Check Point Email Security | Blog

How Avanan Catches Phishing That Others Miss

Written by Gil Friedrich | May 16, 2019

Why does conventional email security fail to catch some sophisticated impersonation, spear phishing, credential harvesting, and malware?

The rapid adoption of cloud email has dramatically changed the email security landscape. When email lived on on-premises servers, companies secured it with Secure Email Gateways (SEGs): MX records redirected inbound traffic to the gateway's proxy servers, which ran the anti-malware and anti-spam layers before relaying mail to the internal server.

In recent years, most companies have moved their email to cloud-based services, mostly Office 365 and Gmail. Cloud email comes with default security, but customers observe that phishing and malware still get through.

Conventional email security solutions have tried to address these new attack vectors and vulnerabilities, but their legacy technology lacks a few components that cloud email demands.

1. Training the AI with the attacks others miss

Avanan has a unique advantage: its security layer runs after the default filters that Microsoft and Google provide. A machine-learning classifier reflects the data on which it is trained, and because of how Avanan is deployed, its AI is trained mostly on the specific attacks that G Suite and Office 365 security did not catch. Avanan uses two distinct, specialized AI models, one for Office 365 and one for Gmail, each tuned to the threats that get past that platform's built-in filtering.

SEGs, conversely, are the first line of defense, so their training set is less focused. They also have to be allow-listed in Office 365 and Gmail so that the mail they relay is not filtered again, which makes the SEG the only line of defense. Adding a layer on top of the default security, instead of replacing it as SEGs generally do, keeps the Avanan AI laser-focused on the gaps in those platforms' own filtering.

2. Using the attack against the hacker

In most sophisticated attacks, attackers exploit vulnerabilities in Office 365 and Gmail to bypass the default security; HTML obfuscation methods, for example, commonly confuse security parsers. Avanan turns those same methods into indicators of phishing in its AI model. To block similar attacks in the future, the AI continually adds these attacker techniques to a growing list of over 300 Indications of Phishing (IoPs). This approach is at the core of what allows Avanan to accurately catch some of the most sophisticated phishing attacks.
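
As an added illustration of turning an obfuscation trick into an indicator (this is example code written for this page, not Avanan's engine or its IoP list), the Python script below flags two patterns the post names: baseStriker-style splitting of a link across a `<base href>` and a relative anchor, and zeroFont-style fragments of zero-size text interleaved with the visible message. The descriptions of both tricks follow their public write-ups as understood here; the sample HTML, the domain names and the `scan()`/`IoPScanner` names are constructed for the example.

```python
"""Flag two HTML obfuscation tricks as Indications of Phishing (IoPs).

1. <base href> splitting: a <base> element plus relative <a href> links, so a
   scanner that only reads each anchor's href sees a harmless relative path
   while the browser resolves it against the attacker's base (baseStriker).
2. Zero-size text padding: spans styled font-size:0 inside visible words, so
   naive text extraction sees a different string than the user does (zeroFont).
Sample messages below are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import re

# font-size:0 with optional unit, terminated by ';' or end of the style string
# (so "font-size: 0.5em" does not match).
ZERO_SIZE = re.compile(r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I)
# Void elements never get an end tag, so they must not be pushed on the stack.
VOID = {"base", "br", "hr", "img", "input", "link", "meta"}


class IoPScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.base = None      # href of a <base> element, if any
        self.links = []       # (raw href, href as the browser would resolve it)
        self.raw = []         # every text node, as a naive extractor sees it
        self.visible = []     # text nodes outside zero-size elements
        self.hidden = []      # text nodes inside zero-size elements
        self._stack = []      # per open element: is it zero-size?
        self._depth = 0       # number of open zero-size elements

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base = a["href"]
        if tag == "a" and a.get("href"):
            raw = a["href"]
            self.links.append((raw, urljoin(self.base, raw) if self.base else raw))
        if tag in VOID:
            return
        hidden = bool(ZERO_SIZE.search(a.get("style", "")))
        self._stack.append(hidden)
        if hidden:
            self._depth += 1

    def handle_endtag(self, tag):
        if self._stack and self._stack.pop():
            self._depth -= 1

    def handle_data(self, data):
        self.raw.append(data)
        (self.hidden if self._depth else self.visible).append(data)


def _norm(parts):
    return " ".join("".join(parts).split())


def scan(html):
    """Return the IoP flags and the reconstructed text for one HTML body."""
    p = IoPScanner()
    p.feed(html)
    p.close()
    relative = [raw for raw, _ in p.links
                if not urlparse(raw).scheme and not raw.startswith("//")]
    return {
        "base_href_splitting": p.base is not None and bool(relative),
        "zero_font_padding": any(t.strip() for t in p.hidden),
        "links": p.links,
        "visible_text": _norm(p.visible),   # what the user reads
        "naive_text": _norm(p.raw),         # what a plain text extractor reads
    }


# Constructed samples (domains are placeholders, not real sites).
SAMPLE_BASESTRIKER = (
    '<html><head><base href="https://login-portal.example/"></head>\n'
    '<body>Your mailbox is almost full. <a href="renew/session">Click here</a>'
    '</body></html>'
)
SAMPLE_ZEROFONT = (
    '<p>Your acc<span style="font-size:0px">xyz</span>ount is suspended. '
    'Ver<span style="font-size: 0">lorem</span>ify now.</p>'
)
SAMPLE_BENIGN = '<p>Hi, see the updated <a href="https://intranet.example/policy">policy</a>.</p>'

if __name__ == "__main__":
    for name, body in [("baseStriker", SAMPLE_BASESTRIKER),
                       ("zeroFont", SAMPLE_ZEROFONT), ("benign", SAMPLE_BENIGN)]:
        print(name, scan(body))
```

The point of keeping both `visible_text` and `naive_text` is that the gap between them is itself the indicator: a filter that matches on the naive string never sees "account" or "Verify", while the user does. Likewise, the resolved link, not the raw `href`, is what a URL reputation check should be fed.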

Because Avanan is deployed after Microsoft and Google security and focuses on what they miss, our analysts have repeatedly been the first to uncover new attacks, which we publish as Attack Briefs after responsibly disclosing them to the affected vendors. The details of many of these attacks (including baseStriker and zeroFont), often quoted in the press, first appeared on the Avanan blog.

3. Scanning Inbound, Outbound, and Internal Email to Identify Compromised Accounts

SEGs generally scan inbound email only. Outbound and internal filtering require additional configuration and are not guaranteed to be fully inline. Even when a SEG uses journaling rules to scan internal messages, most of the indicators its AI is trained on, such as the history of communication between sender and recipient, no longer apply when the sender is a compromised account: the history looks legitimate precisely because the account is real.

Avanan, however, installs as an app in Office 365 to scan all email, including internal and outbound. In addition, Avanan has a specialized AI model for internal traffic, with indicators relevant to an attack that originates inside the organization. When attackers take over internal accounts to send malicious content to partners, customers, and other employees, Avanan identifies those emails as phishing and blocks them.

The Only API-Based Security that is Inline

Pioneered by the Avanan team, the API approach to cloud email security is gaining popularity. Recently, industry analyst firms such as Gartner have begun to advocate API-based solutions as a superior approach to securing email.

In its research, Gartner distinguishes API methods from the SEG approach, suggesting that “Non-gateway solutions that integrate with the SaaS server/service [via API] are in a better position to detect communication anomalies, as well as to protect internal email…” (Gartner clients can download the full document, “How to Build an Effective Email Security Architecture”.)

All other API-based email security vendors offer post-delivery protection only: the message is scanned after it has already arrived in the inbox. Because they do not scan inline, users protected by those products remain exposed to threats sitting in the inbox that have not yet been scanned.

Avanan is the only API-based email security solution that scans email entirely inline: a message never reaches the end user's inbox, or leaves the organization, until the Avanan security stack has cleared it. The same API-based architecture lets Avanan deploy in minutes, even in the largest organizations with complex infrastructure.

Reinventing Email Security

Avanan provides the best anti-phishing solution for cloud email because it is focused on catching the attacks that the built-in security tools miss. By scanning after every other existing security layer, Avanan continuously learns new attacker techniques, turns them into indicators that incriminate future attacks, and trains its AI specifically on the attacks that actually get through.

Conventional SEGs lack the specialized algorithms required to secure cloud-based email effectively. Other API-based solutions cannot deploy inline, which is a must-have for truly preventing attacks from reaching end users' inboxes.

Avanan is the only solution that is built specifically for cloud email, leverages the cloud email API, and secures email before it reaches end users.