Email delivered threats such as phishing, malware attachments and Business Email Compromise (BEC) are still the number one favorite attack vector for cyber criminals. And they’re not letting up, with new flavors of attacks being tested every day. It just takes one legitimate looking email to sneak through into a user’s mailbox, and an unsuspecting user to click a link or open an attachment to open a door into your business for the bad guys.

In this article we’ll explain and provide a comparative analysis of the two main approaches to email security. We’ll then look at a few fictitious companies that suit one approach over the other and finally demonstrate how a hybrid approach, such as the one deployed by Hornetsecurity 365 Total Protection, offers the best of both worlds.

Email security isn’t a new problem. Even a decade ago when most businesses were still running their own email servers, they either had to install software on their edge servers to filter out the dross or subscribe to a hosted service to filter the incoming email feed before it reached said servers.

Today most organizations rely on hosted email, with Microsoft 365 and Google Workspaces being the most popular options. This provides the foundation for the two different approaches: Secure Email Gateway is the single point cloud service where all the incoming emails to your organization are filtered, and clean emails are delivered to your mailboxes.

The other approach is using Application Programming Interfaces (APIs) in the email cloud service to detect and respond to email threats, often called Integrated Cloud Email Security (a term coined by Gartner in 2021). This isn’t an either / or proposition either, you can combine both techniques, something called Hybrid Cloud Email Security.

This is the older of these two methods, having its roots in the appliances or hosted services that businesses used a decade or two ago. They filter incoming and (often) outgoing emails, removing spam, malware, and other threats, sometimes also providing data loss prevention by identifying sensitive data in outgoing emails. They can also encrypt outgoing emails with standard TLS (formerly SSL) encryption, as well as other approaches such as DNS-based Authentication of Named Entities (DANE), Mail Transfer Agent-Strict Transport Security (MTA-STS) and venerable encryption protocols such as S/MIME and PGP.

Secure Email Gateway

An in-depth exploration of DANE and MTA-STS are beyond the scope of this article but suffice to say that they make sure that traffic between mail servers on the internet are always protected with TLS encryption, and not susceptible to attackers changing IP addresses in the DNS infrastructure.

Not all Secure Email Gateway servers are created equally, and their defense mechanisms vary. Often, they apply advanced threat protection features such as opening attachments in sandbox environments to identify signs of malicious activity or use Machine Learning (ML) to identify potentially misleading or dangerous language in the text of a phishing email.

Once an email has been deemed safe and delivered to user’s inboxes, these gateways have no way to remediate threats if it’s later discovered that the message was malicious.

A big benefit of Secure Email Gateways is that all external email pass through them (if used for outgoing filtering as well), enabling easy archiving and journaling opportunities, to fulfil compliance regulatory requirements, as well as enabling e-discovery. These gateways also employ current technologies for identifying spam, phishing and spoofing and protecting organizations email reputation such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC).

They can also apply corporate template signatures to all outgoing emails, and because they’re a separate service they can provide continuity if Exchange Online or Google Workspaces is having an outage, providing webmail access, and queuing of emails until service is resumed. Depending on the service, there may limited integration with other security tools and services – if for example a user’s workstation becomes infected with malware, it’d be nice to easily know if they received any suspicious emails in the last few hours.

Finally, as a central service, they can provide excellent reporting and statistics on traffic volumes, threats detected, and actions taken.

They require some setup, and they’re not easy to “try out” in a proof of concept, because you must redirect your organization’s email domains (company.com) to the Secure Email Gateway service by changing the Mail eXchanger (MX) DNS entry. This will tell every email server on the planet where to send any emails for your domain, so you can’t do a test setup with just a few users for example.

The rise of large scale, cloud hosted email services such as Microsoft 365 and Google Workspaces have also spawned new integration points that weren’t available in the old on-premises world. The lifeblood of cloud services are APIs and the ease with which they facilitate integration between different services, and email is no exception.

These cloud services can easily integrate AI and ML for threat detection into user’s mailboxes (temporarily blocking access to delivered emails until scanning is complete), and unlike a gateway, they have continuous access to the entire platform, so that if an email is later identified as malicious, they can reach into mailboxes and delete or quarantine them “after the fact”.

Their ability to provide archiving is controlled by the APIs that the cloud provider offers, in fact, all their flexibility is entirely dependent on what the provider chooses to expose. They generally offer email authentication standards configuration (SPF, DKIM, DMARC) but this again depends on the underlying APIs.

