Nearly all forms of Business Email Compromise (BEC) attacks are on the rise, according to the fourth edition of Microsoft Threat Intelligence Cyber Signals published last week. In the latest Microsoft research for phishing protection, Microsoft Threat Intelligence Digital Crimes Unit (DCU) detected and investigated 35 million BEC attempts between April 2022 and April 2023, or 156,000 attacks every day. The FBI Internet Crime Report 2022 also found that BEC attacks were responsible for over $2.7 billion in losses last year alone. Microsoft saw an increase in both the sophistication of attacks and the tactics used by adversaries in BEC attacks. Cybercrime-as-a-Service organizations enable advanced phishing techniques at scale for bad actors, allowing them to easily circumvent traditional detection methods like “impossible travel” flags and malicious URL detection.  According to the Microsoft Threat Intelligence Cyber Signals report, BEC attacks stand apart in the cybercrime industry for their emphasis on social engineering and the art of deception. The report goes on to explain that, rather than targeting software vulnerabilities, BEC attacks exploit the daily sea of email traffic to lure victims into providing financial information or taking action which unknowingly helps criminals perform fraudulent money transfers. 

Key Findings by Microsoft Threat Intelligence Digital Crimes Unit from April 2022 to April 2023:   35 million annual BEC attempts detected and investigated  156,000 daily BEC attempts detected and investigated   417,678 unique phishing URL takedowns   38% increase in Cybercrime-as-a-Service targeting business email [2019 – 2022]   BEC threat actors increasingly purchase credentials and local IP addresses from end-to-end Cybercrime-as-a-Service (CaaS) providers to evade traditional detection methods Top Targets for BEC Attacks:   Executives & Senior Leadership   Finance Teams & Management   HR Staff with access to employee records (i.e. Social Security numbers, Payroll, and other PII)   New employees less likely to verify unfamiliar requests via email Top Trends for BEC Attacks in 2023 (January to April)   LURE attacks (Legacy URL Reputation Evasion)   Payroll/Invoice attacks   Gift Card Requests   Business Information Requests Defending Against BEC Attacks – Microsoft’s Recommendations The Microsoft Threat Intelligence Cyber Signals report discusses many best practices that organizations can implement in the fight against BEC, but their recommendations can really be boiled down into two key initiatives:     Enhancing existing defenses through AI-based phishing protection    Training employees to better spot BEC attacks in real-time

Microsoft + Tessian – Better Together Tessian’s Complete Cloud Email Security Platform is an ICES solution that defends against advanced email threats, protects your most sensitive data from being lost via email, helps security teams respond to email security incidents faster and more efficiently, all while coaching end-users to drive better security decisions in real time. Organizations leveraging Microsoft’s native email security capabilities along with Tessian find the most complete cloud-based AI-driven email security coverage for defending against BEC attacks.  Aligning with the recommendations in the most recent Microsoft Threat Intelligence Cyber Signals report, Tessian enhances Microsoft’s native email security capabilities by leveraging behavioral based AI detection for more effective prevention against social engineering attacks. Tessian also offers customizable, bespoke in-the-moment security coaching that encourages end-users to take a step back and consider the potential risks and costs associated with successful BEC attacks.  To learn more about how organizations are pairing Microsoft + Tessian for the most complete email security protection, download our Tessian + Microsoft 365 Solution Guide.  

Tessian Complete Cloud Email Security Platform defends against inbound email threats, protects your most sensitive data from being lost via email, helps security teams respond to email security incidents faster and more efficiently, while coaching end-users to drive better security decisions When evaluating email security solutions, security professionals care about one thing over anything else: will this help us prevent more threats?  The irony is, security solutions themselves have become one of the main drivers as to why security teams aren’t preventing more threats in the first place. Legacy gateway solutions are time intensive, manual and inefficient – meaning security teams simply don’t have the time, tools or patience to effectively manage their email security posture. Security teams today often rely on rule-based prevention policies or end-user reporting to first identify email risk, and then use between 2-5 different security tools to perform investigation and remediation workflows. For every individual email threat, this process can take 30 minutes on average – and sometimes, more.  This means if an organization sees any more than 15 potential email threat alerts, one single security team member may lose a full day of work.

Between a backlog of end-user reported emails, attacks that have bypassed traditional controls and inefficient email response workflows, security teams spend too much time responding to advanced email threats. It can take days, due to archaic tooling and approval processes, for organizations to remove known malicious emails from an enterprise, exposing the company to extended risk.  In order to prevent more threats, security teams need a solution that will help them cut through the noise, enhance their risk detection, and increase their response efficiency. This is exactly why we’ve built Tessian Respond. 

