The why and how of advanced email security

By: David Finger, Director Product Marketing FORTINET

Last month we discussed why—based on empirical industry data about the success and cost of email attacks—strong email security is a must.  Today, I wanted to take a moment to explore some of the common reasons why cybercriminals are enjoying so much success (i.e. tactics) and the type of email security technologies it’s important to have in place to thwart them.  And while we could probably write a book on this subject, we’ve chosen to start with what we (shout out to Anthony Giandomenico of the FortiGuard team for his input) feel are arguably the top three.

1: New (and Kind of New) Attacks

For those of you who may have missed this data point among all the goodness of the 2018 Verizon Data Breach Investigations Report, they noted that “at least 37% of malware hashes appear once, never to be seen again…most of it will come by email.”  To me that’s a remarkably high number, and particularly challenging for the traditional signature- and reputation-based technologies in place that rely on existing intelligence to catch and thwart attacks.

However, in addition to brand new code and attacks, there are even more that are “kind of new” threats—those that are new versions of existing campaigns that have been changed just enough to appear new to many security technologies.  By way of example, consider that the Gandcrab ransomware that made headlines early in 2018 was already on version 3 by May.  In fact, in 1Q18 alone, our FortiGuard Labs saw 15,071 unique malware variants in a 90 day period!

To deal with highly targeted and frequently changing attacks, newer behavior-based technologies like sandbox analysis are required. In FortiMail 6.0, a deep integration with FortiMail appliances, SaaS, and public cloud options continues to play a key role in an organization’s defense.

2: Active embedded code

However, keep in mind that today’s malware is no longer just executables as attachments (which we hope most recipients know not to click!)  As Verizon again kindly quantified, 58% of the time malware comes in the form of scripts, with MS Office files and executables each coming in at under 15%.

That’s because it is increasingly common for attackers to embed java or VB script, even active flash files, within other more common (for the end user) file types such as Microsoft Office or Adobe PDF files.  As very simple code—typically designed to communicate out to a command and control server to, or just directly, download additional components—malware is easily and inexpensively changed to bypass traditional email filters.  Further, the embedded code will often exploit system vulnerabilities (such as the recent Flash zero-day vulnerability CVE 20018-5002) in order to be installed without requiring any end user action whatsoever.

While sandbox analysis can often be applied to this embedded code, there is growing interest in a newer technology called “content disarm and reconstruction” which removes embedded code components while maintaining the original file format. (For example, removing macros from Excel files while keeping the working xls format.)  This is also a recently added FortiMail option that allows for faster email delivery while removing a threat.  Keep in mind that embedded scripts and code are appropriate in some cases and for certain groups, so it’s a more aggressive (but in many cases appropriate) security approach that may warrant exceptions for groups like the finance department on traffic types such as internal email.

3: Sophisticated Social Engineering

Without question, many attacks across categories include a fair bit of social engineering to entice the user to click a link or open an attachment.  In fact, the use of Microsoft Office file types to house embedded code, as described above, is part of social engineering.  That said, cybercriminals have taken social engineering to a new level, successfully defrauding organizations of an estimated $675m in 2017 according to the FBI—often without the use of malicious code or websites.  Instead, they impersonate a trusted figure—an executive, business partner, or the like—and establish trust through communications over time. Ultimately, they end up asking the individual to wire money or take other actions that can be monetized.

In these cases, there is typically no file or embedded code to sandbox and no URL to rate or proxy.  Accordingly, newer approaches to detect impersonation attempts are emerging.  They include various methods to authenticate the sender, look for inconsistencies in the message, such as a display name not matching the actual sender address, assess the age and nature of the sending domain, and more.  FortiMail 6.0 includes many of these techniques, including a new impersonational analysis category of protection which will continue to expand over time.

The Time is Now

With the digital transformation of most organizations in full swing, there is no shortage of business-critical projects. That said, if organizations continue to rely on their traditional security technologies (or relinquish them to cloud email providers), we will continue to see large numbers of installed malware, defrauded customers, and stolen data continue. The silver lining here is that the same troubling numbers to which we refer are already quantified and published, helping you make a business case for improved email security very possible.  Look for that discussion next month!

Our solution brief provides an overview of the key capabilities available in FortiMail 6.0.  And for tips on how to know which solution is right for your organization, an eBook exploring key aspects to consider can be found here.

. Learn more at, the Fortinet Blog, or FortiGuard Labs.



More Stories