Because they’re dependent on the cloud platform, they can only offer limited support for continuity in the case of an outage, and they don’t manage email encryption with PGP or S/MIME. Integrated Cloud Email Security services also don’t manage routing of emails, instead relying on the cloud platform for handling this. Reporting is likewise dependent on the APIs offered, but integration with other security tools is often excellent (as long as those tools are also cloud services). Being integrated “into the mailbox itself” means they can provide excellent data loss prevention services. If you have a large tenant, your provider must take into account API throttling limits as you can’t overwhelm the capacity of the platform with too many simultaneous requests.

Their real strength shines when it comes to setup – because no infrastructure or MX records need to change, they often only take a few minutes to deploy, and they can be scoped to a set of test users easily.

API – Approach default – (most common)

API – Approach – (safe mode)

In many scenarios, a combination of these technologies, like the hybrid model developed by Hornetsecurity, provides the best protection against email borne threats. The Secure Email Gateway will block most low-level threats, whereas the Integrated Cloud Email Security can deeply analyze the text of emails and attachments, using advanced AI and ML models to identify risks. Deployment is seamless, with easy integration into Microsoft 365 and Google Workspaces.

And the strength of each gives a better experience overall, if an email isn’t identified as malicious initially, but then received by other users later and this time blocked / quarantined (perhaps due to updated signatures), the gateway can tell the integrated service to delete the already delivered emails straight away.

During outages you get the benefits of continuing email access, reporting is even more comprehensive as not only incoming and outgoing emails are included, but also internal emails between employees which do not pass through the Secure Email Gateway. Data loss prevention is more comprehensive, with deep analysis of emails by the Integrated Cloud Email Security service, and the option to instruct the gateway to encrypt particularly sensitive emails based on the results.

Finally, because of the API driven nature of the Integrated Cloud Email Security they can extend beyond emails and mailboxes, such as managing permissions for attachments saved to OneDrive for Business from Outlook for example.

Hybrid (MX+API) – Approach – (safe mode)

Hornetsecurity’s hybrid technology enables it to leverage gateway technology to provide solutions such as its Spam & Malware Protection, Signature & Disclaimers, Email Encryption, Archiving, and Continuity Service in addition to featured powered by integrated cloud technology such as Advanced Threat Protection, AI Recipient Validation, and 365 Extended Email Protection.

As always in IT, the right solution depends on the specific needs and existing environment of an organization. We’ll look at four different fictitious companies, and their situation and recommend an email hygiene solution to suit.

GlobalTech Inc. is a large multinational corporation that has diverse email services across different countries, including on-premises, Google Workspace and Microsoft 365. In this mixed, complex environment, a single, cloud based Secure Email Gateway service, integrating the different email domains will provide comprehensive control and reporting.

They’ll need to meet varying regulatory requirements in different regions, so enabling data loss prevention and email encryption through the gateway will be crucial. If there are email system outages, they’ll rely on the gateway’s continuance services to minimize business impact. Depending on IT needs, they may also add Integrated Cloud Email Security to their Microsoft 365 and / or Google Workspace tenants.

GlobalTech email system

FinSecure Corp on the other hand relies on secure email communications with their clients. They’ve used S/MIME for many years to ensure end to end protection and non-repudiation of emails (proving that the sender of an email hasn’t been spoofed) and rely on DANE to mitigate the risk of criminals performing attacker-in-the-middle attacks against their email infrastructure. They will rely on a Secure Email Gateway service to enforce email encryption policies, and to demonstrate compliance with stringent regulations that are common for financial services firms.

FinSecure Corp

Our third example is CloudInnovate, a tech startup in Silicon Valley, relying exclusively on SaaS cloud services for collaboration and email. They’re growing rapidly and require an easy to integrate service for their cloud-first strategy. They’ll use an Integrated Cloud Email Security service for Microsoft 365 for easy scaling and providing advanced AI and ML protection against emerging threats.

CloudInnovate

Finally, TechGen Robotics, a leading robotics research and development company, operates at the forefront of innovation in autonomous systems and AI technologies. They have a lot of sensitive intellectual property, and are financially successful, making them targets for BEC attacks as well as industrial espionage. They’ll use both technologies together to ensure encryption of all sensitive emails (and attached documents), along with deep data loss prevention inspection to protect their IP.

They’ll need the advanced protection in their Integrated Cloud Email Security to identify and stop sophisticated attacks, and use the encryption provided by the gateway to protect communications end-to-end. They need the email continuity provided by the gateway in case of a service provider outage, whilst relying on the advanced protection of the API solution to inspect emails and attachments, including when those are saved in cloud storage.

TechGen Robotics

Hornetsecurity’s cutting edge email security solutions relies on providing both a Secure Email Gateway and Integrated Cloud Email Security for complete protection. As you have seen, both approaches have their strengths and weaknesses and by combining them, you truly get the best of both worlds, and the cleanest possible email feed.

