
Take Down Attacker Infrastructure to Disrupt Email Abuse Campaigns

Email is the most prevalent attack vector facing organizations today. A recent Verizon Data Breach Investigations Report reflects the breadth of email abuse: 94% of the malware it examined was delivered by email. Security vendors acknowledge this continual upward trend in email-based attacks and have innovated accordingly. Solutions like email security gateways, anti-phishing tools and spam filters address many of the problems posed by email. Despite all the investment and effort, compromises still occur. Why? Because the cost of running a campaign is low and the payout remains worthwhile. It’s time we changed that equation.

Most email security solutions focus on flagging potential spam, blocking known malicious senders, and filtering out malicious links and attachments – all tactics that temporarily inhibit an attacker but do not stop them. With the low execution cost (botnets deliver phishing emails for pennies per million messages) and the low barrier to entry, adversaries continue to invest in email as an ideal delivery method for a wide range of attacks.

Identifying gaps in current email protection coverage

From phishing to brand impersonation and malware delivery, organizations have an obligation to protect their brand, their employees and their customers from threats delivered over email. Traditional security tools focus on detection and response: alerting on potential malware, blocking sender addresses, and routing mail to spam folders. Organizations need a solution that not only blocks malicious email but also takes down the infrastructure behind it, so the same attacker cannot simply send the next campaign. By dismantling that investment – suspending fake accounts, removing spoofed sites and the like – we raise the cost to attackers and disincentivize them from targeting your customers and spoofing your brand.

Here’s what we know:

  • Email-based attacks persist despite a plethora of security tools designed to prevent, detect and remediate them. These tools are reactive: they address the symptoms more than the root cause.
  • Most organizations rely on automation and on self-reporting by internal employees and external email recipients to identify phishing, brand abuse and malware.
  • Self-reporting channels such as abuse inboxes are a rich source of telemetry, but security and IT teams often struggle to process, synthesize and act on them quickly.
  • A combination of internal tools and external solutions is necessary to combat email threats.
  • Addressing the root cause by taking down attacker infrastructure drastically raises the cost to attackers and dissuades them from future attacks: it becomes more cost-effective for them to move to softer targets.

Enhance protection by leveraging an under-utilized resource: abuse@ inboxes and DMARC failure reports

As a first line of defense, many organizations rely on an abuse@ mailbox to collect potentially malicious emails reported by employees and customers. These inboxes are usually maintained by an IT or security team that reviews each email, blocks senders determined to be malicious, and quarantines or deletes emails that pose a threat.

In a perfect world, these teams would have unlimited resources and time to review and contextualize every email that comes in. In practice they have limited bandwidth for in-depth analysis, which leads to a cycle of detecting and blocking or, worse, to inboxes that go largely unreviewed.
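The first pass of that review can be automated. As an added example (not ZeroFOX's code or any product's), the script below parses one message forwarded to an abuse inbox, pulls out the identifiers a reviewer looks at first (From, Reply-To, Return-Path, the receiving server's Authentication-Results verdicts, and every URL in the body) and flags the common spoofing signs: a DMARC failure, a Reply-To or Return-Path on a different domain from the From address, and links to hosts outside the From domain. The message, its domains and the mx.example.com receiver are constructed for the example.

```python
import email
import re
from email import policy
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: a spoofed "support" message as it might arrive in abuse@.
# All names are made up; the .invalid TLD is reserved for exactly this purpose.
SAMPLE = """\
Return-Path: <bounce@attacker.invalid>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=attacker.invalid;
 dkim=none; dmarc=fail header.from=example.com
From: "Example Support" <support@example.com>
Reply-To: helpdesk@example-verify.invalid
To: victim@example.com
Subject: Action required: verify your account
Content-Type: text/plain; charset="utf-8"

Your account will be suspended. Verify at https://login.example-verify.invalid/auth?u=victim
Questions? See https://www.example.com/help
"""

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def addr_domain(header_value) -> Optional[str]:
    """Domain of the first address in a header value (From, Reply-To, Return-Path)."""
    if not header_value:
        return None
    m = re.search(r"@([A-Za-z0-9.-]+)", str(header_value))
    return m.group(1).lower() if m else None


def triage(raw: str) -> dict:
    """Extract indicators from one forwarded message and flag spoofing signs."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = addr_domain(msg["From"])
    reply_domain = addr_domain(msg["Reply-To"])
    bounce_domain = addr_domain(msg["Return-Path"])

    # Authentication-Results is stamped by the receiving MTA; keep the first
    # (topmost, most recent) verdict for each mechanism.
    auth = {}
    for ar in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_RE.findall(str(ar)):
            auth.setdefault(mech.lower(), result.lower())

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = sorted(set(URL_RE.findall(text)))
    hosts = sorted({h for h in (urlsplit(u).hostname for u in urls) if h})

    findings = []
    if auth.get("dmarc") == "fail":
        findings.append("dmarc_fail")
    if reply_domain and reply_domain != from_domain:
        findings.append("reply_to_mismatch")
    if bounce_domain and bounce_domain != from_domain:
        findings.append("return_path_mismatch")
    for host in hosts:
        # Links that lead anywhere other than the From domain or its subdomains.
        if from_domain and host != from_domain and not host.endswith("." + from_domain):
            findings.append("offdomain_url:" + host)

    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "return_path_domain": bounce_domain,
        "auth": auth,
        "urls": urls,
        "url_hosts": hosts,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample this returns four findings: the DMARC failure recorded by the receiver, the mismatched Reply-To and Return-Path domains, and the off-domain login link, which is the indicator a takedown request would be built around. The host extracted from that link, not the spoofed From address, is the piece of attacker infrastructure worth acting on.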

Another method for validating the authenticity of email is DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance” (RFC 7489), an email authentication, policy, and reporting protocol. It builds on SPF and DKIM: a message passes DMARC only if at least one of those checks passes for a domain aligned with the author (“From:”) domain. The domain owner publishes a policy in a DNS TXT record at _dmarc.<your-domain> that tells receivers how to handle messages that fail (p=none, p=quarantine or p=reject) and where to send reports (rua= for aggregate reports, ruf= for per-message failure reports). When a sender address is spoofed, as is typical in phishing campaigns, the message fails DMARC at the receiver, and a receiver that supports failure reports sends one to the ruf= address containing the headers and often the body of the offending message, which identifies the sending infrastructure and the lures it carried. Two caveats: a failure report is only generated if a ruf= address is published, and not every receiver sends them, so aggregate reports remain necessary to see the whole picture. Even where failure reports do arrive, their contents are often ignored or underutilized. This is unfortunate, because they can surface abuse that other protections miss. Outsourcing their processing to a service is an easy way to add significant protection while minimizing impact on IT staff and users.
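To make the mechanics concrete, here is an added example (not ZeroFOX's code or any receiver's implementation) that parses a published DMARC record, evaluates a message against it the way a receiving MTA does, and decides whether a per-message failure report would go to the ruf= address. It goes slightly beyond the paragraph by handling the sp= subdomain policy and the fo= report-trigger options. The two records and all domains are constructed; the organizational-domain logic is simplified to the last two labels, where a real receiver consults the Public Suffix List.

```python
from typing import Optional


def parse_dmarc_record(txt: str) -> dict:
    """Parse the tag=value list of a _dmarc TXT record (RFC 7489 section 6.3),
    applying the RFC defaults for optional tags. Raises ValueError on records a
    receiver would discard (v=DMARC1 not first, or p= missing)."""
    tags: dict = {}
    first = True
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        key = key.lower()
        if first and (key != "v" or value != "DMARC1"):
            raise ValueError("record must start with v=DMARC1")
        first = False
        tags[key] = value
    if "p" not in tags:
        raise ValueError("p= tag is required")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment
    tags.setdefault("aspf", "r")      # relaxed SPF alignment
    tags.setdefault("fo", "0")        # failure report only on full DMARC failure
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption:
    real receivers use the Public Suffix List so that example.co.uk works)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict (s) requires an exact match with the From:
    domain, relaxed (r) only the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record: str, from_domain: str, spf_result: str, spf_domain: Optional[str],
             dkim_result: str, dkim_domain: Optional[str]) -> dict:
    """spf_domain is the envelope (RFC5321.MailFrom) domain SPF was checked for;
    dkim_domain is the d= of the verified DKIM signature, if any. pct= sampling
    and receiver-local overrides are ignored here."""
    tags = parse_dmarc_record(record)
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    dmarc_pass = spf_aligned or dkim_aligned

    is_subdomain = org_domain(from_domain) != from_domain.lower()
    applied_policy = tags["sp"] if is_subdomain else tags["p"]
    disposition = "none" if dmarc_pass else applied_policy

    # fo= options (may be combined with ':'):
    #   0  report when every mechanism fails to give an aligned pass (DMARC fail)
    #   1  report when any mechanism fails to give an aligned pass
    #   d  report when a DKIM signature failed to verify, regardless of alignment
    #   s  report when SPF failed, regardless of alignment
    fo = set(tags["fo"].split(":"))
    wants_report = (("0" in fo and not dmarc_pass)
                    or ("1" in fo and not (spf_aligned and dkim_aligned))
                    or ("d" in fo and dkim_result == "fail")
                    or ("s" in fo and spf_result == "fail"))
    # No ruf= address means no report, however the message was handled.
    report_to = [u.strip() for u in tags["ruf"].split(",")] if wants_report and "ruf" in tags else []

    return {"dmarc": "pass" if dmarc_pass else "fail", "disposition": disposition,
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "failure_report_to": report_to}


# Constructed records: a monitoring-only record that tells nobody anything,
# beside one that enforces and publishes a failure-report destination.
WEAK = "v=DMARC1; p=none"
STRONG = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; "
          "rua=mailto:dmarc-agg@example.com; ruf=mailto:abuse@example.com; fo=1")

if __name__ == "__main__":
    # A spoof: the attacker's own MTA passes SPF for its envelope domain, no DKIM.
    spoof = dict(from_domain="example.com", spf_result="pass", spf_domain="attacker.invalid",
                 dkim_result="none", dkim_domain=None)
    print("weak:  ", evaluate(WEAK, **spoof))
    print("strong:", evaluate(STRONG, **spoof))
```

Running the spoof through both records shows the difference that one line of DNS makes: under WEAK the message fails DMARC but is delivered and no report is produced, so the abuse is invisible; under STRONG it is rejected and a failure report naming attacker.invalid goes to abuse@example.com. Note also that fo=1 produces a report even for a message that passes DMARC on one mechanism, which is useful for catching misconfigured legitimate senders before tightening the policy.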

Meet ZeroFOX’s Email Abuse and Phishing Protection

ZeroFOX Email Abuse and Phishing Protection enhances organizational email security, detecting brand abuse, phishing and targeted campaigns that other solutions miss. It complements your current email protection by leveraging information you already have, such as DMARC failure reports and forwarded abuse@ inboxes, with no impact on your users.

With a simple change, such as adding a ruf= report address to your DMARC record or adding another mail route for your abuse@ inbox, you can start streaming these sources into the ZeroFOX platform in minutes. ZeroFOX then applies its AI-driven rule engine to filter out the noise and create alerts on noteworthy incidents. Each alert includes information such as content previews and headers to simplify investigation. Next, ZeroFOX’s expert analysts execute playbooks to report or take down the malicious indicators identified in these emails, mitigating the incident and minimizing future harm or disruption inside and outside your organization.

ZeroFOX analyzes these rich sources of malicious email and remediates malicious domains, brand impersonations and offensive content to keep your employees and customers protected. We notify the blocklists that your existing solutions consume, and we go further by dismantling attacker infrastructure so that future attacks are prevented and adversaries move on to softer targets.

Interested in learning more? Check out this short video showcasing the capabilities.