Pegasystems

Vendor Email Compromise

A subset of BEC, vendor email compromise (VEC) involves the impersonation of legitimate vendors to deceive targets into making payments for fake invoices, initiating fraudulent wire transfers, or updating banking details for future transactions. Given that the vendor-customer dynamic has an inherent financial element built into it, and invoices, billing accounts, and upcoming payments are often discussed via email, distinguishing these attacks from genuine emails can be extraordinarily challenging.

Consequently, they often lead to substantial financial losses. Notably, the largest VEC attack stopped by Abnormal involved a request for a staggering $36 million.

“When a malicious actor took over an ongoing vendor conversation, we could see how Abnormal assessed the change of context, the slight nuances in the way the language shifted, the addition of a file with different bank details, and the fact that the attacker interjected an email address into the CC field. I’ve never seen these things detected by a traditional SEG.”
—Jonny Concannon, Group Information Security Manager, Boohoo

Malware and Ransomware

Email is the only universal communication vehicle, making it an easy way to get in front of an employee and, subsequently, compromise an organization’s network via malware. To bypass email security tools that block obvious indicators of compromise, attackers often embed malware files within seemingly legitimate links or attachments.

They also utilize a strategy known as payloadless malware, which involves sending targets a text-only email about a fabricated time-sensitive issue that includes a fake support phone number. If the target calls the number to get more information, they are instructed to download a file that, unbeknownst to them, contains a malicious payload.

An increasingly costly threat, the total losses from malware and ransomware attacks grew by 74% between 2022 and 2023.

“[During the Abnormal Proof of Value], I saw that the SEG was missing more attacks than I had realized and how many advanced threats Abnormal caught due to its behavioral AI capabilities. Abnormal was the easiest solution for us to implement. It works seamlessly and keeps us incredibly secure. With the SEG, I always had a window open. With Abnormal, I don’t.”
—Robert Crowther, IT Manager, Atomic Cartoons

Account Takeover

Account takeovers may be the most dangerous email threat that organizations face, as they provide cybercriminals with unparalleled access to the company’s network. Once an account has been compromised, attackers can perform a variety of malicious acts, such as exfiltrating sensitive data, infiltrating connected applications, or using the account to send additional email attacks to coworkers, partners, and customers.

Account takeovers can be initiated using various methods, including session hijacking via authentication token theft or forgery, successful phishing, social engineering, password stuffing, or brute-force attacks. These attacks are among the most damaging, with the average cost of a data breach caused by compromised credentials totaling $4.62 million.

“[Abnormal] picked up 1,000+ attacks that bypassed our SEG. I really like the account compromise feature that autodetects threats and locks users out of those mailboxes. It gives me peace of mind that not only is Abnormal blocking all the attacks, but also that if one actually succeeded, Abnormal auto-remediates that mailbox.”
—Jim Robinson, CIO, SuperConcepts

Generative AI Attacks

The rise of AI-generated attacks marks a significant shift in the evolution of cybercrime tactics, as AI empowers attackers to craft emails that are tailored to individual recipients with unprecedented precision. By analyzing vast amounts of data scraped from social media profiles, online activity, and previous correspondence, AI algorithms can generate messages that not only believably mimic the writing style and behaviors of the impersonated party but contain content that is hyper-personalized to the target.

This level of sophistication makes the emails more difficult for traditional security measures to detect and more likely to deceive unsuspecting recipients. As a result, AI-generated attacks are already a significant challenge for security leaders—98% of whom report security risks from generative AI are a major concern.

“You can't rely on traditional secure email gateways anymore because the threat environment has changed from signature-based to behavioral- and language-based. Abnormal looks at each threat as a whole, including the language and the intent, and that approach sets it apart.”
—Kaushik Bagchi, Head of Digital Security, Mace

QR Code Attacks

QR code attacks, the newest iteration of phishing, are a type of social engineering attack in which a threat actor attempts to trick a target into interacting with a malicious QR code. The QR code is linked to what appears to be a legitimate website with a prompt to enter login credentials or other sensitive details. Unfortunately, any information provided can then be used by the perpetrator to compromise the target’s account and launch additional attacks.

QR code attacks contain minimal text content and no obvious URL, which significantly reduces the number of signals available for legacy security tools to analyze and use to detect the threat. This exploitation of the intrinsically harmless QR code contributed to the nearly 300,000 phishing incidents reported in 2023.

“We've employed cutting-edge technologies such as Abnormal Security because we found that the legacy security email gateways don't always keep up with the evolution and the advanced techniques employed by the bad threat actors.”
—Vincenzo Baldin, Executive Director of IT Infrastructure, Kroenke Sports & Entertainment

Third-Party App Attacks

Though inbound email attacks are a mainstay for threat actors, cybercriminals have recently begun shifting tactics to exploit third-party applications as a new method for gaining entry into an organization’s email environment. On average, enterprise organizations have more than 300 third-party applications integrated into their cloud environment. Every time an employee authorizes a third-party application, they grant it a number of permissions, and if an app is compromised, attackers can access sensitive company data.

Each third-party application is a potential entry point into your mailboxes, a side door attackers can take advantage of to compromise email accounts without detection. Unfortunately, vulnerabilities in third-party software accounted for 13% of all breaches in 2022—costing organizations an average of $4.55 million per incident.

“We employed two SEG solutions in sequence, and that still wasn’t solving our email security problems. Abnormal frees us from inbox cleanup, so we can proactively identify and address other security threats before they become problems.”
—Jason Stead, CISO, Choice Hotels

Business communication relies on email, as it is the only universally adopted platform. It also serves a multitude of purposes—connecting individuals with their coworkers, facilitating collaborative work on confidential documents, and enabling payment requests. Consequently, its widespread utility means that it is also a prime target for attack.

Security leaders know this, which is why securing email is a top priority for nearly everyone. But unfortunately, these adversarial anomalies are in the business of outsmarting the tools put in place to stop them—and they keep trying until they’re successful.

So what do you do about these attacks? To counter these highly sophisticated cyber threats, organizations need the right security platform.

Abnormal’s AI-native email security platform leverages machine learning to stop sophisticated inbound email attacks and email platform attacks that evade traditional solutions like SEGs. The anomaly detection engine uses identity and context to assess risk in every cloud email event, preventing inbound attacks, detecting compromised accounts, and remediating malicious emails.

Check out our Anomalies page for fun games that can help you sharpen your detection skills and understand the threats targeting your organization.