Is email really that dangerous? (Updated)

Spoiler alert: yes. Previously, here , we looked into phishing and some of the actions you could take to protect yourself. This time, we want to dive a little deeper into what makes email so dangerous, but also, what you can do to protect yourself and your company (because as bad email is, we still need it to get a lot of things done).

Most malware is still delivered via email, and when you think of it, it is pretty logical, other attack vectors  (like USB keys) require someone to buy the keys, infect them, find you, try to get the key in your hands and then try to persuade you to connect it. With email, they can send a million of them in a couple of minutes, and even if they have a one-in-a-million chance of you opening one, well, that is still one person for a couple of minutes of investment…

To understand the risk and why some of the protection methods from before are no longer effective, it is important to understand what has changed with malware (aka viruses, trojans, ransomware, adware, rootkits…) in the last couple of years. Malware used to be simpler, it had a specific binary signature that would be injected into a file and you could look for it (scan) and discover hidden malware to deal with it before you got infected. You had a “virus scanner” that would get updated regularly, would check all new and old files and keep you safe. But how things have changed:

• First: there is now file-less malware, they never actually get written to disk, so they evade all previous generation anti-malware that is looking into files.
• Second: Malware is now polymorphic, it changes its signature every time it moves, so signature scanning is useless.
• Third: zero-day attacks, they are so new that detection software is not yet updated to detect it

So, what to do? Use a new generation of anti-malware (aka Next Generation). The new products on the market are now called “behaviour” based anti-malware. They execute under the assumption that malware could be anywhere and watches for abnormal behaviour. For example, you receive an urgent email from an unknown customer that wants to place a large order. You open the attached PDF (PDFs now make up 18% of all new malicious filetypes, while Office files make up 10% [1]) and without you noticing, it (the PDF) starts downloading a second file, modifies your registry and scans your hard drive, that’s not “normal” behaviour for a PDF! So, the Next Generation anti-malware stops those actions, quarantine the PDF and lets you know what happened.

Before we get back to email, I also want to introduce another cyber security concept: “defence in depth”. The key to the concept is to have multiple layers of defence to stop attacks/malware before it even gets to your devices. Think of your classic medieval castle, it did not just have a door, it had moats, high walls, draw bridges… So, the anti-malware running on your device (because you are running one, right?) is your last line of defence, whenever possible you want to stop everything before it gets to you. With email, this is actually easier since all emails need to go through a server before they get delivered to you and a minute or two of delay to make sure all is safe is acceptable.

Here is what a Next Generation email gateway solution looks like: all emails coming in (and ideally out) are analyzed. This gateway is usually a stop before your existing email solution (like Office 365 or G-Suite)

1. All attachments are reviewed against a known good database (if that exact file, with that exact binary signature, has already been tested, it gets the ok to move on)
2. Unknown attachments are scanned with multiple signature-based anti-virus (they miss things, but they are fast, so it is an easy step to detect low-end malware)
3. If the attachment still looks ok, it is then moved into multiple “sandboxing” engines. Here we take the file and open it in a virtual environment made to look like a real device and see it does anything unexpected (bad behaviour). We recommend using multiple different sandboxing engines because newer malware also uses evading technics if they think they are in a sandbox.
4. Then the URLs (web links) in the email are checked to see if they could potentially connect to bad websites or infected files.
5. And if all this looks good, the email is sent to your mailbox (and this usually all happens in under 2  minutes).

So by using a proper Next Generation email gateway and using a newer behaviour-based Next Generation anti-malware on your devices, you dramatically increase your level of protection, but we will also tell you about a secret weapon that can save you from a lot of trouble: a telephone. If you receive an unexpected email from someone, especially with an attachment, call that person before you open it.

Lastly, if you receive an email with an encrypted zip file and they very graciously provided the password in the email, just delete it (and if you really (really) think it could be something you need, call the person first!).

Safe emailing everyone!

Loïc

*1:SonicWall 2022 Cyber Threat Report (https://www.sonicwall.com/2022-cyber-threat-report/)