SEGs Haven’t Stopping Phishing, So Email Isolation is Next, Hold On

Users of a Secure Email Gateway (SEG) are protected from most phishing, yet emails with malicious URLs still get through. To address the issue, SEG vendors have added isolation technologies to their security stacks. It is often marketed as email isolation, not to be confused with email URL rewriting, but more on that later.

Before we get into the details of this technology and its promises, let’s dive into the pre-isolation world first. When inbound emails are received by a SEG solution, it extracts the URL from the email body and attachment on behalf of its customer. This URL is checked against the vendor’s phishing database, and if the URL is listed, the inbound emails are quarantined or deleted. This approach works well against phishing emails sent en masse but not as effective against spear phishing attacks, as the URL is unlikely listed in its database until it’s too late. To combat this risk, SEG vendors introduced email URL rewriting solutions to their respective Advanced Threat Protection (ATP) offerings. With email URL rewriting, the URL in an email is rewritten before it is delivered to the recipient. When the recipient clicks on the rewritten URL, a browser request is sent to the vendor’s cloud phishing database. If the URL is known as malicious, it’s blocked; otherwise, the user is redirected to the original webpage. In essence, email URL rewriting solutions buys SEG vendors additional time to update their database with the latest phishing URLs.

Email URL rewriting is not bulletproof as it stops a user request to the webpage only if the URL is known to be bad. There is a whole sea of grey or unknown URLs between bad and good URLs, such as URLs using recently registered domains. These domains lack any reputations since they were newly registered, and they can be completely benign or have malicious intent. You cannot block emails containing unknown URLs as this leads to over-blocking, which will result in business disruptions and anger end users. This is where email isolation comes into the picture. It promises to protect the user against the dangers associated with unknown URLs without the risks of over-blocking.

Let’s look at how email isolation works. The inbound email with the unknown URL is delivered to the user. When a user clicks on the unknown URL in an email, the service executes the web session remotely on an isolation platform. It renders the webpage in read-only mode, which prevents the submission of sensitive data. If the webpage is a credential-stealing site, the user is protected since they cannot enter their username and passwords. If the webpage is benign, the user can still access the website, preventing any business disruption. In theory, this solution is a silver bullet to counter credential-stealing attacks, but that is not the case at all.

Here are a few examples:

  • Users are often given the option to opt out of isolation as a necessity because users need the ability to submit information on webpage.  Remember, benign webpages in the unknown category are isolated along with webpages with malicious intent.  So, you are relying on the user to differentiate between a company’s real webpage vs. a credential stealing attack

Can you tell that this phishing page impersonating Outlook?

 

  • Isolation doesn’t protect users from credential stealing webpages hosted on legitimate hosting infrastructures like SharePoint or collaboration services like Box, OneDrive, etc.  Email isolation still relies on URL risk scores to determine if a webpage should be isolated.  Services like those mentioned will have a neutral or positive risk score and therefore will unlikely be isolated.  The same is true with credential stealing web pages hosted on legitimate servers compromised by attackers.

In addition to the gaps mentioned above, isolation introduces noticeable latency which creates user friction.  When a webpage is isolated, you are no longer accessing the webpage directly.  The webpage is downloaded and rendered in an isolation container within your SEG providers co-location.  The rendered information is then presented to your web browser.  This process is resource intensive and introduces enough latency that forces users simply opt out of isolation to avoid slowing browsing experience.

For most who have layered in email isolation into their security stack to augment their SEG deficiencies, they might have added one marginally effective solution to cover for the other. In fact, trying to stop credential stealing and all other phishing threats with isolation technology is masking the real problem, the threat intelligence. Threat detection technology using domain reputation and block list to determine if a URL is malicious is not enough. It is ineffective against fast-moving phishing attacks and threats on legitimate infrastructure—a growing trend for cybercriminals.

Choosing technology that can stay ahead of the trends will keep your users safe.  SlashNext solutions help close the gaps found in SEG solutions and extend protection to less well-defended attack vectors such as personal email, social media, and collaboration platforms.

SlashNext is exclusively focused on phishing defense for business, delivered through real-time, end-to-end phishing defense services for users from anywhere – mobile, browser, or network. Powered by SlashNext’s AI phishing defense cloud (which performs dynamic, run-time analysis on billions of URLs daily through virtual browsers, machine learning. To see how SlashNext, the number one authority in phishing, can protect your workforce from the growing number of sophisticated phishing threats try it free today.


*** This is a Security Bloggers Network syndicated blog from SlashNext authored by Jimmy Lin | SlashNext Threat Lab. Read the original post at: https://www.slashnext.com/blog/segs-havent-stopping-phishing-so-email-isolation-is-next-hold-on/