Tessian Respond is the fastest solution for security teams to quickly identify and respond to email threats by offering threat hunting capabilities and the automated response to end-user reported emails. Tessian Respond makes it easy for security teams to quickly pivot between email security events and response workflows, to better understand the full scope of an attack and make an informed response decision based on the risk. 

Powerful search queries leveraging data and threat indicators from the entire Tessian platform – such as Subject, URLs, or even File Hash Values – now allow security teams to investigate if a single email alert is an isolated incident, or part of a broader attack campaign across the organization. End-user reported emails will be ingested from any existing report phish button and prioritized by highest risk using a combination of machine learning algorithms and customer defined policies. Tessian Respond automatically classifies end-user reported spam and false positives, which enables the security team to quickly focus their time on legitimate higher risk email threats.  The ability to quickly detect and identify email risk does not, however, completely solve the problem that security teams are dealing with today. In order to enable more prevention, security teams need the ability to remediate existing email threats… FAST. Tessian Respond gives security teams bulk remediation actions directly within investigation workflows to quickly remove threats from the environment and reduce the organization’s attack surface moving forward. With a continuous feedback loop directly into Tessian’s behavioral based AI detection algorithm, every email marked as malicious, reported as spam, and removed from the inbox  improves Tessian’s understanding of an organization’s normal email behavior and helps Tessian improve prevention overtime. Security teams will benefit from Tessian Respond by spending less time triaging across multiple legacy email security solutions, manually remediating email threats with PowerShell scripts, and maintaining an overwhelming list of reactive rule-based prevention policies. Tessian Respond gives security teams the freedom and flexibility they need to do what is most important to them: prevent more threats.

When evaluating email security solutions, security professionals can be confident in one thing over anything else: Tessian enables security teams to respond faster, and as a result, prevent more threats.

Recent market developments in email security signal there is a new player in town. And what has been considered a solved-for cybersecurity challenge is receiving renewed attention, both in the enterprise and in the analyst community.  The next generation of email security, referred to by Gartner as Integrated Cloud Email Security (ICES) solutions, bring a welcome and new approach to solving for increasingly sophisticated and elusive email security threats.

Advanced threats require a new approach to addressing email security risk Threat actors are using more sophisticated techniques, and attacks are achieving greater success. This is largely due to the commercialization of cybercrime, with Phishing-as-a-Service and Ransomware-as-a-Service offerings becoming more prevalent on the dark web.  The pace of digital transformation underway and key shifts in the way we work help explain it, too. In the wake of the pandemic, the accelerated adoption of public cloud has significantly expanded attack surface risk, with employees working from home, and often on personal devices.  Threat actors are exploiting these developments by targeting the most common threat vector for a breach, phishing via email.

Secure Email Gateways (SEGs) SEGs were, until recently, considered a staple in the cybersecurity stack. But SEGs that run on static, rule-based detection engines are finding it increasingly challenging to protect in today’s threatscape. This is  largely due to SEGs relying on adversaries exploiting common and well-known attack vectors.  SEG solutions sit in-line and filter all inbound emails. SEGs use a threat intelligence engine that is combined with manual policy orchestration, creating “allow” or “deny” lists. In the world of SEGs, security administrators have to configure MX records, develop specific emails security policies, block domains, and triage incidents – with many of these incidents false positives due to its “wide-net” email filtering approach.  Given the threat engine for SEGs also relies on known threats, it can enable threat actors to bypass SEG controls, for example, by registering new domains which are combined with advanced impersonation techniques. That’s why Tessian saw 2 million malicious, inbound emails evade SEGs in a 12-month period. And once an adversary has compromised an organization’s email (i.e. passed through the gateway) there is little stopping them. SEGs also offer very limited protection against insider threats or advanced methods for email based data exfiltration, for example renaming document file names to bypass manual orchestrated SEG DLP policy labels. 

The key attributes of SEGs include: Designed to protect against commonly seen threats i.e. mainstream phishing activity, malware and spam The redirection of mail via MX records pointing to the SEG to scan all incoming email  Using a sandbox for detecting, isolating, and detonating suspected malicious emails or attachments Clawback ability for internal email only No ability to detect lateral movement by a threat actor that has breached the gateway Supplemental scanning solutions are often required to detect advanced inbound threats Manual orchestration of basic DLP policies

Integrated Cloud Email Security (ICES) Solutions The main distinguishing characteristic of ICES solutions like Tessian compared to SEGs, is that ICES solutions were born in the cloud, for the cloud. But, they’re also able to provide protection for hybrid and on-premise environments.  Using machine learning and connecting via connectors or an API, the algorithm of an ICES solution develops a historical behavioral map of an organization’s email ecosystem. This historical behavioral map is leveraged along with Natural Language Processing (NLP) and Natural Language Understanding (NLU) capabilities, to dynamically, and in-real-time, scan and detect any anomalous email behavior on both the inbound and the outbound side.  ICES solutions also offer a high degree of email security automation, including triaging of security incidents, which significantly reduces the SOC burden and ultimately improves security effectiveness.

