Ira Winkler on Recognizing and Stopping Emerging Email Threats
If you ask a cybersecurity professional why email continues to be a primary attack vector, there’s a good chance they’ll quote a famous anecdote about bank robber Willie Sutton. When asked by reporter Mitch Ohnstad why he robbed banks, Sutton replied, “Because that’s where the money is.” And even decades later, this mentality holds true.
Threat actors today target email for a number of reasons, and money is not the only one. Not only do our email accounts contain a wealth of sensitive data, but they’re also a hub through which threat actors can gain access to just about any other account we have.
After all, email is the way we log into applications, the way we connect our business accounts, and the way we reset passwords. Gaining access to an email account provides a multitude of opportunities to move throughout the entire application ecosystem—making it truly the easiest way to further infiltrate organizations.
While inbound email attacks remain a major concern and should be treated as such, there’s an emerging threat that enterprises also need to be aware of as they work to secure their cloud environments: email platform attacks.
In a recent webinar, Ira Winkler, Executive Director of the Human Security Engineering Consortium and former Chief Security Architect at Walmart, shared his insights on risks to cloud email environments and what enterprises can do to prevent these threats.
How the Shift to the Cloud Has Impacted Email Security
“If people all over can access a cloud, the bad guys can try to access that cloud as well.”
—Ira Winkler
For decades, every organization’s IT infrastructure was on-premises, and access to the network was limited exclusively to company-managed devices. Employees were restricted only to applications that were approved and managed by the IT team. As a result, there were substantially fewer entry points into the enterprise’s network.
Now, business has shifted, and on-premises technology is being increasingly replaced with cloud-based solutions—most notably Microsoft 365 and Google Workspace.
While the adoption of a cloud-first approach had already gained traction in the mid-2010s, the pandemic significantly accelerated the transition. Simultaneously, a growing number of enterprises began moving to remote-first or hybrid environments where employees now have the ability to work from anywhere, from nearly any device.
And although these shifts yield considerable benefits from the perspective of improving business agility and promoting a positive employee experience, a cloud-based infrastructure combined with a distributed workforce also creates exponentially more vulnerabilities that threat actors can exploit.
New Entry Points into Cloud Email Environments
“Once you're in the emails, you can start moving to SharePoint; you could start moving to other cloud-based applications… And then with that, you can start resetting passwords. It's very common for attackers to lock legitimate employees out once they have compromised their account.”
—Ira Winkler
Millions of companies rely on either Google Workspace or Microsoft 365 for their cloud email. And while both providers offer native security capabilities, both are still vulnerable to email platform attacks, including:
Account takeovers through credential phishing and brute force attacks
Legacy authentication exploitation or MFA bypass
Access compromise through third-party application APIs
Vendor email compromise or supply chain compromise
And once an attacker has infiltrated your organization, they can immediately wreak havoc. Even more concerning is the fact that they can choose to keep the compromise concealed for weeks, if not months. According to the Cost of a Data Breach 2022 report, it takes an average of 277 days to identify a breach and another 70 days to contain it. That’s nearly a full year that a threat actor could have access to your account and associated information.
After compromising an account, threat actors can browse emails to gather private data and proprietary information as well as move laterally throughout your system, accessing sensitive documents or internal chats. They can also begin corresponding with colleagues to acquire more information and launch additional attacks. Additionally, attackers can reset passwords or identify business-critical elements of your network and install ransomware.
Securing Your Organization by Securing Your Email
“Security awareness is a critical countermeasure in reducing risk…by user actions, by user decisions. However, we also have to make sure we reduce the user risk by implementing the right technologies around the user to help them not have to deal with most of the threats.”
—Ira Winkler
In the past, the email environment was fairly contained, requiring enterprises to only implement basic outbound security measures—email authentication protocols like SPF/DKIM/DMARC, message and file encryption, malware sandboxing, data loss prevention (DLP), and basic inbound email security.
A traditional secure email gateway (SEG) could do all of these things, and it could do them fairly effectively. But as we’ve discussed, the email threat landscape has changed dramatically, and legacy email security solutions are no longer sufficient. Enterprises must shift from basic inbound email security to behavioral inbound email security.
Organizations need a solution that leverages an API integration with their cloud email platform to ingest thousands of diverse signals, derive business context, and baseline normal behavior for every user across the organization. The platform must also monitor both internal and external traffic and assess the risk of every individual email based on content analysis using natural language processing and natural language understanding.
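As an added illustration (not code from the webinar or from any vendor's product), here is the kind of per-user baselining the paragraph describes, run over a few constructed cloud email audit events: each user's usual countries are learned from their own history, and a sensitive action such as a password reset scores higher when it arrives from a place that user has never been seen in. The event shape, action names and scoring weights are assumptions for the demo.

```python
from collections import defaultdict

# Constructed audit events, in time order (not real tenant data).
EVENTS = [
    {"user": "alice", "country": "US", "action": "login"},
    {"user": "alice", "country": "US", "action": "login"},
    {"user": "alice", "country": "US", "action": "send_mail"},
    {"user": "alice", "country": "US", "action": "login"},
    {"user": "bob", "country": "DE", "action": "login"},
    {"user": "bob", "country": "DE", "action": "send_mail"},
    # The post-compromise pattern the article describes: an unfamiliar
    # location, then the account is used to lock out its real owner.
    {"user": "alice", "country": "RU", "action": "login"},
    {"user": "alice", "country": "RU", "action": "password_reset"},
    {"user": "alice", "country": "RU", "action": "new_inbox_rule"},
]

# Actions that take over or silence an account; the names are assumptions.
HIGH_RISK_ACTIONS = {"password_reset", "new_inbox_rule", "mfa_change"}


def score_events(events, warmup=3, confirm=3, threshold=4):
    """Score each event against a per-user baseline of usual countries.
    warmup:    events seen for a user before novelty is scored at all
    confirm:   times a new country must recur before it becomes 'normal'
    threshold: score at or above which an alert is raised
    Returns (scores, alerts); each alert is (index, user, score, reasons).
    """
    baseline = defaultdict(set)                       # user -> trusted countries
    pending = defaultdict(lambda: defaultdict(int))   # user -> country -> count
    seen = defaultdict(int)
    scores, alerts = [], []
    for i, ev in enumerate(events):
        user, country, action = ev["user"], ev["country"], ev["action"]
        score, reasons = 0, []
        if seen[user] < warmup:
            baseline[user].add(country)               # still learning: trust it
        elif country not in baseline[user]:
            score += 2
            reasons.append("new country %s" % country)
            pending[user][country] += 1
            if pending[user][country] >= confirm:
                baseline[user].add(country)           # recurred enough: now normal
        if action in HIGH_RISK_ACTIONS:
            score += 2
            reasons.append("high-risk action %s" % action)
        seen[user] += 1
        scores.append(score)
        if score >= threshold:
            alerts.append((i, user, score, reasons))
    return scores, alerts
```

Calling `score_events(EVENTS)` flags only the two account-control actions from the unfamiliar country; the plain login from that country scores below the threshold, which is where a real platform would add the further signals (device, tenant context, message content) the paragraph mentions.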
Mitigate Your Risk with Intelligent Cloud Email Security
As cloud email continues to replace on-premises email as the preferred implementation, it will become increasingly important for enterprises to invest in more innovative email security solutions. Traditional email security solutions lack the capabilities to block advanced inbound email attacks or platform attacks, and, based on the data, these threats will only grow in frequency and complexity.
As Ira Winkler has said, the world is changing and our security prevention solutions must change with it. It is only by blocking the attacks before they reach our users that we can be sure that our organizations (and our employees) stay protected from the full spectrum of attacks.
For additional insights into the evolving email threat landscape as well as real-world attack examples, watch the on-demand recording of the webinar.