Threat Spotlight: Post-Delivery Email Threats

What happens after a malicious email bypasses an organization’s security measures and lands in a user’s inbox can be just as important as what happens to block threats in the first place.

Barracuda researchers recently looked at approximately 3,500 organizations to better understand threat patterns and response practices. They found that an average organization with 1,100 users will experience around 15 email security incidents per month, and on average 10 employees will be impacted by each phishing attack that manages to get through.

We also found that 3% of employees will click on a link in a malicious email, exposing the entire organization to attackers. Although these numbers may appear small, they are still significant because hackers need only one click or reply for an attack to be successful.

In addition, researchers identified actions that can make a measurable difference post-delivery. For example, our analysis found that organizations that train their users will see a 73% improvement in the accuracy of user-reported email after only two training campaigns.

Here’s a closer look at the threat patterns and response practices our researchers uncovered, and steps you can take to help improve your organization’s response to email threats post-delivery.

Highlighted Threat

Post-delivery email threats — The activities conducted to manage the aftermath of a security breach and the threats that arise post-delivery are commonly referred to as incident response. Effective incident response seeks to remediate the security threat quickly to stop the spread of the attack and minimize any potential damage.

Evolving email attacks pose a significant risk to organizations. As hackers utilize more sophisticated social engineering techniques, email threats become difficult for both technical controls and email users to detect. There is no security solution that can prevent 100% of attacks. Likewise, end-users don’t always report suspicious emails due to lack of training or negligence, and when they do, the accuracy of reported messages is low, leading to wasted IT resources. Without an efficient incident response strategy, threats can often go undetected until it’s too late.

The Details

Based on Barracuda researchers’ analysis of incidents at approximately 3,500 organizations, an average organization with 1,100 users will experience around 15 email security incidents per month. An “incident” in this case refers to a malicious email that has made it past technical security controls and into users’ inboxes. Once identified, an incident must be prioritized, investigated to determine its scope and threat level, and, if confirmed to be a threat, remediated.

There are several ways organizations can identify email threats for post-delivery remediation: users can report them, IT teams can run internal threat hunts, or organizations can draw on threat data shared by a community of other organizations that have already remediated the same attacks. Shared data on previously remediated threats tends to be more reliable than user-reported data.

Our researchers found that the majority of incidents (67.6%) were discovered through internal threat hunting investigations launched by the IT Team. These investigations can be initiated in a variety of ways. Common practices include searching through message logs or running keyword or sender searches of already delivered mail. Another 24% of incidents were created from user-reported emails, 8.1% were discovered using community-sourced threat intelligence, and the remaining 0.4% through other sources such as automated or previously remediated incidents.

[Figure: Incident Source]

Organizations should always encourage end users to report suspicious emails, but an influx of user-reported emails can be burdensome for resource-strapped IT Teams. A good way to increase the accuracy of user reports is to provide consistent security awareness training. Our research found that organizations that train their users will see a 73% improvement in the accuracy of user-reported email after only two training campaigns.

[Figure: Accuracy of User-Reported Emails]

3% of users click on links in malicious emails

Once IT admins have identified and confirmed malicious emails, they need to investigate the potential scope and impact of the attack. Identifying all individuals within an organization that have received malicious messages can be incredibly time consuming without the right tools. Our research showed that on average 10 employees will be impacted by each phishing attack that manages to get through.

Additionally, 3% of employees will click on a link in a malicious email, exposing the entire organization to attackers. In other words, an average organization of 1,100 users will have around five users click a link in a malicious email every month. Employees also forward or reply to malicious messages, spreading attacks further within their companies or even externally. Although these numbers may appear small, they are not insignificant: hackers need only one click or reply for an attack to succeed. Our data also shows that it takes only 16 minutes for a user to click on a malicious link, so fast investigation and remediation are key to keeping the organization safe.

[Figure: User Interaction with Malicious Emails]

Malicious emails spend 83 hours in users’ inboxes before they are removed.

Email remediation can be a lengthy and time-consuming process. On average, our researchers found it takes three and a half days, or just over 83 hours, from the moment an attack lands in users’ inboxes to when it is discovered by a security team or reported by end users and finally remediated. This time can be shortened considerably in two ways: focused security training that improves the accuracy of user-reported attacks, and automated remediation tools that identify and remove attacks without manual effort, freeing up security personnel.

Many security teams also use threat insights from remediated incidents to update their security policies and prevent future attacks. For example, 29% of organizations will regularly update their block lists to block messages from specific senders or geographies. However, only 5% of organizations will update their web security to block access to malicious sites for entire organizations. This small number is due to the lack of integration between incident response and web security at most organizations.

[Figure: Post-Remediation Actions]

How to protect against post-delivery threats

1. Train your users to improve the accuracy and volume of reported attacks—An educated email user can prevent the devastating effects of a successful email attack. Continuous security awareness training will increase the likelihood that users will report potential threats to their IT team, rather than respond, click, or forward them. End-user training should be frequent so that security best practices stay top of mind and the accuracy of reported threats keeps IT from spending too much time investigating non-malicious junk mail.

2. Rely on the community to detect potential threats—Shared threat data is a powerful way to prevent evolving threats from compromising your data and your users. Related and sometimes identical email threats will affect more than one organization since hackers frequently leverage the same attack techniques across multiple targets. Tapping into intelligence data that other organizations gather is an effective approach to defeating large-scale attacks, rather than only using threat data gathered through an organization’s individual network. Make sure your incident response solution can access and leverage shared threat data for effective threat hunting and potential incident alerts.

3. Use threat hunting tools for faster attack investigations—Uncovering potential threats as well as identifying the scope of the attack and all impacted users could take hours if not days. Organizations should deploy threat hunting tools that give them visibility into mail post-delivery. These tools can be used to identify anomalies in already delivered mail, quickly search for impacted users, and see if they have interacted with malicious messages.

4. Automate remediation where possible—Having automated incident response systems in place can significantly reduce the time it takes to identify suspicious emails, remove them from all affected users’ inboxes, and automate processes that bolster defenses against future threats. By implementing automated workflows, our Barracuda customers have slashed their response time by up to 95%, reducing the time that a threat can spread, and freeing up their IT teams to focus on other security tasks.

5. Leverage integration points—Organizations need to not only automate their workflows but also integrate their incident response with email and web security to prevent further attacks. Intelligence gathered from an incident response can also be used to enable automatic remediation and help identify related threats.
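The threat-hunting and automated-remediation steps above (and the log-search hunting practice described under The Details) are illustrated by the following added example. It is not Barracuda’s code or any vendor’s API: it assumes a hypothetical mail-gateway export with one JSON object per delivered message and a hypothetical web-proxy click log, and both sample logs are constructed. Starting from one user-reported message, it pivots on the sender domain to find related deliveries, works out every impacted recipient, who actually clicked, how long the mail sat in inboxes, and turns the result into the remediation actions the article lists (purge, credential reset, sender and URL blocks).

```python
"""Post-delivery threat hunt and incident scoping over delivered-mail and click logs.

Added example, not Barracuda's code. The log formats are hypothetical and the
sample records below are constructed for illustration.
"""
import json
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample: one JSON object per delivered message (hypothetical gateway export).
DELIVERED_MAIL_LOG = """\
{"message_id": "m-1001", "sender": "billing@paypa1-secure.example", "recipient": "alice@corp.example", "subject": "Action required: invoice overdue", "urls": ["http://paypa1-secure.example/login"], "delivered_at": "2020-06-01T09:02:11Z"}
{"message_id": "m-1002", "sender": "billing@paypa1-secure.example", "recipient": "bob@corp.example", "subject": "Action required: invoice overdue", "urls": ["http://paypa1-secure.example/login"], "delivered_at": "2020-06-01T09:02:13Z"}
{"message_id": "m-1003", "sender": "billing@paypa1-secure.example", "recipient": "carol@corp.example", "subject": "Action required: invoice overdue", "urls": ["http://paypa1-secure.example/login"], "delivered_at": "2020-06-01T09:02:15Z"}
{"message_id": "m-1004", "sender": "news@vendor.example", "recipient": "alice@corp.example", "subject": "June newsletter", "urls": ["https://vendor.example/news"], "delivered_at": "2020-06-01T10:15:00Z"}
{"message_id": "m-1005", "sender": "it-support@paypa1-secure.example", "recipient": "dave@corp.example", "subject": "Password expiry notice", "urls": ["http://paypa1-secure.example/reset"], "delivered_at": "2020-06-01T11:40:02Z"}
"""

# Constructed sample: URL-click events from the web proxy (hypothetical format).
URL_CLICK_LOG = """\
{"recipient": "bob@corp.example", "url": "http://paypa1-secure.example/login", "clicked_at": "2020-06-01T09:18:40Z"}
{"recipient": "alice@corp.example", "url": "https://vendor.example/news", "clicked_at": "2020-06-01T10:30:00Z"}
"""


def parse_jsonl(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(ts):
    # Accept a trailing "Z" on every supported Python version.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def sender_domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def hunt(messages, sender_domain=None, keyword=None, url_host=None):
    """Search already-delivered mail by sender domain, subject keyword and/or URL host.
    Every supplied criterion must match, so adding a pivot narrows the result set."""
    hits = []
    for m in messages:
        if sender_domain and sender_domain_of(m["sender"]) != sender_domain.lower():
            continue
        if keyword and keyword.lower() not in m["subject"].lower():
            continue
        if url_host and url_host.lower() not in {urlparse(u).hostname for u in m["urls"]}:
            continue
        hits.append(m)
    return hits


@dataclass(frozen=True)
class Incident:
    message_ids: tuple
    recipients: frozenset
    clicked: frozenset
    sender_domains: frozenset
    url_hosts: frozenset
    dwell_hours: float  # first delivery to remediation, the article's "time in inbox"


def scope_incident(hits, clicks, remediated_at):
    """Who received the malicious messages, who clicked a link from one, and dwell time."""
    if not hits:
        raise ValueError("no messages matched; nothing to scope")
    clicked = set()
    for m in hits:
        delivered = parse_ts(m["delivered_at"])
        for c in clicks:
            # A click counts only if it is the same user, a URL from that message,
            # and it happened after the message was delivered.
            if (c["recipient"] == m["recipient"] and c["url"] in m["urls"]
                    and parse_ts(c["clicked_at"]) >= delivered):
                clicked.add(m["recipient"])
    first_delivery = min(parse_ts(m["delivered_at"]) for m in hits)
    dwell = (parse_ts(remediated_at) - first_delivery).total_seconds() / 3600
    return Incident(
        message_ids=tuple(m["message_id"] for m in hits),
        recipients=frozenset(m["recipient"] for m in hits),
        clicked=frozenset(clicked),
        sender_domains=frozenset(sender_domain_of(m["sender"]) for m in hits),
        url_hosts=frozenset(urlparse(u).hostname for m in hits for u in m["urls"]),
        dwell_hours=round(dwell, 1),
    )


def remediation_plan(incident):
    """Actions an automated workflow would queue (hypothetical action names)."""
    return {
        "purge_messages": sorted(incident.message_ids),      # remove from every inbox
        "reset_credentials": sorted(incident.clicked),       # users who followed the link
        "block_senders": sorted(incident.sender_domains),    # email block list update
        "block_urls": sorted(incident.url_hosts),            # web security block list update
    }


if __name__ == "__main__":
    msgs = parse_jsonl(DELIVERED_MAIL_LOG)
    clicks = parse_jsonl(URL_CLICK_LOG)
    # A user reports m-1001; pivot on its sender domain to find the related deliveries,
    # including m-1005, which has a different sender local part and subject line.
    reported = next(m for m in msgs if m["message_id"] == "m-1001")
    hits = hunt(msgs, sender_domain=sender_domain_of(reported["sender"]))
    inc = scope_incident(hits, clicks, remediated_at="2020-06-04T20:02:11Z")
    print(f"{len(inc.recipients)} recipients, {len(inc.clicked)} clicked, "
          f"{inc.dwell_hours} h in inboxes")
    print(json.dumps(remediation_plan(inc), indent=2))
```

Pivoting on the sender domain rather than the exact sender or subject is what catches the second lure (m-1005) that a keyword search for the reported subject would miss; the same `hunt` call with `url_host` lets you pivot on shared attacker infrastructure instead. Feeding `block_urls` to the web proxy is the integration point the article notes only 5% of organizations exercise.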

This Threat Spotlight was authored by Mike Flouton with research support from Wenting Zhang, Sheila Hara, Stephanie Cavigliano, and Olesia Klevchuk of the Barracuda Sentinel team.