The key attributes of ICES solutions include: Designed to detect advanced social engineering attacks including phishing, impersonation attacks, business email compromise (BEC), and account takeover (ATO) Require no MX record changes and scan incoming emails downstream from the MX record, either pre-delivery via a connector, or post-delivery via an API Behavioral detection engine for advanced inbound and outbound threats, resulting in greater detection efficacy and lower false positives i.e. less business interruption and  more SOC optimization A banner can be added to an incoming email indicating the level of risk of the scanned email Lateral attack detection capability Malicious emails are hidden from users’ inboxes. With the pre-delivery option, only email that is determined to be safe is delivered. Post-delivery solutions will claw-back a suspected email determined to be malicious All of the email fields are analyzed and compared against a historical mapping of email correspondence. Fields scanned include the sender, recipient, subject line, body, URL and attachments Prompts the end-user with in-the-moment contextual warnings on suspected malicious emails to take safe action, in real-time Some have advanced DLP capability

The evolution of the threatscape combined with the mainstream adoption of public cloud offerings and associated productivity suites, helps contextualize the emergence of the ICES vendor category.  Many of the productivity suites such as Microsoft 365 and Google Workspace include SEG-like features as part of their standard offerings. And Gartner predicts that by 2023, 40% of enterprises will be leveraging an ICES solution like Tessian with a public cloud’s productivity suite for comprehensive email protection. 

Want to learn more? See how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video, download our platform architecture whitepaper, or book a demo.

Here’s a real-life example of Tessian in action. On this occasion, Tessian has flagged a potential phishing email chasing an invoice payment from a supplier. The client is a 3000-user global law firm and receives thousands of emails a day. In this attack attempt the threat actor has spoofed a legitimate existing domain for the approach,  *******services.com. But crucially, for the reply address, the attackers used *******service.com, omitting the final S found in the original URL.  It’s a common technique for attackers to use a legitimate domain for the initial email to gain trust, and then use a lookalike as the reply to, so they can then divert all conversations to their own inbox. They hope it won’t look suspicious because the recipient will probably think that it’s the same sender’s address. The science behind the way humans read words would mean that this would be easily scanned over in a busy office. The warning displayed to the end user

Tessian alerted the end recipient that the email was suspicious and explained why in three simple points, after which they correctly marked it as malicious. It’s in-the-moment explaining and training like this that empowers employees to make the right security decisions themselves, without slowing down their workday.  And here’s how the Security Team saw the event in the Tessian portal. You can see that the user safely marked the email as malicious in under five minutes from when it arrived.  Tessian picked up on the fact that the reply to address is extremely similar to the sender address and that *******services.com is not very well known to the customer, based on their statistics. Other flags included keywords such as ‘invoice’ and ‘payment’.

It’s also worth noting the time the email was sent, around 2pm GMT. Our own State of Spear Phishing report shows that the most successful attacks happen just after lunch, or towards the end of the working day, when people are at their most distracted.  Let’s now look at the email itself, and some of the social engineering triggers the attacker has used. It’s worth noting there’s just the right amount of suspicious intent: too much urgency such as ‘please pay immediately’ can cause people to double check and action it there and then, especially if the request comes from a senior manager or the C-Suite. Too little urgency meanwhile, means it might not get done at all.  The email arrived on Thursday 19th of January, with a suggested payment deadline of the 31st – just the right amount of nudging to ensure it’s quietly added to someone’s ‘to do’ list the following week. 

Attacks that mimic your suppliers can be particularly tricky to defend against, as psychologically, your organization and people have probably dealt with them before. Even small firms can have hundreds of different suppliers – from office cleaning to raw materials to payroll. For large multinationals like Walmart, or Total that number can run to over 100,000. That’s a lot of emails back and forth.  Tessian stops attacks like this on a daily basis, delivering a modern email security posture and protecting your end-users and data. But the best thing is we do all that, while reducing your security team’s workload. This ultimately saves you money and reduces complexity, leaving you confident that your organization is protected.

Here at Tessian we’ve built the world’s most comprehensive and intelligent cloud email security platform that deploys in minutes via a single API. But what does that ‘soup to nuts’ deployment look like? And when’s best to do it? Well someone who knows in detail is our Senior Sales Engineer, Tam Huynh. We caught up with him to hear how previous Tessian customers have done it in the past.

