Recent Posts

Recent Blog Posts

The PhishLabs Blog

Why Some Phishing Emails Will Always Get Through Your Spam Filter

Posted by Dane Boyd on Sep 15, '16

Frustrating, isn’t it?

It seems like no matter what you do, a few phishing emails always find their way into your users’ Why_Some_Emails_Will_Always_Get_Through_Your_Spam_Filter.jpginboxes. You’ve tweaked your spam filter, and you’re scanning every attachment… But nothing seems to work.

Is it you? Are you making some glaring mistake?

Probably not.  We've discussed before why your users keep falling for phishing scams, and there's more to it. 

The fact is that no matter how good your security, a small percentage of phishing emails will always reach your user’s inboxes. 

The Volume is Immense

We’ve talked about this before, but here’s a quick reminder. Based on research into the volume of email, spam, and malicious attachments/URLs, the users at a 5,000-strong company are collectively faced with 14,400 malicious emails in their inboxes every year.

Unfortunately these figures are predicted to go up, not down, and with phishing continuing to yield big results for threat actors we can’t expect this trend to run its course anytime soon.

And it’s not just about numbers…

(Some) Threat Actors are Smart

Now you would think that with so many security experts and vendors bent on the idea of the perfect spam filter, we wouldn’t have to worry about phishing anymore.

But here’s the thing.

The cyber crime industry is huge, and threat actors can make big money. That’s an incentive to get really good at what they do, wouldn’t you say?

And it turns out there are plenty of ways to fool spam filters.

For instance, even fairly low-level threat actors can effectively ‘spoof’ an email account, meaning that they can make their phishing emails appear to be from someone else. And we’re not just talking about changing the name attached to their account, with a small amount of effort they can make it look extremely convincing.

Specifically, using open source software such as PHP Mailer allows threat actors to manually type in both ‘To’ and ‘From’ addresses. Once the email is delivered, the recipient will be viewing an email that looks very much as though it’s from the email account listed in the ‘From’ field, regardless of where it actually came from.

Pretty easy, right?

Of course these types of emails can be blocked by your spam filter, as they will typically fail certain technical checks. But unless the person configuring the filter really knows that they’re doing, there’s a good chance these emails will make it through.

Unfortunately, it gets worse. Threat actors have other techniques open to them that are just as difficult to spot, and often don’t fail those checks.

For instance, threat actors often hijack mail servers and use them until the provider cottons on to their game. At that point, they’ll simply hijack a different mail server and keep on keeping on.

Or how about hijacking home computers?

No doubt at some point you’ve received an extremely dubious email from a close friend or relative. This usually happens because they’ve opened a malicious attachment or URL, a threat actor has taken control of their PC, s/he has used the victim’s email account to send out phishing emails to their entire address book.

Most of the time these emails are obvious, and aren’t much to be concerned about. But this technique can be used by more experienced threat actors to send highly convincing spear phishing emails, particularly since they can use the victim’s own sent emails to inform the tone/content of their campaign.

Do any of your users login from home, or occasionally email the office from their home accounts? That’s going to be difficult to catch if their home PC is compromised, right?

And that’s still not the extent of the problem.

By far the simplest way for threat actors to send convincing emails is to use throw-away email domains, free email addresses, and ISP access accounts, all with fake, forged, or stolen IDs. Once again, even when the provider catches on, all they have to do is move to a new account.

All these techniques combined are a nightmare for administrators trying to protect their users from phishing.

Tactics and Content Change Constantly

If you learned anything from the last point, let it be that threat actors have lots of options.

Content and subject line filtering are two more tools in the network administrators kit for blocking phishing emails, but threat actors have taken to switching up their tactics constantly. They aim for as little consistency as possible, and constantly switch up the length, format, and content of both subject lines and email content.

Some even make use of filter-evading scripts, which automatically randomize the subject lines, source addresses, and source domains of their emails, making it much harder for spam filters to identify bulk emails.

And, of course, hackers have a wide range of tactics at their disposal. From malicious URLs and attachments to pure social engineering attacks such as business email compromise (BEC), they’ll try everything in the book to get past your filters.

Don’t forget, the financial incentive is there, and they can make a lot of money from figuring out how to game the system.

But in the end, it boils down to this: How can you expect to filter an email that comes from a legitimate domain, has a plausible subject line, and doesn’t obviously contain malicious attachments?

If it looks like a duck, swims like a duck, and quacks like a duck, your spam filter will almost certainly treat it like a duck, and not a malicious phishing attack.

Get With the Program

We don’t want you to think we have a problem with technical security controls. On the contrary, these controls are essential to maintaining a low threat profile.

But you can’t rely on them 100%, and anyone who says you can is seriously deluding themselves.

What we are saying is that in addition to your security controls, you must accept that some phishing emails will reach your user’s email inboxes, and act accordingly.

By providing the proper training and reinforcement, you can dramatically improve the security behaviors of your users, and turn what used to be a liability into your last line of defense against threat actors.

So instead of obsessing over the last 0.1% of phishing emails that make it through your filter, start building up your human firewall.


Need to develop a training program that successfully prepares users to cope with sophisticated spear phishing attempts? Attend the webinar Why People Are Your Network's Greatest Vulnerability.

Attend this webinar to learn:

  • How and why your employees will be exposed to social engineering attacks. 
  • The reasons your users don’t recognize phishing emails.
  • The anatomy of a spear phishing email.
  • The most common types of spear phishing emails, how and why they’re effective, and the corresponding levels of success of each type.

Topics: Phishing, Spear Phishing, security awareness training

   

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Recent Posts

Upcoming Events

Calendar_Mock_

Posts by Topic

see all