During our analysis of an advanced phishing attack last week, I was reminded why it is so important to scan every email—inbound, outbound and internal.
There was a time in which you could imagine a perimeter around your organization and assume that all the risk, such as Gmail exploits, Office 365 email security attacks including malware, ransomware, and phishing, came from outside. For email, this meant you would scan all incoming messages for threats and all outgoing messages for data leaks. Today, you must protect each inbox individually, while also treating it as a potential threat.
Today, we must adopt a Zero-Trust data architecture which eliminates the perimeter and is built on the assumption that at least one of your accounts is compromised. Zero-Trust Email Protection means you must protect inbound, outbound and internal email with the same level of security. What does this mean, though, in the world of SaaS-based email? How can you protect your users when you don't own the servers?
First, we must remind ourselves that the inbound threat is very real and incredibly prolific. In our labs, we see zero-day malware that was specifically designed to bypass certain types of security—for example, a virus that is written in a format that is missed by signature-based defenses or can tell when it has been opened within a sandbox to keep itself hidden. This is why we always recommend a multi-layered defense that includes at least three different detection technologies.
Both Office 365 and Gmail offer signature-based scanning by default, and last year Microsoft began offering its Advanced Threat Protection as an additional feature. While these are worthwhile layers, they are not enough. Because email is still the number one cause of corporate breaches, adding layers of defense to your email provide is the most important investment you can make.
The Zero-Trust model of security means that we must assume that at least one of your email accounts has been compromised. Our analysis of a recent phishing scheme demonstrated why. In short, the attack would use a compromised account within one organization to send well-crafted phishing links to specific contacts, taking advantage of the inherent trust that is developed between users that have previously exchanged email. Not only is the victim more likely to open and click on the email, all the security tools along the way will have lowered their defenses. For example, Microsoft’s Exchange Online Protection will never see the attack because it meets all the criteria for legitimate mail:
You don’t want to be this guy:
It is your responsibility to your clients and partners to protect them from your compromised users. Even if you don’t own up to the hack like this administrator (who should be commended for identifying and responding appropriately), your Internet reputation is still at risk.
One bad actor in your company, one compromised accout, could result in all of your outbound email being sent from an IP marked as suspicious or even blacklisted by some recipients. This is especially true when using SaaS-based email. For example, Microsoft maintains its own email reputation by moving risky accounts into a special High Risk Delivery Pool (HRDP) of servers. This means your company's email will be sent from an IP that represents the worst email offenders.
The Zero-Trust model assumes that at least one of your email accounts is compromised. If you are only monitoring inbound and outbound email, you are blind to the threat. This is one of the reasons we recommend against the MTA model of email scanning. The ‘CFO/CEO’ spoofing attack is much easier to accomplish if you are sending from an internal account and most people will not hesitate to click on a file from a known colleague.
It is possible to achieve 100% email monitoring when you own the server, but how do you monitor inbound, outbound AND internal email when you are using Office 365 or Gmail? While moving to the cloud makes it possible to pass responsibility to a SaaS provider, it does not pass on the liability.
There was a time when you were entirely dependent upon the email provider. Their security was your security. Today, however, it is possible to add additional layers beyond the default.
When looking for email protection, you should be sure that you address all the possible vectors of attack—inbound, outbound and internal.
Read more about the phishing attack that sent phishing emails from a compromised account. It harvested credentials and spread via trusted email contacts.