Briefly explain the history of Integrated Cloud Email Security Integrated Cloud Email Security evolved because of the way Secure Email Gateways handle threats. Historically, you took a look at established data sets and threat signals. You have a static analysis which looks at the hashes of the file, or simply checks the reputation of that hash.  Beyond that they may sandbox that hash to be able to do some behavioral analysis. But a lot of times with account takeovers and business email compromise today, there’s no malicious payloads. ICES evolved to leverage behavioral intelligence or machine learning to analyze the threat signals or the data sets that are missed or ignored by secure email gateways.  So Tessian examines things like the unique writing styles between one person and another, looking for anomalies such as a sudden switch to a more formal salutation or sign off, or unusual IP address location. These are just some of the thousands of threat signals and variables Tessian can analyze.

How long does it take to deploy an Integrated Cloud Email Security solution? The application programming interfaces (APIs) that Tessian uses have given us a way to be able to deploy advanced and intricate solutions to Microsoft 365 in around 20 minutes, depending on how quickly the administrator can get the author credentials. Users enter the credentials inside of our portal, and they grant permissions to the Tessian console, let us know which groups to sync, and they’re done.  If we look back a decade on how SEG were deployed, it could take well over a month or more of multiple phase approaches, changing control windows, testing within a lab or a sandbox first, and then rolling over to production. This is much faster.

How does Tessian work with existing tech stacks as well as new ones?  So from what we’re seeing, many customers are looking to essentially replace their SEGs. So what we’ll typically do is a full feature map of their SEG, and then recommend Microsoft 365 E5 license that allows them to be able to leverage features such as sandboxing and behavioral analysis as well as several other regular features that are found in a SEG. And if some clients choose to retain their SEGs and have 365 E5, that’s fine too.  For organizations not looking to move to Microsoft 365, who might have an on premise exchange server, or are using G Suite, Tessian can leverage a gateway testing deployment, which means an install time of around an hour. And that’s from start to finish. Either way, deploying via the APIs or Gateway means no worrying about modifying MX records.

How should companies communicate ICES to the rest of the business?  So as we’ve seen you can deploy an ICES in under an hour, but that might come as a shock to other teams around the organization, so a clear communication strategy is as important as the technical deployment strategy.  You need to ensure all of the relevant teams have a heads up well ahead of time, especially the non-technical teams. For example, is this going to affect any imminent sales? Does the Customer Success team need to inform customers? Also don’t forget to let the leadership team know. Finally, use the skills of the comms team to help get the information out to the wider organization, and have them on standby in the rare case of there being an issue.  Finally, is there a right time to deploy an ICES?  Yes! Not at 5pm on the penultimate Thursday or Friday in the quarter when sales might be trying to hit target! The ideal time we’ve found with Tessian customers is after business hours on a Monday. The mail volume is down, so it wouldn’t be noticed by the end users.

A career in Infosec can be demanding. And as recent headlines have shown, the stakes have never been higher as Chief Information Security Officers (CISOs) are charged with keeping all facets of their organization protected online. This constant vigilance also results in security pros regularly working extra hours and overtime, and even missing holidays, to keep the company secure.  We recently took an updated look at how overworked and stressed CISOs are in 2022, following our inaugural CISO Lost Hours report last year. This year, we learned that CISOs are working more than ever which is contributing to stress, fatigue and feelings of burnout: 18% of security leaders work 25 extra hours a week, which is double the amount of overtime that they worked in 2021.  Some overtime or extra hours worked can be unavoidable, but the consequences of habitual overwork are real. Our recent study shows that employees are more likely to make mistakes when they’re tired or stressed, which could have serious consequences for security pros.

Here are the highlights: CISOs are working overtime and can’t always switch off from work The demands of the CISO role mean they are putting in significant overtime – about two extra work days per week. The study found that on average, CISOs work 16.5 hours over their contracted weekly hours, an increase of 11 hours from last year. What’s more, many have adopted an “always on” way of working. Three-quarters of security leaders report being unable to always switch off from work, while 16% say they can rarely or never switch off.  Last year, we learned that CISOs were missing out on important personal and social events outside of work like holidays, family vacations and even workouts and doctor appointments due to the nature of their role. Even if security leaders are able to attend these events, the “always on” mindset takes away from being fully present during these moments.

The size of the company makes a difference The survey also found that security leaders at larger companies are putting in more overtime. CISOs at smaller companies (10-99 employees) report working an average of 12 extra hours a week, whereas those in the same role at a company with 1,000+ employees report working an extra 19 hours.  On the other hand, security leaders at small companies say they have more difficulty creating boundaries between work and home life. Twenty percent of CISOs at these companies say they can always switch off from work, compared to 31% of those at larger companies.

