Email Phishing & Spoofing Threats Intensify, Bypass Security Measures

One in every 99 emails is a phishing attack, using malicious links and attachments as the main vector; secure email gateways fail to stop 99.5% of all non-trivial email spoofing attacks.

Those are results from two separate reports researching email threats. over the past decade or so, phishing and spoofing attacks have become a widespread digital threat for many organizations including credit unions and other financial institutions.

The “Global Phish Report” from New York based Avanan, which delivers a cloud security platform, analyzed 55.5 million emails sent to organizations using Microsoft Office 365 and Google G Suite. The study not only found about 1% were phishing attacks, but of those incursions 25% bypassed Office 365 security. They warned that number that is likely to increase as hackers design new obfuscation methods taking advantage of zero-day vulnerabilities.

Other concerning Avanan findings included that 33% of emails containing a link to a site hosted on WordPress; and 98% of emails containing a crypto wallet address are phishing attacks.

“Cloud-based email, despite all of its benefits, has unfortunately launched a new era of phishing attacks,” Yoav Nathaniel, lead security analyst at Avanan said. “The nature of the cloud provides more vectors for hackers and gives them broader access to critical data when a phishing attack is successful. Organizations are in desperate need for more information on phishing attacks and how to combat these attacks.”

Avanan’s study indicated phishing is the number one email security threat, outranking both malware and ransomware. Employees are bombarded with spearphishing, extortion, credential harvesting and malware attacks. The cloud email platforms by themselves cannot reliably block emails containing malicious language, links or attachments.

Other key findings:

• Over 30% of phishing emails sent to organizations using Office 365 Exchange Online Protection were delivered to the inbox.
• Over 50% of all phishing emails contain malware and 40.9% credential harvesting capabilities. Spearphishing .04% and extortion (8%) make up the remaining threat vectors. Avanan noted although spearphishing is far less common than the other vectors, it often has the largest effect. Spearphishing attacks target high level employees who have access to either company finances, financial accounts, or other sensitive information.
• One out of every 25 branded emails sent to organizations were found to be phishing emails, with Microsoft being the most impersonated brand throughout the year, except for the holiday season, during which it is Amazon.

Israeli-based email security provider IRONSCALES in its two-year study of more than 100,000 verified SEGs failed to stop almost all non-trivial email spoofing attacks, including sender name impersonations and domain look-alike attacks.

The most common email spoofing attack techniques to bypass SEGs include:

• Exact sender name impersonations (73.5%). When an email is sent masquerading as coming from a trusted source, such as a colleague. Example: SteveJobs[at]techcompanyxyz.com.
• Similar sender name impersonations (24%). When an email is sent masquerading as coming from a trusted source, such as a colleague, with minor obfuscations. Example: SteveJabs[at]techcompanyxyz.com.
• Look alike/cousin domain spoofing (2%). When an email is sent from a similar domain, in which attackers register the domain to set the right authentication records in the DNS. Example: SteveJobs[at]aapple.com.
• Exact domain spoofs (.5%). When an email is sent from a fraudulent domain that matches exactly to the spoofed brand’s domain. Example: SteveJobs[at]apple.com.

IRONSCALES pointed out secure email gateways, when configured correctly, are compliant with the domain-based message authentication, reporting and conformance, an email authentication protocol built specifically to stop exact domain spoofing. As such, SEGs are proving effective at identifying and stopping exact domain spoofing attacks. However, this attack technique is the least common of the four impersonation tactics because of the time and complexity associated with crafting an exact domain spoof.

IRONSCALES’ research concludes that SEG technology is severely limited in reducing risk from the vast majority of the most common email spoofing attacks. In addition, the findings reinforce the severe limitations of DMARC.

Eyal Benishti, IRONSCALES founder/CEO, said, “Our new data reinforces that legacy SEG technology was not built to identify social engineering attacks that are often absent of a malicious payload such as a link and attachment. Even as SEGs attempt to modernize through acquisition or innovation, gaping vulnerabilities remain that keep their customers at risk of succumbing to both the most common and sophisticated email spoofing attack techniques.” Benishti added, while SEGs ability to prevent the most trivial and common domain spoofing attacks is a value-add, this benefit is more of a credit to the technology’s compliance with DMARC. “Moving forward, organizations must address the threat of email spoofing by implementing advanced mailbox-level security that continuously studies every employee’s inbox to detect anomalies based on both email data and metadata extracted from previously trusted communications.”