Karl Knowles is Global Head of Cyber at international law firm HFW. Tessian’s Customer Success Manager, Amelia Dunton, spoke to Karl about building defense and depth to combat advanced inbound attacks.
Tell us a bit about your role as Head of Cyber at HFW. What do you think companies should be most aware of when it comes to email security, specifically inbound email attacks?
One of the first things we need to consider is that email isn’t going anywhere—despite the fact that everybody wants it to go somewhere. It does seem to be the main preference of communication, and for all different businesses and industries—not just in legal.
But since the pandemic, there’s been a huge spike in email threats, as we all know. In fact, Mimecast pushed out a report where they had detected a 64% increase in email attacks as people move towards more hybrid environments.
And what we’ve seen, and what we continue to see, are increased impersonation attacks… You have to see Microsoft, Google, Dropbox—they’re all being impersonated on a daily basis. In fact, impersonation attacks account for nearly half of the email attacks we receive. And then, of course, we’ve got the issues around domain spoofing and account takeovers all becoming more sophisticated—more difficult to see.
And certainly, you need to be conscious at all times when you receive an email. You need to take a breath—you need to take a bit of time, and you have to look at it. But that’s not always the case, and it’s never as easy as just taking that time, taking that moment. Because, as you know, the domain impersonations are very realistic. Some of the emails have been crafted better, so you need something else to help you with that.
Regarding inbound attacks specifically, is there a vulnerability gap when relying solely on a secure email gateway (SEG)?
Well firstly, it’s about evolving threats. And as we evolve our defenses, we’ve got to remember our adversaries are doing the same. Their TTPs are changing all the time, so we need to be on our toes. And we’ve seen the examples of this, as I mentioned before, with the amount of impersonation attacks—where people email from other locations purporting to be from areas where they are registered. And this is where we need to be warning our users.
But we’ve also seen new domains being spun up. Why shouldn’t you be allowed to create a domain if you know how? It doesn’t mean to say that just because you’re creating an email domain, you’re going to use it for nefarious reasons. But the secure email gateway itself won’t just put that domain on a blacklist—and nor should it. Because, just because a domain’s been spun up, it doesn’t mean to say it’s malicious.
So that’s where you need something like Tessian Defender to kick in—because the SEG isn’t going to block it. It’s going to say, “Well, actually, just because you’re new, doesn’t mean to say you’re malicious.” But then what Defender will do is, it will just prompt you as you receive that email to say: “Hey, you know this is the first time your organization has seen this new domain?” So it just acts as a bit of a pause.
But this will also pick up when your normal senders’ domains come from a different location. As I said before with account takeovers, you can be communicating with an organization from Hong Kong, and you can have regular emails—maybe a dozen a day—and all of a sudden, an email comes from that domain—but it’s not in Hong Kong, it’s in the Netherlands.
So you need something to do that—because the secure email gateway isn’t always going to pick that up. So you need a bit of a: “Hey, do you realize that this email has come from a completely different location to where that domain normally sends its emails from?”