Overworked employees make more security mistakes Many overworked and burnt-out employees are finding resolve in “quiet-quitting” where employees do the bare minimum of their job requirements. However, CISOs don’t have that luxury. They’re putting in more hours and can’t switch off from work just to keep up with the demands of the job.  Unfortunately, the Great Resignation has impacted the IT industry, with IT employees being the most likely to look for a new job, according to another Tessian data report from earlier this year. We’ve also learned that employees are more likely to make security mistakes when they’re tired or stressed. In fact, 47% of employees cited distraction as the top reason for falling for a phishing scam, and 41% said they accidentally sent an email to the wrong person because they were distracted. While accidentally sending an email to the wrong person might seem small, mistakes like these can lead to serious cybersecurity incidents like data loss or a breach.  While no employee should ever be shamed or punished for making a security mistake at work, it’s mistakes like these that can contribute to the extra time CISOs are putting in at work. According to a separate survey conducted by Forrester and commissioned by Tessian, employee-related security incidents take up a significant amount of CISOs’ time. In fact, the survey found that security teams spend up to 600 hours per month investigating and remediating threats caused by human error – the equivalent of nearly four employees’ full-time workloads.

So what can CISOs do to create a better work / life balance? Lean on your team: While CISOs are the Head Honcho within IT and security teams, that doesn’t mean they have to do everything. It’s okay to ask for help, prioritize, and then divide and conquer. Beyond their immediate team, CISOs can also work closely with other members of the C-Suite – like the CFO – to adopt new tools that automatically prevent threats and give CISOs some time back in their day. Set boundaries and stick to them: It can be difficult to establish a division between work and life. With mobile access to Slack, email, and Google Docs, “work creep” can seem inevitable. Similarly, if you’re working from home, personal tasks can take up mental space that could compromise your productivity. That’s why you need to define your work space and working hours, and try to create healthy habits that give you a chance to recharge. For some it might be a walk or making time to connect with kids during a lull in active work. These mini breaks can also make a big difference in recharging your battery.  Unplug: This is easier said than done, especially when CISOs are considered the superheroes of any organization. “When duty calls”, right? Yes and no. If you don’t take time for yourself, you won’t be up for the job. You also won’t model the kind of the habits that will help up-and-comers in your organization to see a path to balanced work and life if you don’t figure it out for yourself. Consider mindfulness apps for day-to-day relaxation, and limit the number of people who have access to you while you’re OOO.

The threat caused by malicious, embedded URLs will grow as Business Email Compromise (BEC) attacks increase. Only a behavioral-based approach that involves a thorough examination of the URL content contained within the email body and its attachment allows you to reduce the risk of a URL-based email compromise. Differentiating from the SEG While URL link rewriting, also known as time-of-click protection, is offered by legacy email security providers, such as Secure Email Gateways (SEGs), it has major restrictions on the level of security it can provide. The problem is that your protection is only as effective as the rules and policies you create and how up-to-date the threat detection engine of known threats is. Tessian enhances the protection against known and unknown malicious URLs by ensuring they are detected and retrieved from both the email’s body as well as any attachments that may include them. From here the URLs are analyzed against known and unknown indicators of compromise (IOC).

Cyber Criminals break the rules The static, rule-based approach to malicious URL detection offered by legacy email security presents an open opportunity for threat actors to circumvent them using a range of obfuscation methods. For example, in a well-documented case of APT 39’s malicious URL campaign, the cyber criminals were able to hide malicious links within attached files and bypassed the rule-based SEGs of numerous victims. 

Five Shortcomings of URL Link Rewriting Protection  Here are five additional reasons why URL Link Rewriting falls short in protecting your organization from malicious URLs: URL link rewriting is an overly manual security control prone to human error It requires a significant degree of manual security rule and policy orchestration. The static nature of URL policy and rule orchestration also opens up the probability of human error introducing security risk, by either failing to set the appropriate degree of URL scanning intensity, or failing to include appropriate user groups.  URL link rewriting is ineffective at protecting against zero-day attacks It only offers protection against known threats and limited protection against zero-day attacks. For example, registering new domains or hijacking existing “trusted” domains are popular methods of evasion by threat actors.  URL link rewriting lacks the intelligence to detect advanced attacks on email Threat actors are continuously becoming more sophisticated. Hiding malicious URls in an attachment or having a redirected link tricks the victim into thinking they are clicking on a perfectly safe link when in fact they are actually clicking on a malicious link. Protection starts and stops at the gateway When utilizing a perimeter solution, such as a SEG, you can only see what is coming into and out of the organization. Lateral phishing attacks are missed as the email doesn’t pass the gateway. If all you have is a hammer, everything looks like a nail URL link rewriting offers no protection against cross-site scripting (XSS) attacks. In this type of attack, threat actors will send a benign-looking URL link to a victim, usually from a legitimate but recently compromised website. Here the threat actor is able to capture credentials from the victim, for example on a log-in page of the compromised website. Legacy email security solutions would have determined that the link is “safe” even if the email was received from an unknown or suspicious party.

