Defending Your Email Infrastructure

Email is an incredible tool for businesses, but it’s also an equally incredible tool for threat actors, consistently remaining the most popular attack vector for hackers looking to gain access to an organization. And it’s not hard to see why.

When planning an attack, the decisive question for a hacker is, “Will it be easier to manipulate a human or a machine?” The answer is so clear it’s like asking someone if they’d rather chop down a redwood with a nailfile or chainsaw.

Unlike machines, people are more easily manipulated, and they can be convinced something is legitimate without much effort by the hacker. In contrast, attacking a machine is time-consuming, and a threat actor needs to have the right skill set and industry knowledge to find and exploit network or software vulnerabilities. If there’s an easy way to achieve a goal, why would anyone, especially a criminal, opt for a harder one?

The Prevalence of Phishing Attacks

Although the stats are enough to make any organization reconsider its use of email, businesses can’t afford to give up email no matter how pervasive attacks are.

  • Since March 2020, more than 80% of companies across the globe have witnessed an increase in email phishing attacks, according to a recent Ironscales survey.
  • An APWG report found that Q2 of 2022 was the worst quarter yet for phishing attacks, with 1,270,883 observed.
  • IBM noted that Business Email Compromise (BEC), a type of phishing attack, is the most expensive cause of data breaches, costing, on average, $5.01 million per breach. General phishing attacks came in second, costing organizations $4.65 million on average.

Phishing: Man vs. Machine

Today’s phishing attacks are incredibly effective because hackers have homed in on how to mislead humans and exploit their emotions. The one-two combination punch starts out by impersonating a reputable brand such as Microsoft, Amazon, or Zoom, luring recipients into a false sense of security.

The second blow comes from keywords that elicit fear, curiosity, or urgency, including ‘attention,’ ‘important,’ ‘security alert,’ or ‘action needed.’ Whether out of carelessness or panic, recipients rush to action, clicking links, downloading attachments, or sharing sensitive data.

Since machines aren’t sentient, there’s no way to use the same emotionally charged scam. To exploit a machine, hackers must have programming skills or be well-versed in network protocols, operating systems, or security tools.

Humans and email systems will continue to remain soft targets unless organizations take the proper and necessary steps.

Prevention 101: Basic Ways To Secure Emails

Beyond raising awareness and educating employees about best practices, organizations can implement a few simple policies that provide a basic layer of security. Some common options include:

  • Multifactor Authentication (MFA): MFA makes it more difficult for hackers to access email accounts. Even if they do obtain a user’s password, they won’t be able to access the account without the second factor.
  • Password Renewal Policies: These policies require employees to change passwords regularly, such as every 90 days. Without this policy in place, threat actors may have extended, undetected access to email accounts.
  • Complex Passwords: Password complexity rules make it harder to guess passwords. Guidelines can include minimum lengths, combinations of upper and lower cases, numbers, and symbols, excluding common words, and eliminating password reuse.

Advanced Email Security Solutions

Once essential solutions have been instituted, it’s time to get serious about protection. Given the stakes, more proactive solutions shouldn’t be ignored. As part of a broad security strategy, organizations should consider the following:

User and Entity Behavior Analytics (UEBA): UEBA solutions use machine learning algorithms to collect and analyze data from various sources, such as log files and network traffic, creating a baseline of typical behaviors for each employee. The established baselines can then be used to detect inconsistent behavior, which can indicate a threat.

For example, UEBA can detect user logins from unusual locations or attempts to access sensitive files outside of typical working hours. It can also identify suspicious email activity, such as a user sending many emails to external recipients or opening suspicious email attachments.

Analyzing Auditing Data: Most email services, such as Outlook and Gmail, provide auditing data, including login information, country, operating system, and web browser details. Teams can then monitor and analyze the data to detect login anomalies.

Companies should look for login attempts from unfamiliar countries, browsers, or operating systems, which can indicate a compromised account. From there, security teams can investigate further, block access, reset passwords, or mitigate any threats.
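As an added example (not CYREBRO’s code), the following Python builds a per-user baseline from constructed audit records of the kind described above (user, timestamp, country, OS, browser), then flags later logins whose attributes are new for that user or fall outside an assumed 07:00–19:59 working window, escalating logins with several deviations at once in the way a SIEM correlation rule would.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records (not real data), in the shape a mail
# service's sign-in log might export. ISO timestamps are UTC.
AUDIT_LOG = [
    {"user": "alice", "ts": "2022-03-01T09:12:00", "country": "US", "os": "Windows", "browser": "Edge"},
    {"user": "alice", "ts": "2022-03-02T08:55:00", "country": "US", "os": "Windows", "browser": "Edge"},
    {"user": "alice", "ts": "2022-03-03T10:03:00", "country": "US", "os": "Windows", "browser": "Edge"},
    {"user": "alice", "ts": "2022-03-10T03:41:00", "country": "NG", "os": "Linux", "browser": "Firefox"},
    {"user": "bob", "ts": "2022-03-01T14:20:00", "country": "DE", "os": "macOS", "browser": "Safari"},
    {"user": "bob", "ts": "2022-03-02T15:05:00", "country": "DE", "os": "macOS", "browser": "Safari"},
    {"user": "bob", "ts": "2022-03-04T16:30:00", "country": "DE", "os": "macOS", "browser": "Chrome"},
]

WORK_HOURS = range(7, 20)  # assumed working window, 07:00-19:59
ATTRS = ("country", "os", "browser")

def build_baseline(records):
    """Per-user sets of seen countries, OSes, browsers and login hours."""
    base = defaultdict(lambda: {k: set() for k in ATTRS})
    for r in records:
        for k in ATTRS:
            base[r["user"]][k].add(r[k])
    return base

def score_login(record, baseline):
    """Return the deviations of one login from the user's baseline."""
    b = baseline.get(record["user"])
    if b is None:
        return ["first_seen_user"]
    flags = [k for k in ATTRS if record[k] not in b[k]]
    if datetime.fromisoformat(record["ts"]).hour not in WORK_HOURS:
        flags.append("off_hours")
    return flags

def detect_anomalies(records, cutoff):
    """Baseline from logins before `cutoff`; alert on later deviating logins.
    Two or more deviations in one login are escalated to high severity."""
    baseline = build_baseline(r for r in records if r["ts"] < cutoff)
    alerts = []
    for r in records:
        if r["ts"] < cutoff:
            continue
        flags = score_login(r, baseline)
        if flags:
            alerts.append({"user": r["user"], "ts": r["ts"], "flags": flags,
                           "severity": "high" if len(flags) >= 2 else "low"})
    return alerts

if __name__ == "__main__":
    for a in detect_anomalies(AUDIT_LOG, "2022-03-04T00:00:00"):
        print(a)
```

Bob’s new browser during working hours produces a low-severity alert worth a glance; Alice’s night-time login from a new country, OS and browser at once is the pattern that merits blocking access and resetting the password.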

Third-party SIEMs and SOCs: Achieving the most substantial level of email security and protection requires using a SIEM to collect, aggregate, and correlate data, including login data, creating a clearer picture of what anomalies might mean and triggering alerts for suspicious activity.

Then a SOC like CYREBRO, which can supplement SMB security teams, can investigate the data and alerts provided by the SIEM, connecting different pieces of information through correlation and aggregation and ultimately reducing the number of alerts and investigations. In turn, this creates a richer investigation that can be used to build an attack story, identify the origins of the threat, and mitigate it appropriately.

Security Centralization – A CYREBRO Case

Early in 2022, an employee at a company that uses CYREBRO’s SOC Platform received an email they felt was suspicious and, using CYREBRO’s phishing reporting feature, reported the email for further investigation. Through the platform, CYREBRO investigated the email, its contents, and its attributes to identify IOCs. Since CYREBRO was connected to the organization’s reporting systems, including Office365, Dcoya, and its EDR solution, CYREBRO could create a complete attack story and fully investigate the case.

After analyzing the email, CYREBRO analysts saw that malware was installed on the host from a link in the phishing email and used the client’s EDR system to gather additional logs revealing how the malware operated in the client’s organization. If the EDR hadn’t been connected, CYREBRO would not have been able to access the EDR’s logs and would have had a harder time identifying the file that was downloaded onto that machine or which other hosts were infected, prolonging the investigation.


Employees will always be a vulnerability. Email, as it stands, will continue to be one of the most ubiquitous attack vectors. Combining those inseparable facts underscores the importance of email security.

Threats are constantly lurking right outside of every business’s virtual gateway; it’s only a matter of time before one finds its way inside. That’s why it’s crucial (and almost non-negotiable) for every company to rely on monitoring and detection solutions that are capable of identifying threats before costly and irreparable damage can be done.