Spear Phishing

Get up to speed on the latest tips, guides, industry news and technology developments around phishing, spear phishing and Business Email Compromise.

Threat Intel Spear Phishing
Threat Intelligence: COVID-19 Proof of Vaccination Scams
By Charles Brook
21 October 2021
Scammers and threat actors are continuing to use the COVID-19 pandemic as a theme for their phishing campaigns. The latest trend? Asking people to download their ‘proof of vaccination’ or vaccine certificates. In fact, in a recent Tessian survey, 35% of US citizens and 22% of UK citizens said they’d received a ‘proof of vaccination’ phishing email this year. That’s because (as you likely know) most businesses and travel companies are requesting that people now provide proof of vaccination or digital vaccine credentials. Attackers see this as an incentive to get targeted recipients to click links in phishing emails.

What do these emails contain?

Tessian researchers have been analyzing emails related to ‘proof of vaccination’ scams over the past six months and found that, in many of the emails, cybercriminals will apply a sense of urgency to their messages, using subject lines that include “IMPORTANT” and “OFFICIAL”. This is a common social engineering tactic, prompting the person to act quickly so that they don’t spend too much time thinking about the consequences of complying with the request.

The call to action in 80% of the emails analyzed is to click a link to request and download a COVID-19 vaccination passport or certificate, explaining that if the recipient doesn’t have their proof of vaccination, they won’t be able to travel or must remain in quarantine. Wouldn’t you want to act fast? Most emails also contained a payload of either a malicious link or attachment which would direct the recipient to a web page designed to trick them into entering sensitive information such as personal details, credit card or banking details in order to receive their proof of vaccination.
Of the emails analyzed, 20% of them contained language indicating an intent to steal information. Once cybercriminals have this information, they can use it to access your other online accounts or commit identity fraud.  In the UK, the majority of the ‘proof of vaccination’ scams saw attackers impersonate the National Health Service (NHS), tricking their targets into thinking they’d received an email from a legitimate and trustworthy source.  Here’s an example of an email sent from a business email address using compromised credentials:
For anyone quickly glancing at this email, it looks like the real deal. The attacker has spoofed the NHS in its display name, used the correct logo, and avoided any spelling mistakes. Only when you look at the sender’s email address can you see that it’s not actually from the NHS.

How can you avoid falling for a ‘proof of vaccination’ scam?

If you require ‘proof of vaccination’ for any of your upcoming holidays, plans, or activities, or if you have any questions, always go through direct channels with your local authority. You can find their email addresses or phone numbers via their website.

Remember:
- For UK residents, the NHS App is free, the NHS Covid Pass is free, and the NHS will never ask for payment or any financial details.
- For US residents, COVID-19 vaccination providers cannot charge you for a vaccine or charge you for any administration fees, copays, or coinsurance.

So, if the sender of the email is asking you for money or payment information, such as bank details or card details, it is likely a scam. If it looks suspicious, avoid clicking any links or attachments. Mark the email as spam or move it to your junk folder to help improve detection of this type of malicious email, and if you’ve received the email on your work email, report it to your IT team. Then, hit delete.
Spear Phishing
CEO Fraud Prevention: 3 Effective Solutions
20 October 2021
CEO fraud is a type of cybercrime in which the attacker impersonates a CEO or other company executive. The fraudster will most often use the CEO’s email account — or an email address that looks very similar to the CEO’s — to trick an employee into revealing sensitive data or transferring money. A report by UK Finance suggests that CEO fraud is among the main eight types of fraud attacks targeting consumers and businesses. Like all types of phishing, CEO fraud attacks are very difficult for employees to spot. Some legacy technical solutions, such as Secure Email Gateways (SEGs), can also struggle to detect this increasingly sophisticated type of cybercrime. But there are still ways to prevent successful CEO fraud attacks. The key? Take a more holistic approach by combining training, policies, and technology. We’ve outlined three techniques that are crucial to help your organization defend against CEO fraud and other related types of cybercrime.

Before we start: CEO fraud is a type of Business Email Compromise (BEC). If you want to learn more about BEC before diving into CEO fraud, you can check out this article: What Is Business Email Compromise? You can also get an introduction to CEO fraud in this article: What is CEO Fraud?

1. Raise employee awareness

Security is everyone’s responsibility. That means everyone – regardless of department or role – must understand what CEO fraud looks like. Staff training is getting tougher as CEO fraud gets more sophisticated. The FBI’s Internet Crime Complaint Centre (IC3) warns that along with CEOs, cybercriminals increasingly impersonate a broad range of actors, including vendors, lawyers, and payroll departments. So where do you start when training employees to detect CEO fraud attacks? Using real-world examples to point out common red flags can help.
What are the signs that this email is part of a CEO fraud attack? First off, note the lack of spelling errors. Poor spelling and grammar can be a phishing indicator, but this is increasingly unlikely in today’s more sophisticated cybercrime environment. Also, notice the personal touches — Sam’s familiar tone, his references to Kat working from home, and his casual email sign-off. Fraudsters go to great efforts to research their subjects and their targets, whether via hacking or simply using publicly available information. These persuasive elements aside, can you spot the red flags? Let’s break them down:

- The sender’s email address: The domain name is “” (which looks strikingly similar to, especially on mobile). Domain impersonation is a common tactic for CEO fraudsters.
- The sense of urgency: The subject line, the ongoing meeting, the late invoice—creating a sense of urgency is near-universal in social engineering attacks. Panicked people make poor decisions.
- The authoritative tone: “Please pay immediately”: there’s a reason cybercriminals impersonate CEOs — they’re powerful, and people tend to do what they say.
- Playing on the target’s trust: “I’m counting on you”. Everyone wants to be chosen to do the boss a favor.
- Westinghouse’s “new account details”: CEO fraud normally involves “wire transfer phishing”—this new account is controlled by the cybercriminals.

Your cybersecurity staff training program should educate employees on how to recognize CEO fraud, and what to do if they detect it.

- Check the sender’s email address for discrepancies. This is a dead giveaway of email impersonation. But remember that corporate email addresses can also be hacked or spoofed.
- Feeling pressured? Take a moment. Is this really something the CEO is likely to request so urgently?
- New account details? Always verify the payment. Don’t pay an invoice unless you know the money’s going to the right place.

Looking for a resource that you can share with your employees?
We put together an infographic outlining how to spot a spear phishing email. While these are important lessons for your employees, there’s only so much you can achieve via staff training. Take it from the U.K.’s National Cyber Security Centre (NCSC): “Spotting phishing emails is hard, and spear phishing is even harder to detect. Even experts from the NCSC struggle. The advice given in many training packages, based on standard warnings and signs, will help your users spot some phishing emails, but they cannot teach everyone to spot all phishing emails.” Humans are often led by emotion, and they’re not good at spotting the small giveaways that might reveal a fraudulent email. Sometimes, even security experts can’t! (More on this here: Pros and Cons of Phishing Awareness Training.)
2. Implement best cybersecurity practice

Beyond staff training, every thriving company takes an all-around approach to cybersecurity that minimizes the risk of serious fallout from an attack. Many companies choose to implement a cybersecurity framework, such as the CIS Critical Security Controls or the NIST Cybersecurity Framework, to help them adopt security controls and protections in a systematic and comprehensive way. Here are some important security measures that will help protect your company’s assets and data from CEO fraud:

- Put a system in place so employees can verify large and non-routine wire transfers, ideally via phone
- Protect corporate email accounts and devices using multi-factor authentication (MFA)
- Ensure employees maintain strong passwords and change them regularly
- Buy domains that are similar to your company’s brand name to prevent domain impersonation
- Regularly patch all software
- Closely monitor financial accounts for irregularities such as missing deposits
- Deploy an email security solution

All the above points are crucial cybersecurity controls. But let’s take a closer look at that final point — email security solutions.

3. Deploy intelligent inbound email security

CEO fraud attacks overwhelmingly take place via email (along with 96% of all phishing attacks). That’s why deploying an email security solution is one of the most effective steps you can take to prevent this type of cybercrime. But not just any email security solution. Legacy solutions like Secure Email Gateways (SEGs), spam filters, and Microsoft and Google’s native tools generally can’t spot sophisticated attacks like CEO fraud. Why? Because they rely almost entirely on domain authentication and payload inspection. This means they tend to check publicly available records to verify the authenticity of an email address, and examine any attachments to see if they contain malware. Social engineering attacks like CEO fraud easily evade these mechanisms. Tessian is different.
Tessian Defender uses machine learning (ML), anomaly detection, behavioral analysis, and natural language processing (NLP) to detect a variety of signals indicative of CEO fraud. Tessian’s machine learning algorithms analyze your company’s email data. The software learns every employee’s normal communication patterns and maps their trusted email relationships — both inside and outside your organization. Tessian inspects both the content and metadata of inbound emails for any signals suggestive of CEO fraud. For example, suspicious payloads, anomalous geophysical locations, out-of-the-ordinary IP addresses and email clients, keywords that suggest urgency, or unusual sending patterns. Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language.
Click here to learn more about how Tessian Defender protects your team from CEO fraud and other email-based cybersecurity attacks. You can also explore our customer stories to see how they’re using Tessian Defender to protect their people on email and prevent social engineering attacks like CEO Fraud.
Spear Phishing
What is CEO Fraud? How to Identify CEO Email Attacks
15 October 2021
As we’ll explain below, there are several different methods used by cybercriminals to carry out a CEO fraud attack. But they all have one thing in common: money. Most often, a CEO fraud email will urgently request the employee to pay a supplier’s “invoice” using new account details. Cybercriminals use sophisticated techniques and meticulous research to make the attack as persuasive as possible.

Why do cybercriminals impersonate CEOs and other high-level executives? Two reasons:

- Power: CEOs have the authority to instruct staff to make payments.
- Status: Employees tend to do what CEOs ask. No one wants to upset the boss.

CEO fraud vs. other types of cybercrime

There’s some confusion about CEO fraud and how it relates to other types of cybercrime. Let’s clear a few things up before looking at CEO fraud in more detail. CEO fraud is related to the following types of cybercrime:

- Social engineering attack: Any cyberattack in which the attacker impersonates someone that their target is likely to trust.
- Phishing: A social engineering attack conducted via email (there are other forms of phishing, such as “smishing” and “vishing” via SMS and phone).
- Spear phishing: A phishing attack targeting a named individual.
- Business Email Compromise (BEC): A phishing attack conducted via a hacked or spoofed corporate email account.
These types of cyberattack all utilize email and impersonation—two critical elements of a CEO fraud attack. CEO fraud is not to be confused with “whaling”: a phishing attack where the cybercriminal targets—rather than impersonates—a CEO or other senior company employee. More on that in this article: Whaling: Examples and Prevention Strategies.

CEO fraud techniques

As explained above, CEO fraud is related to Business Email Compromise. That’s because the attacker needs to make it look like they’re a senior employee of your company—so any email they send must appear to have come from a company account. There are three main ways cybercriminals can compromise a CEO’s email account:

- Hacking: Forcing entry into the CEO’s business email account and using it to send emails. This is the CEO fraud technique that’s most difficult to detect.
- Spoofing: Sending an email from a forged email address and evading authentication techniques such as DMARC.
- Impersonation: Using an email address that looks similar to a CEO’s email address. This can take the form of a “display name impersonation attack.”

Once the threat actor has taken control of a CEO’s email account—or has convincingly impersonated their email address—they use one of the following techniques to attack the target organisation:

- Wire transfer phishing: The attacker asks the target to pay an invoice. According to the FBI, businesses lose billions of dollars per year via this type of phishing attack.
- Gift certificate phishing: The attacker asks the targets to buy them gift certificates. Gift certificates can be harder to trace than a bank transfer. Check out this (hilarious) example “from” Tessian’s own CEO.
- Malicious payload: The email contains an innocent-looking attachment that installs malware on the target company’s systems.

Anatomy of a CEO fraud attack

Now let’s take a look at an example of a CEO fraud attack to help you better understand the process.
Like all social engineering attacks, CEO fraud attacks exploit people’s feelings of trust and urgency. When the CEO is “in a meeting” or “at a conference” and needs an urgent favor, employees don’t tend to second-guess them.  Here’s how a CEO fraud email might look. Now, for the sake of the example, imagine your boss is Thomas Edison. Yes, that Thomas Edison.
There are a few things to note about this CEO fraud email:

- Note the subject line, “Urgent request,” and the impending payment deadline. This sense of urgency is ubiquitous among CEO fraud emails.
- The fraudster uses Thomas’s casual email tone and his trademark lightbulb emoji. Fraudsters can do a great impersonation of a CEO by scraping public data (plenty is available on social media!) or by hacking their email and observing their written style.
- Cybercriminals do meticulous research. Thomas probably is in Florida. “Filament Co.” might be a genuine supplier and an invoice might even actually be due tomorrow.

There’s one more thing to note about the email above. Look at the display name — it’s “Thomas Edison”. But anyone can choose whatever email display name they want. Mobile email apps don’t show the full email address, leaving people vulnerable to crude “display name impersonation” attacks. Cybercriminals can also set up a fake email domain impersonating your company’s real domain name. The domain is the part of the email address after the “@” sign. A cybercriminal impersonating Bill Gates, for example, might purchase a domain such as “” or “”. Likewise, using “freemail impersonation”, a less sophisticated attacker might simply set up an email account with any free email provider using the CEO’s name (think “”). It sounds crude, but such attacks really can work. We explain domain impersonation in more detail – including plenty of examples – in this blog: Inside Email Impersonation: Why Domain Name Spoofs Could be Your Biggest Risk.

How common is CEO fraud?

It’s fair to say that cybercrime has gone into overdrive in recent years. Data from the FBI’s Internet Crime Complaint Center (IC3), released March 2021, shows a record-breaking number of cybercrime complaints in 2020. The IC3 reports a 69% increase in the number of complaints since 2019, with reported losses exceeding $4.1 billion.
The main cause of cybercrime reported to the IC3 was—you guessed it—phishing. So it’s clear that cybercrime, particularly phishing, is pervasive—and increasingly so. But what about CEO fraud itself? CEO fraud once dominated the cybercrime landscape. However, there is some evidence that cybercriminals are moving away from CEO fraud and towards a broader range of more sophisticated social engineering attacks. In 2020, the FBI noted that while CEO fraud previously dominated BEC, cybercriminals now impersonate a broader range of actors, including vendors, lawyers, and payroll departments. And a report by UK Finance suggests that while CEO fraud is still among the main eight types of fraud attacks targeting consumers and businesses, there was a 14% drop in CEO fraud attacks between the first half of 2020 and the first half of 2021. (So it’s not all doom and gloom…)

These days, employees don’t only have to be wary of CEO fraud attacks. They also need to watch out for more advanced cybercrime techniques like Account Takeover (ATO), deepfakes, and ransomware. But CEO fraud is still a big deal. And as with all other types of social engineering attacks, there’s evidence that CEO fraud attacks are becoming more sophisticated and easier for threat actors to carry out. For example, in March 2021, a CEO fraud “phishing kit” was discovered that enabled cybercriminals to easily host fake Office 365 login pages in the cloud storage tool Backblaze. Want to know how to protect yourself and your business from CEO fraud? Read our article: How to Prevent CEO Fraud Attacks.
Spear Phishing Remote Working Data Exfiltration
Cybersecurity Awareness Month 2021: 12+ Free Resources
By Maddie Rosenthal
30 September 2021
October is Cyber Awareness Month, and this year’s theme is “Do your part. #BeCyberSmart.”   Fun fact: Cyber Awareness Month started back in 2004, the same year a former AOL software engineer stole 92 million screen names and email addresses and sold them to spammers. Sadly, that’s peanuts compared to more recent breaches. Incidents involving insider threats are at an all-time high, phishing incidents are doubling and even tripling in frequency year-on-year, and the cost of a breach is now over $4 million. This is all to say that cybersecurity is more important than ever. And at Tessian, we live by the motto that cybersecurity is a team sport. So, to help you educate and empower your employees, we’ve put together a toolkit with over a dozen resources, including:
You can download them all for free, no email address or other information required. But, that’s far from the only content we have to share…

CEO’s Guide to Data Protection and Compliance

By 2024, CEOs will be personally responsible for data breaches. So it’s essential they (and other execs) understand the importance of privacy, data protection and cybersecurity best practices. To help you out, we’ve published an eBook which breaks down:

- How different regulations have changed how businesses operate
- How cybersecurity and compliance can be leveraged as a business enabler
- The financial and operational costs of data breaches

OOO Templates

OOO emails can contain everything a hacker needs to know to craft a targeted spear phishing attack…

- Where you are
- How long you’ll be gone
- Who to get in touch with while you’re away
- Your personal phone number

Use these templates as a guide to make sure you don’t give too much away👇🏼
Human Layer Security Knowledge Hub

Cyber Awareness Month is all about raising awareness and sharing best practices, and we know the #1 source of trusted information and advice for CISOs are…other CISOs. That’s why we’ve created a hub filled with dozens of fireside chats and panel discussions about enterprise security, spear phishing, data loss prevention, leadership, and the human element. Sign-up for free and hear from some of the biggest names in the industry.

You Sent an Email to the Wrong Person. Now What?

Did you know at least 800 emails are sent to the wrong person in organizations with 1,000 employees every year? While it’s easy to shrug something like this off as a simple mistake, the consequences can be far-reaching and long-term. Learn more, including how to prevent mistakes like this.

6 Best Cybersecurity Podcasts

While we’re partial to our own podcast – RE: Human Layer Security – we’ve learned from the best in the business. To get our fix of cybersecurity breaking news, threat intel, and inspiring interviews, we regularly tune into these podcasts:

- The CyberWire Daily
- The Many Hats Club
- WIRED Security

Get the full breakdown here.

How to Get Buy-In For Security Solutions

As a security or IT leader, researching and vetting security solutions is step one. Step two involves convincing key stakeholders like the CEO, CFO, and the board that the product needs to be implemented, that it needs to be implemented now, and that it’s worth the cost. This is easier said than done… So, how do you communicate risk and make a compelling case to (eventually) get buy-in from executives? We talked to security leaders from some of the world’s most trusted and innovative organizations to find out what they do to get buy-in from CxOs. Here’s a summary of their tips.
Ultimate Guide to Staying Secure While Working Remotely

While most of us have been working remotely or in a hybrid environment for well over a year, we know that more than half of IT leaders believe employees have picked up bad cybersecurity behaviors since working remotely. This eBook offers plenty of helpful reminders, including:

- The risk involved in sending work emails “home”
- Why using public Wi-Fi and/or your personal device as a hotspot aren’t good ideas
- Best practice around using cloud storage to share documents
- How to physically protect your devices
- Top tips for businesses setting up remote-working policies

What Does a Spear Phishing Email Look Like?

We know you’re working hard to train employees to spot advanced impersonation attacks…but every email looks different. A hacker could be impersonating your CEO or a client. They could be asking for a wire transfer or a spreadsheet. And malware can be distributed via a link or an attachment. But it’s not all bad news. While – yes – each email is different, there are four commonalities in virtually all spear phishing emails. Download the infographic now to help your employees spot the phish.

The Risks of Sending Data to Your Personal Email Accounts

Whether it’s done to work from home (or outside of the office), to print something, or to get a second opinion from a friend or partner, most of us have sent “work stuff” to our personal email accounts. And, while we might think it’s harmless…it’s not. In this article, we explore the reasons why employees might send emails to personal accounts, why sending these emails can be problematic, and how security leaders can solve the problem.

Looking for more helpful content? Sign-up to our weekly newsletter, or follow us on LinkedIn and Twitter (or do all three!).
Spear Phishing DLP
New ESG Report Highlights Gaps in M365 Native Security Tools
By Jessica Cooper
28 September 2021
Millions of companies around the world depend daily on Microsoft 365, including yours. So to better understand its native security tools, and any gaps within them, we’ve partnered with Enterprise Strategy Group (ESG Global) to produce a new report exploring Microsoft 365’s security environments. The report covers several topics of Microsoft 365, both E3 and E5, including capabilities and gaps for protecting against ransomware, phishing, accidental data loss and sensitive data exfiltration, as well as architectural challenges to consider. The full report, ESG Whitepaper: Closing Critical Gaps in Microsoft 365 Native Security Tools, can be found here.

Report highlights

- Phishing was involved in 43% of breaches in the past year
- Over two-thirds (69%) of respondents to the ESG research survey report that email security has become one of their top 5 cybersecurity priorities
- 18% cite email security as their most important cybersecurity priority
- 62% of organizations are reevaluating all security controls currently available natively
- Ransomware ranks as a top-3 risk concern, with 77% of organizations classifying ransomware as high or medium risk.
- 45% of organizations report that more than 40% of their sensitive data flows through their email application.
- Cloud-delivered email solutions aren’t a panacea. Moving on-prem email solutions to the cloud replaces the operational infrastructure but doesn’t necessarily fully replace security controls.
- Successful credential phishing attacks can lead to email account takeover (ATO), enabling hackers to appear as legitimate insiders, facilitating BEC, data exfiltration, and ransomware.
As the report states, email continues to be the backbone of enterprise communications and is considered the most critical infrastructure to daily operations for most. Cloud-delivered email infrastructure has rapidly become the preferred approach to enable email communications, with over 2.3m companies depending on Microsoft 365. For many, handing over email infrastructure to a cloud service provider means transferring and trusting email security and resilience to the provider. Yet as phishing, which was involved in 43% of breaches in the past year, continues at epidemic levels, over two-thirds (69%) of respondents to an ESG research survey report say that email security has become one of their top 5 cybersecurity priorities, with 18% citing email security as their most important cybersecurity priority. While cloud-delivered email providers promise security and resilience, most fall short of what many security and IT teams would consider adequate. Further, adversaries are capitalizing on these homogenous security systems to bypass controls. As a result, ESG research found that 62% of organizations are re-evaluating all security controls currently available natively, with many turning to third-party email security and resilience solutions to supplement native controls. Organizations that are planning to move or have recently moved to cloud-based email should strongly consider the use of third-party email security solutions to ensure that critical email infrastructure and data are adequately secured against the expanding email threat landscape.

Unpacking Microsoft 365 native security controls in E3 and E5

While Microsoft has invested significantly in strengthening security controls for Microsoft 365 (M365), organizations report continuing gaps in the controls included in both E3 and E5 licensing bundles.
Email security

While EOP provides many valuable security features, it is limited in its ability to protect against more sophisticated email attacks, such as social engineering (or “spear-phishing”), business email compromise, account takeover, and many types of ransomware. Detecting these types of more sophisticated attacks requires both behavioral analytics and a contextual understanding of individual communication activities, which don’t exist in EOP. So, while native controls are effective at detecting mass/generic phishing campaigns, they are less effective at detecting highly targeted attacks. For example, EOP uses block lists to detect spam and known malware. Safe Links (available in E5) rewrites URLs and checks them against known lists of malicious URLs before allowing the user to visit the link.

The Microsoft 365 E5 bundle includes additional security features by adding the Microsoft 365 Defender endpoint security solution. Additional protection against phishing and ransomware is provided through more advanced malicious URL and attachment protection, including link re-writing and attachment sandboxing. Both approaches, however, can still be vulnerable to new URLs and attacks without “payloads.” Microsoft Defender depends on multiple scan engines to detect malware attachments and malicious URL links, leveraging both signature matching and machine learning to perform behavioral analysis. Because BEC and ATO impersonations often contain no malicious links or attachments, these threats can commonly escape this approach.

Data loss prevention

Minimal data loss protection capabilities are included in the E3 bundle, relying on end-users to manually label documents as sensitive to protect them. Relying on end-users to accurately and consistently classify content puts organizations at risk. On the other hand, applying blanket policies and blocking sensitive information is highly disruptive to users’ productivity and can be an immense burden on security teams.
Further, companies that opt for applying a default classification to all documents and emails end up with the same label being applied to everything, while lacking any new visibility into sensitive data. As a result, organizations most often resort to tracking and post remediation instead of proactive detection and real-time response. Additionally, E3 lacks capabilities natively to detect and manage insider risk (for example, preventing data theft by departing employees). Native controls also often lack the ability to properly classify non-Microsoft data and files, requiring admins to use workarounds to achieve consistent protection.

Data loss prevention is included in the E5 bundle for emails, Teams, and files. Advanced email encryption functionality is also provided, as well as email retention policies. Customer keys for Office 365 are also supported, and some level of insider risk management capabilities is also included.

Context matters in data loss prevention

M365 Email DLP capabilities are, however, not context-aware (meaning that they lack context between parties exchanging email), resulting in an inability to proactively identify wrong recipients or unintended inclusion of attachments. M365 detection instead utilizes a rules-based approach to define DLP policies and classify data (regex pattern matches, proximity of certain keywords to the matching patterns, exact data matching, and fingerprinting). These techniques alone are often unable to detect when email recipients are misaddressed or when wrong attachments are involved.
Additionally, because these capabilities rely on rule-based techniques or trainable classifiers to align specific data types with DLP policies and to label data (using Azure Information Protection), effectively detecting sensitive information in unstructured data can be problematic (legal, mergers and acquisitions, work orders, bidding documents, and other non-Microsoft formatted files), resulting in users exfiltrating sensitive data and additional false positives. While encryption is often mistakenly perceived as a solution to solve for misdirected emails, recipients included by mistake can still often decrypt emails to gain access to sensitive data. User experience/friction when encrypting emails can also be a barrier to use. 
Email security has long been focused on inbound filtering and the monitoring of user activities looking for well-known patterns of misuse. Yet email usage patterns are more often unique to individual users, those that they communicate with, what they communicate, and how they communicate. This individual usage context is required to detect and stop many of today’s more sophisticated attacks such as spear phishing, BEC, and ATO.
Much of this personal context can be derived through behavioral analytics of historical email, including the analysis of who, what, and when emails were sent in the past. When individual historical patterns, along with context, can be matched against future activity, modern email threats can be detected and stopped, often with little to no user or administrator involvement.
Microsoft 365, the dominant cloud-delivered email solution adopted today, may lack critical security controls needed for certain organizations, therefore motivating many to add supplemental security solutions to close gaps. Whether in the planning stage, implementation stage, or post-implementation, third-party email security controls should be considered with all cloud-delivered email solutions.
To learn more, download the full report.
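To make the two points above concrete (a rules-based DLP policy built from a regex match with keyword proximity, and a behavioral baseline learned from historical sender-to-recipient relationships), here is an added example in Python. It is not code from the report or from Microsoft or Tessian; the history log, the policy thresholds and the function names are all constructed for the illustration. The content rule fires on a card-like number near a trigger word, but by itself it cannot tell that the recipient is a never-before-seen address with a typo in the domain; the baseline built from past email supplies that missing context.

```python
import re
from collections import defaultdict

# Constructed historical send log as (sender, recipient) pairs. This is sample
# data standing in for the "who, what, and when" of past email that a
# behavioural baseline is learned from.
HISTORY = [
    ("alice@corp.example", "bob@corp.example"),
    ("alice@corp.example", "bob@corp.example"),
    ("alice@corp.example", "counsel@lawfirm.example"),
    ("alice@corp.example", "counsel@lawfirm.example"),
    ("carol@corp.example", "vendor@supplier.example"),
]

# A rule-based DLP policy of the kind the report describes: a regex pattern
# match plus a trigger keyword that must sit within PROXIMITY characters of it.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
KEYWORDS = ("card", "visa", "mastercard", "account")
PROXIMITY = 40


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives on arbitrary runs of digits."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
        double = not double
    return total % 10 == 0


def content_rule_hits(body: str) -> list:
    """Card-like numbers that pass Luhn and have a trigger keyword nearby."""
    hits, low = [], body.lower()
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue
        window = low[max(0, m.start() - PROXIMITY):m.end() + PROXIMITY]
        if any(k in window for k in KEYWORDS):
            hits.append(m.group())
    return hits


def build_baseline(history) -> dict:
    """Per-sender set of recipients seen in the historical log."""
    seen = defaultdict(set)
    for sender, rcpt in history:
        seen[sender].add(rcpt)
    return seen


def recipient_anomalies(baseline: dict, sender: str, recipients) -> list:
    """Recipients this sender has never written to before: the relationship
    context that a content regex alone cannot supply."""
    known = baseline.get(sender, set())
    return [r for r in recipients if r not in known]


def evaluate(baseline: dict, sender: str, recipients, body: str) -> dict:
    """Combine the content rule with the behavioural check for one outbound email."""
    return {
        "content_hits": content_rule_hits(body),
        "new_recipients": recipient_anomalies(baseline, sender, recipients),
    }


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # Typo in the recipient domain: the content rule fires, and the baseline flags
    # the never-seen address that the rule by itself would have let through.
    print(evaluate(base, "alice@corp.example",
                   ["counsel@lawfrim.example"],
                   "Please charge the card 4111 1111 1111 1111 for the retainer."))
```

A production baseline would also weight recipients by recency and frequency and consider the attachments normally exchanged with each party; the point here is only that the relationship history, not the message content, is what reveals the misdirected recipient.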
Spear Phishing
We Analyzed 2 Million Malicious Emails. Here’s What We Learned.
By Maddie Rosenthal
24 September 2021
Over a 12-month period, Tessian Defender detected nearly 2 million malicious emails, all of which slipped past Secure Email Gateways (SEGs) and native tools to land in employees’ inboxes. This represents a lot of risk. So, to help you understand what you’re up against and – more importantly – how to protect your organization, we analyzed them to identify the what, how, who, why, and when of today’s threat landscape. Here’s what we found out….
1. Cybercriminals have a type ❤
When it comes to who they target, bad actors cast a wide net, but do seem to have an affinity for Retail, Manufacturing, F&B, R&D, and Tech. But still, across all industries, Tessian flagged 14 malicious emails a year, per employee. That means that, without Tessian, each employee would have to successfully identify 14 carefully crafted emails a year in order to avoid a breach. That’s just too much risk.
In terms of company size, bad actors will take whatever they can get. Wondering why they don’t focus exclusively on the “big fish” (i.e. enterprise)? Because smaller companies – who generally have less money to spend on cybersecurity – are often easier to infiltrate. This can be a foothold for lateral movement, especially for companies with large supply chains.
Interestingly though, regardless of industry or company size, attacks look just about the same. Across the board, display name spoofs are the most commonly used impersonation tactic. Payloads are more often delivered via URLs than attachments. And keywords related to wire transfers are more frequently seen than keywords related to credentials. This reinforces just how effective these tactics are, regardless of how much budget an organization has allocated to cybersecurity.
2. Most malicious emails don’t contain attachments 📎
While attachments are listed first in frameworks like MITRE, most bad emails don’t actually contain attachments. That’s why it’s important to train employees to spot a variety of different malicious payloads, including zero payload attacks. Zero payload attacks don’t rely on malicious payloads like attachments or links. The attacker simply persuades the victim to action a request.
Zero payload attacks can be just as devastating as malicious payload attacks, and traditional antivirus and anti-phishing software – which often rely solely on keyword detection and deny/allow lists – struggle to detect them. But what about when bad actors do leverage attachments?
Download the full report to see which file extension type is most common, and to download an infographic to share with your employees.
3. You’re most likely to be phished between 2PM and 6PM 🐟
We’re often told that bad actors borrow best practice from marketers. If that’s the case, most phishing attacks would land in employees’ inboxes around 10 AM on Wednesdays. Our analysis tells a different story. The most malicious emails are delivered between 2PM and 6PM, with very little fluctuation day-to-day (except over the weekend). This isn’t an accident. Since employees are more likely to make mistakes when they’re stressed, tired, and distracted, the second half of the work day is a bad actor’s best bet. (Hello afternoon slump!)
Help your employees stay alert by letting them know when they’re most likely to receive a phishing email, what they look like, and what to do if and when they do spot something suspicious.
There are dozens more insights in the report, including:
- Which brands are the most frequently impersonated in attacks
- What keywords appear most frequently in subject lines and body copy
- Which industry is most frequently compromised in ATO attacks
Download it now while it’s ungated!
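The two findings that recur across industries above, display name spoofing as the leading impersonation tactic and URLs or no payload at all outnumbering attachments, both come down to checks a mail pipeline can run on every inbound message. The following is an added Python example, not Tessian’s code or the analysis behind the report: the directory of colleagues, the sample messages and the function names are constructed. It flags a display name that belongs to a known colleague but arrives from an address that is not theirs, classifies each message’s delivery mechanism (attachment, URL, or zero payload), and rolls the results up into the kind of counts the post reports.

```python
import re
from email.utils import parseaddr

# Constructed internal directory mapping display names to the only address
# each colleague legitimately sends from (sample data).
DIRECTORY = {
    "jane doe": "jane.doe@corp.example",
    "sam patel": "sam.patel@corp.example",
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def normalize(name: str) -> str:
    """Lower-case and strip punctuation so case or quoting cannot hide a match."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def display_name_spoof(from_header: str) -> bool:
    """True when the display name is a known colleague's but the address is not theirs."""
    name, addr = parseaddr(from_header)
    expected = DIRECTORY.get(normalize(name))
    return expected is not None and addr.lower() != expected


def payload_type(body: str, attachments) -> str:
    """Classify the delivery mechanism: attachment, url, or zero-payload."""
    if attachments:
        return "attachment"
    if URL_RE.search(body):
        return "url"
    return "zero-payload"


def triage(msg: dict) -> dict:
    """Per-message findings for one inbound email."""
    return {
        "display_name_spoof": display_name_spoof(msg["from"]),
        "payload": payload_type(msg["body"], msg.get("attachments", [])),
    }


def summarize(messages) -> dict:
    """Roll per-message findings up into counts like those the post reports."""
    counts = {"display_name_spoof": 0, "url": 0, "attachment": 0, "zero-payload": 0}
    for msg in messages:
        t = triage(msg)
        counts["display_name_spoof"] += int(t["display_name_spoof"])
        counts[t["payload"]] += 1
    return counts


# Constructed sample messages (not real mail).
SAMPLE = [
    {"from": "Jane Doe <jane.doe@corp.example>", "body": "Lunch at 1?"},
    {"from": "Jane Doe <jane.doe@webmail-host.example>",
     "body": "Can you process the wire transfer today? I am in a meeting."},
    {"from": "Accounts <billing@supplier.example>",
     "body": "Invoice: http://files.supplier.example/inv-0093.pdf"},
    {"from": "Sam Patel <sam.patel@corp.example>", "body": "Numbers attached.",
     "attachments": ["q3-report.xlsx"]},
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m["from"], triage(m))
    print(summarize(SAMPLE))
```

The second sample message is the zero-payload case the post describes: no link, no attachment, a familiar name, and a request to move money. Nothing in it would trip a signature or a deny list; only the mismatch between the name and the sending address gives it away.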
Spear Phishing
What is a Software Supply Chain Attack?
17 September 2021
A cybersecurity breach on a single company is bad, but when an attack affects potentially hundreds of businesses in that firm’s supply chain, the results can be catastrophic. Known as ‘software supply chain attacks’, these types of threats hit hard, spread quickly, and can devastate thousands of organizations simultaneously. Broadly speaking, a software supply chain attack involves inserting malicious code into a piece of software that is then distributed among multiple organizations, usually the customers of the software company that owns the software. This article will look at some recent examples of software supply chain attacks, consider the different forms such attacks can take, and explore how both software vendors and their customers can avoid falling victim to this especially damaging security threat.
Examples of software supply chain attacks
First, to understand how software supply chain attacks work, let’s consider two recent high-profile examples.
The SolarWinds attack
The SolarWinds attack was first discovered in December 2020, after a cybersecurity company, FireEye, discovered that some of its software tools had been stolen. When investigating the theft, FireEye learned that the attackers had gained access to its systems via a third-party software product called Orion, a network monitoring tool supplied by Texas-based software company SolarWinds. An update to Orion, released nine months earlier, in March 2020, had granted the attackers access to FireEye’s systems. This update gave the cybercriminals full access to FireEye’s private data, enabling them to exfiltrate the company’s security tools. But FireEye wasn’t the only company affected by the hack. FireEye reported its discovery to the National Security Agency (NSA), the U.S. intelligence service tasked with defending the country against cyber threats. This was when the devastating impact of the SolarWinds attack became apparent.
The NSA revealed that it also used SolarWinds—together with the U.S. Treasury, the Department for Homeland Security, and the National Nuclear Security Administration. In fact, twelve U.S. Federal Government departments were compromised by the malicious SolarWinds update, along with thousands of other organizations around the world. All the attackers had to do was insert malicious code into SolarWinds’ software update, and let SolarWinds distribute the malware among the companies downstream in its supply chain. This ease of distribution is what makes supply chain attacks so effective for the attackers, and so devastating for the victims.
The Kaseya attack
In response to SolarWinds, President Biden enacted his Executive Order on Improving the Nation’s Cybersecurity. But in July 2021, less than two months after Biden’s order passed, another colossal software supply chain attack occurred, this time originating from Miami-based software firm Kaseya. Like SolarWinds, Kaseya provides network monitoring tools and it sits at the start of a very long supply chain. The Kaseya attack started when ransomware gang REvil inserted malicious code into an update for Kaseya’s Virtual System Administrator (VSA) software. After updating VSA with the malicious code, Kaseya’s customers found their systems were inaccessible due to ransomware. REvil claimed that over one million companies had been affected, whereas Kaseya put the number between 800 and 15,000. Either way, the attack caused havoc for thousands of people, and its effects were felt far and wide. Even a Swedish supermarket chain had to temporarily close when its payment processing equipment malfunctioned due to the attack. The Kaseya ransomware is another example of how software supply chain attacks can grow almost exponentially around the globe. Hack one Miami-based software company, and the next day a Swedish supermarket could be considering whether to pay you a ransom to decrypt its files.
Types of software supply chain attacks
Software supply chain attacks are just one type of supply chain attack (we’ll look at another type of supply chain attack below). But there are also different subtypes of software supply chain attacks that security-conscious organizations need to understand. The National Institute of Standards and Technology (NIST) identifies six types of software supply chain attacks:
- Design: Malicious actors can hijack a product’s initial design process to install or corrupt software. In 2016, a U.S. manufacturer shipped phones with malicious software that recorded users’ phone calls and texts.
- Development and production: Threat actors persist in an upstream company’s networks and infiltrate its downstream customers. The SolarWinds attack is an example of this type of supply chain attack.
- Distribution: The initial attack occurs between the manufacture of a product and its acquisition by end-users. For example, a 2012 investigation found pre-installed malware apps on retail desktop and laptop computers.
- Acquisition and deployment: Software companies can be acquired or influenced by malicious actors to spy directly on end-users. NIST cites a 2017 incident involving Kaspersky Antivirus.
- Maintenance: Backdoors can be embedded in routine updates, allowing cybercriminals to access the computers that install them. Both the SolarWinds and Kaseya attacks leveraged this technique.
- Disposal: Improper wiping of hardware can lead to “data spillage,” enabling downstream actors purchasing or disposing of the equipment to access software or information on the device.
How to prevent software supply chain attacks
Two main actors in the supply chain can help detect and prevent software supply chain attacks:
- The upstream companies who distribute software into the supply chain (vendors)
- The downstream organizations who purchase and use that software (customers)
Here’s how each of these parties can defend against this type of threat.
Vendors
Vendors developing commercial software must be extremely diligent before releasing their products into the supply chain. Apply strong security standards at every stage of production as well as across your organization.
- Ensure your systems aren’t vulnerable to cyberattacks like phishing, SQL injection, or man-in-the-middle attacks.
- Carefully vet and document any third-party code employed in your development process.
- Maintain a library of any open-source code libraries you use.
- Carefully monitor any changes or security updates to the code.
- Implement a cyber security framework to ensure your organization meets good cybersecurity standards.
Customers
Once compromised software is installed on a company’s systems, there’s little they can do to stop the damage. As such, organizations must do everything reasonably possible to avoid installing compromised software or acquiring compromised hardware. Here are some of the things you can do to mitigate that risk.
- Implement a cyber supply chain risk management (C-SCRM) program so you can fully account for all suppliers and products in your supply chain.
- Engage with your software suppliers to understand how they identify vulnerabilities and prevent cyber risks.
- Request a software component inventory from your software suppliers and consider changing suppliers if they cannot provide one.
- Monitor and defend endpoints to contain the spread of any malware infections.
- Implement a cyber security framework to ensure your organization meets good cybersecurity standards and can respond effectively to email supply chain attacks.
Software supply chain attacks: just one type of supply chain attack
Attacking software is just one of several ways cybercriminals can leverage the interconnected nature of supply chains. Another is email-based supply chain attacks, in which cybercriminals hack vendors’ email accounts to deliver highly convincing phishing emails.
Email-based supply chain attacks are sometimes called Account Takeover attacks. The Nobelium email campaign, conducted by the same actors who hit SolarWinds, is an example of an email supply chain attack: 150 government agencies, think tanks, and NGOs received phishing emails after the cybercriminals hacked email provider Constant Contact. The good news is that email-based supply chain attacks, while potentially devastating, are avoidable by using an effective email security tool like Tessian. Tessian scans inbound emails to detect anomalies such as malicious links, inauthentic sender addresses, and signs of inconsistent language or behavior that suggest an email’s sender is not who they say they are. Read more about how Tessian’s machine learning-powered technology helps detect and defend against email-based supply chain attacks and other phishing threats.
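Two of the recommendations in the prevention section above, a vendor maintaining a library of the components it ships and a customer requesting a software component inventory from its suppliers, only pay off if someone actually checks a delivered update against that inventory. The following added Python example shows what that check looks like for the maintenance-stage attack both SolarWinds and Kaseya used; it is not code from NIST, SolarWinds, Kaseya or Tessian. The component names, artifact bytes and the inventory pinned from them are constructed so the example runs offline; in practice the inventory would be the vendor’s signed release manifest or SBOM, obtained out of band rather than shipped alongside the update it is meant to verify.

```python
import hashlib

# Constructed "known-good" artifacts and the inventory pinned from them. In
# practice the inventory (an SBOM or signed release manifest) comes from the
# vendor; here it is built inline so the example runs offline.
GOOD_AGENT = b"monitoring-agent 2.3.1 release build\n"
GOOD_NETLIB = b"netlib 1.0.4 release build\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


INVENTORY = {
    "monitoring-agent": {"version": "2.3.1", "sha256": sha256_hex(GOOD_AGENT)},
    "netlib": {"version": "1.0.4", "sha256": sha256_hex(GOOD_NETLIB)},
}

# Constructed update bundle (component name -> bytes) as received from the vendor.
# One component was altered after the inventory was cut, and one was never approved.
SHIPPED_UPDATE = {
    "monitoring-agent": GOOD_AGENT + b"# unreviewed code appended in the update\n",
    "netlib": GOOD_NETLIB,
    "telemetry-helper": b"component that appears in no approved inventory\n",
}


def verify_update(inventory: dict, shipped: dict) -> dict:
    """Per-component verdict: ok, hash-mismatch, unlisted (not in inventory) or
    missing (in inventory but absent from this update)."""
    verdicts = {}
    for name, data in shipped.items():
        if name not in inventory:
            verdicts[name] = "unlisted"
        elif sha256_hex(data) != inventory[name]["sha256"]:
            verdicts[name] = "hash-mismatch"
        else:
            verdicts[name] = "ok"
    for name in inventory:
        if name not in shipped:
            verdicts[name] = "missing"
    return verdicts


def release_gate(verdicts: dict) -> bool:
    """Block on tampered or unexpected components. A component absent from a
    partial update is reported but does not by itself block installation."""
    return all(v in ("ok", "missing") for v in verdicts.values())


if __name__ == "__main__":
    result = verify_update(INVENTORY, SHIPPED_UPDATE)
    for name, verdict in result.items():
        print(f"{name:18s} {verdict}")
    print("install allowed:", release_gate(result))
```

The same loop serves both parties: a vendor runs it against its own library of approved components before publishing, and a customer runs it against the inventory the vendor provided before deployment. A supplier that cannot produce such an inventory leaves the customer with nothing to compare against, which is why the text suggests treating that as grounds to change suppliers.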
Human Layer Security Spear Phishing
Must-Know Phishing Statistics: Updated 2021
By Maddie Rosenthal
16 September 2021
Looking for something more visual? Check out this infographic with key statistics.
The frequency of phishing attacks
According to the FBI, phishing was the most common type of cybercrime in 2020—and phishing incidents nearly doubled in frequency, from 114,702 incidents in 2019, to 241,324 incidents in 2020. The FBI said there were more than 11 times as many phishing complaints in 2020 compared to 2016. According to Verizon’s 2021 Data Breach Investigations Report (DBIR), phishing is the top “action variety” seen in breaches in the last year and 43% of breaches involved phishing and/or pretexting.
The frequency of attacks varies industry-by-industry (click here to jump to key statistics about the most phished). But 75% of organizations around the world experienced some kind of phishing attack in 2020. Another 35% experienced spear phishing, and 65% faced BEC attacks. But, there’s a difference between an attempt and a successful attack. 74% of organizations in the United States experienced a successful phishing attack. This is 30% higher than the global average, and 14% higher than last year. ESET’s Threat Report reveals that malicious email detections rose 9% between Q2 and Q3, 2020. This followed a 9% rise from Q1 to Q2, 2020.
⚡ Want to learn how to prevent successful attacks? Check out this page all about BEC prevention.
How phishing attacks are delivered
96% of phishing attacks arrive by email. Another 3% are carried out through malicious websites and just 1% via phone. When it’s done over the telephone, we call it vishing and when it’s done via text message, we call it smishing. The increase in phishing attacks means email communications networks are now riddled with cybercrime. Symantec research suggests that throughout 2020, 1 in every 4,200 emails was a phishing email. According to SonicWall’s 2020 Cyber Threat Report, in 2019, PDFs and Microsoft Office files (sent via email) were the delivery vehicles of choice for today’s cybercriminals. Why? Because these files are universally trusted in the modern workplace.
When it comes to targeted attacks, 65% of active groups relied on spear phishing as the primary infection vector. This is followed by watering hole websites (23%), trojanized software updates (5%), web server exploits (2%), and data storage devices (1%). 
The most common subject lines
According to Symantec’s 2019 Internet Security Threat Report (ISTR), the top five subject lines for business email compromise (BEC) attacks were:
- Urgent
- Request
- Important
- Payment
- Attention
Analysis of real-world phishing emails revealed these to be the most common subject lines in Q4, 2020:
- IT: Annual Asset Inventory
- Changes to your health benefits
- Twitter: Security alert: new or unusual Twitter login
- Amazon: Action Required | Your Amazon Prime Membership has been declined
- Zoom: Scheduled Meeting Error
- Google Pay: Payment sent
- Stimulus Cancellation Request Approved
- Microsoft 365: Action needed: update the address for your Xbox Game Pass for Console subscription
- RingCentral is coming!
- Workday: Reminder: Important Security Upgrade Required
The prevalence of phishing websites
Google Safe Browsing uncovers unsafe URLs across the web. The latest data shows a world-wide-web rife with phishing websites. Since 2016, phishing has replaced malware as the leading type of unsafe website. While there were once twice as many malware sites as phishing sites, there are now nearly 75 times as many phishing sites as there are malware sites. Google has registered 2,145,013 phishing sites as of Jan 17, 2021. This is up from 1,690,000 on Jan 19, 2020 (up 27% over 12 months). This compares to malware sites rising from 21,803 to 28,803 over the same period (up 32%). Here you can see how phishing sites have rocketed ahead of malware sites over the years.
Research from Cofense suggests phishing emails are slightly more likely to contain a link to a malicious website (38%) than a malicious attachment (36%).
Further reading: ⚡ How to Identify a Malicious Website
The most common malicious attachments
Many phishing emails contain malicious payloads such as malware files. ESET’s Threat Report reports that in Q3 2020, these were the most common types of malicious files attached to phishing emails:
- Windows executables (74%)
- Script files (11%)
- Office documents (5%)
- Compressed archives (4%)
- PDF documents (2%)
- Java files (2%)
- Batch files (2%)
- Shortcuts (>1%)
- Android executables (>1%)
You can learn more about malicious payloads here.
The data that’s compromised in phishing attacks
The top three “types” of data that are compromised in a phishing attack are:
- Credentials (passwords, usernames, PIN numbers)
- Personal data (name, address, email address)
- Medical (treatment information, insurance claims)
When asked about the impact of successful phishing attacks, security leaders around the world cited the following consequences:
- 60% of organizations lost data
- 52% of organizations had credentials or accounts compromised
- 47% of organizations were infected with ransomware
- 29% of organizations were infected with malware
- 18% of organizations experienced financial losses
The cost of a breach
RiskIQ estimates that businesses worldwide lose $17,700 every minute due to phishing attacks—and that top companies lose $25 per minute to cybercrime. IBM’s 2021 research into the cost of a data breach ranks the causes of data breaches according to the level of costs they impose on businesses. Phishing ranks as the second most expensive cause of data breaches—a breach caused by phishing costs businesses an average of $4.65 million, according to IBM. And Business Email Compromise (BEC)—a type of phishing whereby the attackers hijack or spoof a legitimate corporate email account—ranks at number one, costing businesses an average of $5.01 million per breach.
That’s not the only way phishing can lead to a costly breach—attacks using compromised credentials were ranked as the fifth most costly cause of a data breach (averaging $4.37 million). And how do credentials get compromised? More often than not, due to phishing. On the plus side, IBM found that businesses with AI-based security solutions experienced a significant reduction in the costs associated with a data breach. In fact, AI security solutions were found to be the biggest factor in cutting breach costs, from $6.71 million to $2.90 million. According to Verizon, organizations also see a 5% drop in stock price in the 6 months following a breach.
Losses from business email compromise (BEC) have skyrocketed over the last year. The FBI’s Internet Crime Report shows that in 2020, BEC scammers made over $1.8 billion—far more than via any other type of cybercrime. And, this number is only increasing. According to the Anti-Phishing Working Group’s Phishing Activity Trends Report, the average wire-transfer loss from BEC attacks in the second quarter of 2020 was $80,183. This is up from $54,000 in the first quarter.
This cost can be broken down into several different categories, including:
- Lost hours from employees
- Remediation
- Incident response
- Damaged reputation
- Lost intellectual property
- Direct monetary losses
- Compliance fines
- Lost revenue
- Legal fees
Costs associated with remediation generally account for the largest chunk of the total. Importantly, these costs can be mitigated by cybersecurity policies, procedures, technology, and training. Artificial Intelligence platforms can save organizations $8.97 per record.
The most targeted industries
Last year, Public Administration saw the most breaches from social engineering (which caused 69% of the industry’s breaches), followed by Mining and Utilities and Professional Services. But, according to another report, employees working in Wholesale Trade are the most frequently targeted by phishing attacks, with 1 in every 22 users being targeted by a phishing email last year. According to yet another data set, the most phished industries vary by company size. Nonetheless, it’s clear Manufacturing and Healthcare are among the highest risk industries.
The industries most at risk in companies with 1-249 employees are:
- Healthcare & Pharmaceuticals
- Education
- Manufacturing
The industries most at risk in companies with 250-999 employees are:
- Construction
- Healthcare & Pharmaceuticals
- Business Services
The industries most at risk in companies with 1,000+ employees are:
- Technology
- Healthcare & Pharmaceuticals
- Manufacturing
But there’s another way in which phishing impacts organizations differently across industries—resilience. Some industries are more susceptible to phishing than others.
By considering factors like awareness, susceptibility, and reporting rate, Cofense estimates the following ranking of industries according to their resilience to phishing attacks:
- Agriculture
- Mining
- Professional services
- Finance
- Utilities
- Retail Trade
- Construction
- Public
- Entertainment
- Information
- Manufacturing
- Transport
- Education
- Other services
- Real estate
- Healthcare
- Management
- Administrative
- Accommodation
As noted, healthcare has been hit particularly hard by phishing and other cybercrimes throughout the pandemic. According to the HIPAA Journal, an average of 58.8 data breaches occurred among U.S. healthcare providers between August 2020 and July 2021—around 3.70 million records were breached per month. Many of these breaches were caused, directly or indirectly, by phishing. In July 2021, one phishing attack on an Orlando-based family physicians’ practice affected nearly half a million individuals.
Phishing by country
Not all countries and regions are impacted by phishing to the same extent, or in the same way. Here are some statistics from another source showing the percentage of companies that experienced a successful phishing attack in 2020, by country:
- United States: 74%
- United Kingdom: 66%
- Australia: 60%
- Japan: 56%
- Spain: 51%
- France: 48%
- Germany: 47%
Phishing awareness also varies geographically. Here’s the percentage of people who correctly answered the question: “What is phishing?”, by country:
- United Kingdom: 69%
- Australia: 66%
- Japan: 66%
- Germany: 64%
- France: 63%
- Spain: 63%
- United States: 52%
As you can see, there’s no direct correlation between phishing awareness and phishing susceptibility, which is why security training isn’t enough to prevent cybercrime.
The most impersonated brands
New research found the brands below to be the most impersonated brands used in phishing attacks throughout Q4, 2020.
In order of the total number of instances the brand appeared in phishing attacks:
- Microsoft (related to 43% of all brand phishing attempts globally)
- DHL (18%)
- LinkedIn (6%)
- Amazon (5%)
- Rakuten (4%)
- IKEA (3%)
- Google (2%)
- PayPal (2%)
- Chase (2%)
- Yahoo (1%)
The common factor between all of these consumer brands? They’re trusted and frequently communicate with their customers via email. Whether we’re asked to confirm credit card details, our home address, or our password, we often think nothing of it and willingly hand over this sensitive information. But it’s not just consumer brands that scammers impersonate. Public bodies are also commonly mimicked in phishing scams. Between August 2020 and July 2021, the UK’s tax authority (HMRC) reported:
- More than 450 COVID-19-related financial support scams
- More than one million reports of “suspicious contact” (namely, phishing attempts)
- More than 13,000 malicious web pages (used as part of phishing attacks)
The rates of phishing and other scams reported by HMRC more than doubled in this period.
Facts and figures related to COVID-19 scams
Because hackers tend to take advantage of key calendar moments (like Tax Day or the 2020 Census) and times of general uncertainty, individuals and organizations saw a spike in COVID-19 phishing attacks starting in March. But, according to one report, COVID-19 related scams reached their peak in the third and fourth weeks of April. And, it looks like hackers were laser-focused on money. Incidents involving payment and invoice fraud increased by 112% between Q1 2020 and Q2 2020. It makes sense, then, that finance employees were among the most frequently targeted employees. In fact, attacks on finance employees increased by 87% while attacks on the C-Suite decreased by 37%.
Further reading:
⚡ COVID-19: Screenshots of Phishing Emails
⚡ How Hackers Are Exploiting the COVID-19 Vaccine Rollout
⚡ Coronavirus and Cybersecurity: How to Stay Safe From Phishing Attacks
Phishing and the future of work
The move to remote work has presented many challenges to business—and the increased range, frequency, and probability of security incidents are among the most serious. New working habits have contributed to the recent surge in phishing because IT teams have less oversight over how colleagues are using their devices and can struggle to provide support when things go wrong. According to Microsoft’s New Future of Work Report:
- 80% of security professionals surveyed said they had encountered increased security threats since the shift to remote work began.
- Of these, 62% said phishing campaigns had increased more than any other type of threat.
- Employees said they believed IT departments would be able to mitigate these phishing attacks if they had been working in the office.
Furthermore, an August 2021 survey conducted by Palo Alto Networks found that:
- 35% of companies reported that their employees either circumvented or disabled remote security measures
- Workers at organizations that lacked effective remote collaboration tools were more than eight times as likely to report high levels of security evasion
- 83% of companies with relaxed bring-your-own-device (BYOD) usage reported increased security issues
Further reading:
⚡ The Future of Hybrid Work
⚡ 7 Concerns Security Leaders Have About Permanent Remote Working
What can individuals and organizations do to prevent being targeted by phishing attacks?
While you can’t stop hackers from sending phishing or spear phishing emails, you can make sure you (and your employees) are prepared if and when one is received. You should start with training. Educate employees about the key characteristics of a phishing email and remind them to be scrupulous and inspect emails, attachments, and links before taking any further action.
- Review the email address of senders and look out for impersonations of trusted brands or people. (Check out our blog CEO Fraud Email Attacks: How to Recognize & Block Emails that Impersonate Executives for more information.)
- Always inspect URLs in emails for legitimacy by hovering over them before clicking.
- Beware of URL redirects and pay attention to subtle differences in website content.
- Genuine brands and professionals generally won’t ask you to reply divulging sensitive personal information. If you’ve been prompted to, investigate and contact the brand or person directly, rather than hitting reply.
But, humans shouldn’t be the last line of defense. That’s why organizations need to invest in technology and other solutions to prevent successful phishing attacks. But, given the frequency of attacks year-on-year, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough. That’s where Tessian comes in. By learning from historical email data, Tessian’s machine learning algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to not only detect, but also prevent a wide range of impersonations, spanning more obvious, payload-based attacks to subtle, social-engineered ones.
Further reading: ⚡ Tessian Defender: Product Data Sheet
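The advice above to hover over links, watch for redirects and notice subtle differences is exactly what an automated pre-delivery check can do for every link in an HTML email, so that the human is not the only one looking. The following is an added Python example, not Tessian’s code: it extracts each link from an HTML body, compares the host the reader sees in the anchor text with the host the href actually points to, flags a redirect-style query parameter on an otherwise trusted host, notes punycode (IDN) hostnames, and reports a host within two edits of a trusted domain as a lookalike. The trusted-domain set, the sample body and its placeholder hostnames are constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Domains the organization treats as known-good (constructed sample).
TRUSTED = {"corp.example", "bank.example"}
# Query keys commonly used by open redirectors on otherwise trusted hosts.
REDIRECT_KEYS = {"url", "redirect", "next", "target", "goto"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str) -> str:
    """Hostname of a URL or bare domain, with a leading 'www.' dropped."""
    parsed = urlparse(text if "://" in text else "http://" + text)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_link(href: str, text: str) -> list:
    """Findings for one link; an empty list means nothing suspicious was seen."""
    findings = []
    href_host = host_of(href)
    # Only treat the anchor text as a host when it looks like a URL or domain.
    shown_host = host_of(text) if "." in text and " " not in text else ""
    if shown_host and shown_host != href_host:
        findings.append("displayed host differs from link target")
    for key, values in parse_qs(urlparse(href).query).items():
        if key.lower() in REDIRECT_KEYS and any("://" in v or "." in v for v in values):
            findings.append("redirect parameter in query string")
            break
    if any(label.startswith("xn--") for label in href_host.split(".")):
        findings.append("punycode (IDN) host")
    if href_host and href_host not in TRUSTED:
        for trusted in TRUSTED:
            if edit_distance(href_host, trusted) <= 2:
                findings.append(f"lookalike of {trusted}")
    return findings


def inspect_html(html: str) -> list:
    """Return [(href, findings), ...] for every link in the body."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return [(href, inspect_link(href, text)) for href, text in extractor.links]


# Constructed sample body; the hostnames are placeholders, not real sites.
SAMPLE_HTML = """
<p>Your account is locked. Sign in here:
<a href="http://bamk.example/login">https://www.bank.example/login</a></p>
<p><a href="https://bank.example/go?next=http://drop.example/x">Update your details</a></p>
<p><a href="https://bank.example/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for href, findings in inspect_html(SAMPLE_HTML):
        print(href, "->", findings or "ok")
```

The first sample link is the case the hover advice targets: the text shows the genuine domain while the href goes to a one-letter lookalike. The second passes every surface check because its host is trusted, which is why the redirect parameter deserves its own finding. A two-edit threshold is deliberately loose; on a large trusted set it would be tightened or combined with a registrable-domain comparison to keep false positives down.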
Human Layer Security Spear Phishing
Legacy Phishing Prevention Solutions vs. Human Layer Security
By Jessica Cooper
27 August 2021
Phishing – in its many varieties – is the threat most security leaders are concerned about protecting their organizations against. Why? Because attacks are frequent, hard to spot, time-consuming to investigate, and expensive to recover from. And legacy solutions like Secure Email Gateways (SEGs), sandboxes, DMARC, and security awareness training just aren’t enough. With these methods, users aren’t engaged in a meaningful way and unknown anomalies aren’t accounted for. But there’s a better way. This blog evaluates the shortcomings of legacy phishing prevention solutions, and proposes a different approach: Human Layer Security.
Note: This article is based on an extensive whitepaper available for download. The whitepaper provides greater depth as it compares Human Layer Security with the legacy security solutions discussed here.
The problem with SEGs & native tools
SEGs lack the intelligence to learn user behavior or rapidly adapt. The backbone of a SEG is traditional email security approaches – static rules, signature-based detection, a library of known threats, etc. Meanwhile, attackers consistently evolve their techniques, email networks are dynamic in nature, and human behavior is inconsistent and unpredictable. That means rules are out of date as soon as they are created and signature-based approaches are ineffective. They can’t detect advanced impersonation, account takeover (ATO), third-party supply chain risk, or wire fraud. Worse still, SEGs don’t address other entry points like Microsoft SharePoint, OneDrive, and ShareFile, which are some of the most hacked cloud tools.
What about native controls like Microsoft ATP? O365’s native security controls do protect users against bulk phishing scams, spam, malware, and domain spoofing. And these tools are great when it comes to stopping broad-based, high-volume, low-effort attacks – they offer a baseline protection. But, today’s email attacks have mutated to become more sophisticated and targeted.
Attackers use automation to make small, random modifications to existing malware signatures and use transformation techniques to bypass these native O365 security tools. Unsuspecting – and often untrained – users fall prey to socially engineered attacks that would be hard for even a security expert to spot. To learn more about why Office 365 accounts are vulnerable to attack, click here.
Why sandboxes fail to detect phishing attacks
One of the primary ways sandboxes can fail is in phishing attempts. Any detection made by the sandbox is dependent on a file exhibiting malicious behavior. This is easy to work around. Hackers will often send a PDF that contains a link to a malicious form to avoid detection. Likewise, documents with a URI (Uniform Resource Identifier) have an extremely low footprint for sandboxes to detect. And the short TTL domain doesn’t leave much evidence for event analysis or threat intelligence. There are issues with latency, too. Emails, communications, downloads, and important files can take several minutes to reach their destination because of the bottleneck sandboxes can create. This is not an option in today’s modern enterprises where real-time communication and collaboration is paramount.
Why DMARC isn’t enough
Domain-based Message Authentication, Reporting and Conformance (DMARC) is an added authentication method that uses both SPF and DKIM to verify whether or not an email was actually sent by the owner of the domain that the user sees. In order for DMARC to pass, both SPF and DKIM must pass, and at least one of them must be aligned. While impersonating a given domain is a common method used for phishing and other malicious activities, there are other attack vectors that DMARC does not address. For example, DMARC does not address domain impersonation attacks (i.e. sending from a domain that looks like the target being abused – e.g. vs.), or display name impersonation (i.e. modifying the “From” field to look as if it comes from the target being abused).
The other misunderstood aspect of DMARC is that enabling DMARC on your domain protects your domain from being used in a phishing attack. But to protect your organization against phishing and spear phishing attacks, all domains used in communication with your employees should have DMARC enabled on them. But still, only one-third of businesses employ DMARC. This makes the security of your organization dependent on other companies communicating with your organization and vulnerable to supply chain risk, especially since DMARC records are publicly available, meaning attackers can easily identify and target domains that are not registered, and thus are vulnerable to impersonation. Finally, in addition to their own internal domains, organizations are likely to use some combination of Office 365, Gmail, MailChimp, and other third-party email services. But it’s a challenge to then retrofit them all with DMARC. Want to learn more? We explore the limitations of DMARC in more detail here.
The limitations of security awareness training
Security Awareness Training (SAT) is seen as a “quick win” when it comes to security – a box-ticking exercise that companies can do in order to tell their shareholders, regulators and customers that they’re taking security seriously. Sadly, the evidence of these initiatives being conducted is much more important than the effectiveness of them. And engagement is a big problem. Too many SAT programs are delivered once or twice a year in lengthy sessions. This makes it really hard for employees to remember the training they were given, and the sessions themselves have to cram in too much content to be memorable. It’s also difficult for security leaders to train their employees to spot today’s sophisticated attacks. That’s because SAT platforms rely on simulating phishing threats by using pre-defined templates of common threats.
This is a fair approach for generic phishing awareness (e.g. beware the fake O365 password login page), but it’s ineffective at driving awareness and preparing employees for the highly targeted and continuously evolving phishing threats they’re increasingly likely to see today (e.g. an email impersonating their CFO with a spoofed domain). We explore the pros and cons of phishing awareness training here. What is Human Layer Security?  The only question left to answer is: When legacy solutions and training programs aren’t enough, how can we prevent employees from interacting with the malicious emails that land in their inbox? The answer is Human Layer Security (HLS). SEGS and native tools like O365 provide basic phishing protection, but organizations need an intelligent solution like Tessian to detect and prevent advanced inbound attacks like BEC, ATO, and CEO Fraud that make it through inbuilt bulk phishing and spam filters. Tessian Defender uses machine learning (ML) to protect your people from even the most advanced inbound threats.  Here’s how: Tessian’s machine learning algorithms analyze your company’s email data, learn employees’ normal communication patterns, and map their trusted email relationships — both inside and outside your organization. Tessian inspects both the content and metadata of inbound emails for any suspicious or unusual signals pointing to a potential impersonation, ATO, or BEC threat. For example, payloads, anomalous geophysical locations, IP addresses, email clients, and sending patterns.  Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language via an interactive notification.
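To make the DMARC alignment discussion earlier in this post concrete, here is an added example (not Tessian’s code and not from the original post) that evaluates DMARC the way RFC 7489 specifies it: the check compares the SPF-authenticated domain and the DKIM signing domain against the domain in the From header the user sees, honouring the record’s strict or relaxed alignment tags, and a message is DMARC-compliant as soon as one of the two authenticated identifiers both passes and aligns. Everything external is a constructed stand-in: the DNS TXT lookups are a dictionary, the domains and scenarios are invented, and the organizational-domain helper approximates the Public Suffix List. The last two scenarios show exactly the gap the post describes: a look-alike domain with its own valid records, and a display-name impersonation sent from a free-mail account, both pass.

```python
"""Simplified DMARC evaluation modelled on RFC 7489.

Added example; not Tessian's code. DNS lookups and the Public Suffix List
are replaced with constructed in-memory stand-ins.
"""
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed stand-in for the TXT record published at _dmarc.<domain>.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r",
    "examp1e.com": "v=DMARC1; p=none",            # look-alike domain (constructed)
    "freemail.example": "v=DMARC1; p=quarantine",  # a free-mail provider (constructed)
}


@dataclass
class AuthResults:
    from_header: str   # RFC5322.From exactly as the recipient sees it
    spf_result: str    # "pass" / "fail" / "none" for the MAIL FROM domain
    spf_domain: str    # domain SPF was evaluated against
    dkim_result: str   # "pass" / "fail" / "none" for the first valid signature
    dkim_domain: str   # d= tag of that signature


def organizational_domain(domain: str) -> str:
    # Constructed approximation (last two labels). Real code must consult the
    # Public Suffix List so that e.g. "co.uk" is not treated as an organization.
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def header_from_domain(from_header: str) -> str:
    # The display name is discarded here: DMARC never looks at it.
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    if mode == "s":  # strict alignment: exact match
        return auth_domain.lower() == from_domain.lower()
    # relaxed alignment: same organizational domain
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def parse_record(txt: str) -> dict:
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def evaluate_dmarc(auth: AuthResults) -> dict:
    from_domain = header_from_domain(auth.from_header)
    # Record discovery: the From domain first, then its organizational domain.
    txt = DMARC_RECORDS.get(from_domain) or DMARC_RECORDS.get(organizational_domain(from_domain))
    if txt is None or parse_record(txt).get("v") != "DMARC1":
        return {"result": "none", "disposition": "none", "from_domain": from_domain}
    tags = parse_record(txt)
    spf_ok = auth.spf_result == "pass" and is_aligned(auth.spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = auth.dkim_result == "pass" and is_aligned(auth.dkim_domain, from_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok  # one passing, aligned identifier is sufficient
    return {
        "result": "pass" if passed else "fail",
        "disposition": "none" if passed else tags.get("p", "none"),
        "from_domain": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
    }


# Constructed scenarios.
LEGITIMATE = AuthResults("Accounts <ap@example.com>", "pass", "bounce.example.com", "pass", "example.com")
SPOOFED = AuthResults("Accounts <ap@example.com>", "pass", "attacker.example", "none", "")
LOOKALIKE = AuthResults("Accounts <ap@examp1e.com>", "pass", "examp1e.com", "pass", "examp1e.com")
DISPLAY_NAME = AuthResults("Jane Doe CFO <jane.doe.cfo@freemail.example>", "pass", "freemail.example", "none", "")

if __name__ == "__main__":
    for label, auth in [("legitimate", LEGITIMATE), ("exact-domain spoof", SPOOFED),
                        ("look-alike domain", LOOKALIKE), ("display-name impersonation", DISPLAY_NAME)]:
        print(f"{label:28s} -> {evaluate_dmarc(auth)}")
```

Only the exact-domain spoof is rejected; the look-alike and display-name cases come back as a DMARC pass because the attacker controls the domain in the From header, which is why DMARC needs to sit beside controls that look at who the sender appears to be rather than only at the domain that authenticated.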
Spear Phishing DLP Compliance
5 Cyber Risks In Manufacturing Supply Chains
26 August 2021
When it comes to supply chain risks, cybersecurity and data loss are top of mind for security analysts and other professionals. The EU Agency for Cybersecurity (ENISA) notes that there has been a marked increase in such attacks since early 2020, and that most supply chain attacks target data (mainly personal information and intellectual property). Manufacturers are typically involved in long and complex supply chains with many actors, making them particularly vulnerable to disruption and malicious activity in the supply chain. You must protect against these risks. Keep reading to learn more, including prevention tips.

5 manufacturing supply chain cyber risks

First, let’s look at five crucial supply chain cyber risks for manufacturers. We’ll then consider how manufacturers can improve their supply chain cybersecurity, referencing some real-life examples.

1. Intellectual property theft

One major concern for manufacturers is that third parties in their supply chain may abuse their access to intellectual property and other valuable or sensitive data. According to research by Kroll, guarding against supply chain IP theft is a priority for nearly three-quarters of companies. Even if all your supply chain partners are legitimate, there is always the possibility that a rogue employee could steal your IP or trade secrets and pass them on to your competitors. Don’t believe us? Check out these 17 examples of real-world insider threats.

2. Supply chain attacks

Supply chain attacks leverage security vulnerabilities to steal data and spread malware such as ransomware. Some recent high-profile supply chain attacks include the attacks on software companies SolarWinds and Kaseya. These incidents involved software vendors pushing compromised updates to their customers, resulting in widespread malware infections. There’s a reason that supply chains are particularly vulnerable to cyberattacks: the more organizations are involved in a manufacturing process, the greater the likelihood that one of the members will fall victim to a cyberattack and spread malware to their business partners. But that doesn’t mean that the chain is “only as strong as its weakest link.” A well-defended organization can stop a supply chain attack in its tracks.

Case study: supply chain attack

Here’s an example of a supply chain attack that leveraged email in an attempt to undermine a company’s security defenses. This type of threat is known as an “account takeover” (ATO) attack. The cybercriminals targeted a medium-sized construction firm by first infiltrating one of the company’s trusted vendors. The attackers managed to take over the email account of one of this vendor’s employees. By reading the employee’s emails, the criminals learned that the employee was in contact with several high-ranking staff members at the construction firm. After observing the employee’s communication patterns and email style, the attackers then used the mailbox to send phishing emails to a targeted group of individuals at the construction firm. The phishing emails encouraged the recipients to click a link to a cloud storage folder, claiming that the folder contained a request for a proposal. Clicking the link would have downloaded malware onto the recipient’s device.

Protecting against supply chain attacks

Protecting against supply chain attacks requires a comprehensive cybersecurity policy, including staff training, network defenses, and security software. Implementing email security software is a vital part of your defensive strategy in the case of email-based supply chain attacks, such as the one above. The case study above is a real-life example of how Tessian, a comprehensive email security solution driven by machine learning, can help thwart supply chain attacks. Tessian Defender scans inbound emails for suspicious activity. The software also learns your employees’ communication patterns to understand what constitutes “normal” email activity. In the attack described above, Tessian noted several subtle signs, including the sender’s location and choice of cloud storage platform, suggesting that the email could be part of a supply chain attack. Tessian alerted the employee to the potential danger, and the supply chain attack was averted. It’s important to note that legacy email security software, which normally operates on a “rule-based” basis, can fall short when it comes to sophisticated account takeover attacks like this. Tessian was not the only security product this construction firm was running. But it was the only one to spot the attack.

3. Compromised hardware and software

Malicious actors can compromise hardware and software during the manufacturing process, creating vulnerabilities that are passed on down the supply chain or to equipment end-users. Hardware can be tampered with at any stage in the supply chain. As a manufacturer, you might obtain compromised hardware, or malicious actors could interrupt the manufacturing process downstream, tampering with products to install rootkits or other technologies. But as a manufacturer, you must also protect against threats in your own portion of the supply chain, where internal or external actors could interfere with the products or components you create.

Case study: compromised software

In August 2020, reports emerged that Chinese phone manufacturer Transsion had shipped thousands of mobile devices containing pre-installed malware that signed users up to subscription services without their consent. The pre-installed malware, known as Triada, automatically downloads and installs a trojan called “xHelper” that cannot be easily removed by users. The program covertly submits requests for subscription products at the user’s expense. Transsion blamed a malicious actor in its supply chain for installing Triada on its devices, but the culprit has yet to be discovered.

Defending against software compromise

One step towards avoiding any type of malicious actor in your supply chain is conducting thorough due diligence. Identify and document all supply chain partners; as mentioned, you could be accountable for their malicious or negligent activity. Integrating cybersecurity measures into your quality assurance regime may also be a way to prevent upstream malicious actors from tampering with firmware before your manufacturing process takes place. And as we’ve seen, it’s crucial to protect your own systems from cyberattacks, which means ensuring the security of key communications channels like email.

4. Downstream software or hardware security vulnerabilities

It’s vital to protect data against access by other parties in your supply chain. But even if you could trust your supply chain partners not to steal your data, you must also ensure that they don’t make it accessible to unauthorized third parties. No matter how much work you put into protecting your own systems from unauthorized access, your efforts could be rendered futile by software or hardware vulnerabilities among other parties downstream.

5. Legal non-compliance

In addition to maintaining poor cybersecurity practices that directly impact your own organization’s security, third parties in the supply chain may follow poor information security practices for which you could be liable.

Case study: third-party legal non-compliance

In 2019 a U.K. pharmaceuticals company was fined after a third-party contractor left documents containing personal information publicly accessible in unsecured containers. Under the GDPR, “data controllers” are responsible for many of the actions of their service providers. As such, the pharmaceuticals company was deemed liable for the error. The firm received a fine and engaged in a drawn-out legal battle with the U.K.’s data regulator.

Mitigating poor security practices among third parties

Research is crucial to ensure you’re working with reputable third parties that will undertake compliant and responsible data protection practices. Contracts stipulating particular security measures are also important. Such agreements can also contain contractual clauses that serve to indemnify your company against legal violations by the other party. Under some data protection laws, including the GDPR and the upcoming Colorado Privacy Act, service providers processing personal information on another company’s behalf are required to submit to audits and inspections. Routinely inspecting the data security practices of your vendors and other service providers is an excellent way to ensure they are meeting their compliance obligations on your behalf.

How to prevent manufacturing supply chain risks

In general, manufacturers can manage cyber risks in supply chains via a robust and comprehensive cybersecurity program. Here are some key cybersecurity principles for supply chain management from the National Institute of Standards and Technology (NIST):

Assume your systems will be breached. This means considering not only how to defend against breaches, but determining how you will mitigate breaches once they have occurred.
Think beyond technology. Cybersecurity is also about people, processes, and knowledge.
Cybersecurity also means physical security. Threat actors can use physical security vulnerabilities to launch cyberattacks.

Implementing a cybersecurity framework is key to defending against supply chain threats. Manufacturers of any size can work towards cybersecurity framework compliance, implementing controls according to their resources and priorities. The NIST Cybersecurity Framework Version Manufacturing Profile: NISTIR 8183 Revision 1 is an excellent starting point for manufacturers. For more information about the NIST framework, read our article on NIST and email security.

More specifically, manufacturers should be taking the following steps to protect their data and systems in supply chains:

Identify and document all supply chain members
Conduct careful due diligence on parties in the supply chain
Require supply chain partners to contractually agree to maintain good cybersecurity and data protection practices
Ensure inbound communications (particularly via email) are scanned for signs of phishing and other social engineering attacks
Scan outbound communications to prevent data loss
Ensure all employees are aware of the risks and their responsibilities

Email is a key supply chain vulnerability

Of all the risks inherent to working in a supply chain, cyberattacks are perhaps the most critical in the current climate. As ENISA notes, most supply chain attacks use malware to target company data. We also know that 96% of phishing attacks, which are the primary means of infecting business networks with malware, take place via email. The bottom line: email security is a crucial step for manufacturers to defend against supply chain cyber risks. Find out more about how Tessian can help with the resources below.

⚡ Tessian Platform Overview
⚡ Customer Stories
⚡ Book a Demo
Spear Phishing
How Does Tessian Help Prevent Ransomware Attacks?
By Negin Aminian
18 August 2021
Before we dig into how Tessian can help prevent ransomware attacks, let’s first define what exactly ransomware is, and explain the scope of the problem.

What is ransomware?

Ransomware is a type of malware that threatens to publish a victim’s data (or perpetually block access to it) unless a ransom is paid. Most ransomware variants have multiple attack vectors, and often the ransomware (and other malware) is distributed using email spam campaigns or through targeted attacks. For example, a phishing email may contain a link to a website hosting a malicious download, or an attachment. If the email recipient falls for the phish, then the ransomware is downloaded and executed on their computer. After a successful ransomware attack, security professionals and business executives are faced with conflicting options. Paying the ransom encourages future attacks. Yet the recovery could be far more costly than the original demand. You can learn more about what ransomware is in this article: What is Ransomware? How is it Delivered?

How big of a problem is ransomware?

In a word: BIG. You can’t go a day without seeing a headline related to ransomware. That’s because ransomware continues to evolve and can halt businesses, slow down productivity, and destroy an organization’s reputation overnight. These types of attacks are often subtle and highly effective, using social engineering until users are tricked into clicking a phishing link or opening a file attachment. Worse still, the majority of organizations are unable to prevent ransomware early in the email cyberattack kill chain and remain vulnerable to these highly sophisticated attacks. Why? Because legacy solutions don’t effectively detect and prevent this type of threat, and there can be multiple threat vectors attacking a single organization in several different ways. The chances of success (for the hacker) are high. Want to see examples of email cyberattack kill chains for ransomware? Download our Solution Brief.

To paint a clearer picture of the impact, check out these stats:

A new organization will fall victim to ransomware every 14 seconds in 2019, and every 11 seconds by 2021
Ransomware damage costs will rise to $20 billion by 2021, and a business will fall victim to a ransomware attack every 11 seconds at that time
The ransomware attack on Universal Health Services (UHS) cost them $67 million. (This is mostly due to the operational problems post attack: diverting patients to competing facilities for urgent care.)

If you’re looking for real-world examples of ransomware attacks, we share seven here: 7 (Recent) Examples of Ransomware Attacks.

How does Tessian help prevent ransomware?

Unlike legacy solutions, Tessian Defender is powered by machine learning and automatically detects and prevents advanced forms of phishing attacks, including those that deliver ransomware, by default. Importantly, this happens early in the kill chain to prevent credential theft, lateral movement, exfiltration, and more. In addition to detecting and preventing threats, Tessian also provides in-the-moment training to help employees identify malicious emails and nudge them towards safer behavior. Solution highlights include:

Threat detection

Tessian’s algorithms continuously analyze and learn from email communications across its global network to build profiles and models of companies and their employees, to understand what their normal email communication looks like. This helps catch even the most advanced forms of phishing attacks that could lead to ransomware. Learn more about Tessian’s technology here.

Rapid remediation

Real-time alerts of inbound email threats are sent to dedicated mailboxes. Explainable machine learning helps SOC teams understand quickly why an email has been classified as malicious. By aggregating similar events and grouping emails from the same compromised account, Tessian allows administrators to clawback/delete multiple events with a single click. Learn more about Tessian’s robust remediation tools here.

In-the-moment training

Non-disruptive in-the-moment training and awareness is provided to employees through contextualized, easy-to-understand warning messages that continually drive them towards secure behavior. Learn more about Tessian in-the-moment warnings here.

Flexible deployment and seamless integrations

Defender deploys in minutes and automatically prevents data breaches through email within 24 hours of deployment, across all devices, desktop and mobile. Learn more about Tessian’s integrations, compatibility, and partnerships here, and see what customers have to say about deployment here.
Spear Phishing Compliance
Where Does Email Security Fit Into the MITRE ATT&CK Framework?
13 August 2021
If you’re aiming to achieve compliance with the MITRE ATT&CK Framework, email security will be among your top priorities. Why? Because securing your organization’s email is critical to detect, mitigate, and defend against some of the most widespread and harmful online threats. In this article, we’ll offer a brief overview of the MITRE ATT&CK framework, then consider which attack techniques you can mitigate by improving your organization’s email security.

MITRE ATT&CK Framework 101

Here’s a brief introduction to the MITRE ATT&CK framework. Outlining the framework is important as it’ll help you see how its components tie in with your email security program. But feel free to skip ahead if you already know the basics.

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. The ATT&CK framework has three iterations: ATT&CK for Enterprise, ATT&CK for Mobile, and PRE-ATT&CK. We’re focusing on ATT&CK for Enterprise, covering threats to Windows, macOS, Linux, AWS, GCP, Azure, Azure AD, Office 365, SaaS, and Network environments. You can check out the Mobile Matrices here, and the PRE Matrix here.

MITRE ATT&CK tactics, techniques, sub-techniques, and mitigations

At the core of the framework is the ATT&CK matrix: a set of “Tactics” and corresponding “Techniques” used by “Adversaries” (threat actors). The ATT&CK for Enterprise matrix includes 14 Tactics:

TA0043: Reconnaissance
TA0042: Resource Development
TA0001: Initial Access
TA0002: Execution
TA0003: Persistence
TA0004: Privilege Escalation
TA0005: Defense Evasion
TA0006: Credential Access
TA0007: Discovery
TA0008: Lateral Movement
TA0009: Collection
TA0011: Command and Control
TA0010: Exfiltration
TA0040: Impact

Think of these Tactics as the Adversary’s main objectives. For example, under the “Collection” Tactic (TA0009), the adversary is “trying to gather data of interest to their goal.” If you want to learn more about these tactics, or see a full list of the Techniques, Sub-Techniques, and Mitigations we mention below, click here.

A set of Techniques and sometimes “Sub-Techniques” is associated with each Tactic. Techniques are the methods an Adversary uses to achieve their tactical objectives. Sub-Techniques are variations on certain Techniques. We won’t list all the MITRE ATT&CK Techniques here, but we’ll identify some relevant to email security in just a second. But first (and finally) there are “Mitigations”: methods of preventing or defending against adversaries. Examples of Mitigations include M1041: “Encrypt Sensitive Information,” and M1027: “Password Policies.” Back to email security…

MITRE and Email Security

Now we’ll identify the MITRE ATT&CK framework Tactics and Techniques that are relevant to email security specifically. We’ll consider MITRE’s recommended Mitigations and look at how you can align your email security program to meet the framework’s requirements.

Technique T1566: Phishing

“Phishing” is a MITRE ATT&CK Technique associated with the “Initial Access” Tactic (TA0001). As you’ll probably know, phishing is a type of social engineering attack, usually conducted via email, where an adversary impersonates a trusted person or brand and attempts to trick their target into divulging information, downloading malware, or transferring money. Want more information about phishing? Start by checking out What is Phishing? The MITRE ATT&CK framework identifies both targeted phishing attacks (a technique known as “spear phishing”) and more general phishing attacks (conducted in bulk via spam emails). Now let’s look at the three Sub-Techniques associated with the Phishing Technique.

📎 T1566.001: Spearphishing Attachment

Sub-Technique T1566.001 involves sending a spear phishing email with a malicious attachment. The attachment is malware, such as a virus, spyware, or ransomware file, that enables the adversary to harm or gain control of the target device or system. A spear phishing attachment is usually disguised as a harmless Office, PDF, or ZIP file, and legacy email security software and spam filters can struggle to determine whether an attachment is malicious. The spear phishing email itself will usually try to persuade the target to open the file. The Adversary may impersonate a trusted person and can even provide the target with instructions on opening the file that will bypass system protections. For more information about malicious email attachments, read What is a Malicious Payload?

🔗 T1566.002: Spearphishing Link

As an alternative to using a malicious attachment, a spear phishing email can include a link that leads to a malicious site, such as a fraudulent account login page or a webpage that hosts a malicious download. Like the “Spearphishing Attachment” Sub-Technique, the “Spearphishing Link” Sub-Technique will normally employ social engineering methods, this time as a way to persuade the target to click the malicious link. For example, the spear phishing email may be disguised as a “security alert” email from Microsoft, urging the target to log into their account. Upon following the link and “logging in,” the target’s login credentials will be sent to the adversary. We’ve written in detail about this type of attack in our article What is Credential Phishing?

📱 T1566.003: Spearphishing via Service

The “Spearphishing via Service” Sub-Technique uses platforms other than email to initiate a spearphishing attack, for example a LinkedIn job post or WhatsApp message. This Sub-Technique is not directly related to email security, but email security is still relevant here. For example, if an Adversary is able to establish rapport with their target via social media, then they might follow up with a spear phishing email.

❌ Phishing Detection and Mitigation

Now let’s look at which Mitigations MITRE recommends for dealing with the Phishing Technique and its three associated Sub-Techniques:

M1049: Antivirus/Antimalware. Quarantine suspicious files arriving via email.
M1031: Network Intrusion Prevention. Monitor inbound email traffic for malicious attachments and links.
M1021: Restrict Web-Based Content. Block access to web-based content and file types that are not necessary for business activity.
M1054: Software Configuration. Use anti-spoofing methods to detect invalid Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) signatures.
M1017: User Training. Educate employees to help them detect signs of a phishing attack.

Note: None of MITRE’s recommended Phishing Mitigations is sufficient on its own. Antivirus software, for example, can quarantine malicious files but is less likely to detect suspicious links. User Training helps embed a security-focused workplace culture, but you can’t expect employees to recognize sophisticated social engineering scenarios. To prevent phishing attacks, it’s vital that security leaders take a layered approach, including training, policies, and technology. Your best bet when it comes to technology? A next-gen email security solution that can automatically scan internal and external email communication for signs of malicious activity based on historical analysis.

Email security software can use several methods of detecting phishing attacks. Older solutions rely on techniques such as labeling and filtering: an administrator manually inputs the domain names, file types, and subject lines that the software should block. Tessian is a modern email security solution driven by machine learning. As well as monitoring inbound emails for signs of phishing, the software scans your employees’ email activity to learn how they “normally” act, and flags suspicious behavior. This intelligent, context-driven approach means Tessian will allow your employees to work uninterrupted, accessing the legitimate files and links they need, while being alerted to anomalous and suspicious email content. These in-the-moment warnings help reinforce training and nudge employees towards safer behavior over time. Download the Tessian Platform Overview to learn more.

Technique T1534: Internal Spearphishing

The “Internal Spearphishing” Technique is associated with the “Lateral Movement” Tactic (TA0008) and is distinct from the “Phishing” Technique. Internal Spearphishing takes place once an adversary has already penetrated your system or account. The adversary leverages existing account access to conduct an internal spear phishing campaign. Internal Spearphishing is particularly damaging because the emails come from a genuine (albeit compromised) account. This makes them virtually impossible to spot, and therefore very persuasive.

Internal Spearphishing Detection and Mitigations

MITRE notes that detecting an Internal Spearphishing attack (also known as Account Takeover) can be difficult. There are no mitigations associated with the “Internal Spearphishing” Technique in the MITRE ATT&CK framework. According to MITRE, the main difficulty associated with detecting and mitigating Internal Spearphishing attacks is that “network intrusion detection systems do not usually scan internal email.” The main hallmarks of a spear phishing email, such as email impersonation or spoofing, are not present once an adversary has successfully compromised an internal email account. This means legacy email security software may be unable to detect Internal Spear Phishing attacks. However, an AI-driven email security solution such as Tessian can scan internal email and will pick up on small inconsistencies in the sender’s email behavior and communication patterns. If a sender is communicating outside of their normal internal networks or writing in an uncharacteristic style, Tessian can flag this unusual behavior and notify the recipient of any suspicious emails. Learn more about how Tessian Defender defends against internal spear phishing.

Technique T1598: Phishing for Information

T1598: Phishing for Information is a MITRE ATT&CK Technique associated with the “Reconnaissance” Tactic (TA0043). While Phishing involves an attempt to penetrate an organization’s defenses, Phishing for Information is a way to gather information about the target for use in an attack. As such, Phishing for Information may occur via email, or via other communications channels such as instant messaging applications or social media.

Phishing for Information Detection and Mitigations

To detect Phishing for Information, MITRE suggests monitoring for suspicious email activity. Email security software can monitor for signs of a phishing attack, including DKIM misconfiguration, suspicious language, or erratic communication methods. But legacy email security programs can only detect the more obvious indicators of phishing. On the other hand, Tessian is uniquely equipped to identify the subtle but distinctive signs that a sender is not who they say they are. Tessian Defender uses machine learning (ML), anomaly detection, behavioral analysis, and natural language processing (NLP) to detect a variety of suspicious signals:

Unusual sender characteristics: This includes anomalous geophysical locations, IP addresses, email clients, and reply-to addresses
Anomalous email sending patterns: Based on historical email analysis, Tessian can identify unusual recipients, unusual send times, and emails sent to an unusual number of recipients
Malicious payloads: Tessian uses URL match patterns to spot suspicious URLs and ML to identify red flags indicative of suspicious attachments
Deep content inspection: Looking at the email content, for example language that conveys suspicious intent, Tessian can detect zero-payload attacks, too

Leveraging email security for MITRE ATT&CK framework compliance

We’ve seen how email security is a major factor in meeting the MITRE ATT&CK framework requirements. To recap, Tessian can serve as a key Mitigation in respect of the following Techniques and Sub-Techniques:

T1566: Phishing
T1566.001: Spearphishing Attachment
T1566.002: Spearphishing Link
T1566.003: Spearphishing via Service
T1534: Internal Spearphishing
T1598: Phishing for Information

Learn more about how Tessian can transform your organization’s cybersecurity program.
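The signals listed under Phishing for Information (sender location, email client, reply-to address, unusual recipients, send times, recipient counts) and the Internal Spearphishing point that a compromised account betrays itself only through small deviations from the sender’s usual behaviour both come down to the same mechanism: keep a per-sender baseline and score each new message against it. The following added example illustrates that mechanism in deliberately simple form; it is not Tessian’s model or code. It builds a profile for a vendor contact from constructed historical metadata and then scores a later message that departs from it, the shape of the account-takeover case study in the supply chain post earlier on this page. All senders, recipients, countries and client strings are invented.

```python
"""Per-sender baseline and deviation scoring for email metadata.

Added example; not Tessian's model. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Email:
    sender: str
    recipients: List[str]
    hour: int            # local send hour, 0-23
    country: str         # geolocation of the connecting IP
    client: str          # X-Mailer / User-Agent header value
    reply_to: str = ""   # empty when the header is absent


@dataclass
class SenderProfile:
    recipients: Set[str] = field(default_factory=set)
    hours: Set[int] = field(default_factory=set)
    countries: Set[str] = field(default_factory=set)
    clients: Set[str] = field(default_factory=set)
    max_recipients: int = 0
    messages: int = 0


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def build_profiles(history: List[Email]) -> Dict[str, SenderProfile]:
    """Aggregate what each sender has done before into a baseline."""
    profiles: Dict[str, SenderProfile] = defaultdict(SenderProfile)
    for e in history:
        p = profiles[e.sender]
        p.recipients.update(e.recipients)
        p.hours.add(e.hour)
        p.countries.add(e.country)
        p.clients.add(e.client)
        p.max_recipients = max(p.max_recipients, len(e.recipients))
        p.messages += 1
    return profiles


def score_email(profiles: Dict[str, SenderProfile], e: Email, min_history: int = 5) -> List[str]:
    """Return human-readable reasons the message deviates from the sender's baseline."""
    p = profiles.get(e.sender)
    if p is None or p.messages < min_history:
        # A sender with no baseline cannot be scored; surface that fact rather than guessing.
        return [f"no baseline for {e.sender} (fewer than {min_history} prior messages)"]
    flags = []
    if e.country not in p.countries:
        flags.append(f"sending country {e.country} never seen for this sender")
    if e.client not in p.clients:
        flags.append(f"email client {e.client!r} never seen for this sender")
    if not (min(p.hours) - 1 <= e.hour <= max(p.hours) + 1):
        flags.append(f"send hour {e.hour:02d}:00 is outside the usual window")
    unseen = [r for r in e.recipients if r not in p.recipients]
    if unseen:
        flags.append(f"{len(unseen)} recipient(s) never contacted before: {', '.join(unseen)}")
    if len(e.recipients) > p.max_recipients:
        flags.append(f"{len(e.recipients)} recipients exceeds previous maximum of {p.max_recipients}")
    if e.reply_to and domain_of(e.reply_to) != domain_of(e.sender):
        flags.append(f"Reply-To domain {domain_of(e.reply_to)} differs from sender domain {domain_of(e.sender)}")
    return flags


# Constructed history: a vendor contact who routinely mails two people in accounts payable.
VENDOR = "pat@vendor.example"
CLIENT = "Microsoft Outlook 16.0"
HISTORY = [
    Email(VENDOR, ["ap@builder.example"], 9, "GB", CLIENT),
    Email(VENDOR, ["ap@builder.example", "pm@builder.example"], 11, "GB", CLIENT),
    Email(VENDOR, ["pm@builder.example"], 14, "GB", CLIENT),
    Email(VENDOR, ["ap@builder.example"], 16, "GB", CLIENT),
    Email(VENDOR, ["ap@builder.example"], 10, "GB", CLIENT),
    Email(VENDOR, ["pm@builder.example", "ap@builder.example"], 17, "GB", CLIENT),
]
PROFILES = build_profiles(HISTORY)

BENIGN = Email(VENDOR, ["ap@builder.example"], 12, "GB", CLIENT)
# Constructed message from the same (now compromised) mailbox: new geography, new client,
# odd hour, unfamiliar senior recipients, and replies steered to an outside address.
SUSPICIOUS = Email(VENDOR, ["cfo@builder.example", "coo@builder.example", "ap@builder.example"],
                   3, "NL", "Roundcube Webmail", reply_to="pat.vendor@freemail.example")

if __name__ == "__main__":
    for label, msg in [("benign", BENIGN), ("suspicious", SUSPICIOUS)]:
        print(label, score_email(PROFILES, msg) or ["no deviations"])
```

The reasons returned are what a recipient-facing warning can be built from; the same mailbox and the same passing SPF and DKIM results carry both messages, so nothing at the authentication layer distinguishes them. Real deployments replace the sets with decayed statistics and a far richer feature set, but the baseline-then-deviation structure is the part that legacy rule lists lack.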