Frustrating, isn’t it?
No matter how much you tweak your spam filters or scan every attachment, a few phishing emails always slip through to your users’ inboxes. You might wonder: is it something you’re doing wrong?
Most likely, it’s not. As we’ve discussed before, there’s more to why users fall for phishing scams than simple mistakes. Even with strong security controls, a small percentage of phishing emails will inevitably reach inboxes.
Consider this: research shows that at a company with 5,000 employees, users collectively receive roughly 14,400 malicious emails each year. And these numbers are expected to rise, as phishing continues to deliver high returns for threat actors.
But the story isn’t just about the numbers…
(Some) Threat Actors are Smart
Now you would think that with so many security experts and vendors chasing the perfect spam filter, we wouldn’t have to worry about phishing anymore.
But here’s the thing.
The cyber crime industry is huge, and threat actors can make big money. That’s an incentive to get really good at what they do, wouldn’t you say?
And it turns out there are plenty of ways to fool spam filters.
For instance, even fairly low-level threat actors can effectively ‘spoof’ an email address, meaning that they can make their phishing emails appear to come from someone else. And we’re not just talking about changing the display name attached to their account; with a small amount of effort they can make the email look extremely convincing.
Specifically, open-source libraries such as PHPMailer let a sender type in arbitrary ‘To’ and ‘From’ addresses, because the ‘From’ header is just text chosen by whoever builds the message. Once the email is delivered, the recipient sees a message that looks very much as though it came from the account listed in the ‘From’ field, regardless of the server or account that actually sent it.
Pretty easy, right?
Of course these types of emails can be blocked by your spam filter, because they will typically fail the standard sender-authentication checks (SPF, DKIM and DMARC): the domain in the visible ‘From’ header does not line up with the domain that was actually authenticated. But unless the person configuring the filter really knows what they’re doing, and actually enforces those checks rather than just logging them, there’s a good chance these emails will make it through.
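To make the alignment point concrete, here is a small added example (not code from the original article) of the check a receiving filter performs. It parses the Authentication-Results header a receiving mail server would add, and tests DMARC-style alignment: the domain in the visible From: header must match either the SPF-authenticated envelope-sender domain or the DKIM signing domain. The three sample messages, their headers and the domains (example.com, bulk.attacker.test) are constructed for illustration; the organizational-domain helper is a simplification and does not consult the Public Suffix List.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample 1: visible From: claims the target's domain, but the
# envelope sender is an attacker-controlled domain. SPF *passes* (the
# attacker's own domain authorises the sending host), yet it is not aligned.
SPOOFED = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bulk.attacker.test; dkim=none
Return-Path: <bounce@bulk.attacker.test>
From: "CEO" <ceo@example.com>
To: finance@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Constructed sample 2: genuinely sent from example.com, SPF and DKIM aligned.
LEGIT = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Return-Path: <ceo@example.com>
From: "CEO" <ceo@example.com>
To: finance@example.com
Subject: Q3 numbers

Attached.
"""

# Constructed sample 3: sent via a subdomain mail host. Aligned only under
# DMARC's "relaxed" mode, which compares organisational domains.
SUBDOMAIN = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail.example.com; dkim=none
Return-Path: <bounce@mail.example.com>
From: "CEO" <ceo@example.com>
To: finance@example.com
Subject: Board pack

See attached.
"""


def org_domain(domain):
    """Naive organisational domain: keep the last two labels.
    Real implementations use the Public Suffix List (co.uk etc.)."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def parse_auth_results(value):
    """Parse 'authserv-id; method=result prop=val ...; ...' into a dict."""
    results = {}
    for clause in value.split(";")[1:]:  # clause 0 is the authserv-id
        clause = clause.strip()
        m = re.match(r"(\w+)=(\w+)(.*)", clause)
        if not m:
            continue
        method, result, rest = m.groups()
        props = dict(re.findall(r"(\S+?)=(\S+)", rest))
        results[method] = (result, props)
    return results


def dmarc_alignment(raw, relaxed=True):
    """Return alignment verdicts for the RFC 5322 From: domain.
    A missing Authentication-Results header yields an all-False verdict."""
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    norm = org_domain if relaxed else (lambda d: d.lower())

    spf_aligned = dkim_aligned = False
    if "spf" in ar:
        result, props = ar["spf"]
        spf_aligned = (result == "pass"
                       and norm(props.get("smtp.mailfrom", "")) == norm(from_domain))
    if "dkim" in ar:
        result, props = ar["dkim"]
        dkim_aligned = (result == "pass"
                        and norm(props.get("header.d", "")) == norm(from_domain))
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("legit", LEGIT), ("subdomain", SUBDOMAIN)):
        print(name, dmarc_alignment(sample))
```

The spoofed message is the instructive case: SPF reports `pass`, so a filter that only asks "did SPF pass?" lets it through; only the alignment step, which compares that authenticated domain with the visible From: domain, catches the forgery. That is the difference between merely evaluating the checks and actually enforcing them.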
Unfortunately, it gets worse. Threat actors have other techniques open to them that are just as difficult to spot, and often don’t fail those checks.
For instance, threat actors often hijack mail servers and use them until the provider cottons on to their game. At that point, they’ll simply hijack a different mail server and keep on keeping on.
Or how about hijacking home computers?
No doubt at some point you’ve received an extremely dubious email from a close friend or relative. This usually happens because they’ve opened a malicious attachment or URL, a threat actor has taken control of their PC, and the threat actor has then used the victim’s email account to send phishing emails to their entire address book.
Most of the time these emails are obvious, and aren’t much to be concerned about. But this technique can be used by more experienced threat actors to send highly convincing spear phishing emails, particularly since they can use the victim’s own sent emails to inform the tone/content of their campaign.
Do any of your users log in from home, or occasionally email the office from their home accounts? That’s going to be difficult to catch if their home PC is compromised, right?
And that’s still not the extent of the problem.
By far the simplest way for threat actors to send convincing emails is to use throw-away email domains, free email addresses, and ISP access accounts, all with fake, forged, or stolen IDs. Once again, even when the provider catches on, all they have to do is move to a new account.
All these techniques combined are a nightmare for administrators trying to protect their users from phishing.
Tactics and Content Change Constantly
If you learned anything from the last point, let it be that threat actors have lots of options.
Content and subject line filtering are two more tools in the network administrator’s kit for blocking phishing emails, but threat actors have taken to switching up their tactics constantly. They aim for as little consistency as possible, varying the length, format, and content of both subject lines and email bodies from one campaign to the next.
Some even make use of filter-evading scripts, which automatically randomize the subject lines, source addresses, and source domains of their emails, making it much harder for spam filters to identify bulk emails.
And, of course, hackers have a wide range of tactics at their disposal. From malicious URLs and attachments to pure social engineering attacks such as business email compromise (BEC), they’ll try everything in the book to get past your filters.
Don’t forget, the financial incentive is there, and they can make a lot of money from figuring out how to game the system.
But in the end, it boils down to this: How can you expect to filter an email that comes from a legitimate domain, has a plausible subject line, and doesn’t obviously contain malicious attachments?
If it looks like a duck, swims like a duck, and quacks like a duck, your spam filter will almost certainly treat it like a duck, and not a malicious phishing attack.
Get With the Program
Technical security controls are the backbone of a strong defense and help keep your threat profile low.
But no system is foolproof, and anyone who claims otherwise is fooling themselves. Some phishing emails will inevitably reach your users’ inboxes, and the key is knowing how to respond.
By delivering the right training and ongoing reinforcement, you can transform users from a potential liability into your strongest line of defense against threat actors.
Rather than obsessing over the last fraction of phishing emails that slip through your filters, focus on strengthening your human firewall.