Despite many years of organizations using firewalls, filters and secure email gateways (SEGs), malicious email messages still pose a huge threat.

Business email compromise often starts with an email message. Phishing messages may lead to account takeovers. Malware can be delivered through attachments or embedded links.

A malicious email message that evades detection is often just the initial vector in successful network or cloud-instance penetration. And the advent of AI-powered phishing campaigns is making things worse.

"Email is the starting point for attacks that quickly expand into other parts of the digital ecosystem and can escalate into compromised identities, cloud access abuse, or manipulation of collaboration tools — well beyond what traditional email defenses are built to handle," said Connie Stride, SVP of Product at Darktrace, in a company blog post.
What's needed are new ways of detecting and blocking malicious email messages, even those that bear no attachments or links to known malicious pages, and of correlating suspicious activity in other parts of the organization.

What works is behavioral analysis powered by AI that learns the writing style, tone, vocabulary choices, history and systemwide activity of each email user in an organization, the better to spot anomalous signals both in email messages and in other domains.

Combined with other innovations like Brand Indicators for Message Identification (BIMI), active screening for personally identifiable information (PII) and protected health information (PHI) in outgoing messages, sandboxed payload analysis, and cloud-based automated forensic investigations, behavioral analysis can spot and block messages that evade legacy email defenses.

"Across real-world deployments, Darktrace/EMAIL immediately identified the 17% of threats that bypassed SEGs, including highly targeted social engineering messages," says the company. "Traditional methods miss these threats because they're built to stop obvious spam and malware and, to avoid false positives, default to trusting emails that appear routine."
The constant danger that email delivers
We're all familiar with phishing emails, and we've learned to be wary of unsolicited messages bearing unexpected attachments and using awkward or misspelled language, especially when they come from people we don't know.

Our adversaries have adjusted to our awareness. Smarter phishing emails spoof the addresses of people you do know, especially your co-workers. ChatGPT and other large language models make it easy for even non-English speakers to craft phishing messages with impeccable spelling and grammar. Malicious attachments have been replaced by malicious links that are disguised to seem familiar or innocuous.

Better yet for the attackers, many modern phishing emails don't look like phishing emails at all. They may seem to come from legitimate domains. They have no attachments. The language used matches that of normal business matters. As a result, the messages breeze past traditional static email filters.

But like many scams, the messages themselves will urge immediate action, such as by requesting settlement of seemingly past-due invoices, diversion of scheduled payments to new accounts, or switching of vendors. Filters can't catch the gist of those messages, but context-aware AI can.

Boringly benign emails may also be part of email-bombing attacks that flood inboxes with a deluge of pointless messages. These campaigns can serve to hide genuinely malicious emails in the crowd or drown out genuine security alerts.

Another variant of email bombing has fake IT technicians reach out to the beleaguered message recipients through Teams, Slack or a telephone call and offer to resolve the problem. The relieved target hands their account credentials to the fake technician, and it's game over.
The Scattered Spider threat group has reportedly been using the fake IT angle.

"Because these emails often originate from legitimate services and contain no malicious payloads, traditional email tools struggle to detect them until the attack is already well underway, leaving organizations exposed," says Darktrace.
New approaches to counter email threats
Darktrace's own solution to catch these harmless-seeming messages is to deploy what it calls Self-Learning AI as part of its Darktrace/EMAIL solution.

The AI learns the preferred vocabulary, normal tone, and regular behavior of each user in an organization. When the users exchange email messages, the Self-Learning AI analyzes the messages for patterns, word choice and message tone that don't seem normal for each user.

"[The] Self-Learning AI engine understands how each organization normally communicates and spots subtle changes in sender, tone, timing, and behavior that signal a threat, even when conventional tools see nothing unusual," explains Darktrace.

As explained above, this more holistic approach can catch many messages that traditional secure email gateways fail to spot.

"SEGs most frequently miss context-driven, low-signal attacks," wrote Darktrace Senior Product Marketing Manager Carlos Gray in a recent blog post. "Nearly one in six of the riskiest inbound emails still evade the native and SEG layers on the first pass — 17% is the average SEG miss rate after Microsoft filtering."

He related a real-world example of behavioral detection in action.

"A global enterprise saw a surge of 'document-share' notifications from a trusted collaboration platform," Gray wrote. "The domain and authentication looked fine; their SEG allowed it. Darktrace/EMAIL flagged it because the supplier's sharing behavior and permission scope deviated from normal (volume, recipients, and access level). Follow-up confirmed the supplier account was compromised. Behavioral context — not rules or signatures — made the difference."
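The document-share case Gray describes, as an added illustration that is not Darktrace's code or method: a per-sender baseline of daily notification volume, distinct recipients and highest permission scope is learned from a history window, and the observed day is flagged on whichever of those three signals deviates. The sender and recipient addresses, the history, the day-11 burst and the z-score threshold are all constructed for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history (not real telemetry): for ten days a supplier's notification account
# shares "view"-only documents with the same two recipients, two or three messages a day.
HISTORY = [(d, "notify@supplier.example", r, "view")
           for d in range(1, 11) for r in ("ap@corp.example", "buyer@corp.example")]
HISTORY += [(d, "notify@supplier.example", "ap@corp.example", "view") for d in (2, 5, 9)]

# Constructed observation for day 11: a burst of "edit" shares to forty new recipients.
TODAY = [(11, "notify@supplier.example", f"user{i}@corp.example", "edit") for i in range(40)]

PERM_RANK = {"view": 1, "comment": 2, "edit": 3, "owner": 4}
FEATURES = ("volume", "recipients", "permission")

def daily_features(records):
    """Per sender and day: (message count, distinct recipients, highest permission rank)."""
    per_day = defaultdict(lambda: defaultdict(lambda: [0, set(), 0]))
    for day, sender, rcpt, perm in records:
        f = per_day[sender][day]
        f[0] += 1
        f[1].add(rcpt)
        f[2] = max(f[2], PERM_RANK.get(perm, 0))
    return {s: [(c, len(r), p) for c, r, p in days.values()] for s, days in per_day.items()}

def baseline(history):
    """Mean and population stdev of each feature, per sender, over the history window."""
    return {sender: [(mean(col), pstdev(col)) for col in zip(*rows)]
            for sender, rows in daily_features(history).items()}

def score(observation, base, threshold=3.0):
    """Return {sender: [deviating features]} for the observed day; {} when all is normal."""
    alerts = {}
    for sender, rows in daily_features(observation).items():
        if sender not in base:
            alerts[sender] = ["unknown sender"]  # no baseline yet; surface it for review
            continue
        for feats in rows:
            deviations = []
            for name, value, (mu, sigma) in zip(FEATURES, feats, base[sender]):
                if sigma:
                    anomalous = (value - mu) / sigma > threshold
                else:  # feature never varied in history, so any increase is a deviation
                    anomalous = value > mu
                if anomalous:
                    deviations.append(name)
            if deviations:
                alerts[sender] = deviations
    return alerts
```

Authentication (SPF, DKIM, DMARC) passes for every record here, which is the point: the only thing that separates day 11 from the history is how the sender behaves, so `score(TODAY, baseline(HISTORY))` flags all three features while a normal day returns nothing.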
Furthermore, a new integration between Darktrace/EMAIL and Darktrace/IDENTITY means that if the former spots the signs of an email-bombing campaign, it can alert the latter to tighten up the protections around targeted users, stopping account-takeover or impersonation attempts.

Another new feature of Darktrace/EMAIL is full support for Brand Indicators for Message Identification (BIMI), a standard that places organizational logos on outgoing emails and makes it easier for recipients to have confidence in the origin of the messages.

"By pairing BIMI enforcement with Darktrace's behavioral detection capabilities," says the company, "organizations can authenticate outbound messages while identifying inbound emails that attempt impersonation, helping to protect both their brand and their users."

Darktrace's email solution has also beefed up its data-loss-prevention capabilities, adding the ability to detect the exfiltration of more than 35 new categories of PII and PHI.

"Together, BIMI support and behavioral DLP help organizations secure both who appears to be sending an email and what is being sent, strengthening trust in outbound communications while reducing the risk of sensitive data exposure," the company says.

In addition, there's integration with Microsoft Defender and Copilot to speed up incident investigation and response, and sandboxed analysis of potentially malicious attachments and other payloads.

"By embedding directly into the Microsoft ecosystem," wrote Gray in another blog post, "analysts gain instant access to correlated insights without switching consoles."

Darktrace/EMAIL can also now automatically create ServiceNow or Jira tickets, beginning the remediation process and saving SOC team members the trouble.

"The new capabilities," writes Darktrace, "will help security teams catch sophisticated attacks that evade traditional email tools, protect sensitive data, and preserve trust in digital communications — all while reducing operational complexity in crowded security environments."
Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.