Mimecast’s latest quarterly email security risk assessment (ESRA) report finds user email inboxes are hit with tens of thousands of phishing and impersonation attacks, malware laden attachments, and malicious URLs.

Across almost 400,000 email users and more than 230 million emails over a span of approximately five years and eight months, researchers found “26,305,457 spam emails, 27,156 malware attachments, 55,190 impersonation attacks and 466,905 malicious URLs were all missed by incumbent providers and delivered to users’ inboxes, an overall false negative rate of 11% of inspected emails.”

Spam messages often include malware attachments such as ZBOT, CRILOCK, and DUNIHI. File types commonly used in targeted attacks (phishing or impersonation) include PDFs, DOCs, XLS, RTFs, JPEGs and ZIP files.

The SANS Internet Storm Center offers good and updated lists of malicious domains and URLs.

Given that phishing and impersonation attacks, malware laden attachments and malicious URLs are standard weapons in attackers’ arsenals, how is it that these types of attacks still get past email security systems in such large numbers?

Mimecast’s Matthew Gardiner

“Because email communications are so business-critical to many organizations, there is a risk of blocking too aggressively and getting more false-positives or not blocking aggressively enough and getting more false negatives. Striking this balance can be tricky,” said Matthew Gardiner, Mimecast cybersecurity expert.

“This is why, to keep up with attackers, email security systems must use a variety of analytic techniques, be curated by a team of security experts, and continuously monitor and adjust to the latest attacker tools and techniques. It is not a game of set-it and forget-it for security controls,” added Gardiner.

The MSSP Angle

The Mimecast report studied several incumbent email security providers, all of which – including Mimecast – are continuously working to improve email threat detection and mitigation. However, the most successful efforts combine user awareness training with technologies adept at detecting known and emerging threats.

MSSPs have long held the edge in providing both the training and the technological expertise required to successfully mitigate a growing and diverse set of email threats. Even so, selecting the right combination of technologies to protect clients is an art in itself.

“In our experience, when it comes to detecting malware in email attachments, there is no one perfect analytic technique; in fact, the best techniques vary over time and ultimately must be able to adapt as threats change,” says Gardiner.

“Because there is such a varied nature of malware, malware obfuscation techniques, malware generation toolkits and delivery systems, it follows that malware detection must leverage many techniques as well. We find that combining multiple AV engines, dangerous file type filtering, static file analysis, and behavioral sandboxing provides the benefits of multiple layers of detection within a single malware detection service,” Gardiner added.

While it’s common advice to layer protections, there’s no consensus on what technologies should be in each of the layers at any given time. For example, many organizations are unsure whether to keep their current cybersecurity investments in play, invest in entirely new programs and platforms, or rebuild security from scratch. MSSP assessments can be invaluable in answering those questions but also in plotting the underlying and crucial cybersecurity strategy.

In any case, email will remain a key vulnerability in most organizations for the foreseeable future.