Spear Phishing
Attackers are Using Microsoft Forms to Exfiltrate Data
Friday, February 22nd, 2019
Attackers are using Microsoft Forms links to get past email URL protection and steal sensitive information. We were alerted to this new tactic by one of our clients in the financial services sector. They recently received a spear phishing email containing a Forms link.

In an attempt to protect firms from credential pharming and malware, several email security providers including Proofpoint, Mimecast and O365 Advanced Threat Protection re-write and scan URLs within emails to verify that the URL is safe to visit. The effectiveness of this approach has been questioned before, and now a new vulnerability involving the use of Microsoft Forms is being exploited by attackers.

How are they exploiting Microsoft Forms?

Microsoft Forms is an online tool for creating quizzes and surveys and automatically collecting the results. Forms were fully released to enterprise users of Office 365 in 2018.

Here’s how they work: You create a survey or quiz via Microsoft Forms and distribute it to your audience by embedding a link in an email. To fill out the form, a recipient will click the link within the email and be directed to a Microsoft Form containing fields that capture whatever data the form is designed to collect.

Crucially, because the links direct users to a genuine Microsoft site, Forms links are trusted by the URL protection from Secure Email Gateways and ATP. Attackers have become aware of this and are now using authentic Microsoft Forms to collect sensitive information from unwitting targets. Any data input into the form is automatically sent to attackers, bypassing security defenses.
Many enterprises have become overly reliant on URL protection to prevent spear phishing attacks. To make things worse, with URL protection in place, employees begin to trust the links they receive in their inbox and become less vigilant to attacks. As attackers become more sophisticated they are finding simple ways to get past URL protection. Instead of focusing on the URL or on other payloads that can be sent in a spear phishing email, enterprises should aim to identify the actual impersonation behind the attack. This will not only reduce their vulnerability to attacks like this one, but also protect them from zero-payload attacks such as Business Email Compromise. We have reported this attack to Microsoft and have recommended that unique client IDs are used in the Forms URLs to allow enterprises to build custom policies to warn users when the client IDs do not match. We will update you when we hear from Microsoft.
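Because a Forms link always resolves to a genuine Microsoft host, a policy has to key on who sent the link rather than on the URL's reputation. The following is an added example, not code from Tessian or Microsoft: a gateway-side check that warns when a sender outside the organisation delivers a Forms link, including one wrapped by a URL rewriter. The host list, the rewriter layout (destination carried in a query parameter), the message shape and all sample values are assumptions.

```javascript
'use strict';

// Assumption: host(s) that serve Microsoft Forms in your mail flow; extend as needed.
const FORMS_HOSTS = new Set(['forms.office.com']);

// Pull http(s) URLs out of a plain-text body, dropping trailing punctuation.
function extractUrls(text) {
  const matches = text.match(/https?:\/\/[^\s<>"']+/gi) || [];
  return matches.map((u) => u.replace(/[).,;:!?]+$/, ''));
}

// Return the URL plus any http(s) URL carried in its query string, so a link
// rewritten by a gateway is judged by its final destination as well.
function expandUrl(raw, depth = 0) {
  let url;
  try {
    url = new URL(raw);
  } catch (err) {
    return []; // not a URL at all (for example a form id value)
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return [];
  const found = [url];
  if (depth < 2) {
    for (const value of url.searchParams.values()) {
      found.push(...expandUrl(value, depth + 1));
    }
  }
  return found;
}

// Exact host match only: "forms.office.com.example.test" is not a Forms host.
function isFormsUrl(url) {
  return FORMS_HOSTS.has(url.hostname.toLowerCase().replace(/\.$/, ''));
}

// Domain of the From address. Assumption: the caller passes an address that
// has already been authenticated (SPF/DKIM/DMARC); a raw header can be forged.
function senderDomain(from) {
  const m = /@([^>\s]+)>?\s*$/.exec(from);
  return m ? m[1].toLowerCase() : '';
}

// Warn when a sender outside the organisation delivers a Forms link.
function assessMessage(message, internalDomains) {
  const internal = new Set(internalDomains.map((d) => d.toLowerCase()));
  const formsLinks = extractUrls(message.body)
    .flatMap((u) => expandUrl(u))
    .filter(isFormsUrl)
    .map((u) => u.href);
  const external = !internal.has(senderDomain(message.from));
  const verdict = formsLinks.length > 0 && external ? 'warn' : 'allow';
  return { verdict, formsLinks };
}

// Constructed sample messages (all names and ids are made up).
const SAMPLES = [
  { from: 'IT Support <it-support@example-helpdesk.test>',
    body: 'Confirm here: https://forms.office.com/Pages/ResponsePage.aspx?id=CONSTRUCTED-ID.' },
  { from: 'billing@supplier.example.test',
    body: 'https://rewriter.example.test/v1?u=https%3A%2F%2Fforms.office.com%2Fr%2FCONSTRUCTED' },
  { from: 'news@vendor.example.test',
    body: 'See https://forms.office.com.example.test/r/x for details' },
  { from: 'hr@corp.example.test',
    body: 'Staff survey: https://forms.office.com/r/CONSTRUCTED-SURVEY' },
];

function sampleVerdicts() {
  return SAMPLES.map((m) => assessMessage(m, ['corp.example.test']).verdict);
}
```

The third sample is allowed by this rule only because its host is not a Forms host; a lookalike host like that is a matter for the other URL controls.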
Tessian Culture
Building a Bold and Beloved Brand
By Kelli Hogan
Wednesday, December 12th, 2018
Cybersecurity has an image problem. To many, it simultaneously conjures up feelings of stale corporate software and cliched messaging rife with anonymous hacker and military-grade defense references. It’s also an incredibly crowded space with over 2,500 brands and platforms competing for every business’s budget. Most of these solutions are invisible to end users and have zero margin for error. Let that sink in for a minute. With that said, cybersecurity, specifically information security, is now seen as essential to an enterprise’s overall operations and bottom line; today CISOs report into Boards of Directors. The increasing responsibility (due in part to stringent data protection policies like GDPR), heightened risks of processing and storing sensitive data and the fact that no organization appears to be safe from a data breach has given information security a new purpose and place within the structure of a business. So is cybersecurity the place to begin or evolve your career in marketing or design? Compared to consumer tech, it doesn’t ostensibly offer the same opportunities to flex creative muscles or deviate from rigid B2B tactics. But because of the inherent challenges and the growing need for every business to adopt a comprehensive cybersecurity strategy, this is the space for creative disruption and fresh perspectives. At Tessian, we’re building a world-class Marcomms team with the ambition of bucking convention and reimagining B2B, SaaS and cybersecurity marketing. We’re proving it can be creative and calculated, inspiring and effective. Tessian’s mission is to keep the world’s most sensitive data and technology systems secure. Our job is to build a brand that embodies this mission, and more importantly, that captures the market’s attention and turns users into satisfied customers. Marcomms at Tessian is a multidisciplinary function comprised of wildly talented communications generalists, specialists and designers. 
Nearly everything we do is cross-functional, which means we collaborate with every internal team—with Engineering and Data Science to ensure we authentically communicate our technology and product offering; with Client Development to capture customer success stories; with Business Development to create compelling content and execute exclusive events that help nurture leads and gain new customers. Our core objective is filling the top of the funnel and delivering pipeline to the sales team. Our targets are big. We deliver them through a variety of strategic channel activities including events, digital marketing, content creation and PR. We have the freedom and drive to constantly experiment, measure and refine our efforts in order to optimize performance. We move fast, and our work satisfies the analytical and big picture thinker in each of us. I left Google a year ago to take some time off and carefully consider my next career move. I had a decade of experience in consumer brand and product marketing, working with incredible creative talent on exciting technology. I loved it and learned a lot. But over time I was missing a few things—real autonomy and accountability. I wanted to help build something from the ground up and to be responsible for delivering exceptional and sustainable results. I got my chance by joining Tessian. In just three months, I have learned so much, acquired more responsibility than I could imagine and, most importantly, I’ve started to assemble an extraordinary team of brilliant people from different disciplines, each of whom challenges me and makes me better at my job. Our goals for 2019 are bold and courageous. To achieve them, we are looking for key talent to round out our capabilities. Check out the open roles at tessian.com/careers. 
In the meantime, meet our Marcomms team and hear what they think of Tessian— “As a creative graduate having worked for independent studios and within in-house teams, building a design career at Tessian has been decidedly different. Cybersecurity companies face an uphill struggle when constructing the visual narratives that power their brands—the sector is filled with overly complex explanations of technology and iconographic cliché; the shield, the padlock, the lightning strike. Design at Tessian is instead always evolving and growing, and allows you to work in all areas of the company, integrating with sales to produce pitch decks, or with client development to produce workflow diagrams, or with operations and recruitment for branded collateral and event organization.” – Leon Brown, Designer “I joined Tessian in September 2017 as the first marketer, and it’s been astonishing to see how the team has grown. When I joined it was crucial to quickly kick-start new marketing channels, and show in a very quick way the positive impact marketing has on the company and how it aligns to business goals. Then it was about building a marketing function and processes which could scale. We now focus on hiring specialists and ensuring everyone in the team is aware of the direction they are moving in and how they can get to their desired destination. I truly believe you need to hire people smarter than you and get out of the way – it’s important to allow people to be effective and perform to achieve the best results. I thoroughly enjoy working at Tessian. Marketing has always been a passion of mine, but marketing for- and at- Tessian is a whole other feeling. It’s a joy to work with such clever and driven individuals to really understand how, as a team, we can optimise our key marketing activities to the point where we can make accurate predictions on how many leads, MQLs or even revenue each channel can generate. 
There are some unique challenges working in a startup, but they’re also some of the biggest selling points; there may not always be a set process or structure for things, but for the right hire it can be invigorating to set up the infrastructure for the marketing team. It’s something you will keep optimising; nothing is ever stagnant. Everything is possible, which can sound terrifying, but it’s one of the most exciting things about working at Tessian. We never say something can’t be done, but rather always work together to figure it out. We learn from every failure as much as we do success.” – Chandni Trehan, Marketing Manager “Joining Tessian has made moving from Los Angeles to London more than worth it. (Even in winter.) During the universally stressful college senior job search, my motto was high growth and high impact. After graduating from UCLA, I joined Tessian as the second full-time hire on the marketing team. In under six months, I’ve been given the chance to forge my own path: come up with an idea, organize the plan of action and execute. I own the space in which I operate, while working closely and cross-functionally with every team in the office, which offers both breadth and depth, as I continue to learn and grow alongside some of the sharpest, savviest people I’ve ever known. What’s it like being at Tessian, in one word? Meaningful. Every day, we walk into work with the knowledge that what we do matters. And that’s as hard to find as it is fulfilling. While rapid growth can sometimes translate to high pressure, I’m constantly grateful to be here alongside the inspirational people that I look up to in every way on our journey to make a difference.” – Bianca Butler, Marketing Associate “With nearly 4 years in brand strategy, I’ve been fortunate enough to work on brand building challenges in luxury retail, FMCG and, more recently, consumer technology. 
Working across categories has given me a varied and colourful marketing perspective, but I was looking for a role that would take me to the front line of marketing, a position where I could have a daily impact and to be in a team where we feel ownership over the brand we build. Tessian has been exactly that. The work is dynamic, immediate and tangible and gives instant results. Tessian manages to gather incredible minds from an endless range of interesting backgrounds. It’s a pleasure to work in such an energetic environment, and the excitement and dedication is infectious.” – Karina Ferdi, Marketing Executive “Before joining Tessian I helped run CyLon, a cybersecurity startup accelerator in which Tessian participated. I worked with the then-5-person team for a year and a half. After I saw the team leave the office one day to play rounders after work, I knew I wanted to join the team. As reductive as that may seem, it represented a culture where everyone was not just part of a company, but also a friendship group. I finally joined in December 2017, as the company’s first designer. What I instantly saw was where there could have been an informal division between the commercial and technology, there was respect. Everyone buys into the same vision and believes we are building something game-changing. Over the last year, my design journey has been incredibly diverse. I’ve been part of the company rebranding, have created exhibition stands and even outfitted our 11,000 sq ft office.” – Shane Wickramasuriya, Design and Brand Lead
DLP
Bupa Fined £175,000: The Risks and Costs of Unauthorized Emails
Thursday, October 18th, 2018
As the recent Bupa data breach highlighted, the sending of unauthorized emails – an email that is intentionally sent to an unauthorized recipient, such as an employee’s personal email account – can have a detrimental financial and reputational impact upon an organization. The global insurance and healthcare group’s failure to prevent the exfiltration and attempted sale of over half a million international health insurance customers’ personal information led to a £175,000 fine and a damning evaluation of its negligent security practices.
The loss of consumer data can also result in:
• Breaching contracts or non-disclosure agreements
• The loss of IP and proprietary research
• Breaching data protection regulations
• Heavy fines imposed by regulators and clients (GDPR, in particular, will greatly increase fines for all manner of data breaches)

Despite such demonstrably damaging ramifications, many organizations do not have sufficiently secure networks and, as a result, lack the necessary visibility over how sensitive data is processed and stored. Before they know it, sensitive data is shared, stolen and sold; the damage is done.

For large organizations like Bupa, monitoring thousands of employees and hundreds of thousands of email communications containing millions of pieces of data can seem an insurmountable and relentless task. In 2018, it is estimated that 124.5 billion business emails were sent every day with each employee sending an average of 31 each. These figures are only expected to increase (at a rate of 3% per annum over the next few years) as corporate email networks grow in size and importance.

Organizations that possess large amounts of highly sensitive patient or consumer data like Bupa have a duty to prevent this kind of data breach from happening. If they cannot monitor or control employee behaviour, they must take the necessary steps to find and invest in an approach and solution that can prevent unauthorized emails from being sent.

It’s crucial to be proactive – rather than reactive – to address this kind of threat. As such, we recommend enterprises employ an email security platform that offers comprehensive protection against the sending of unauthorized emails. Tessian Enforcer, for example, uses machine learning to understand human conversation patterns in order to detect, flag and prevent anomalous emails, which may contain sensitive data, from being sent to unauthorized or personal email accounts.
Why Rule-Based Approaches to Spear Phishing are Failing
Wednesday, September 19th, 2018
Introducing Defender

Business Email Compromise scams were responsible for over $5.3 billion in global losses from 2013 to 2017. According to the FBI, these types of attacks are also becoming more prolific, jumping 2,370% from 2015 to 2016 alone. Most enterprises have anti-spam and anti-phishing filters in place to protect their emails. Unfortunately, bad actors are outpacing these safeguards and are finding more intelligent ways to break through to their targets.

This is where Tessian comes in. Since 2013, we have been developing machine intelligent technology to prevent threats that rule-based legacy gateways and platforms cannot. Tessian Defender is our latest advancement. Defender protects from threats executed by humans rather than just code, using Tessian’s Parallax Engine and natural language processing technology to keep the most sensitive data and systems private and secure.

The Problem

Spear phishing is effective because of its highly targeted approach. When it successfully dupes individuals into sending money, sharing data, or downloading malware, it brings significant reputational and monetary risk. Defender protects against these threats through comprehensive safeguards against weak and strong-form impersonation alike.

Weak-form impersonation can generally be detected and prevented through the rule-based controls that many enterprises already use. Often this is done by authenticating SPF, DKIM, and DMARC records to estimate the legitimacy of the sender. This entails cross-referencing IP addresses, scouring for invisible signatures, and linking senders to their domain names and broader email protocols. Rule-based defences also perform checks to find matches with known display names, modifications to “reply-to” addresses, and newly registered domains.

Unfortunately, this is not enough. These systems are limited in scope and not always implemented. DMARC authentication, for example, only protects a domain against direct impersonation, where a bad actor is trying to spoof someone’s actual email address. It fails to address domain or display name lookalike impersonation. Furthermore, global DMARC adoption rates are low. Legacy technology stacks find it difficult to query large datasets in real-time, which means it is often a challenge for systems to quickly recognise and filter phishing emails.

Even where these systems are sufficient, weak-form spear phishing is now evolving into a more advanced threat: strong-form spear phishing. This type of spear phishing subverts legacy email security systems by turning to tactics that are difficult for humans and rule-based email security processes to detect. Traditional, pre-defined rule sets cannot fend off strong-form spear phishing because of the almost infinite number of domain and sub-domain, display name and address, and freemail permutations impersonation allows for.

Even where they do detect certain impersonations, legacy systems cannot capture the evolving dynamics of email networks, with enterprises developing new relationships every day over email. A rule set would need to constantly be updated in order to remain effective. This is time consuming, resource intensive and inefficient.

The Solution

Tessian Defender is specifically designed to tackle strong-form impersonation spear phishing. Due to the complexity of strong-form impersonation techniques, having an understanding of email relationships based on historical data and user behavior is critical. Using stateful machine intelligence, Tessian has developed a new approach to thwart spear phishing. Tessian’s Parallax Engine can predict whether, for this user at this point in time, an email looks like a security threat.
Tessian Defender also uses natural language processing (NLP) to understand content within an email and will automatically classify its intent, so it can provide more context to the end user within a warning message, and also highlight the specific risk to security teams.  
Tessian Culture, Engineering Team
Building an Email Load Tester in Node
Sunday, April 1st, 2018
At Tessian, our engineering teams work to ensure that our backend systems have the capability to handle the workloads required by our clients. We do this in lots of industry-standard ways: continuous integration pushed to a continuous-use staging environment, unit and module tests, integration tests and high-load simulations.

On the Node.js team, we needed a load testing service which could replicate email traffic above and beyond the 9 am problem (when everyone logs on at work and sends replies to their emails received overnight). Off-the-shelf load testers are typically designed for REST API traffic, hitting a server with http(s) requests until it breaks. We needed something smarter. Something that could generate high network traffic and still have the capacity to hold a responsive SMTP conversation for each connection.

Like all good engineering projects, we began with the simplest of setups: using swaks to generate and send emails (the source) and a simple instance of Haraka (an SMTP mail server) running on Node.js to receive the traffic (the sink). Running the source and sink on separate AWS compute instances gave us a trivial-to-setup, rampable load tester.

Executing swaks on a single core can generate and send around 27 emails/second. Coding a simple bash script to launch swaks processes across dozens of cores (AWS compute instances can give you up to 72 virtual cores) should have provided us with a cool 27 x 72 = 1944 emails/second. Of course, it didn’t.

There are some basic overheads in this simple setup. Swaks is a Perl script, so each time a message is sent, a new Perl process needs to be started, the script interpreted and the process terminated. On the sink side, Haraka does quite a lot of processing of each email it receives (parsing the headers and message body, checking address formats and so on), none of which we really needed for our purposes. The overall throughput came out at around 450 emails/second. Not a bad start, but we felt like we could do better.

First we replaced the Haraka sink with a much simpler Node.js server. We coded a net.Server instance and implemented responses for the 4 basic SMTP commands: MAIL FROM, RCPT TO, DATA and QUIT. We didn’t include any validation of the received data (we run different tests for that) because we wanted pure performance. The server recorded various statistics along the way (clock time, data transfer rate, active connection numbers, etc) and console.log()’ed them out each time it received an email. In its entirety, the completely functional (but not exactly RFC-compliant) Node.js SMTP sink server was coded in just 9 functions and 200 lines.

Back to the test. Re-running the 72-core swaks script with the new Node.js sink didn’t do much to help the maximum rate with small messages (which still peaked at around 450 emails/second); it did, however, make a big difference with larger messages. By losing the message parsing on the sink side, Node was able to make full use of its multi-connection network streaming capability and keep the maximum incoming rate for multi-megabyte messages.

Looking at the server load figures, it was clear that the sink server was busy, but not too busy. The numbers of active connections were averaging just 6 with small bursts into the dozens. Time to focus on the source.

Coding a new Node.js module to load and send emails over SMTP was simple enough. Around 100 lines of code later, a fully functional sending script, complete with terminal-configurable options to choose the size of message and destination server was built. Firing up an instance of it on a single core achieved a pretty smart 1426 emails/second (10K messages transferred in 7.01 seconds). We then fired up sending instances across increasing numbers of cores until we plateaued at ~4700 emails/second, more than 10x over the first setup.
For context, that’s more than our company’s total current internal email traffic over a 24 hour period, squashed down to 1 second. This is one of many reasons we love using Node.js; its ease and efficiency in handling high-performance network connections is unrivaled, and without it, it’s difficult to imagine the lengths we’d need to go to in order to achieve simple high-throughput load testing of our email servers. Of course, the load tester is still being worked on (there’s more to squeeze out of it), but for now, we’re pretty happy with its performance.       #engineering
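The sink described above answers MAIL FROM, RCPT TO, DATA and QUIT on a net.Server and discards everything else. The sketch below is an added example, not Tessian's code: it keeps the SMTP state machine separate from the socket so the awkward cases (an end-of-data marker split across TCP chunks, an empty body, an over-long command line) can be exercised directly. The reply texts, the 1024-byte line limit, the HELO/EHLO handling and the loopback default are assumptions.

```javascript
'use strict';

const MAX_LINE = 1024;        // assumption: cap on a buffered command line
const END_OF_DATA = '\r\n.\r\n';

function newStats() {
  return { messages: 0, bytes: 0, active: 0, startedAt: Date.now() };
}

// One SMTP conversation. feed() takes raw text from the socket and returns
// the replies to write back; message bodies are counted and thrown away.
class SinkSession {
  constructor(stats) {
    this.stats = stats;
    this.buffer = '';
    this.inData = false;
    this.closed = false;
  }

  greeting() { return '220 sink ready\r\n'; }

  feed(chunk) {
    const replies = [];
    this.buffer += chunk;
    while (!this.closed) {
      if (this.inData) {
        const end = this.buffer.indexOf(END_OF_DATA);
        if (end === -1) {
          // Keep the last 4 characters so a marker split across chunks is still seen.
          const keep = Math.min(this.buffer.length, END_OF_DATA.length - 1);
          this.stats.bytes += this.buffer.length - keep;
          this.buffer = this.buffer.slice(this.buffer.length - keep);
          break;
        }
        this.stats.bytes += end;
        this.stats.messages += 1;
        this.buffer = this.buffer.slice(end + END_OF_DATA.length);
        this.inData = false;
        replies.push('250 OK message accepted\r\n');
        continue;
      }
      const eol = this.buffer.indexOf('\r\n');
      if (eol === -1) {
        if (this.buffer.length > MAX_LINE) {   // never buffer an endless line
          this.closed = true;
          replies.push('500 Line too long\r\n');
        }
        break;
      }
      const line = this.buffer.slice(0, eol);
      this.buffer = this.buffer.slice(eol + 2);
      replies.push(this.command(line));
    }
    return replies;
  }

  command(line) {
    const verb = line.toUpperCase();
    if (verb.startsWith('MAIL FROM:') || verb.startsWith('RCPT TO:')) return '250 OK\r\n';
    if (verb === 'DATA') {
      this.inData = true;
      // The CRLF that ended "DATA" also opens the marker when the body is empty.
      this.buffer = '\r\n' + this.buffer;
      return '354 End data with <CR><LF>.<CR><LF>\r\n';
    }
    if (verb === 'QUIT') { this.closed = true; return '221 Bye\r\n'; }
    if (verb.startsWith('HELO') || verb.startsWith('EHLO')) return '250 OK\r\n';
    return '502 Command not implemented\r\n';
  }
}

// Wire sessions to a net.Server. Bound to loopback by default because the
// sink accepts any sender and recipient without authentication.
function startSink(port, host = '127.0.0.1') {
  const net = require('net');
  const stats = newStats();
  const server = net.createServer((socket) => {
    const session = new SinkSession(stats);
    stats.active += 1;
    socket.setEncoding('latin1');             // one character per byte
    socket.write(session.greeting());
    socket.on('data', (chunk) => {
      const before = stats.messages;
      for (const reply of session.feed(chunk)) socket.write(reply);
      if (stats.messages > before) console.log(JSON.stringify(stats));
      if (session.closed) socket.end();
    });
    socket.on('error', () => {});
    socket.on('close', () => { stats.active -= 1; });
  });
  server.listen(port, host);
  return server;
}
```

Calling `startSink(2525)` listens on the loopback interface; pass an explicit host only on an isolated test network.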
Human Layer Security, DLP, Data Exfiltration
What is an Insider Threat? Insider Threat Definition, Examples, and Solutions
By Maddie Rosenthal
Monday, June 29th, 0201
Organizations often focus their security efforts on threats from outside. But increasingly, it’s people inside the organization who cause data breaches. There was a 47% increase in Insider Threat incidents between 2018 and 2020, including via malicious data exfiltration and accidental data loss. And the comprehensive Verizon 2021 Data Breach Investigations Report suggests that Insiders are directly responsible for around 22% of security incidents. So, what is an insider threat and how can organizations protect themselves from their own people?
Importantly, there are two distinct types of insider threats, and understanding different motives and methods of exfiltration is key for detection and prevention.

Types of Insider Threats

The Malicious Insider

Malicious Insiders knowingly and intentionally steal data, money, or other assets. For example, an employee or contractor exfiltrating intellectual property, personal information, or financial information for personal gain. What’s in it for the insider? It depends.

Financial Incentives

Data is extremely valuable. Malicious insiders can sell customers’ information on the dark web. There’s a huge market for personal information—research suggests you can steal a person’s identity for around $1,010. Malicious Insiders can steal leads, intellectual property, or other confidential information for their own financial gain—causing serious damage to an organization in the process.

Competitive Edge

Malicious Insiders can steal company data to get a competitive edge in a new venture. This is more common than you might think. For example, a General Electric employee was imprisoned in 2020 for stealing thousands of proprietary files for use in a rival business. Unsurprisingly, stealing data to gain a competitive edge is most common in competitive industries, like finance and entertainment.

The Negligent (or Unaware) Insider

Negligent Insiders are just “average” employees doing their jobs. Unfortunately, “to err is human”… which means people can—and do—make mistakes.

Sending a misdirected email

Sending an email to the wrong person is one of the most common ways a negligent insider can lose control of company data. Indeed, the UK’s Information Commissioner’s Office reports misdirected emails as the number one cause of data breaches. And according to Tessian platform data, organizations with over 1,000 employees send around 800 misdirected emails every year. We’ve put together 11 Examples of Data Breaches Caused By Misdirected Emails if you want to see how bad this type of Insider Threat can get.

Phishing attacks

Last year, 66% of organizations worldwide experienced spear phishing attacks. Like all social engineering attacks, phishing involves tricking a person into clicking a link, downloading malware, or taking some other action to compromise a company’s security. A successful phishing attack requires an employee to fall for it. And practically any of your employees could fall for a sophisticated spear phishing attack. Want to know more about this type of Negligent Insider threat? Read Who Are the Most Likely Targets of Spear Phishing Attacks?

Physical data loss

Whether it’s a phone, laptop, or a paper file, losing devices or hard-copy data can constitute a data breach. Indeed, in June 2021, a member of the public found top-secret British military documents in a “soggy heap” behind a bus stop. Looking for more examples of Insider Threats (both malicious and negligent)? Check out this article: 17 Real-World Examples of Insider Threats

How can I protect against Insider Threats?

As we’ve seen, Insider Threats are common. So why is it so hard to prevent them? Detecting and preventing Insider Threats is such a challenge because it requires full visibility over your data—including who has access to it. This means fully mapping your company’s data, finding all entry and exit points, and identifying all the employees, contractors, and third parties who have access to it. From there, it comes down to training, monitoring, and security.

Training

While security awareness training isn’t the only measure you need to take to improve security, it is important. Security awareness training can help you work towards legal compliance, build threat awareness, and foster a security culture among your employees. Looking for resources to help train your employees? Check out this blog with a shareable PDF.

Monitoring

Insider Threats can be difficult to detect because insiders normally leverage their legitimate access to data. That’s why it’s important to monitor data for signs of potentially suspicious activity. Telltale signs of an insider threat include:
• Large data or file transfers
• Multiple failed logins (or other unusual login activity)
• Incorrect software access requests
• Machine takeover
• Abuse by Service Accounts

Email Security

The vast majority of data exfiltration attempts, accidental data loss incidents, and phishing attacks take place via email. Therefore, the best action you can take to prevent insider threats is to implement an email security solution. Tessian is a machine learning-powered email security solution that uses anomaly detection, behavioral analysis, and natural language processing to detect data loss.
• Tessian Enforcer detects data exfiltration attempts and non-compliant emails
• Tessian Guardian detects misdirected emails and misattached files
• Tessian Defender detects and prevents spear phishing attacks

How does Tessian detect and prevent Insider Threats?

Tessian’s machine learning algorithms analyze your company’s email data. The software learns every employee’s normal communication patterns and maps their trusted email relationships — both inside and outside your organization. Tessian inspects the content and metadata of inbound emails for any signals suggestive of phishing—like suspicious payloads, geophysical locations, IP addresses, email clients—or data exfiltration—like anomalous attachments, content, or sending patterns. Once it detects a threat, Tessian alerts employees and administrators with clear, concise, contextual warnings that reinforce security awareness training.