Email Security Blog

Using ML to Stop Latent Email Attacks That Dodge Early Detection

Scot Kennedy July 25, 2019 Email Security

When implemented effectively, real-world deployments of machine learning (ML)-based email security can block business email compromise (BEC) scams, phishing campaigns, and other advanced email threats. But sometimes, it’s what happens when a malicious email is somehow able to evade early detection that can matter most to that effort.

According to recent research, 22.9 phishing attacks are launched every minute—20% of them from hijacked email accounts. As many as 30% of corporate employees will open a phishing email, and 4% will fall for it. The FBI estimates that phishing, BEC scams, and other email attacks cost businesses more than $2.7 billion in 2018, up nearly 100% year-on-year. And as a growing number of organizations move to G Suite, Microsoft Office 365, and other popular cloud platforms, cybercriminals have followed suit. O365 alone now accounts for 36% of all phishing attacks—rising 250% in just the last year.

With an ever-increasing number of new attacks, we’ve reached a point where cybercriminals are using QR codes instead of links to easily bypass security controls. They’re weaponizing legitimate URLs through links that redirect only after the email has been delivered. Some are even using ML themselves, automating social engineering at scale to generate fraudulent emails that mimic the writing style of the email sender being impersonated.

While most email security solutions are designed to catch these malicious emails before they reach user inboxes, no solution can detect and block every single malign email, 100% of the time. But as we’ve discovered, the best deployments of ML-based email security can play a critically important role when these latent email threats are detected post-delivery.

Not Just Any ML Will Do

For those not fully dialed into the subject, machine learning is a subset of artificial intelligence (AI) that’s centered on enabling computer systems to recognize patterns and learn from sets of labeled sample (or “training”) data in order to make predictive business decisions.

Our approach to leveraging ML to eliminate BEC scams, phishing attacks, and even the most sophisticated zero-day email threats—including those launched from hijacked email accounts—is unique. Instead of a sole focus on training ML to search for attacks, Secure Email Cloud draws intelligence from more than 2 trillion email messages annually to graph relationships and behavioral patterns between individuals, businesses, services, and domains. By analyzing hundreds of different characteristics, or “features,” it’s able to establish what we define as trusted or “good” communications.

By using proven machine learning techniques, Agari Secure Email dynamically scores each new email message against those trusted patterns, enforcing policies according to each organization’s specific requirements.
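To make the “trusted patterns” idea concrete, here is an added illustration (not Agari’s code, and not a description of how Secure Email Cloud is actually implemented): a sender/recipient relationship graph is built from constructed historical mail metadata, and each new message is scored by how far its features deviate from that baseline. The feature names, weights and sample addresses are all assumptions chosen for the example.

```python
from collections import defaultdict
from email.utils import parseaddr

# Constructed history of trusted traffic: (From header, recipient, message count).
# These are made-up addresses for the example, not real data.
HISTORY = [
    ("Alice Smith <alice@example.com>", "bob@example.com", 4),
    ("Alice Smith <alice@example.com>", "carol@example.com", 2),
    ("Payroll <payroll@example.com>", "bob@example.com", 12),
    ("Vendor Co <billing@vendor.example>", "carol@example.com", 6),
]

# Hypothetical feature weights; a real deployment would learn these.
WEIGHTS = {"new_pair": 0.2, "new_domain": 0.2,
           "name_spoof": 0.4, "reply_to_mismatch": 0.2}


class TrustGraph:
    """Relationship graph of who normally writes to whom, and from where."""

    def __init__(self, history):
        self.pairs = defaultdict(int)         # (sender addr, recipient) -> count
        self.name_to_addr = defaultdict(set)  # display name -> addresses seen
        self.domains = defaultdict(int)       # sender domain -> message count
        for sender, rcpt, n in history:
            name, addr = parseaddr(sender)
            name, addr = name.lower(), addr.lower()
            self.pairs[(addr, rcpt)] += n
            if name:
                self.name_to_addr[name].add(addr)
            self.domains[addr.split("@")[-1]] += n

    def features(self, sender, rcpt, reply_to=None):
        """Boolean deviations of one new message from the trusted baseline."""
        name, addr = parseaddr(sender)
        name, addr = name.lower(), addr.lower()
        domain = addr.split("@")[-1]
        known = self.name_to_addr.get(name, set())
        reply_domain = parseaddr(reply_to)[1].lower().split("@")[-1] if reply_to else domain
        return {
            "new_pair": self.pairs.get((addr, rcpt), 0) == 0,   # never wrote to rcpt
            "new_domain": self.domains.get(domain, 0) == 0,    # domain never seen
            "name_spoof": bool(known) and addr not in known,   # known name, new addr
            "reply_to_mismatch": reply_domain != domain,       # replies go elsewhere
        }

    def score(self, sender, rcpt, reply_to=None):
        """Risk score in [0, 1]; higher means further from trusted patterns."""
        f = self.features(sender, rcpt, reply_to)
        return round(sum(w for k, w in WEIGHTS.items() if f[k]), 2)
```

A policy layer would then compare `score()` against each organization’s threshold, which is the enforcement step the paragraph above refers to.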

Scale is Just the Start of It

As with any ML-based approach, the size and quality of the underlying dataset, and the domain expertise of the data scientists who guide it, determine the solution’s efficacy. One of Agari’s greatest strengths has always been that our domain experts rank among the world’s leading authorities on phishing, BEC, and account takeover (ATO)-based email attacks, bringing an unprecedented level of experience and insight to leveraging a dataset that’s not just Internet scale, but also dynamic.

Through real-time data streaming, intelligence that necessitates model changes is applied not in hourly or daily batched data updates, but rather within milliseconds of detection. Each new customer adds deeper, more relevant insights to this dynamic, global dataset, creating a network multiplier effect that amplifies the effectiveness of Secure Email Cloud on a continuous basis. And that gets to something else we’ve learned over time: it’s not just the size of your high-quality dataset that matters.

Email Attacks: Not Just ‘What,’ But ‘When’

The simple truth is that no email security system can prevent 100% of email attacks, 100% of the time. As I mentioned earlier, even with near 100% efficacy against phishing and BEC attacks, a malicious email will inevitably make it to employee inboxes. To address that challenge, Secure Email Cloud provides continuous detection and response capabilities to hunt down and remediate threats that escaped initial detection or have activated post-delivery.

Thanks to its deep integration with cloud-based email systems, Secure Email Cloud can remove a malicious email from every employee inbox that received it, not just from that moment forward but also copies that arrived before the threat was first identified. It can even alert SOC teams if somebody has already opened the email or gone on to fall for the con.

Secure Email Cloud also provides SOC teams with automated tools that reduce the time it takes to detect and remediate any data breaches that may result from a successful attack from weeks or even months down to mere minutes, sparing organizations losses that average $7.9 million per incident.

Phishing Intel, Made Instantly Actionable 

While all of this is undeniably cool, in my own opinion, what’s even cooler is the value of the feedback data that these latent email threats provide, and the ability to factor that data into ML model updates within moments of detection. That’s something our teams are in the process of rolling out as part of our continuous efforts to make Secure Email Cloud smarter, faster, and more effective with each new email it analyzes—pre- and post-delivery.

Once fully in place, a latent attack discovered in the inboxes of one Agari customer organization will be known and neutralized across all of them. All while dynamically and continuously improving the catch rate of Agari Phishing Defense™ for identity deception-based email attacks.

The importance of these kinds of capabilities can’t be overstated. According to TechRepublic, more than 3 billion fraudulent emails are sent every 24 hours, and the volume, ferocity, and sophistication of these attacks grow by the day.

Machine learning-based email security can make all the difference in the battle against costly phishing attacks, BEC scams, and other advanced email threats. But that’s only if it’s based on ML best practices, guided by top domain experts, and informed by a very large, high-quality dataset that includes intelligence from trillions of emails—both inbound and post-delivery.

To learn more about how Agari applies the power of machine learning-based email security to prevent phishing attacks, BEC scams and more, download an exclusive white paper.

This is the final part of a four-part series; you can find part one, part two, and part three here.
