
Hornetsecurity and Vade Email Filtering – Stronger Together

Written by Paul Schnackenburg / 05.09.2024

Vade joining the Hornetsecurity group has brought big benefits to customers from both sides, with the combination of filtering technologies high up on the list. In this article, we’ll look at how our filtering has been enhanced and what this means for mailboxes protected by Vade or Hornetsecurity now.

Email Filtering Basics 

Email has been around since 1971 and has been a mainstay of business communications for at least three decades. And for all that time, spam/junk mail has been a constant scourge in our inboxes, as have phishing and malware-laden emails trying to trick us into opening a dangerous attachment or clicking a link. As such, filtering is required to intercept these unwanted messages and keep email viable.

A reasonable question might be: why is this the case? Why hasn’t this been fixed? There are several contributing factors, starting with the technical foundations. When the email protocols the world still runs on were invented, security wasn’t even a consideration and thus every addition that has been made is a “bolt-on”, not part of the foundations. The 24/7/365 nature of emails also means that new security features must be introduced gradually, which means they’re optional, which limits the adoption and stretches it out over many years.  

Another contributing factor is that there’s big money to be made in malicious emails. Spam works because even if only 1 in 10,000 people fall for it, if you can send millions of emails quickly, you’ll still have a high enough hit-rate to make money. Phishing emails sent with attachments or links to trick business users into handing over their credentials are still the main vector for organizations to be compromised. Once attackers have this first foothold in the network, they further compromise systems, quickly leading to ransomware, or other cyber-attack flavors.

The third factor that makes email filtering challenging is the ever-changing nature of the attacks. Because there’s now so much money involved, the attackers can dedicate resources to tweaking the type of emails and the language used (including help from AI, such as LLMs for high-quality translations into languages where social engineering via email is relatively unknown), adding QR codes or images, and finding other “innovative” ways of fooling us. And just like a marketing agency, they fine-tune their approaches with A/B testing – send a batch of 5000 emails with one variant of the attack and another 5000 with the second flavor. Now gather the click-through rate and analyze, pick the approach that was most effective, and send this to a million potential victims in a few minutes.

The final factor is the speed of change. Once upon a time when an email server was compromised and started sending out spam, protection services would pick up on this, and block that sending IP address. Today, many spam/phishing networks use botnets to send their emails, with the sending IP address changing every time a home router is restarted for example. Or they keep changing their IP address by routing through proxies to further confuse receiving mail servers as to the authenticity of the sending server. 

Furthermore, if your email filtering is “too effective”, it might start blocking legitimate emails, leading to false positives and business interruptions. Finding this balance in the ever-changing world of new attack variants is difficult.  

Vade and Hornetsecurity each have leading technologies for managing these factors and walking the fine line of reducing false positives whilst letting through a minimum amount of dross (false negatives). By combining the filtering engines, a much stronger solution emerges.

Email Live Tracking

Benefits for Vade Customers 

The layered approach to identifying malware in email attachments is now stronger than ever. Known malware is quickly identified with signature-based antivirus engines, but the addition of Sandbox detection significantly enhances the detection of new or slightly altered malware variants. Any email attachment that we’ve never seen before is opened in an automated sandbox and its behavior is analyzed. If it’s a PDF or Word document, for example, does it have macros in it, do they attempt to run obfuscated code, do they reach out to Command and Control (C2) servers? The engine looks at hundreds of signals to quickly render a verdict on whether this file is benign or malicious.

When it comes to phishing emails, there are the run-of-the-mill, high-volume types (“your FedEx delivery has been delayed, click here to schedule redelivery”), and then there are tailored attacks that are handcrafted for a specific company or even a particular set of users. These are caught by the Spear Phishing detection that Vade customers inherit from Hornetsecurity, which relies on behavioral and content analysis.

Overall, filtering of emails relies on layers, each focusing on a particular signal in each email. The integration adds another 40+ layers to the combined filtering engine, improving the detection of various threats.

As mentioned, driving down the False Negative (FN) and False Positive (FP) rates is paramount in a reliable email hygiene solution. Customers now benefit from the self-learning algorithms inherited from Hornetsecurity to achieve this.

An important way to identify unusual email interactions is mapping all normal email connections using a graph database, which lets the engine trigger anomaly detections as a barrier protection for first encounters with new senders. We call this Social-Graph based First encounter barrier protection.

Pre-Delivery URL Scanning has been added to real-time URL (links in emails) and time-of-click scanning, to ensure that malicious links are detected before they reach users, providing an extra layer of defense.

A specific challenge for all email hygiene solutions is encrypted / password-protected files. It’s common for criminals to present some pretext for why the attachment is protected with a password (according to the military, the best way to get someone to read a document is to mark it as “Secret”) and to give the password in the email. This presents a challenge for many email filters as they normally can’t decrypt / open the attachments. The Encrypted File Analysis feature enables the engine to analyze the body of the email and try to unlock the attachment using anything that looks like a password, followed by the attachment scanning process outlined above.
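The approach described above, sketched as an added example (not Hornetsecurity’s or Vade’s code): rank password-like strings from the email body, then try each against the attachment. The cue-word list, the three-character-class heuristic and all function names are assumptions; Python’s zipfile only decrypts legacy ZIP encryption, so AES archives are reported as not opened.

```python
import io
import re
import zipfile
import zlib

# Cue words that tend to introduce a password (assumed heuristic list).
CUE = re.compile(r"(?i)\b(?:password|passcode|pwd|pin)\b\s*(?:is|:|=)?\s*(\S{4,64})")
TOKEN = re.compile(r"[^\s<>()]{6,64}")
CLASSES = ("[a-z]", "[A-Z]", r"\d", r"[^\w\s]")

def password_candidates(body, limit=25):
    """Password-like strings from the body, most likely first, de-duplicated."""
    found = [m.group(1) for m in CUE.finditer(body)]   # text right after a cue word
    found += [t for t in TOKEN.findall(body)           # then any mixed-class token
              if sum(bool(re.search(c, t)) for c in CLASSES) >= 3]
    ordered = []
    for raw in found:
        # Try the token as written, then without quotes / sentence punctuation.
        for cand in (raw, raw.strip("\"'").rstrip(".,;:!?")):
            if cand and cand not in ordered:
                ordered.append(cand)
    return ordered[:limit]

def zip_opens_with(data, password):
    """True if every member of a ZIP decrypts and passes its CRC with this password."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.setpassword(password.encode("utf-8"))
            return zf.testzip() is None
    except (RuntimeError, NotImplementedError, zipfile.BadZipFile, zlib.error):
        return False  # wrong password, unsupported encryption, or not a ZIP

def unlock(body, opens_with):
    """Return the first candidate that opens the attachment, or None (unscannable)."""
    for cand in password_candidates(body):
        if opens_with(cand):
            return cand
    return None

# Constructed sample body.
SAMPLE_BODY = ("Hi,\nplease review the attached statement. For confidentiality "
               "the archive is encrypted.\nPassword: Tr4nsfer-2024!\nRegards")
```

For a ZIP attachment the caller passes `lambda p: zip_opens_with(attachment_bytes, p)` as `opens_with`; a `None` result means the attachment stays unscanned and should be handled by policy rather than delivered as clean.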

The integration of two advanced email filtering technologies also adds DMARC-based detection, DMARC being the part of the DNS record trifecta that ties the other two together. Remember those email security “bolt-ons” mentioned above? Well, there are three DNS records that every organization should use to improve their email security, and if all emailing organizations did, spam and phish emails would be caught much more easily. Sender Policy Framework (SPF) tells receiving email servers which servers are allowed to send email for your domain(s), and DomainKeys Identified Mail (DKIM) signs each outgoing email with a key, allowing receiving email servers to verify that the email comes from your domain and hasn’t been tampered with in transit. DMARC finally brings the two together to tell receiving email servers what to do when an incoming email fails the SPF check, the DKIM check, or both.

Email DNS records control panel

Related to the above DNS records is DNS-based Authentication of Named Entities (DANE) based detection. The three records are very important for verifying emails, and thus criminals try to find ways around them. One way is spoofing DNS records (tricking DNS servers into responding with the attackers’ records rather than legitimate ones). DANE binds digital certificates to DNS records and works in tandem with Domain Name System Security Extensions (DNSSEC) to ensure that the DNS records for your organization’s domain aren’t tampered with. Outbound email security is also strengthened with improved DKIM signatures and an upgrade to Transport Layer Security (TLS) version 1.3, ensuring that outgoing emails are secure and trustworthy.

Benefits for Hornetsecurity Customers 

As a result of this integration, Hornetsecurity customers also enjoy excellent additional benefits thanks to the Vade filtering technologies.  

The huge scale of their scanning engine brings strong improvements in the detection rate for the Info-Mail (Spam) filter. This enhanced detection also brings more granularity for administrators to fine tune based on additional verdicts for Info-Mail.  

Real-time detection gains improvements based on the analysis of 60 – 90 billion data points per day, across 1.4 billion mailboxes (yes, you read that correctly). The importance of these huge numbers can’t be emphasized enough. Modern email cybersecurity hygiene is a big data / ML problem, and the bigger your data set, the better your filters’ results will be.

Previously, Ex-Post Deletion allowed administrators to manually flag and remove malicious emails that bypassed initial filtering. Now, the integration brings a significant efficiency gain with fully Automated Ex-Post Deletion for existing customers. 

A favored tactic of criminals is using images with text both in emails and in target websites to trick scanning engines. The enhanced phishing detection now includes AI-driven computer vision, which can accurately identify these threats. Finally, there’s Machine Learning (ML) applied to URL analysis in real time, asynchronously and at time of click, for links in emails and attachments.

AI Recipient validation – an advanced email security feature

Conclusion  

Email hygiene filtering is an ever-changing, challenging field in cybersecurity and something every organization should outsource to experts who focus on it. These experts need to operate on a huge scale to be able to effectively gather signals across emails from the entire internet to quickly catch new attacks. The marriage of two advanced scanning technologies truly brings the best of both tech stacks, combining into a powerful, easy to configure, low administrative overhead, and superior solution.

FAQ

How does the integration of Vade and Hornetsecurity improve email filtering?

The integration enhances email filtering by combining advanced technologies from both companies, adding over 40 layers of protection. This results in better detection of spam, phishing, and malware, along with reduced false positives and negatives.

What are the benefits of the combined email filtering for Vade customers?

Vade customers now benefit from Hornetsecurity’s advanced features like Sandbox detection, Social-Graph based protection, and Pre-Delivery URL Scanning, which improve the identification of new malware, phishing attempts, and malicious links.

How does the integration benefit Hornetsecurity customers?

Hornetsecurity customers gain from Vade’s extensive scanning capabilities, which enhance Info-Mail filtering, real-time detection, and automated Ex-Post Deletion, offering a more efficient and precise email security solution.