Old Habits, New Threats: Why More Phishing Attacks are Bypassing Outdated Perimeter Detection
Perimeter solutions such as secure email gateways (SEGs) have long been a cornerstone of email security, historically serving as the primary line of defense against malicious emails entering an organization. Using legacy techniques such as signature-based and reputation-based detection, SEGs provide pre-delivery intervention by quarantining malicious messages before they reach the end recipient.
Why, then, are 91% of cybersecurity leaders frustrated with their SEGs, and 87% considering a replacement?
Among many other concerns, such as overlapping functionality with Microsoft 365 and the administrative burden of complex, manually maintained rules, one of the key reasons for this shift in attitude is efficacy. As the threat landscape evolves, cybercriminals are finding ways to bypass SEG detection technology, and the burden of maintaining legacy technology slows SEG vendors' ability to innovate. In the first three months of 2024, we identified a 52.2% increase in the number of attacks that bypassed SEG detection.
Signature-Based Detection
One key detection mechanism used by SEG technology is signature-based detection, which can be effective against ‘known bad’, such as malicious payloads, sending domains and hyperlinks that have previously been identified and are present in definition libraries.
While this can be efficient at filtering out frequent attacks and spam, the requirement that the threat already be 'known' dramatically reduces its efficacy against zero-day attacks, socially engineered phishing emails without a traditional payload, and any hyperlink or domain that is polymorphic. This is especially concerning now that AI and publicly available chatbots allow cybercriminals to churn out new payloads at scale, none of which appear on any blocklist.
Obfuscation
Several phishing techniques and payload types can easily bypass signature-based detection. Obfuscation is a key tactic used by cybercriminals to mask malicious payloads from signature-based detection. In the first three months of 2024, 24.9% of attacks that employed technical measures to bypass detection abused a legitimate hyperlink: hosting the malicious payload on a legitimate site (such as a file-sharing service) or routing through a legitimate website's link, for example an open redirect, so that the URL a scanner sees belongs to a trusted domain rather than the ultimate destination. Additionally, 19.6% of attacks concealed hyperlinks to phishing websites within image-based attachments, where there is no text URL to extract, and 16.2% used HTML smuggling, where an encoded malicious file is embedded in an HTML attachment and reassembled by JavaScript in the recipient's browser, so no recognizable binary ever crosses the gateway.
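HTML smuggling is the most mechanical of the three techniques, so it is also the easiest to check for once the attachment is opened rather than just hashed. The following Python script is an added example, not code from the original article or from any vendor product: it pulls the `<script>` content out of an HTML attachment, looks for the browser APIs used to rebuild a file client-side (`atob`, `Uint8Array`, `Blob`, `createObjectURL`, `download`), decodes any long base64 literal it finds, and classifies the decoded bytes by magic number. The sample attachment, the fake ZIP payload and the API/magic lists are constructed for this example and are deliberately small.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed sample: a tiny fake ZIP (PK header plus filler) built for this
# example. It is not a real archive and not malicious.
FAKE_ZIP = b"PK\x03\x04" + b"\x00" * 40 + b"invoice.pdf.exe"

# Constructed sample of a smuggling HTML attachment: the file is carried as a
# base64 string and rebuilt client-side with Blob/createObjectURL.
SMUGGLED_HTML = f"""<html><body>
<p>Your document is loading...</p>
<script>
var data = "{base64.b64encode(FAKE_ZIP).decode()}";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Invoice_2024.zip";
a.click();
</script>
</body></html>"""

BENIGN_HTML = "<html><body><h1>Hello</h1><a href='https://example.com'>site</a></body></html>"

# Browser APIs commonly used to reassemble a file from inline data (assumed list).
SMUGGLING_APIS = ("atob(", "Uint8Array", "new Blob(", "createObjectURL",
                  ".download", "msSaveOrOpenBlob")
# Quoted base64-looking literals of at least 48 characters.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{48,}={0,2})["\']')
# Magic bytes of payload types commonly smuggled this way.
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe-executable",
         b"%PDF": "pdf", b"\xd0\xcf\x11\xe0": "ole-office"}


class ScriptExtractor(HTMLParser):
    """Collects the text content of every <script> element."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data


def identify_payload(blob):
    """Classify decoded bytes by their leading magic, 'unknown' otherwise."""
    for magic, kind in MAGIC.items():
        if blob.startswith(magic):
            return kind
    return "unknown"


def scan_html_attachment(html):
    """Return the smuggling indicators found in one HTML attachment."""
    extractor = ScriptExtractor()
    extractor.feed(html)
    script_text = "\n".join(extractor.scripts)
    apis = [api for api in SMUGGLING_APIS if api in script_text]

    payloads = []
    for match in B64_LITERAL.finditer(html):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # not valid base64 after all
            continue
        payloads.append({"size": len(raw), "type": identify_payload(raw)})

    # Verdict: a file-building API together with an embedded blob whose
    # decoded bytes look like a file type that should never arrive this way.
    suspicious = bool(apis) and any(p["type"] != "unknown" for p in payloads)
    return {"apis": apis, "payloads": payloads, "suspicious": suspicious}
```

The point of decoding the blob rather than just matching on `atob` is that the gateway then has the real file to run its existing attachment checks against; a signature engine that only hashes the outer `.html` attachment will never see it. Real attacks also split, reverse or XOR the string before decoding, so in practice this check is a first pass that should be followed by executing the script in a sandboxed browser.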
Social Engineering
The key to signature detection is the presence of some form of 'known bad', so what happens when the attack doesn't include any payload at all, neither an attachment nor a hyperlink?
Cybercriminals are increasingly using open-source intelligence (OSINT) to craft convincing phishing emails that impersonate trusted stakeholders in a business or supply chain. These attacks rely on social engineering techniques to trick the recipient into performing actions such as divulging personal information or changing financial details, without requiring them to click on a traditional phishing hyperlink.
Therefore, without any payload, purely linguistic, socially engineered attacks are highly likely to bypass signature detection. This is especially true if the attack is sent from a domain not on any blocklist, such as a legitimate but compromised account or an attacker-registered lookalike domain with SPF, DKIM and DMARC correctly configured.
Polymorphic Attacks
In 2024, our threat intelligence team has seen campaigns in which cybercriminals use polymorphic subdomains, varying the subdomain of the sending address so that every phishing email arrives from a host name that has never been seen before. Blocking each reported sender address is futile, because a new subdomain takes the place of every one that is reported; the only durable block is at the level of the registrable parent domain.
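The defensive counterpart to polymorphic subdomains is to stop counting host names and start counting registrable domains. The Python below is an added example, not the article's or any product's code: it parses `From:` headers, reduces each sending host to its registrable domain, and reports any domain that has appeared under an unusually large number of distinct subdomains. The multi-label suffix table is a stand-in for the Public Suffix List (a real deployment would use a library such as `tldextract`), and the sample headers and the `invoice-portal-example.com` attacker domain are constructed for this example.

```python
from collections import defaultdict
from email.utils import parseaddr

# Suffixes under which a registrable domain needs three labels. Assumption
# for this example; production code should use the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Reduce a sending host name to the domain an organization can block."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def cluster_senders(from_headers):
    """Group sending hosts by registrable domain: {domain: {host, ...}}."""
    clusters = defaultdict(set)
    for header in from_headers:
        _, addr = parseaddr(header)
        if "@" not in addr:
            continue  # malformed or empty From: value
        host = addr.rsplit("@", 1)[1]
        clusters[registrable_domain(host)].add(host)
    return clusters


def polymorphic_domains(from_headers, min_subdomains=3):
    """Registrable domains seen under at least min_subdomains distinct hosts.

    Each flagged domain is a single block-list entry that covers every
    subdomain the campaign will rotate through next.
    """
    clusters = cluster_senders(from_headers)
    return sorted(d for d, hosts in clusters.items() if len(hosts) >= min_subdomains)


# Constructed sample From: headers. The first four are one campaign rotating
# random subdomains of an attacker-owned domain; the rest are ordinary senders.
SAMPLE_FROM = [
    "Accounts <billing@k3x9.invoice-portal-example.com>",
    "Accounts <billing@q7m2.invoice-portal-example.com>",
    "Accounts <billing@z1p4.invoice-portal-example.com>",
    "Accounts <billing@a8r6.invoice-portal-example.com>",
    "Alice <alice@partner.example.co.uk>",
    "Bob <bob@mail.partner.example.co.uk>",
    "Newsletter <news@example.org>",
]
```

The threshold is deliberately a parameter: large organizations legitimately send from several subdomains (`mail.`, `bounce.`, regional hosts), so the signal is many never-seen-before subdomains in a short window, not merely more than one. Pairing this with domain age (a registrable domain created days ago and already sprouting subdomains) sharpens it considerably.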
Reputation-Based Detection
Similar to the concept of 'known bad' in signature-based detection, SEG technology also uses reputation-based detection to identify traffic from previously identified malicious domains. To do this it looks at pre-defined blocklists, the age of the domain, and authentication checks such as SPF, DKIM and DMARC. It is worth being precise about what authentication proves: a passing SPF, DKIM and DMARC result shows that the message genuinely came from the domain in the From: header, not that the domain is trustworthy. By combining source, age and verification, reputation-based detection should be able to flag a malicious sender.
Some perimeter technologies also employ social graph checks to determine pre-existing relationships between accounts: if two people have communicated over email before, the sender's address is deemed 'safe'.
But as with most legacy technologies, cybercriminals have found workarounds to successfully deliver attacks into a recipient’s inbox.
Lookalike Email Domains
Another tactic we have seen in 2024 is the lookalike email domain. Unlike a direct spoof of the impersonated domain, a lookalike domain differs from it by a few subtly altered characters (a digit in place of a letter, a transposed pair, an extra hyphen) and is registered by the attacker, who can therefore publish valid SPF, DKIM and DMARC records for it. Our Threat Intelligence team suspects that the ease of setting up authentication contributed to 68.4% of the attacks that bypassed SEG detection in the first three months of 2024 passing all verification checks.
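The two preceding points, that authentication only proves domain ownership and that lookalike domains are authenticated by their owner, are best seen together. The Python below is an added example, not the article's or any product's code. It parses the `spf=`, `dkim=` and `dmarc=` results out of an `Authentication-Results` header (RFC 8601), and separately normalizes the From: domain (folding digit-for-letter and `rn`/`m` style substitutions) and measures its edit distance from a list of domains the organization actually trusts. A message can therefore come back as both `authenticated` and `lookalike`. The trusted-domain list, the homoglyph table, the `acme-supp1ier.example` attacker domain and the sample header are constructed for this example.

```python
import re
import unicodedata

# Domains the organization actually exchanges mail with. Assumption for
# this example; a real deployment would feed in its supplier list.
TRUSTED_DOMAINS = {"acme-supplier.example", "acme-corp.example"}

# Visually confusable ASCII substitutions; a small subset for illustration.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})

# Method and result tokens of an Authentication-Results header (RFC 8601).
AUTH_RESULT = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|neutral|none|temperror|permerror)\b", re.I)


def parse_auth_results(header):
    """Return {method: result} for spf/dkim/dmarc from an Authentication-Results value."""
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RESULT.finditer(header)}


def normalize(domain):
    """Fold a domain into a comparison form that erases common look-alike tricks.

    Non-Latin letters (e.g. a Cyrillic 'a') are dropped, which leaves a string
    one edit away from the real domain, so the distance check still catches them.
    Both sides of every comparison are normalized the same way.
    """
    ascii_only = (unicodedata.normalize("NFKD", domain.lower())
                  .encode("ascii", "ignore").decode())
    return ascii_only.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_addr, auth_header, max_distance=2):
    """Combine authentication status with a lookalike check against trusted domains."""
    domain = from_addr.rsplit("@", 1)[1].lower()
    auth = parse_auth_results(auth_header)
    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    result = {"domain": domain, "auth": auth, "authenticated": authenticated}
    if domain in TRUSTED_DOMAINS:
        result.update(verdict="trusted", closest=domain, distance=0)
        return result
    norm = normalize(domain)
    closest = min(TRUSTED_DOMAINS, key=lambda t: edit_distance(norm, normalize(t)))
    distance = edit_distance(norm, normalize(closest))
    # Passing authentication does not rescue a lookalike: the attacker owns the domain.
    result.update(closest=closest, distance=distance,
                  verdict="lookalike" if distance <= max_distance else "unknown")
    return result


# Constructed sample header for a message from an attacker-registered
# lookalike of acme-supplier.example (digit 1 in place of the letter l).
# The attacker controls the domain, so every authentication check passes.
SAMPLE_AUTH = ("mx.example.net; spf=pass smtp.mailfrom=acme-supp1ier.example; "
               "dkim=pass header.d=acme-supp1ier.example; "
               "dmarc=pass header.from=acme-supp1ier.example")
```

Calling `assess_sender("payments@acme-supp1ier.example", SAMPLE_AUTH)` returns `authenticated` set to `True` and `verdict` set to `lookalike` with a normalized distance of 0, which is exactly the combination a reputation engine keyed on authentication results gets wrong. The edit-distance threshold needs tuning against the organization's own trusted list: with very short domains a distance of 2 will match unrelated legitimate senders, so treat the verdict as a reason to escalate rather than an automatic block.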
Legitimate But Compromised Accounts
In 2024, nearly half (48.3%) of the attacks that bypassed an SEG were sent from legitimate but compromised accounts. Whether the account belongs to the target's own business, its supply chain, or a third party with no link to the organization at all, a compromised account is highly likely to bypass reputation-based technology: the sending domain has no malicious history, is not newly registered, and passes SPF, DKIM and DMARC because the mail genuinely originates from it.
If the attack originates from within the recipient's supply chain, compromised accounts also bypass any type of social graph detection, as there will be a pre-existing and therefore 'safe' relationship between the two accounts.
An Attack in Action: An Example of the 'Perfect' Phishing Email to Bypass SEG Technology
Below, our threat intelligence team has put together the ‘perfect’ attack to bypass legacy technology. Whilst other psychological factors come into play, we have focused on three key reasons why it would bypass reputation and signature-based detection.
- This phishing email has come from a legitimate but compromised account in the recipient’s supply chain meaning that the email will pass all authentication checks.
- The cybercriminal has hijacked an email chain, meaning there is a pre-existing relationship between the sender and recipient. Consequently, this would pass any social graph checks.
- The attack is purely linguistic, with no attachment or hyperlink, meaning there is no payload for signature-based detection technology to scan.
Adapting to the New Era of Phishing Attacks
As cybercriminals evolve their strategies, the limitations of legacy SEGs become more apparent. The rise in sophisticated phishing threats such as polymorphic attacks, social engineering tactics, and the use of compromised accounts has highlighted significant gaps in perimeter technology, leading to a notable increase in bypassed attacks.
To counter these threats, organizations should consider transitioning to integrated cloud email security (ICES) solutions. By using AI-powered, behavioral detection and adopting a zero-trust approach to every sender, including authenticated and previously known ones, these solutions are better placed to detect the attacks that carry no known-bad indicator: a compromised legitimate sender, a newly registered lookalike domain, or a purely linguistic request for a payment change.