SEG: An Outdated Technology Failing in the Face of Modern Email Attacks
As enterprises across the world struggle to stop modern email attacks, it raises the question: how are these attacks evading traditional solutions like SEGs?
In the past decade, there have been two major shifts in the world of email. First, the majority of enterprises have moved from on-premises email servers to cloud email solutions like Microsoft 365 for better employee experience and productivity. According to the 2021 Gartner Market Guide for Email Security, over 70% of enterprises globally have made significant investments in transforming their email infrastructure to the cloud.
The second shift has been in the mindset and tactics of threat actors. Attackers have moved from traditional email attacks of low-to-mid value and low-to-mid impact (such as spam, campaign phishing, and ransomware delivered through malicious URLs and downloads) to modern email attacks that are high-value and high-impact, such as business email compromise, supply chain compromise, and advanced ransomware. The shift in the attacker’s mindset is motivated by the fact that modern attacks yield a higher return on their investment.
That these modern attacks deliver a higher ROI for attackers is unfortunately evidenced by the rise in cybercrime losses, as these attack types evade traditional email security solutions like secure email gateways (SEGs). According to the FBI’s 2021 IC3 Internet Crime Report, business email compromise (BEC) cost businesses and consumers over $2.4 billion of the $6.9 billion lost, making up 35% of all losses.
An Archaic Technology Not Built to Defend Against Modern Attacks
The quick and straightforward answer to how these attacks evade SEGs is that SEGs never evolved to adapt to those two major shifts: the move to cloud email platforms and the change in the attacker’s mindset. A more elaborate explanation hinges on three key reasons.
Reason #1: Legacy Architecture
The majority of SEGs are not cloud-native and have limited to no native API integrations with modern cloud email solutions. Instead, they are mired in complex MX record integrations and tangled in a web of draconian rules and policies.
The lack of native API integrations means they can only observe the ingress-egress external mail flow, often referred to as north-south traffic. They lack the native API integrations with the cloud email providers’ infrastructure needed to observe east-west (internal) traffic. As a result, they have no visibility into internal email patterns and the rich contextual signals that are critical to stopping modern attacks, for example lateral phishing or account-based attacks.
Reason #2: Outdated Approach
SEGs were built to protect against traditional attacks by creating rules and policies to block known threats based on static threat indicators. The outdated approach has been, essentially, “Oh! Here is an email originating from a bad IP address or untrusted domain. Let’s create a rule to block emails from it.”
But what happens when the attack originates from a newly created account on a trusted domain like gmail.com? Or what happens when the attack originates from a trusted third party that has been compromised or is being impersonated? SEGs have no way of detecting these modern and never-before-seen tactics being employed by threat actors.
As a result of relying on this known-bad approach, security teams find themselves on the back foot when dealing with modern attacks.
Reason #3: Lack of Cloud Email Intelligence
The third reason is closely related to the first two. Because of their architectural shortcomings, SEGs are not built to leverage the rich, contextual signals provided by cloud email platforms (e.g., Microsoft 365 and Google Workspace). They cannot ingest signals such as user sign-in events, compromised-account flags, or user sign-in locations from the cloud email providers.
As an example, consider a series of events in which an attacker tries to use a compromised employee account to launch an attack. The attacker, impersonating an employee who generally signs in from New York, tries to sign in from a suspicious location and fails to gain access to the email account. As a next step, the attacker masks the sign-in IP so that it appears to come from a location in the US and, after a few more failed attempts, successfully signs in.
This event trail is rich with information that should signal anomalous, suspicious activity to an email security solution. However, because SEGs cannot ingest (let alone take advantage of) critical cloud email signals and events like those just described, they miss advanced account-based attacks.
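The sign-in trail above, turned into a detection rule. This is an added example, not Abnormal’s code or any vendor’s API: it runs over constructed sign-in events and a constructed per-user baseline (countries and IPs with a prior successful sign-in) and alerts when a success from a never-before-seen IP follows failed attempts, at least one of which came from outside the user’s baseline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed known-good baseline for one employee (not real telemetry).
BASELINE = {"steve": {"countries": {"US"}, "ips": {"203.0.113.9"}}}

# Constructed sign-in events mirroring the scenario: failures from an
# unusual country, then failures and a success from a new US IP.
SIGNIN_EVENTS = [
    {"ts": "2022-05-02T08:55:00", "user": "steve", "ip": "203.0.113.9",  "country": "US", "success": True},
    {"ts": "2022-05-02T11:40:12", "user": "steve", "ip": "198.51.100.4", "country": "NG", "success": False},
    {"ts": "2022-05-02T11:41:03", "user": "steve", "ip": "198.51.100.4", "country": "NG", "success": False},
    {"ts": "2022-05-02T11:52:30", "user": "steve", "ip": "192.0.2.77",   "country": "US", "success": False},
    {"ts": "2022-05-02T11:53:10", "user": "steve", "ip": "192.0.2.77",   "country": "US", "success": True},
]

@dataclass
class Alert:
    user: str
    ip: str
    failed_attempts: int
    off_baseline_countries: list

def detect_suspicious_signins(events, baseline, window=timedelta(hours=1)):
    """Alert on a successful sign-in from an IP with no success history for the
    user when it follows failed attempts inside `window`, at least one of which
    came from a country outside the user's baseline."""
    events = sorted(events, key=lambda e: e["ts"])
    failures = {}  # user -> list of (timestamp, country) since the last success
    alerts = []
    for e in events:
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        if not e["success"]:
            failures.setdefault(user, []).append((ts, e["country"]))
            continue
        profile = baseline.setdefault(user, {"countries": set(), "ips": set()})
        recent = [(t, c) for t, c in failures.get(user, []) if ts - t <= window]
        odd = sorted({c for _, c in recent if c not in profile["countries"]})
        if e["ip"] not in profile["ips"] and recent and odd:
            alerts.append(Alert(user, e["ip"], len(recent), odd))
        else:
            # An unremarkable success extends the known-good baseline.
            profile["ips"].add(e["ip"])
            profile["countries"].add(e["country"])
        failures[user] = []
    return alerts
```

A gateway that only sees MX-routed mail never receives these sign-in events, which is why the correlation has to live where the identity provider’s telemetry is available.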
When Modern Attacks Get Real and Evade SEGs
Attackers have figured out the formula for launching modern attacks to evade SEGs and extract significant sums of money from enterprises. Below is an example of a vendor impersonation attack on a Fortune 100 company in the financial industry. The company almost fell victim to the attack because its SEG incorrectly determined the email to be a legitimate vendor email.
(We say "almost fell victim" because, in the second part of this story, Abnormal detected and blocked the attack. We will celebrate that win as a security community in a subsequent blog post.)
The impersonated vendor email shown below has all the characteristics of a modern attack: socially engineered, entirely text-based, no known-bad IOCs, and payload-less. It was purposefully crafted to evade an outdated email security solution like a SEG. Let’s take a closer look at the critical misses by the SEG related to this attack.
Miss #1: Relying on Trusted Assumptions
Since the request originates from a known vendor, the SEG did not trigger any warnings or alerts and delivered it to the employee’s inbox. It missed a critical signal that the email had originated from a never-before-seen IP address.
Miss #2: No Relationship Context
The attacker used social engineering and personalization to trick an unsuspecting employee into believing the conversation should be trusted. As SEGs don’t have any relationship context between an organization and its vendors, they miss the fact that John* (names changed to protect customer privacy) from the vendor has never emailed Steve* in accounts payable at this company.
Miss #3: No Tone and Content Analysis
SEGs don’t have advanced natural language processing (NLP), natural language understanding (NLU), or computer vision. Lacking these capabilities, the SEG fails to detect that the email asks for a significant sum to be transferred to a never-before-used bank account. It also misses the tone of the email, which conveys a sense of urgency for the transfer and tries to exploit human behavior.
Miss #4: Only Relies on Known-Bad IOCs
Most modern attacks, like this vendor impersonation example, are payload-less and text-based. As there were no malicious URLs or file attachments to scan, the text-only email matched none of the SEG’s known-bad signatures, so the SEG evaluated the attack email as a legitimate vendor email.
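The four misses as behavioral checks over a known-good baseline. This is an added example, not Abnormal’s detection code: the vendor domain, addresses, sending IPs, message bodies and the scoring threshold are all constructed, and the “tone” check is a deliberately simple regex stand-in for the NLP/NLU analysis the text describes.

```python
import re

# Constructed known-good baseline (not real data): the vendor domain's usual
# sending IPs and the sender->recipient pairs seen in past mail.
BASELINE = {
    "sending_ips": {"vendor-example.com": {"203.0.113.50"}},
    "pairs": {("maria@vendor-example.com", "steve@company-example.com")},
}
URGENCY = re.compile(r"\b(urgent|immediately|today|as soon as possible|asap)\b", re.I)
PAYMENT_CHANGE = re.compile(r"\b(new|updated|changed)\b.{0,40}\b(bank|account|wire|routing)\b", re.I)
AMOUNT = re.compile(r"\$\s?\d[\d,]*(\.\d+)?")

def score_email(msg, baseline=BASELINE):
    """Return (score, reasons): a known-bad IOC pass (URLs/attachments) plus the
    relationship and content checks a static-rule gateway has no baseline to make."""
    reasons = []
    sender = msg["from"].lower()
    domain = sender.split("@", 1)[1]
    # Miss #4: a payload-less email gives a signature scanner nothing to match.
    if not msg.get("urls") and not msg.get("attachments"):
        reasons.append("payload-less: no URL or attachment to scan")
    # Miss #1: mail from a trusted domain, but not from its known sending IPs.
    if msg["sender_ip"] not in baseline["sending_ips"].get(domain, set()):
        reasons.append(f"never-before-seen sending IP {msg['sender_ip']} for {domain}")
    # Miss #2: this sender has never written to this recipient before.
    if (sender, msg["to"].lower()) not in baseline["pairs"]:
        reasons.append(f"no prior relationship {sender} -> {msg['to']}")
    # Miss #3: tone and content: urgency plus changed payment details and an amount.
    body = msg["body"]
    if URGENCY.search(body) and PAYMENT_CHANGE.search(body):
        reasons.append("urgent request to pay into changed bank details")
        if AMOUNT.search(body):
            reasons.append(f"explicit amount {AMOUNT.search(body).group(0)}")
    # The payload-less note is context, not evidence; only behavioral hits score.
    score = sum(1 for r in reasons if not r.startswith("payload-less"))
    return score, reasons

# Constructed messages: an impersonation attempt and a routine vendor email.
ATTACK = {"from": "john@vendor-example.com", "to": "steve@company-example.com",
          "sender_ip": "198.51.100.23", "urls": [], "attachments": [],
          "body": "Hi Steve, please process the $148,500 invoice today. Note our "
                  "updated bank account details below, the old one is closed."}
ROUTINE = {"from": "maria@vendor-example.com", "to": "steve@company-example.com",
           "sender_ip": "203.0.113.50", "urls": [], "attachments": [],
           "body": "Hi Steve, here is the usual monthly statement summary. Thanks!"}

def verdict(msg, threshold=3):
    score, reasons = score_email(msg)
    return ("block" if score >= threshold else "deliver"), score, reasons
```

Both messages pass the IOC check identically; only the baseline comparisons separate them, which is the point of the four misses above.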
An unsuspecting employee would have fallen victim to this modern email attack, leading to significant monetary losses to the company. Fortunately for this enterprise, at the time of the attack, Abnormal was being evaluated as an email security solution in passive mode. We precisely detected and blocked this attack and, in turn, won the trust of a notable brand as our customer.
A Modern Integrated Cloud Email Security Solution Is Required to Defend Against Modern Attacks
Thousands of enterprises, large and small, have assessed the efficacy of their SEGs at blocking advanced modern attacks through Abnormal’s email security risk assessment. We have found that SEGs block only approximately 17% of the attacks blocked by Abnormal! This clearly indicates that a modern email security solution is required to defend against modern email attacks with high efficacy.
Abnormal’s modern integrated cloud email security solution has been developed using:
- Native API integrations and cloud-based architecture
- A behavioral approach that baselines known good and detects anomalies with high precision
- Machine learning models to build federated user and supply chain graphs for rich context
- Natural language processing and natural language understanding models, image recognition, and more to perform precise tone and content analysis
- The full power of cloud email platforms by ingesting thousands of signals to augment its own machine learning and AI models
Not yet an Abnormal customer? Request a demo today to learn how Abnormal can enhance your email security capabilities and provide visibility into email threats that other solutions miss.