Cybersecurity News

50% of Advanced Phishing Attacks Evade Leading Secure Email Gateways

A new IRONSCALES report finds as threat actors increasingly leverage social engineering scams, nearly half of these advanced phishing attacks bypass the leading secure email gateways.

healthcare email security endpoint cybersecurity risk management email spoof spear-phishing business email compromise

By Jessica Davis

- Nearly half of all advanced phishing attempts, such as spear-phishing and social engineering attacks, bypass leading secure email gateways (SEGs), as hackers shift into more advanced schemes that prey on human nature, according to new research from IRONSCALES.

Researchers employed IRONSCALES Emulator, a breach and attack simulation tool, to assess the effectiveness of Microsoft ATP and other leading SEGs in stopping advanced email threats. 

IRONSCALES simulated real-world phishing attacks to test technical controls and review gaps in clients’ email security infrastructure, in an effort to address the shifting threat landscape as the majority of phishing emails do not contain malware via links or attachments.

Instead, most phishing emails leverage social engineering techniques, including business email compromise (BEC), impersonations of known contacts, and other techniques, like spoofing and fraud.

“From an attackers perspective, the transition from spear-phishing emails packed with malicious payloads to social engineering was a no brainer,” researchers explained. “That’s because, as we’ve written about before, the most commonly deployed secure email gateways... were not built to analyze the language within an email and decipher a message’s context and intent.”

During the third quarter of 2020, IRONSCALES sent 162 emulations against the top five SEGs, which equated to 16,200 malicious emails. The emulations revealed a penetration rate of 47 percent, meaning 7,614 emails landed in the users’ inbox after evading security controls.

Overall, the SEGs were mostly successful at stopping phishing emulations that contained malicious payloads, with a mere 3 percent penetration rate for emails containing links and a 4 percent penetration rate for emails containing attachments.

Sender name impersonation emails, where the attacker masquerades as a trusted source, allowed for the greatest penetration rate, accounting for 30 percent of all SEG penetrations. The statistic represents a 6 percent increase from 2019’s findings.

Domain name impersonations were the second-most effective, with a 25 percent penetration rate -- a 23 percent increase from IRONSCALES’ 2019 analysis. For these attacks, the actors register a domain name to “set the right authentication records in the DNS.”

VIP impersonations, including CEO spoofing, saw a penetration rate of 22 percent, while fake login pages bypassed security in 16 percent of emulated attacks.

For the last year, hackers have steadily increased attacks leveraging email spoofing and social engineering when targeting the healthcare sector. Proofpoint research revealed these hacking techniques prey on human nature, rather than attempting to exploit technical vulnerabilities.

In fact, in 2019, 95 percent of targeted healthcare organizations observed emails spoofing their trusted domain.

“These attacks can be hard to detect because they don’t exploit technical vulnerabilities. They target human nature,” researchers explained, at the time. “Social engineering is all about exploiting people. That’s why stopping it requires a cyber defense focused on people, not technology.”

“The average impostor attack spoofed (posed as) 15 healthcare staff members on average across multiple messages,” they added. “Nearly half of healthcare organizations were targeted in attacks that spoofed at least five identities; about 40 percent were targeted in attacks that spoofed two to five identities.”

Simultaneously, the healthcare sector has seen a rise in the number of successful credential theft attempts sent through spoofed login pages and social engineering attacks. These schemes rely on highly realistic looking login pages, with hackers masquerading as Zoom, Microsoft Office 365, the World Health Organization, suppliers of personal protective equipment, and a host of other entities.

Europol previously released guidance to help organizations defend against these targeted attacks, which includes actionable security policies and technology that can protect enterprise infrastructure. Board influence is also crucial for developing campaigns that are relevant to employees, as is the prioritization of security policies across the enterprise.

But as previously noted, phishing education and training is crucial for reducing healthcare’s cyber risk, as well as secondary mechanisms to help employees make good decisions under pressure.