How to defend the inbox

Can businesses outsmart cybercriminals targeting the inbox?
By Tiana Cline, Contributor
Johannesburg, 17 Oct 2024
Adeshni Rohit, Axiz

We’ve been sending emails since the 1970s, but over 50 years later, email security remains a challenge. Alongside multiple generations of security products attempting to defend the inbox came increasingly sophisticated attacks that always find a way to bypass any sort of controls. And with everything moving to the cloud, email is not only a delivery vector – the mailbox is now the target. In the cloud, email is not simply a messaging protocol, but a content repository filled with sensitive data cybercriminals are looking to exploit. So, what can a traditional phishing tool actually do about the content sitting in a mailbox at rest?

EMAIL’S NEXT CHAPTER

Ben Hathaway is the CTO of Mailprotector. He believes that zero trust is what’s missing when it comes to securing inboxes. “Even with new products continually being launched that improve end-user protection, the underlying problem is a trust issue.” Email is a powerful communication tool, but today’s inboxes are cluttered. They’re filled with so many distractions that it becomes too easy to miss harmful threats. “Anyone with your email address can get into your mailbox. There’s no trust or permission required and that leads to abuse,” he says. Being able to email someone you don’t know is a benefit, but Hathaway says it’s also the downside. Email was created before the internet and designed for use within a small, closed and controlled network. “Now it’s an open, flexible communication tool with a lot of vulnerabilities. To stop these dangerous threats, you need to keep them out of the email inbox to begin with,” he says. One of the ways Hathaway is tackling email “noise” is with Shield, a zero-trust inbox platform. Unlike other solutions, which just add another filter, Shield uses adaptive AI to learn who your network is, blocking email spy trackers and securing sensitive data with multi-factor authentication. Being able to create “burner” email addresses when you don’t want to sign up or aren’t convinced you want something cluttering your inbox is brilliant.

Mimecast’s ‘State of Email and Collaboration Security 2024’ report ranked account takeover as one of the top five email security challenges. Phishing is still how threat actors are getting in, and AI is only increasing the attack volume. “Existing technologies may protect organisations from malicious attachments, links, spam and generic AI-driven phishing,” says Brian Pinnock, Mimecast’s vice-president of sales engineering for EMEA.

“The real gamechanger for risk will be AI-based spear phishing attacks.” These highly personalised, targeted spear phishing attacks are harder to defend against because attackers gather information online to craft messages that persuade the target that the message is legitimate. “This level of detail can easily deceive even the most vigilant individuals,” says Pinnock. “While spear phishing attacks were previously costly and time-consuming for attackers, with AI, criminals can now create these attacks at scale.”

GenAI has made phishing attacks far more difficult to detect. According to Verizon’s 2024 data breach investigations report, 90% of cyberattacks begin with an email. Research released at the IEEE 14th Annual Computing and Communication Conference showed that up to 60% of people fell victim to AI-automated phishing. Emails that once had telltale grammar and spelling inaccuracies can be cleaned up easily. Using GenAI, hackers can now create credible and hyperpersonalised spear-phishing emails for next to nothing. But AI can also be used for anomaly detection to flag potential AI-driven phishing attacks, says Adeshni Rohit, an executive at Axiz, who recommends investing in tools that analyse mail and content, building a baseline of normal behaviour. Here, any deviation from normal behaviour patterns can be flagged and tracked as a potential AI-driven phishing attack. Rohit adds that AI-driven phishing attacks can also be mitigated at the email platform layer. Since mail is encrypted, regular change and rotation of encryption keys and credentials, at random intervals, can prevent attackers from accessing these security passes to the email infrastructure and inhibit them from generating forged emails.

Fighting fire with fire

Forged emails, bolstered by GenAI, are commonly used in business email compromise (BEC) attacks. According to the ‘Sophos 2024 Threat Report’, BEC is the second most popular attack after ransomware. BEC campaigns are more sophisticated; instead of sending a single email with a malicious attachment, attackers may send a series of conversational emails back and forth, or even phone the target. In an attempt to evade detection by traditional spam prevention tools, attackers are also experimenting with new formats for their malicious content, embedding images that contain the malicious code or sending malicious attachments in OneNote or archive formats. In one case reported by Sophos, attackers sent a PDF document with a blurry, unreadable thumbnail of an “invoice”. The download button contained a link to a malicious website.

BEC is effective because it uses psychological tactics to exploit human trust and authority, deceiving employees into transferring funds or divulging sensitive information. “It’s often used to exploit the emotional aspect of human decision-making,” says Pinnock. “As we in the security community know well, ‘amateurs hack systems, professionals hack people’.” Cybercriminals use social engineering, also known as human hacking or social hacking, to psychologically manipulate people. They achieve this by impersonating high-ranking executives or trusted partners, creating a sense of urgency or authority that pressures employees into bypassing normal procedures.

Under attack

BEC attacks carry significant financial implications. In August this year, around $60 million was stolen from a global supplier of carbon black – a material used to make batteries, ink, paints and rubber products like tyres. In July, a commodity firm in Singapore lost $42.3 million when money was transferred to a supplier that was fraudulent. It was reported that the email account was spelled slightly differently to the official’s email address.

On the dark side, 35-year-old Ebuka Raphael Umeti from Nigeria, involved in a phishing scam going back to 2016 worth $1.5 million, was taken to court, found guilty, and now faces a maximum of 102 years in prison. In this particular case, the BEC was templated and sold to other cybercriminals.

If a business doesn’t get email security right, the rest of the tools in an organisation’s security stack will just be playing catch-up. As cybercriminals become more sophisticated and AI-driven attacks increase in volume and precision, businesses need to strengthen their defences where it matters most: the inbox. A robust email security strategy isn’t just a line of defence; it’s the foundation of a resilient security posture. Without it, organisations will remain vulnerable, reactive and, ultimately, one step behind the attackers.

CAN THE REAL WEBSITE PLEASE STAND UP?

According to Mimecast’s ‘State of Email and Collaboration Security 2024’ report, 98% of companies said they’ve seen counterfeit web domains in the past year, while 60% said they’ve seen a year-over-year increase in the misuse of their brands via spoofed email. “The industries most targeted by counterfeit domains are online banking, delivery and online retail,” says Mimecast’s Brian Pinnock.

Lookalike domains appear as well-known domains of suppliers or brands. For example, attackers have long used simplistic approaches such as swapping a letter “l” with a number “1”. Bad actors also use other alphabets, such as Greek or Russian, that make imposter domain names almost undetectable to people. Domain similarity checks have existed for years, but attackers will continue to use lookalike domains as they appear to easily bypass many generic email and web security solutions. “With Black Friday and the festive season on the horizon, many South Africans will engage in online shopping – and cybercriminals will be on the prowl for victims, posing as a favourite retailer,” warns Pinnock. “It’s critical for brands to ensure a secure user experience. It takes years to build a brand, and phishing attacks that target customers by impersonating brands they love can cause a catastrophic loss of trust.”
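A domain similarity check of the kind described above, and applicable to the slightly misspelled sender address in the Singapore case, can be sketched as follows. This is an added example, not code from the article or any vendor named in it; the protected-domain list and the small confusables table are constructed assumptions.

```python
import unicodedata

# Constructed list of domains to protect (assumption; not from the article).
PROTECTED = ["paypal.com", "example-retailer.co.za"]

# Constructed, deliberately small confusables table. A production check would
# use the full Unicode confusables data (UTS #39).
CONFUSABLES = {
    "1": "l", "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
    "\u03bf": "o", "\u03b1": "a", "\u03c1": "p",                                  # Greek
}

def to_unicode(domain):
    """Lower-case and decode punycode (xn--) labels so homoglyphs become visible."""
    domain = domain.strip().lower().rstrip(".")
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid IDNA

def scripts(domain):
    """Unicode scripts of the letters in the domain, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in domain if ch.isalpha()}

def skeleton(domain):
    """Map each confusable character to the ASCII character it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return (verdict, matched_brand) for a sender or link domain."""
    d = to_unicode(domain)
    if d in PROTECTED:
        return ("legitimate", d)
    skel = skeleton(d)
    for brand in PROTECTED:
        if skel == brand:
            return ("homoglyph", brand)
        if edit_distance(skel, brand) <= 1:
            return ("typo", brand)
    return ("mixed-script", None) if len(scripts(d)) > 1 else ("unknown", None)
```

Decoding punycode first matters because a mail gateway or log usually sees the `xn--` form, in which the substituted character is not visible.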

UNDERSTANDING COMMON EMAIL SECURITY THREATS

1. Phishing: Phishing emails typically include links to fake websites or attachments. Malware (for example) can be spread via email attachments, links or via infected email messages.

2. Spoofing: Used by attackers to trick recipients into divulging sensitive information or downloading malware by sending forged emails that appear to be from a trusted source, such as a friend, colleague or legitimate organisation.

3. Email bombing: A form of Denial of Service attack where the attacker sends a large number of emails to the target email address, overwhelming the recipient’s email server and rendering it unable to send or receive legitimate email messages.

4. Email interception: When an attacker intercepts email messages in transit between the sender and the recipient. Email content can then be read, altered or even deleted by the attacker.

5. Man-in-the-middle attacks: When an attacker intercepts an email between two parties, altering the contents or adding malicious code into the message. 

* Article first published on brainstorm.itweb.co.za