The Akamai Blog

But We Have an Email Gateway...

In my previous phishing blogs, I wrote about the evolution of phishing and the industrialization of phishing that's being driven by the availability and low cost of toolkits. 

In this blog post, I'm going to provide more information about emerging phishing attack vectors and how cybercriminals are proactively using a range of techniques to bypass existing enterprise phishing protections.

Although email is still by far the most prevalent attack vector, there are other channels that pose a threat: 

  • Social media: Social platforms are being used to both distribute phishing attacks and amplify the spread of these campaigns. The free airline ticket phishing attack that Akamai security researchers blogged about last year is a great example of how social media is being used for phishing.
  • Messaging apps: There are numerous sanctioned and non-sanctioned messaging apps that are installed and used across enterprises. While today the use of messaging apps is most prominently observed in consumer phishing scams, I predict that we will soon see an uptick in their use in enterprise attacks.
  • Personal email on managed devices: Many enterprises are fairly relaxed about employees accessing their personal email on managed devices.
  • Compromised email accounts used to launch lateral phishing attacks: A recent report from Barracuda stated that these account takeovers are on the rise. As the report noted, "Because attackers send these lateral phishing emails from legitimate accounts, they can effectively fool many existing email protection systems and unsuspecting users." After all, who would ignore an email from IT asking you to change your password?

Although social media, messaging, and personal email might be perceived as unrelated to enterprise phishing attacks, they can serve as an avenue for attackers to gain personal information. At Akamai's 2019 customer conference, a speaker from the FBI noted that attackers are using gained personal information as a way to launch more targeted attacks on enterprise users. Since phishing relies heavily on social engineering, and especially on building trust with the victim, the more an attacker knows about the target or targets, the more effective the phish can be.

Currently, many enterprises rely on email gateways to protect against external phishing emails sent to their email server over SMTP. This protection can be deployed as an on-premises appliance, but more likely these days it's a stand-alone cloud service or bundled with the email service, for example Microsoft's Exchange Online Protection (EOP) service.

But there's one consistent point across these phishing attack vectors: an email gateway protects against none of them, because the link never passes through the SMTP path the gateway inspects. Attackers know this and will exploit it.

In addition, even when the attack is launched through inbound SMTP-based emails, it's a continuous arms race between the attackers and the defenders. As security vendors address the latest exploits for bypassing email gateways, the attackers are already developing new ways to continue to get through the door.

This year alone, attackers have used a slew of different techniques to obfuscate their attacks and bypass phishing defenses. These include the use of zero-width characters, URL redirection, Google Translate, and base HTML elements.
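The four evasion tricks named above share one property: the URL the gateway inspects is not the URL the browser will eventually reach. The following scanner is an added example (not Akamai's code, and not a description of any specific product) that shows how a defender can detect each of them in an HTML email body and reconstruct the real destination. The email body, domain names and function names are constructed for the example.

```python
"""Detect gateway-evasion tricks in an HTML email body and recover the real link target.

Added example, not Akamai's code. Flags zero-width characters, <base href> URL
splitting, redirect-style URL parameters and Google Translate wrapping, and
reports the hostname a click would actually resolve.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse

# Unicode code points that render as nothing but break naive string matching.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


class _LinkCollector(HTMLParser):
    """Collects <base href> and every <a href> in document order."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base = a["href"]
        elif tag == "a" and a.get("href") is not None:
            self.hrefs.append(a["href"])


def strip_zero_width(text):
    return "".join(ch for ch in text if ch not in ZERO_WIDTH)


def final_destination(url):
    """Unwrap one level of translate-proxy or redirect-parameter indirection."""
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    if parsed.netloc.endswith("translate.google.com") and "u" in qs:
        return qs["u"][0], "google-translate-wrapper"
    for key, values in qs.items():
        for value in values:
            if value.startswith(("http://", "https://")):
                return value, f"redirect-parameter:{key}"
    return url, None


def scan_email_html(html):
    """Return (findings, destination_hostnames) for an HTML email body."""
    findings = []
    zero_width_count = sum(1 for ch in html if ch in ZERO_WIDTH)
    if zero_width_count:
        findings.append(("zero-width-characters", zero_width_count))

    collector = _LinkCollector()
    collector.feed(html)
    destinations = []
    for href in collector.hrefs:
        cleaned = strip_zero_width(href)
        # A relative href combined with <base href> hides the real host from
        # a scanner that only looks at the <a> tag.
        if collector.base and not urlparse(cleaned).netloc:
            findings.append(("base-href-split", cleaned))
            cleaned = urljoin(strip_zero_width(collector.base), cleaned)
        dest, reason = final_destination(cleaned)
        if reason:
            findings.append((reason, dest))
        destinations.append(urlparse(dest).hostname)
    return findings, destinations


# Constructed sample message exercising all four tricks (all hosts are fictional).
SAMPLE_EMAIL = (
    '<html><head><base href="https://login-portal.example/"></head>'
    '<body><p>Your pass\u200bword expires today.</p>'
    '<a href="reset/index.html">Reset now</a>'
    '<a href="https://translate.google.com/translate?sl=auto&amp;tl=en'
    '&amp;u=https://evil.example/login">Help</a>'
    '<a href="https://trusted.example/out?url=https://bad.example/x">Docs</a>'
    '</body></html>'
)

if __name__ == "__main__":
    for finding in scan_email_html(SAMPLE_EMAIL)[0]:
        print(finding)
```

The destination hostnames the scanner returns are the names a DNS-layer check would see at click time, which is why inspecting the link at resolution rather than at delivery is harder to evade.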

To be absolutely clear, email gateways are generally decent at what they do -- but the reality is that they are far from perfect. A recent article states that 25% of phishing emails bypass Microsoft EOP, and this report found a 25% increase in the number of phishing attacks that evade security defenses.

A Layered Approach Can Help

Given the new attack vectors and the innovative ways that attackers are bypassing existing gateway defenses, investing in an additional layer of defense likely makes sense.

A key point to highlight is that -- irrespective of the attack vector -- to get to the phishing page, a user needs to click on a link. When that link is selected, the first thing that happens is that a DNS request is made.

Akamai Enterprise Threat Protector checks every DNS request, regardless of whether that link is embedded in a social media post, an instant message, a personal email, a note from a compromised email account, or an email that a gateway missed. That level of inspection is then combined with up-to-the-minute threat intelligence gleaned from Akamai's unprecedented view and visibility into the Internet.

That means Enterprise Threat Protector is a really effective way for an enterprise to augment its existing phishing defenses by quickly adding an additional layer of DNS-based and URL-level protections.
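To make the DNS-layer idea concrete, here is an added example of the policy decision a DNS-based filter makes when a client resolves the hostname of a clicked link. It is illustrative code, not Akamai's implementation, and the block list, domain names and class names are constructed. It matches on label boundaries so that a subdomain of a blocked domain is caught while a look-alike such as `notevil.example` is not.

```python
"""DNS-layer policy check of the kind a DNS-based phishing filter applies.

Added example, not Akamai's code. Every click ends in a DNS query for the
link's hostname, so the same decision applies whether the link arrived in a
social post, an instant message, personal email or an email the gateway missed.
"""
from urllib.parse import urlparse


def normalize(name):
    """Lower-case, drop the trailing dot and convert IDN labels to punycode."""
    name = name.strip().lower().rstrip(".")
    try:
        name = name.encode("idna").decode("ascii")
    except UnicodeError:
        pass  # keep the raw name; an unencodable name simply will not match
    return name


class DnsPolicy:
    def __init__(self, blocked_domains):
        self.blocked = {normalize(d) for d in blocked_domains}

    def decide(self, qname):
        """Return ("block", matched_domain) or ("allow", None) for a query name."""
        labels = normalize(qname).split(".")
        # Walk up the tree: login.evil.example -> evil.example -> example
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.blocked:
                return "block", candidate
        return "allow", None

    def check_url(self, url):
        """Apply the same decision to the hostname a browser would resolve for a URL."""
        host = urlparse(url).hostname
        if host is None:
            return "allow", None
        return self.decide(host)


# Constructed block list, standing in for threat-intelligence data.
POLICY = DnsPolicy(["evil.example", "bad.example"])

# Constructed queries, each tagged with the channel that carried the link.
SAMPLE_QUERIES = [
    ("social-media", "login.evil.example"),
    ("instant-message", "EVIL.EXAMPLE."),
    ("personal-email", "notevil.example"),
    ("gateway-missed-email", "cdn.bad.example"),
]

if __name__ == "__main__":
    for channel, qname in SAMPLE_QUERIES:
        action, matched = POLICY.decide(qname)
        print(f"{channel:22} {qname:22} {action} {matched or ''}")
```

Because the decision keys on the resolved name rather than on the message that carried the link, it does not matter which of the channels listed earlier delivered it.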

Best of all, the service can typically be activated in less than 30 minutes with a simple DNS configuration change. And as Mitchell Community College in North Carolina recently discovered, the ROI can be very quick:

"The service paid for itself in one phishing attack! When folks clicked the email document, it looked like nothing happened. However, when I investigated, I found that the document was redirecting them to a site that was being blocked by the DNS filtering service. If it hadn't been for the DNS filtering service, we would have been hit hard."
- Jeffrey C. Benfield, Chief Information Officer, Mitchell Community College

To find out more about how Enterprise Threat Protector can improve your security posture against phishing, visit Akamai Enterprise Threat Protector.
