Email Security Blog

Real Time Detection Can Stop Email Attacks Before they Scale

Agari | March 13, 2014 | How Email Works

by Alexander Garcia-Tobar, VP of Corporate & Business Development 
Agari often detects attacks in real time from very little “signal”, many hours or days before the spike in malicious activity. Early detection can alert enterprises or takedown vendors (companies that take confirmed malicious links/URLs offline) to suspicious email and dramatically shorten response and remediation times. Detecting new phishing attacks quickly is a critical prerequisite to blocking them before they scale and cause widespread damage.

“Where the same URL was reported by more than one source, Agari reported it first, 90% of the time” – Major Financial Services Firm

The anatomy of a typical phishing attack

The pattern Agari sees in phishing attacks is very similar to that of a criminal testing out a stolen credit card: first a small charge (for example, filling up a car) is tested with the stolen card. If the charge goes through, the criminal progressively increases the charge amount until a certain level of confidence is reached. At that point, the criminal charges as much as possible to max out the card and collect as much “revenue” as he/she can.

Phishing attacks follow the same pattern as the stolen credit card example above. During the initial test phase, the criminal sends a small volume of phishing messages to confirm they are reaching the intended targets and are not being blocked by ISP spam filters or other traditional filtering mechanisms. The criminal then ramps up the attack until confidence is high that it will avoid being blocked. At this point the test phase is over, and the criminal increases the number of messages dramatically, sending out tens or hundreds of millions of messages to unsuspecting consumers.


The above graphic is a real example showing when Agari warned a global financial institution of an impending phishing attack. The criminal’s test phase was detected by our analytics engine on 5/10/13 at 12:00 and triggered a real time threat feed sent to the client and its takedown vendor. The feed contained the submission time, the spoofed domain, the subject line of the email, and any suspicious URLs embedded in the email. By detecting and blocking the phishing attack on 5/10/13 at 12:00, the client was able to prevent the majority of the targets from receiving the malicious messages. An important side benefit is the detection of the URLs embedded in the suspicious emails. At the client’s discretion, the URLs can be analyzed by its takedown/security vendor of choice to establish whether they lead to malware/APT infrastructure. The client can then decide whether to “take down” the URLs and thwart any subsequent attacks on its employees, customers, or any other company. The criminal now needs to mount a completely different attack and is back to square one.
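A constructed illustration of the two detection stances the post contrasts, added here and not Agari’s code or data: a first-sighting detector that emits a feed record (submission time, spoofed domain, subject line, URLs) on the test-phase messages, beside a volume-threshold baseline that only fires once the blast is under way. The sample stream, the brand domain and the “unauthenticated message claiming a protected domain” heuristic are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample stream (not real Agari data). Each record is
# (timestamp, claimed From: domain, sender authentication passed?, subject, URLs).
# A four-message test phase at 12:00 is followed six hours later by a 500-message
# blast; one authenticated legitimate message from the brand is mixed in.
PROTECTED_DOMAINS = {"examplebank.test"}            # hypothetical client brand domain
T0 = datetime(2013, 5, 10, 12, 0)
PHISH = ("examplebank.test", False, "Verify your account",
         ["http://examplebank-secure.test/login"])  # constructed lure
SAMPLE_STREAM = (
    [(T0 + timedelta(minutes=m),) + PHISH for m in (0, 7, 15, 40)]
    + [(T0 + timedelta(hours=6, seconds=i),) + PHISH for i in range(500)]
    + [(T0 + timedelta(minutes=3), "examplebank.test", True, "Your statement",
        ["https://www.examplebank.test/statements"])]
)

def first_sighting_feed(stream, protected):
    """Real-time detector: emit a threat-feed record the first time an
    unauthenticated message claiming a protected domain carries a URL whose
    host has never been seen before. It fires on the test phase, not on volume."""
    seen_hosts, feed = set(), []
    for ts, dom, auth_ok, subject, urls in sorted(stream, key=lambda m: m[0]):
        if auth_ok or dom not in protected:
            continue                                # not a spoof of a client brand
        new_hosts = {urlparse(u).hostname for u in urls} - seen_hosts
        seen_hosts |= new_hosts
        if new_hosts:
            feed.append({"submitted": ts, "spoofed_domain": dom,
                         "subject": subject, "urls": list(urls)})
    return feed

def volume_threshold_alert(stream, protected, threshold=100, window=timedelta(hours=1)):
    """Baseline for comparison: alert only once a spoofed domain exceeds
    `threshold` unauthenticated messages inside `window`, i.e. once the
    blast is already under way. Returns the alert time, or None."""
    windows = defaultdict(deque)
    for ts, dom, auth_ok, _subject, _urls in sorted(stream, key=lambda m: m[0]):
        if auth_ok or dom not in protected:
            continue
        q = windows[dom]
        q.append(ts)
        while ts - q[0] > window:                   # drop messages older than the window
            q.popleft()
        if len(q) >= threshold:
            return ts
    return None
```

On the constructed stream the feed record is emitted at 12:00 on the first test message, while the volume baseline first fires about six hours later, a hundred messages into the blast.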

As the above example demonstrates, early detection of email attacks is crucial to mitigating the majority of the damage to both your customers and your brand. We encourage all enterprises to use detection methods that function in real time and detect attacks as early as possible.
