Security leaders at a major cloud data management company recently identified a shift in their security posture after experiencing a spike in email attacks targeting their executive team with exquisite precision. The company’s existing email security controls were unable to detect and disrupt the attacks because the solutions were designed to search for malicious payloads.
These emails appeared to employ executive impersonation and social engineering tactics that are highly effective at bypassing this kind of content analysis. The Senior Director of Information Security and his team knew they had a choice—act quickly, or risk a dangerous compromise to the organization. By leveraging Agari Phishing Defense™, the team was able to eliminate the attack risk, bring trust back into the organization’s email communications, and reduce the resources assigned to mitigate the problem. Today, this leading cloud data management company’s executives, employees, and partners all enjoy the confidence that comes with knowing they can communicate productively—without fear of compromise.
Industry: Cloud Data Management
Solutions: Agari Phishing Defense™
Over the past few years, the information security team logged a steady rise in the number of targeted email attacks escalated by their executive team after successfully circumventing the security solutions the company had in place. Understandably, the executive team’s concerns and frustrations mounted with each new attack, unable to understand why a seemingly simple problem could not be solved quickly. In investigating the problem, the team found that the attacks were highly sophisticated, socially engineered, impostor-based schemes specifically designed to bypass existing controls.
“Many of these attacks fit the profile of the executive asking for urgent contact, moving the conversation from email to another channel to launch subsequent social engineering attacks. Other attacks asked for specific information like personnel data or merger and acquisition information,” recalls the Senior Director of Information Security. “Display name impostor-based attacks that would use previously employed identities were also a big issue for us. Attackers would conduct research on our company to identify a previously employed executive. They would impersonate this identity and reach out to current executives attempting to retrieve sensitive data.”
The organization had recently migrated to native Office 365 and therefore was leveraging Exchange Online Protection (EOP) as their secure email gateway. In addition, they also purchased the O365 Advanced Threat Protection add-on to combat these threats. And yet they continued to face challenges. Exchange Online Protection with O365 Advanced Threat Protection was effective in stopping spam, known viruses, and other content-based attacks but was ineffective at safeguarding against the highly targeted, impostor-driven ones. Their initial solution forced them to manually generate content filtering rules for every missed spear phishing and business email compromise (BEC) attack.
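The display-name impostor pattern described above is exactly what a payload-centric filter misses: no link, no attachment, just an executive’s name on an address that is not theirs. The following first-pass detector is an added example, not code from Agari or the company in the case study; the roster, domains and sample messages are constructed.

```python
# Added example, not code from Agari or the company in the case study: a
# first-pass detector for the display-name impostor attacks the case study
# describes, which carry no URL or attachment for a content filter to catch.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed roster (assumed): names executives use in their display name,
# whether they still work here, and the domains their mail legitimately
# comes from. A former executive has no legitimate sending domain at all.
EXEC_ROSTER = {
    "jane doe": {"status": "current", "domains": {"corp.example"}},
    "sam lee": {"status": "former", "domains": set()},
}
URGENCY = re.compile(r"\b(urgent|asap|confidential|personnel|merger)\b", re.I)

def normalise(name):
    """Lower-case and collapse whitespace so display-name variants match."""
    return " ".join(re.sub(r"[^a-z ]", "", name.lower()).split())

def assess(raw):
    """Score one RFC 5322 message string; returns findings plus a verdict."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = "" if msg.is_multipart() else msg.get_payload()
    entry = EXEC_ROSTER.get(normalise(display))
    f = {
        # A payload-based filter would only have something to inspect here.
        "has_payload": msg.is_multipart() or "http" in body.lower(),
        "urgency_lure": bool(URGENCY.search(body + msg.get("Subject", ""))),
        "exec_display_name": entry is not None,
        "former_employee": bool(entry) and entry["status"] == "former",
        # Display name belongs to an executive but the address is not theirs.
        "domain_mismatch": bool(entry) and domain not in entry["domains"],
    }
    f["verdict"] = "impostor" if f["domain_mismatch"] else "ok"
    return f

# Constructed samples: an impostor reusing a former executive's identity,
# and a legitimate message from a current executive's own domain.
IMPOSTOR = ("From: Sam Lee <sam.lee.ceo@mail.example>\n"
            "Subject: urgent - need the merger files\n\n"
            "Can you send the personnel data today? Reply on my cell.\n")
LEGIT = ("From: Jane Doe <jane.doe@corp.example>\n"
         "Subject: board deck\n\nDraft is in the shared drive.\n")

if __name__ == "__main__":
    for raw in (IMPOSTOR, LEGIT):
        print(assess(raw))
```

A roster match with a domain mismatch is a signal to quarantine and review, not proof of fraud: an executive mailing from a personal address will trip it, which is why the case study’s point about validating policies before production enforcement matters.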
Unfortunately, the process consumed too many resources from both the messaging operations and information security teams. “Aligning the teams was very challenging. Messaging operations did not know enough about the threat landscape and feared an interruption in legitimate mail flow, while the InfoSec team did not have the O365 configuration skills to optimize protection,” mentions the Senior Director. “It would take several hours to days to implement rules and by that time, new attacks would surface.” The situation finally hit a breaking point when several key individuals’ credentials were nearly compromised as a result of an undetected partner-spoofing phishing attack. Fortunately, the potential loss of sensitive data was averted, but it was a clear sign that a solution needed to be found—fast. The InfoSec team risked the complete loss of executive trust and future program investments if they could not deploy an effective solution.
The team established that solving the problem meant the solution would require the following:
The InfoSec team evaluated multiple solutions and ultimately chose Agari Phishing Defense. “EOP with O365 APD was our primary solution but cybercriminals had gotten very good at avoiding these controls. We needed a solution that understood the relationships within our mail flow to pick out the mail that didn’t belong. We evaluated Proofpoint’s Protection Server with Targeted Attack Protection (TAP) but ultimately selected Agari Phishing Defense because of its superior effectiveness and data-driven approach,” mentions the Senior Director. “In addition, our mail configuration had been simplified with O365 Native so we needed a product that didn’t need to be ‘in-line’ but could still provide protection via mailbox API integration. Agari also offered this capability by default.”
Since the deployment of Agari Phishing Defense, the team has not seen anywhere near the high number of executive escalations that strained their resources. Nor have their executives had to change their user behavior when communicating via email. “Our executives work in a fast-paced capacity and have done so successfully for the past 20+ years of their careers. When it comes to email, they don’t want to stop and wonder if an email is malicious. They want to read and respond quickly because any delay could mean a missed opportunity for the business. We wanted our executives to continue being successful and did not want to change the user behavior that made them so. Ultimately, our goal was to find a solution that removed the threat completely out of the inbox,” says the Senior Director.
By deploying Agari Phishing Defense, security leaders have regained the trust of their executive team and subsequently reduced the operational load for both messaging operations and InfoSec, while also improving internal collaboration. Messaging ops, in particular, no longer has to spend cycles manually creating EOP content filtering rules and risk interruption to legitimate email flow. Both teams have been able to work collaboratively within Agari Phishing Defense to validate policies prior to rolling them out into production. Finally, Agari Phishing Defense has been performing better than expected, as it is also eliminating a significant amount of non-targeted, “scattershot” phishing and spam attacks. This has been a huge plus for both teams as it helps maximize the organization’s investment in Exchange Online.
“Today, Agari Phishing Defense stops an average of 18,000 unwanted messages per month from reaching our employees’ inboxes. That’s 18,000 messages our team does not have to worry about analyzing or archiving and 18,000 messages our employees don’t have to waste time manually filtering or deleting every month,” exclaims the Senior Director of Information Security.
For the InfoSec team, eliminating high-profile attacks has also removed the need for an analyst to spend several hours determining if a true compromise occurred. For compromised executives, this process was highly disruptive and extremely cumbersome because the analyst had to piece together unauthorized sessions, the timing of the attacks, and what data may have been impacted in order to make a final determination. The team simply did not have the resources or the expertise to consistently come to the right conclusions. Today, most incidents are trivial annoyances that can be remediated in as little as 15 minutes.
In the near future, the InfoSec team plans to extend the use of Agari generated intelligence by integrating the data into their SIEM and Security Automation and Orchestration solutions. The Senior Director believes this data could be valuable in helping investigate non-email related incidents. Additionally, with Agari’s newest account takeover-based attack prevention and reporting capabilities, the organization can now stop targeted attacks launched from a compromised email account. The visibility provided will help the organization and its partners regain control of these rogue accounts and ensure that the entire email ecosystem is safe.
This leading cloud data management organization chose Agari Phishing Defense over other options because it’s the most effective solution available for stopping executive impersonation and other advanced spear-phishing attacks. Its flexible architecture design enabled quick onboarding and a seamless integration into the organization’s architecture. Automated and on-demand policy enforcement saves users time and reduces exposure, even as zero-day risks arise. Finally, its reporting capabilities give the organization full visibility into the total number and types of threats that are actively bypassing their existing secure email gateway, easily justifying continued investment.
What’s more, the organization demanded a security partner that would align with its focused priorities—and Agari delivered. As the Senior Director puts it: “As a cloud service provider, protecting the platform, our customers’ data, and maintaining trust in our security capabilities is crucial. With email as our primary mechanism for engaging with current and future customers, securing this channel was a top priority. By partnering with Agari to stop customer phishing and targeted email attacks, we have enabled our customers, partners, and employees to communicate freely—without fear of being compromised.”