The need for Intelligent Cloud Email Security  Email-based attacks are still by far the most popular attack vector. The efficiency of legacy email security controls has come into sharp focus as a result of the constantly shifting and developing attack landscape. Threat actors are continuously becoming more sophisticated and circumventing the rules-based approaches of legacy email security tools. Today URL link rewriting is no longer capable of defending organizations from advanced attacks on email. Only by leveraging intelligent email security solutions that understand behavior and have contextually aware scanning capabilities – detecting the most obfuscated of URLs – can you significantly improve your email security posture against URL-based attacks. To see how the Tessians Intelligent Cloud Email Security platform prevents ransomware attacks, and protects against data loss, watch a product overview video or book a demo.

For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn

October is Cyber Security Awareness Month, The US Cybersecurity and Infrastructure Agency (CISA) and National Cyber Alliance (NCA) call for organizations to focus on the fundamentals of cyber security. So we caught up with Tessian’s Head of Risk and Compliance, Kim Burton, to find out what they are and what they mean for your organization. Watch the video below or read the transcript.

So one of the things that’s really exciting about starting your security journey is that there are things that are actually very, very easy to do. And these are true for everyone. It doesn’t matter if you’re an employee somewhere. It doesn’t matter if this is what you’re doing at home trying to protect your friends and family. The key core components of where security starts are… Strong passwords That means long, strong, and unique. You can store those in a password manager, and with that password manager you want to pair that two-factor authentication on every account that you have if possible. Not every account allows for two factor authentication, but everywhere that you can. You want to use multi-factor authentication, Updates Make sure you’re always keeping your machine updated! Mindful posting What I mean by that is, make sure that when you’re posting on social media, you’re being careful about the kinds of information you reveal. And note that you’re also protecting your friends and family, your business when you’re posting online. So you want to just be careful about the kind of privacy implications that that could come about.  Report suspicious emails And then, when you see something uh make sure you talk about it with your coworkers. If something seems a little bit off, send it to your security team. Report fishing emails uh, and remember that you’re in a community, protect each other.

Hosting a security open day There are all kinds of different activities that you can run for Cybersecurity Awareness Month. Having a security party where you all come together and discuss secure solutions that the company specifically requires and  relying on people at the business to present their expertise to other coworkers like doing brown bag lunches that are focused on security components. You can use your employees to actually do a pretend ‘hack the company’ event where you can encourage them throughout the month to name different security concerns that they see. Maybe someone’s left their laptop unlocked, or maybe they noticed people aren’t badging in consistently. Or maybe you’re trying to encourage them to wipe down whiteboards – a security scavenger if you will. Have a prize at the end of it. You can get people to design security posters. Your employees know what secure behavior looks like, and they actually get very excited to talk about the knowledge that they have. What’s hard is if someone’s coming in and top-down, telling them very aggressively like waving a stick and saying “you will do these things”. A lot of these folks have worked  other places. They know what they need to be doing, they just need to be empowered to do it. So let them show what knowledge they have and encourage them to talk about it with you, so that you can maneuver exactly their knowledge to be exactly what the business needs. You can make it so that they have the opportunity to talk about it, teach their peers, and then encourage them to grow from where they’re at. You can have other security events like an Osint scavenger hunt. So Osint is Open Source Intelligence Gathering. That would be maybe a couple of employees gather a bunch of different photographs around the Internet and you ask your folks to identify where they are. It’s amazing how quickly people can identify locations from photographs, and they think they’re not going to be good at this and they’re like “I’ve never done this before, there’s no way I’ll be able to tell from this corner of a building where this is located in the world”. But then you give them five minutes to think about it, and they start saying “You know that type of tree doesn’t grow anywhere else”, or “you know the angle of the sun there seems like it could be in this region of the world” It’s amazing how fast people like start to to figure out these things. And that teaches them how attackers think, that teaches them how malicious actors are going to react.  And it’s fun. You’ve changed it into a game, but what they come away with is; “Oh, okay, I was able to do this in  half an hour of activity. What could someone do with a month? I’ve got to be careful. I have a duty to protect myself. I have a duty to protect my friends, and I really need to protect the business”. It helps them  really see the practicality of of the events that they’re doing.

Andrew Frey is a Forensic Financial Analyst for the San Francisco Field Office of the U.S. Secret Service, working in the Cyber Fraud Task Force. As one of the most knowledgeable people in the US Government on the threat of Business Email Compromise (BEC), Andrew works directly with companies and individuals to gather intelligence on cybercriminals behind these attacks and helps recover lost funds when wire fraud has occurred. In a recent episode of the podcast, he spoke to Tim Sadler about attacks he’s investigated, explained how lost funds are recovered and why he believes BEC is on the rise. Listen to the whole episode, here, or read on for three key Q&As from the interview.

