Phishing and email attack campaigns are the leading method of intrusion that malicious actors are using in 2023. The methods vary, from something as simple as a message saying you won the lottery to incredibly intricate social engineering schemes involving months of reconnaissance and targeting. So how have email providers and applications helped to stem the massive onslaught of phishing emails, and how will they adapt in the future? Let's talk about that.
The Past
The most widely used method of detecting malicious content at the moment is "signatures". When a malicious piece of software is identified, it gets flagged and its signature is added to a global repository, so tools like your virus scanner or your email provider can recognise that signature and stop the malicious software from ever being sent or landing on your system. While this is a method that has worked for a very long time (since the 80s), it has some shortcomings. If an attacker is smart, they will modify the malicious payload so that it no longer matches the signature in detector databases. Sometimes a minor change, like modifying the "From" section of the code, is enough for detectors to miss the poisoned program. Also, storing hard-coded signatures for every malicious piece of software that exists in the wild takes up an enormous amount of storage, so companies like Talos (Cisco's security and threat data provider) manage petabytes of signature libraries. This all creates a game of whack-a-mole where security providers are constantly creating and pushing new signatures for every new variant of what are usually only a handful of active software threats in use all over the world. These tend to track emerging technologies and new attack vectors.
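To make the "one small edit defeats an exact signature" point concrete, here is a small Python illustration added to this post (it is not code from the post or from any vendor). It compares an exact SHA-256 hash signature, as described above, with two assumed alternatives that the post does not describe: a byte-pattern signature and a token-set similarity check with a tolerance threshold. The sample bytes, family name, patterns and threshold are all constructed for the demonstration.

```python
import hashlib

# Constructed stand-in for an attachment's bytes; not real malware.
ORIGINAL_SAMPLE = b"MZ-HEADER dropper v1 From: attacker@example.invalid connect c2.example.invalid"
# The same bytes after a one-character edit to the "From" string, the kind of tweak the post describes.
MODIFIED_SAMPLE = b"MZ-HEADER dropper v1 From: attacker@example.invalid. connect c2.example.invalid"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Exact-hash signature database (constructed): digest -> family name.
HASH_SIGNATURES = {sha256_hex(ORIGINAL_SAMPLE): "dropper.v1"}
# Byte-pattern signatures (constructed): a substring characteristic of the family -> family name.
PATTERN_SIGNATURES = {b"dropper v1": "dropper.v1"}
# Token-similarity signatures (constructed): the whitespace-token set of a known sample -> family name.
TOKEN_SIGNATURES = {frozenset(ORIGINAL_SAMPLE.split()): "dropper.v1"}
SIMILARITY_THRESHOLD = 0.7  # assumed tolerance; a variant this similar is treated as the same family


def match_hash(data: bytes):
    """Exact match: any change to the bytes changes the digest and the lookup misses."""
    return HASH_SIGNATURES.get(sha256_hex(data))


def match_pattern(data: bytes):
    """Substring match: survives edits outside the characteristic pattern."""
    for pattern, family in PATTERN_SIGNATURES.items():
        if pattern in data:
            return family
    return None


def jaccard(a: frozenset, b: frozenset) -> float:
    """Similarity of two token sets: |intersection| / |union|."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def match_tokens(data: bytes):
    """Similarity match: flags a sample whose token set is close enough to a known one."""
    tokens = frozenset(data.split())
    best_score, best_family = 0.0, None
    for signature, family in TOKEN_SIGNATURES.items():
        score = jaccard(tokens, signature)
        if score > best_score:
            best_score, best_family = score, family
    return best_family if best_score >= SIMILARITY_THRESHOLD else None


def scan(data: bytes) -> dict:
    """Run all three detectors and report which ones recognised the sample."""
    return {"hash": match_hash(data), "pattern": match_pattern(data), "tokens": match_tokens(data)}


if __name__ == "__main__":
    print("original:", scan(ORIGINAL_SAMPLE))
    print("modified:", scan(MODIFIED_SAMPLE))
```

Running it shows the exact hash catching only the original bytes, while the pattern and similarity checks still attribute the edited copy to the same family. The trade-off is that looser signatures raise the false-positive rate and still have to be curated per family, which is exactly the maintenance burden the paragraph describes.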
The Present
I've had the great pleasure of attending some conferences recently and speaking with some great innovators in this field, so let me go over where we are now and what emerging new ideologies are being worked on to help protect your inbox in the near future. Here are some new tactics being used by companies to protect your inbox.
NLA (Natural Language Analysis)
Now that "AI" (machine learning) is becoming something that is accessible and usable by everyday users, companies have started integrating it into products for analysis and detection of indicators of malicious intent. What machine learning systems really excel at is looking at huge data sets, breaking them down and grouping them. If a security team works with the data set to group malicious attempts together, the system gets very good at spotting those types of emails based solely on the body of the message. A classic example is the "prince" email scam, where the sender poses as a prince and offers you a great deal of money if you pay for postage, or some variation on that. Machine learning systems have gotten incredibly good at spotting this sort of thing and many other variations, even if the malicious actor changes words or details.
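The simplest model that behaves the way this paragraph describes is a word-frequency (multinomial Naive Bayes) text classifier, so here is one written from scratch as an added example for this post; it is not the model any email provider uses, and the labelled training messages are constructed, not real mail. It learns per-class word likelihoods from a few labelled bodies and then scores a reworded "prince" message, which shares only a handful of words with the training example yet still lands on the phishing side.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed, labelled training bodies (not real messages).
TRAINING = [
    ("phish", "dear friend i am a prince and need your help to transfer money please send postage fee"),
    ("phish", "urgent your account will be suspended verify your password at this link"),
    ("phish", "you have won the lottery claim your prize send bank details"),
    ("legit", "hi team the meeting is moved to thursday please update your calendar"),
    ("legit", "attached is the invoice for last month let me know if you have questions"),
    ("legit", "lunch on friday the usual place"),
]


def tokenize(text: str) -> list:
    """Lower-case word tokens; punctuation and case changes do not create new features."""
    return re.findall(r"[a-z']+", text.lower())


class NaiveBayes:
    """Multinomial Naive Bayes with add-one (Laplace) smoothing for unseen words."""

    def __init__(self, samples):
        self.word_counts = defaultdict(Counter)  # label -> Counter of word frequencies
        self.doc_counts = Counter()              # label -> number of training bodies
        self.total_words = Counter()             # label -> total tokens seen
        vocab = set()
        for label, text in samples:
            tokens = tokenize(text)
            self.doc_counts[label] += 1
            self.word_counts[label].update(tokens)
            self.total_words[label] += len(tokens)
            vocab.update(tokens)
        self.vocab_size = len(vocab)
        self.n_docs = len(samples)

    def log_scores(self, text: str) -> dict:
        """log P(label) + sum over tokens of log P(token | label), per label."""
        tokens = tokenize(text)
        scores = {}
        for label in self.doc_counts:
            score = math.log(self.doc_counts[label] / self.n_docs)
            denominator = self.total_words[label] + self.vocab_size
            for token in tokens:
                # +1 smoothing: a word never seen under this label still gets a small probability.
                score += math.log((self.word_counts[label][token] + 1) / denominator)
            scores[label] = score
        return scores

    def classify(self, text: str) -> str:
        scores = self.log_scores(text)
        return max(scores, key=scores.get)


MODEL = NaiveBayes(TRAINING)


def classify(text: str) -> str:
    """Label a message body using the model trained on the constructed samples."""
    return MODEL.classify(text)


if __name__ == "__main__":
    # A reworded advance-fee pitch: different vocabulary from the training example, same shape.
    print(classify("greetings i am a royal heir who needs assistance moving money kindly send the shipping charge"))
    print(classify("can we move the meeting to friday"))
```

With six training bodies the margins are small, so this is a demonstration of the mechanism rather than a usable filter; a production system trains on millions of labelled messages and adds features beyond bag-of-words (sender reputation, URL structure, header anomalies). The retraining loop the paragraph mentions, where analysts keep grouping new malicious samples, is what keeps the word likelihoods current as scammers change their wording.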
Detonation Chamber
For me this is the most interesting development, as I've been using a version of this tech for years, but until now it has been a very involved thing to set up and use properly. The idea is that you create an isolated "detonation chamber" where you can safely execute something like an attachment that someone sent with an email, and the system does everything that would happen to your computer if you clicked on the link. Not only is the chamber isolated and made for one-time use, it also creates a report of all the malicious things the attachment did. The reports include any changes made to the system, background programs spun up, firewall changes made, registry changes made, and screenshots of anything that might have been opened, like a website. These newer email systems and programs are capable of running attachments through detonation chambers EVERY time a suspected phishy email is sent to you, testing them before something bad gets to your inbox.
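The report the paragraph describes is essentially a diff between a snapshot of the disposable machine taken before the attachment runs and one taken after. The following Python, added here as an illustration and not taken from any sandbox product, models that step: two constructed snapshots (file hashes, running processes, firewall rules, registry values), a diff that produces the report categories listed above, and a simple scoring heuristic that turns the report into a verdict. Every path, process name and hash value is constructed for the example, and the scoring weights are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """State of the disposable VM at one moment (all values constructed for the example)."""
    files: dict               # path -> content hash
    processes: frozenset      # running process names
    firewall_rules: frozenset # rule descriptions
    registry: dict            # key path -> value


# Well-known per-user autostart location; anything written here survives a reboot.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed "before" state: the attachment is on disk but has not been opened.
BEFORE = Snapshot(
    files={r"C:\Users\victim\Downloads\invoice.pdf.exe": "hash-of-attachment"},
    processes=frozenset({"explorer.exe", "outlook.exe"}),
    firewall_rules=frozenset(),
    registry={RUN_KEY + r"\OneDrive": r"C:\Program Files\OneDrive\OneDrive.exe"},
)

# Constructed "after" state: a file was dropped, processes started, a rule and a Run key were added.
AFTER = Snapshot(
    files={
        r"C:\Users\victim\Downloads\invoice.pdf.exe": "hash-of-attachment",
        r"C:\Users\victim\AppData\Roaming\svc.exe": "hash-of-dropped-file",
    },
    processes=frozenset({"explorer.exe", "outlook.exe", "powershell.exe", "svc.exe"}),
    firewall_rules=frozenset({"allow outbound for svc.exe"}),
    registry={
        RUN_KEY + r"\OneDrive": r"C:\Program Files\OneDrive\OneDrive.exe",
        RUN_KEY + r"\svc": r"C:\Users\victim\AppData\Roaming\svc.exe",
    },
)


def diff_snapshots(before: Snapshot, after: Snapshot) -> dict:
    """Build the detonation report: what changed between the two snapshots, by category."""
    all_registry_keys = set(before.registry) | set(after.registry)
    return {
        "files_created": sorted(set(after.files) - set(before.files)),
        "files_modified": sorted(
            p for p in before.files if p in after.files and before.files[p] != after.files[p]
        ),
        "files_deleted": sorted(set(before.files) - set(after.files)),
        "processes_started": sorted(after.processes - before.processes),
        "firewall_rules_added": sorted(after.firewall_rules - before.firewall_rules),
        "registry_changed": sorted(
            k for k in all_registry_keys if before.registry.get(k) != after.registry.get(k)
        ),
    }


def verdict(report: dict) -> tuple:
    """Assumed scoring: persistence and firewall changes weigh most, new executables next, new processes least."""
    score = 0
    score += 3 * sum(1 for key in report["registry_changed"] if key.startswith(RUN_KEY))
    score += 3 * len(report["firewall_rules_added"])
    score += 2 * sum(1 for path in report["files_created"] if path.lower().endswith(".exe"))
    score += 1 * len(report["processes_started"])
    return ("suspicious" if score >= 5 else "benign", score)


if __name__ == "__main__":
    report = diff_snapshots(BEFORE, AFTER)
    for category, items in report.items():
        print(f"{category}: {items}")
    print(verdict(report))
```

A real chamber collects the "before" and "after" from the hypervisor or an in-guest agent, adds network captures and screenshots, and treats the VM as disposable afterwards so nothing the sample did can leak into the next run. Only the categories appear here; the weights are illustrative and a production system would tune them against known-good and known-bad samples.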
These are only two of the newer methods of spotting phishing emails that exist right now and are being implemented by the most cutting-edge tech companies; let's hope the major corporations catch up soon.