Top 5 Alarming Anomalies That Are Evading Your SEG
While a secure email gateway (SEG) used to be an effective way to block email attacks, that simply isn’t the case anymore. Free of traditional indicators of compromise and leveraging sophisticated social engineering tactics, modern threats are nearly impossible for traditional email security solutions to detect.
Silently lurking in your cloud environment, these alarming anomalies bide their time until they identify an opportunity to wreak havoc in your organization. And while they appear in many forms, they all have the same goal: exploit vulnerabilities to infiltrate your enterprise.
Read on to learn more about the five most common anomalies targeting your organization and hear from five security leaders who decided to replace their SEGs with an AI-native solution.
5 Sinister Cyber Threats Bypassing Your SEG
Phishing
Phishing is a social engineering attack in which criminals send fraudulent messages to deceive individuals into divulging sensitive information, such as login credentials. While phishing attacks are commonly conducted through email, attackers can also use phone calls and text messages as alternative channels.
Regardless of the delivery method, these attacks typically masquerade as authentic communication from familiar organizations or individuals, often impersonating well-known brands like Microsoft. Phishing is the most popular attack type, accounting for nearly 70% of all advanced email attacks.
“I received an email from Abnormal on a Sunday about a compromised employee email account. Once the account was compromised, the bad actor accessed the account and quickly tried to send a credential phishing email to 500 internal inboxes. With [our SEG], I would have had to grab a computer and spend hours manually remediating. But Abnormal had already logged out and disabled the user’s account, reset the account password, and pulled the phishing emails from the recipients’ mailboxes.”
—Peter Mueller, Systems Programmer, Saskatoon Public Schools
Business Email Compromise
Business email compromise (BEC) relies on impersonation, typically of an executive or other employee, to steal money from unsuspecting victims. Attackers commonly employ text-based emails and leverage social engineering techniques to establish trust and manipulate recipients into providing sensitive information, updating payroll account details, or sending gift cards.
BEC stands as one of the most financially devastating cybercrimes, resulting in losses of $2.7 billion in the previous year alone.
“Before Abnormal, our SEG let almost every executive impersonation email through. We needed something that could learn and do more than analyze headers. With Abnormal, anything identified as malicious gets stopped and pulled from all accounts.”
—Steve Tieland, Director, Corporate Security Operations, Pegasystems
Vendor Email Compromise
A subset of BEC, vendor email compromise (VEC) involves the impersonation of legitimate vendors to deceive targets into making payments for fake invoices, initiating fraudulent wire transfers, or updating banking details for future transactions. In the most sophisticated VEC attacks, threat actors will send an email from a compromised vendor email account to add credibility.
Given that vendor communications frequently revolve around payments, distinguishing these attacks from genuine emails can be extremely challenging. Consequently, they often lead to substantial financial losses. For example, the largest VEC attack stopped by Abnormal involved a request for a staggering $36 million.
“When a malicious actor took over an ongoing vendor conversation, we could see how Abnormal assessed the change of context, the slight nuances in the way the language shifted, the addition of a file with different bank details, and the fact that the attacker interjected an email address into the CC field. I’ve never seen these things detected by a traditional SEG.”
—Jonny Concannon, Group Information Security Manager, Boohoo
Malware and Ransomware
Although malware and ransomware can be distributed through various means, email remains the favored delivery method for cybercriminals. To bypass email security tools that block obvious malware attachments, attackers often employ tactics such as embedding malware files within seemingly legitimate links or attachments.
In more recent cases, cybercriminals use payloadless attacks: the email carries no attachment or link and instead states that the recipient has been charged a fee that they can reverse by calling the specified phone number. Upon making the call, targets are instructed to download a cancellation document, which, unbeknownst to them, contains a malicious file. These attacks are on the rise, with 89% of organizations being targeted last year.
“On the second day [of the Abnormal Proof of Value], Abnormal called about a malicious email and the indicators they saw. Both of our SEGs had let it go through. Abnormal saved us a lot of money because the message was something that an account manager would respond to quickly if it landed in their inbox.”
—John Mendoza, CISO, Technologent
Account Takeover
Among the most insidious forms of cyberattacks are those that grant criminals unauthorized access to legitimate accounts. Once accounts have been compromised, attackers can perform a variety of malicious acts, such as exfiltrating sensitive data, infiltrating connected applications, or using the account to send additional email attacks to coworkers, partners, and customers.
Account takeovers can stem from various methods, including successful credential phishing, password stuffing, or brute-force attacks. Shockingly, nearly 80% of enterprises have been found to have at least one compromised account.
“[Abnormal] picked up 1,000+ attacks that bypassed our SEG. I really like the account compromise feature that autodetects threats and locks users out of those mailboxes. It gives me peace of mind that not only is Abnormal blocking all the attacks, but also that if one actually succeeded, Abnormal auto-remediates that mailbox.”
—Jim Robinson, CIO, SuperConcepts
Keeping Anomalous Activity Out of Your Inboxes
Business communication relies on email, as it is the only universally adopted platform. It also serves a multitude of purposes—connecting individuals with their coworkers, facilitating collaborative work on confidential documents, and enabling payment requests. Consequently, its widespread utility means that it is also a prime target for attack.
Security leaders know this, which is why securing email is a top priority for nearly everyone. But unfortunately, these malicious monsters are in the business of outsmarting the tools put in place to stop them—and they keep trying until they’re successful.
So what do you do about these attacks? To counter these highly sophisticated cyber threats, organizations need the right security platform.
Abnormal’s AI-native email security platform leverages machine learning to stop sophisticated inbound email attacks and email platform attacks that evade traditional solutions like SEGs. The anomaly detection engine uses identity and context to assess risk in every cloud email event, preventing inbound attacks, detecting compromised accounts, and remediating malicious emails in milliseconds.
Increasing Awareness of Malicious Activity
While the right technology will stop these anomalies before your end users can interact with them, that doesn’t negate the importance of security awareness training. It’s vital to ensure that your employees know the latest tactics in email attacks and can identify when an email may be suspicious.
Use the resources in our Cybersecurity Awareness Month Kit to help your employees understand the types of threats targeting them and how they can detect and deter anomalous activity.