Why are BEC attacks growing more frequent and more effective? I think that the answer is in the question – BEC attacks are growing in frequency because of their efficacy. BEC is an unprecedented type of cybercrime because of its enduring effectiveness. For most scams, widespread education brings their downfall – think IRS impersonation scams, lottery scams, and the Nigerian prince scam. Those schemes are all still around but their heyday is over because most people have been made aware of them in one form or another. You also have organizations like banks and gift card retailers pitching in with warning signs or detection systems that help deter those scams with a high degree of effectiveness. In the case of BECs there is now more education, communication, and detection technology than just about any other scam, and yet they are still very common with no sign of becoming less so. The victim pool is also very broad. It isn’t just senior executives being targeted, we now see everyday people losing down payments to their new homes through BEC, for example. The victims also aren’t necessarily so-called ‘vulnerable’ or lacking in tech-savvy. Many victims are Fortune 500 companies – companies that most folks know by name and logo, companies with rigorous security and control. So as long as the crime continues to have success it is only going to grow.

What are the typical traits and characteristics of these attacks? In almost every BEC case that I have worked there were red flags in hindsight. They could be as subtle as a different font or a different representative than who you have always worked with, or even a different salutation. It is very rare that when reviewing the email with hindsight you don’t spot something that probably should have caught your eye. As for who is targeted most frequently, it is tough to say because each criminal organization probably has a favorite industry – one that they’ve spent time familiarizing themselves with to allow them to talk the talk in a convincing fashion. I am currently working on a case where about a dozen cities and counties were hit with millions of dollars in BECs, and this is a number that is growing by the day. Victims include city police departments and even some school districts, and part of what has made them appealing targets is that so many of their suppliers and the amounts and frequency paid to them are publicly available online. This takes a lot of the work out of the process for the criminals. In some instances, a cyber intrusion isn’t even necessary because the criminal actor could impersonate the supplier or municipality’s finance director and request payment without intrusion. Cases like this are becoming more and more common.

How do you recover lost funds? What is important to know for people who one day might be victims of these kinds of attacks? We have a number of tools at our disposal that can help recover funds, including cryptocurrency and funds that have been wire transferred abroad, which is common these days. As a victim, the key is timely notification to law enforcement. I personally receive one to three reports of BEC a week, and the recovery rate is actually a lot better than you would imagine. I think people think BECs aren’t recoverable and that is not accurate, but timing is everything.  When I am notified of a BEC I immediately work with the relevant financial institutions to trace these funds and I won’t stop until there is a definite dead end or the money is recovered. Simultaneously we might be arranging for an exam of the victim’s network by one of our network intrusion responders to gather evidence for a criminal investigation. But really one of the best ways we help is pro-active education. We try to get out there and provide a resource for companies and institutions so that when any kind of cyber incident happens they know who to call.  In terms of more general advice, businesses need to practice good cyber hygiene. That means anti-phishing training, using complex unique passwords, and changing passwords frequently. It is also very important to prep yourself before an attack occurs by having an incident response plan with clearly outlined roles. That way, if something does happen you don’t have a half dozen people trying to figure out who to call and what to do.

For more of Andrew’s anecdotes and further discussion, listen to our Tessian Podcast episode, here. You can also visit the Secret Service website to find out more information.

Our latest product update for our Advanced Email Threat Prevention module, Tessian Defender, improves the efficiency of security event filtering through new and easy-to-navigate event filters. We have also improved malicious email reporting, resulting in improvements to our detection efficacy.

New and enhanced filters for more efficient event filtering The enhanced event filtering interface will improve confidence and control for security admin using Tessian’s portal. It enables security admins to  efficiently filter and find security events, enabling security teams to respond faster.

Some of the new and enhanced filters include: Original filter location: Folder location of the email at the time of delivery to the end-user’s mailbox. Attachment filter: Contains attachments or not. Phishing simulation filtering: To exclude/include phishing simulations. Confidence level filtering: To filter on high/medium/low confidence interval events.

Improved end-user reporting capability Improvements to malicious email reporting will further improve the ability to recall malicious emails from inboxes, as well as improving detection efficacy. After a security admin reports a malicious email, future emails that share the same characteristics will automatically be quarantined in the portal – reducing cyber risk.

Why these updates matter: Quicker response time and improved detection efficacy In a hypothetical example of attempted Account Takeover (ATO), Tessian will flag suspicious emails as potentially malicious. After receiving an alert, security admins using the Tessian Cloud Email Security Platform, analyze all suspicious emails marked with a high degree of confidence and take appropriate action.  The new event filtering capability further speeds up this process, enabling security admins to filter all the security events by event type, confidence level, user response and quarantine status, while also allowing security admins to exclude events classified for example as phishing simulations – improving response times.   The new labeling feature incentivizes customers to report malicious emails. This, in turn, improves the detection efficacy of the platform’s algorithms with each reported email. 

