Webinar Recap: Blocking the Advanced Attacks Your SEG Never Could
Here’s the worst part: if you’re relying on a secure email gateway (SEG) to protect your organization, you’re likely operating under a false sense of security. SEGs were built to block traditional email attacks that carry known indicators of compromise (IOCs), and they were built for on-premises email environments. But modern cybercriminals are launching attacks that carry none of those IOCs, and more organizations move to cloud-based email every day.
I recently co-hosted a webinar with Hunter Hogan, Digital Technical Specialist at Microsoft, about the new generation of advanced attacks and the inability of legacy solutions to mitigate them. Here are a few key takeaways.
The Evolution of the Email Threat Landscape
Malicious emails have been around for more than three decades, nearly as long as email itself. The first iteration of email attacks used primarily low to mid-value and low to mid-impact tactics like spam. Threat actors would target a large number of people and then receive payment for each click of the spam email. Unfortunately for the cybercriminals, email security solutions providers recognized these patterns and developed technology that could effectively detect and block spam.
In response, cybercriminals transitioned to sending emails with malicious links and/or malicious attachments, which allowed them to infect the recipient’s network and steal valuable data. But, starting in the early 2000s, organizations could rely on their SEGs to block most of these attacks, reducing the ROI for attackers to the point it was no longer lucrative.
Now, threat actors have shifted their strategies once more, using never-before-seen URLs and malware and executing text-based social engineering attacks that focus on compromising people, rather than networks. Free of traditional IOCs, these high-value, high-impact campaigns are nearly impossible for traditional email security solutions to detect and yield a substantial ROI for cybercriminals.
While spam, graymail, and generic phishing emails still exist, advanced email attacks such as business email compromise, supply chain compromise, ransomware, and account takeover are becoming increasingly ubiquitous. For example, between 2020 and 2021, Abnormal observed a 300% year-over-year surge in ransomware payments.
Plus, not only are these modern attacks becoming more pervasive, the ensuing losses are growing. The 2021 Internet Crime Report from the FBI Internet Crime Complaint Center (IC3) revealed that losses from business email compromise amounted to $2.4 billion in 2021.
Common Email Security Challenges
In addition to cybercriminals executing more sophisticated attacks, Hogan explained a few other reasons organizations are struggling to defend themselves.
First, the volume of threat signals security teams have to consume is overwhelming, and turning those signals into actionable insights requires extensive correlation, which is time-consuming and expensive.
Second, many organizations don’t have a unified cybersecurity tech stack, which causes inefficiencies and inconsistencies. “Stitching together expensive siloed tools can lead to gaps in coverage, limited visibility, and fragmented experiences,” said Hogan.
Finally, attack services have become considerably more accessible and affordable over the past decade. “Essentially, if you have access to a computer with an internet connection and the ability to convert fiat currency to cryptocurrency to make a purchase from a bad actor, the average person could launch their own cyberattack,” said Hogan.
Why Modern Email Attacks Evade Secure Email Gateways
For years, secure email gateways were effective at filtering malicious emails because the vast majority of organizations used on-premises email environments and cybercriminals followed the same recognizable attack formula. But now, with 70% of organizations having adopted cloud email solutions and threat actors constantly introducing new tactics, SEGs fall short for three main reasons.
Legacy Architecture
SEGs have a legacy architecture that is not cloud-native and lacks native API integration with Microsoft 365. As a result, a SEG can only observe and block attacks that pass through the ingress-egress external mail flow, also called north-south traffic.
Without the ability to see east-west traffic (mail that never leaves the tenant), a secure email gateway has no visibility into internal email patterns or the contextual signals that are essential to stopping modern attacks, which often originate from the inside, for example from an already compromised employee account.
Reliance on Known Bad
SEGs rely on the concept of known bad: if an organization can identify patterns in past suspicious emails, such as messages sent from a bad IP address or an untrusted domain, it can flag future attacks that match those criteria. The fundamental flaw is that a rules- and policies-based system is triggered only by threats it has already seen. In today’s evolving threat landscape, there is frequently no “known bad” to latch onto.
For example, what happens when the attack originates from a newly created account on a trusted domain like gmail.com? The sending IP is Google’s, the domain has a clean reputation, and the message contains no link or attachment. Because SEGs only look for known IOCs, they can’t defend against never-before-seen attacks like this one.
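To make the difference between “known bad” and “known good” concrete, here is an added example (written for this recap, not code from the webinar, from Abnormal, or from Microsoft). It runs a blocklist-style check and a baseline-style check over three constructed messages: a legitimate internal note, a message from a blocklisted sending IP, and a BEC-style payment-change request from a freshly created gmail.com account that impersonates an executive’s display name. The blocklist, baseline, addresses and keyword list are all assumptions made up for the illustration.

```python
"""Known-bad matching versus known-good baselining, on constructed messages."""
from dataclasses import dataclass


@dataclass
class Email:
    sender_name: str   # display name shown to the recipient
    sender_addr: str   # actual From address
    sender_ip: str     # connecting IP seen at the edge
    recipient: str
    subject: str
    body: str


# Constructed "known bad" indicators a gateway might hold (assumption).
BLOCKED_IPS = {"198.51.100.7"}
BLOCKED_DOMAINS = {"evil-invoices.example"}

# Constructed "known good" baseline: who normally writes to this mailbox,
# as (display name, address) pairs observed over past months (assumption).
BASELINE = {
    "ap@corp.example": {
        ("Dana Reyes", "dana.reyes@corp.example"),
        ("Acme Billing", "billing@acme-supplier.example"),
    }
}

# Phrases typical of payment-redirection BEC (assumed list, not exhaustive).
PAYMENT_TERMS = ("wire", "bank account", "routing number", "payment details")


def known_bad(msg: Email) -> bool:
    """Rule-based check: fires only on indicators seen before."""
    domain = msg.sender_addr.rsplit("@", 1)[-1].lower()
    return msg.sender_ip in BLOCKED_IPS or domain in BLOCKED_DOMAINS


def known_good_anomalies(msg: Email) -> list[str]:
    """Behavioural check: deviations from the recipient's established baseline."""
    findings = []
    trusted = BASELINE.get(msg.recipient, set())
    names = {name for name, _ in trusted}
    addrs = {addr for _, addr in trusted}
    if msg.sender_addr not in addrs:
        findings.append("first-time sender for this recipient")
        if msg.sender_name in names:
            findings.append("display name matches a known contact but address does not")
        text = (msg.subject + " " + msg.body).lower()
        if any(term in text for term in PAYMENT_TERMS):
            findings.append("payment-change language from an unestablished sender")
    return findings


# Constructed sample messages.
LEGIT = Email("Dana Reyes", "dana.reyes@corp.example", "203.0.113.10",
              "ap@corp.example", "Q3 forecast", "Draft attached for review.")
BLOCKLISTED = Email("Billing", "notice@evil-invoices.example", "198.51.100.7",
                    "ap@corp.example", "Overdue invoice", "Pay now.")
BEC = Email("Dana Reyes", "dana.reyes.ceo@gmail.com", "209.85.220.41",
            "ap@corp.example", "Urgent: vendor payment",
            "Please update the bank account on the Acme invoice before 5pm.")


def triage(msg: Email) -> dict:
    """Run both checks and report what each would have caught."""
    return {"known_bad": known_bad(msg), "anomalies": known_good_anomalies(msg)}


if __name__ == "__main__":
    for label, m in (("legit", LEGIT), ("blocklisted", BLOCKLISTED), ("bec", BEC)):
        print(label, triage(m))
```

The gateway check catches the blocklisted message and nothing else; the BEC message comes from Google’s infrastructure on a clean domain, so it matches no indicator at all. The baseline check flags it three times over, purely because it deviates from what the accounts-payable mailbox normally sees. Production systems model far richer baselines (relationships, tone, timing, device), but the logic is the same: compare against known good rather than wait for a known bad to appear.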
Limited Cloud Email Integration
Within the Microsoft 365 platform, there are thousands of context-rich signals such as sign-in events and compromised accounts that can be used to detect suspicious behavior. However, due to the shortcomings of its architecture and approach, a secure email gateway is unable to leverage these signals.
Say an employee who usually signs in from San Francisco attempts to sign in from the Netherlands. After multiple failed login attempts, the same account is suddenly signing in from New York, this time successfully. That sequence is a critical signal of a potential account takeover, and a SEG would miss it entirely because it cannot ingest or correlate sign-in telemetry.
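The correlation described above is simple to express once the sign-in events are actually available to the detector. The following added example (written for this recap, not code from the webinar, from Abnormal, or from Microsoft) runs that logic over a constructed set of sign-in events: it raises an alert when a successful sign-in from a location outside the user’s baseline follows a burst of failures from a different non-baseline location within a short window, and stays quiet for a user who simply signs in from a new city with no preceding failures. The event format, thresholds and baseline locations are assumptions for the illustration, not Microsoft 365’s actual schema.

```python
"""Correlating sign-in telemetry a gateway never sees, on constructed events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Per-user baseline of locations seen in past successful sign-ins (assumption).
BASELINE = {
    "jlee@corp.example": {"San Francisco, US"},
    "mpatel@corp.example": {"Austin, US"},
}

# Constructed sign-in events: (timestamp, user, location, outcome).
EVENTS = [
    ("2022-03-01T09:02:11Z", "jlee@corp.example", "San Francisco, US", "success"),
    ("2022-03-01T23:41:05Z", "jlee@corp.example", "Amsterdam, NL", "failure"),
    ("2022-03-01T23:41:38Z", "jlee@corp.example", "Amsterdam, NL", "failure"),
    ("2022-03-01T23:42:10Z", "jlee@corp.example", "Amsterdam, NL", "failure"),
    ("2022-03-01T23:49:27Z", "jlee@corp.example", "New York, US", "success"),
    # Benign travel: a new city, but no failure burst beforehand.
    ("2022-03-01T14:10:00Z", "mpatel@corp.example", "Denver, US", "success"),
]

FAILURE_THRESHOLD = 3          # failures from one unusual location (assumed)
WINDOW = timedelta(minutes=30)  # look-back before the suspicious success (assumed)


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def suspicious_signins(events, baseline):
    """Return (user, failure_location, success_location, success_time) tuples.

    An alert is raised for each successful sign-in from a non-baseline location
    that is preceded, within WINDOW, by at least FAILURE_THRESHOLD failures from
    a *different* non-baseline location: the "tried from one place, got in from
    another" pattern that suggests the attacker is rotating infrastructure.
    """
    by_user = defaultdict(list)
    for ts, user, loc, outcome in events:
        by_user[user].append((parse_ts(ts), loc, outcome))

    alerts = []
    for user, evs in by_user.items():
        evs.sort()  # chronological order per user
        usual = baseline.get(user, set())
        for i, (t, loc, outcome) in enumerate(evs):
            if outcome != "success" or loc in usual:
                continue
            # Count recent failures per unusual location.
            recent_failures = defaultdict(int)
            for t_prev, loc_prev, out_prev in evs[:i]:
                if (out_prev == "failure" and loc_prev not in usual
                        and t - t_prev <= WINDOW):
                    recent_failures[loc_prev] += 1
            for fail_loc, count in recent_failures.items():
                if count >= FAILURE_THRESHOLD and fail_loc != loc:
                    alerts.append((user, fail_loc, loc, t))
    return alerts


if __name__ == "__main__":
    for user, fail_loc, ok_loc, when in suspicious_signins(EVENTS, BASELINE):
        print(f"{when:%Y-%m-%d %H:%M} {user}: {FAILURE_THRESHOLD}+ failures from "
              f"{fail_loc}, then success from {ok_loc}")
```

Only the first user trips the rule. The value of this signal for email security is what happens next: the successful New York session can now send mail from inside the tenant, and that east-west mail never passes through a gateway. A detector that ingests the sign-in events can treat every message from that account as high risk from the moment of the alert; a SEG has no way to know anything changed.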
Clearly, enterprises need to consider a new approach to email security that includes native cloud email protection and integrated cloud email security. Gartner reports that by 2023, at least 40% of all organizations will use built-in protection capabilities from cloud email providers rather than a SEG.
Stopping the Full Spectrum of Email Attacks
Ultimately, the goal for organizations of any size is to achieve a security posture that ensures the company is protected from all types of email attacks—from the simplest spam to the most sophisticated account takeover. That just isn’t possible with a secure email gateway.
In fact, if you’re currently using a SEG with Microsoft Office 365, there’s a good chance you’re not reaping the full benefits of Microsoft’s built-in email security capabilities. We’ve often had customers tell us the SEG vendor has requested they disable certain features within the Microsoft platform, marginalizing the efficacy of a solution they’ve already paid for.
Further, during our risk assessments, we’ve found that SEGs block only about 17% of the attacks that Abnormal does. Without the right technology, more than 80% of those malicious emails are delivered straight to your employees’ inboxes, putting you at risk of costly cybercrime.
But with Microsoft Defender for Office 365 and Abnormal, you receive comprehensive, defense-in-depth protection. Microsoft Defender for Office 365 identifies known bad as well as similar to known bad, while Abnormal models known good to identify anomalies. Together, the two solutions keep malicious emails from ever making it to employee inboxes.
Learn Even More About Microsoft and Abnormal
Hunter and I discussed so many great topics in the webinar that a single blog post isn’t enough to cover them all. If you’d like to learn about:
The four-phase approach Microsoft takes to threat protection
The three key elements of Abnormal’s integrated cloud email security solution
How Microsoft and Abnormal work together to keep your organization safe
Then we invite you to watch the recording here!