Every minute counts to reducing cyber risk Time is of the essence in triaging security events on email. Our engineering teams are working relentlessly to cut response times and give time back to security teams. These latest product updates do just that, enabling our customers to reduce the time spent on event triaging while also improving detection efficacy. To see how the Tessian Cloud Email Security platform intelligently prevents ransomware attacks, and protects against data loss, watch a product overview video or book a demo.

For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn

Innovations in machine learning have fundamentally changed the email security landscape.  And in order to stay ahead, and to ensure that we are protecting our customers from new and advanced email threats, we need to continually improve our machine learning algorithms. Most recently, Tessian’s data science team updated our platform’s Behavioral Intelligence Modeling algorithms to detect advanced social engineering threats. The result? A 15% increase in the detection of advanced email threats including impersonation spear phishing and account takeover (ATO) attacks.

The growing threat of advanced social engineering attacks  Social engineering attacks like impersonation and ATO attacks are a growing threat, with ATO attacks witnessing +300% growth over the last three years.  Impersonation and ATO attacks are a notoriously difficult type of advanced email threat to detect and prevent. This is because the threat actors either impersonate a trusted party or, in the case of ATO, the emails originate from a legitimate source, either within the organization from an already compromised account, or from a compromised vendor in the supply chain.  Traditional, rule-based email security solutions, like Secure Email Gateways (SEGs), which enterprises have been reliant on for decades, offer little protection against these types of attack. Why? Because legacy solutions like SEGs and built-in security from cloud providers are unable to detect adaptive and unknown threats with no prior indicators of compromise reported.  This makes the case for why security and risk management teams must move away from a rule-based approach to one that analyzes behavior instead.  This behavioral approach should leverage machine learning, Natural Language Processing (NLP), Behavioral Intelligence and Global Threat Feeds to automatically determine whether an email sent to an end-user at a particular time is an advanced threat.

A machine intelligent approach to email security Encouragingly, an increasing number of security leaders are realizing the need to adopt machine intelligent solutions to tackle the persistent threat of advanced email attacks. In fact, over half of cybersecurity leaders (58%) surveyed in a 2022 Forrester Consulting report said that they are actively looking to displace SEGs for the next generation of email security solutions. These solutions, like Tessian, leverage machine learning to help organizations mitigate risk on email.  The importance of machine learning powered cybersecurity solutions was similarly recognized by IBM’s Cost of Data Breach Report for 2022. IBM reported that the average cost of a data breach was $3.05 million less in organizations that deployed security artificial intelligence (AI) versus those that had not. What’s more, 66% of security leaders from across the world believe that AI and Machine Learning enables faster threat detection on email and 56% say it makes threat detection more accurate.  Continual improvements to our algorithms are important to ensuring we quickly and accurately detect new and unknown threats on email – keeping our customers and their data safe and secure.  Learn more by speaking to our experts and seeing our machine learning algorithms in action. 

Introducing our latest product update, designed to improve security event triaging efficiencies for security admins using the advanced email threat prevention module, Tessian Defender, in the Tessian portal.  The enhanced event triage update not only provides security admins with greater control and confidence in preventing advanced threats coming into corporate inboxes, but it also gives valuable time back to security teams. How does it work?  When Tessian flags an email as potentially malicious, security admins quickly analyze the email within the Tessian portal. After analyzing the email, they can assess whether the email is malicious or not. If the email is deemed safe, the security admin can release it to all of the end-user’s inboxes with a single click and if it’s malicious, they can delete the email from the end-user’s quarantine as well as delete the released copy from the user’s inbox with a single click. As a result, security teams can significantly reduce the risk of an end-user interacting with a malicious email.    This capability extends to bulk remediation of large scale phishing attacks – a.k.a. burst attacks – that affect multiple end-users.

The update builds on our previous update which improved the visibility for security admins to view the full body of flagged emails and label workflow.

Greater efficiency and control for the Security Operations Center Triaging security incidents on email is a time intensive task. In fact, research shows security teams that rely on legacy email security software spend as much as 9-12 hours detecting and responding to each email security incident.  With this latest product update in the Tessian portal, our customers are able to cut the time spent on event triaging down to minutes, significantly reducing the risk of an end-user engaging with a malicious email and reducing the administrative burden for security admins

Every one of our product updates are part of our continuous effort to improve the experience we provide our customers and give security teams peace of mind and confidence in their email security solution.  To see how the Tessian Cloud Email Security platform intelligently prevents ransomware attacks, and protects against data loss, watch a product overview video or book a demo