Let’s start with a classic, the Nigerian prince scam, also known as an advance-fee scam. These try to make victims believe that they are the recipients of a large amount of money (emotion trigger: greed), but to receive it, they must pay a fee (“transfer fee” or “handling fee”). Here’s a simple example:

Note the use of gift cards – criminals can’t use the standard international bank transfer system (Swift) as their funds would be blocked very quickly, and asking normal users to transfer crypto currency is also a dead giveaway – thus, the gift card request, a very common tactic.

A second clue in this email is the poor use of grammar and English, which is always a sign of something fishy but will likely be less prevalent in the coming months as generative AI tools become commonplace. Does this email really sound like it would have been sent by someone at JP Morgan Chase bank with the last name Angel?

Next is the phishing category, starting with a spoofing email. Spoofing is using various techniques to make it appear as if the email is coming from one sender when, in fact, it’s sent from an attacker’s email address. In this example that’s American Express, amex.com. This email also employs the tactic of making the entire email into an image, to make it harder for anti-spam engines which analyze text. Having SPF and DMARC records in place will block this particular spoofing technique.

The link shown in the image isn’t the one that an unwary user will open if they click it, which is why it’s important to train users to hover over suspicious links before clicking them (which is easier on computers than on smartphones).

Humans, including security experts, are poor at identifying malicious URLs (because they were never designed to be an indication of trustworthiness), but the fact that the link text you’re seeing on the screen doesn’t match the actual link target is enough to know that it’s a scam.

If you do click, you’re taken to a phishing page with a sign-in prompt, which looks like it’s an American express site.

Note the scroll bars however, it’s a webpage, made to look like a browser (within the real browser), which you can tell from the scroll bars on the right and at the bottom. Again, the actual domain that the victim is entering their credentials into isn’t the one shown on the page.

Another flavor is impersonation, the email below again purports to be from American Express, but the sender is secureAmex@wsfax.com, whilst the display name of the sender is “American Express”. This email isn’t about triggering greed, but rather concern about the “important information” relating to your account.

Here’s another one from Canada Revenue Agency / Agence du revenu du Canada, again with the actual sending email address being different. This one appeals to greed, with the promise of a refund, clicking the link leads to a credential harvesting page.

We have all become accustomed to receiving a lot of packages, and after the Covid-19 pandemic, it has become ubiquitous. In our data, DHL has been the leading company impersonated for a long time, but they were recently replaced by Fedex.

Here are two examples of DHL impersonation emails where the display name doesn’t match the sending email address, with links to click to “update your address”. Note the misspelt word “Packagging” as well as using “Hello Dear” as an introduction, unlikely from a shipping company.

Phishing emails frequently use attachments to spring their trap; here’s one purporting to be from DocuSign.

The PDF attachment, obviously not a scanned fax page, looks like a DocuSign document – clicking the link for View Pending Document will lead to a phishing page. The use of a DocuSign-looking page is appealing to the familiarity of the process. many of us are asked to electronically sign documents using DocuSign, so we’re less likely to be suspicious of this request.

As mentioned, QR codes have become very popular in phishing emails. There are two reasons for this: firstly, email hygiene solutions were slow to incorporate technology to spot these in emails, scanning the code, following the link, and inspecting the target web page for signs of maliciousness. Hornetsecurity has had QR code scanning in place since early 2023.

Secondly, and possibly the reason why we’re still seeing large volumes of malicious emails with QR codes, is that they move the attack from an often managed, locked down, secured computer endpoint, where most business users read their emails, to a personal smartphone with minimal protection.

Scanning a QR code with your smartphone is second nature for most of us, especially as their use in society is so common, and people don’t expect a bad result from doing it.

Here are three examples of phishing emails with QR codes as the link instead of the traditional weblink or button to lure a victim.

This QR code leads to a phishing site where the victim enters their credentials to “update their password” but instead, they hand over their username and password for criminals to use in further attacks.

This second example is similar but focuses on the victim updating the Multi-Factor Authentication (MFA) which is about to expire. Note the misspelling of “mult-factor”.

The urgency of this email, with the 24-hour deadline, is again creating a sense that the user must do something about this now or risk losing access and not being able to do their job.

Both of these are particularly insidious because the legitimate set-up process for MFA with Microsoft Entra ID, either with Microsoft’s Authenticator app or a third-party app, involves scanning a QR code. It’ll seem quite normal for end-users to scan a QR code again as part of MFA.

Key here is education of the business staff by the IT / security teams. If there are no legitimate business processes that involve scanning QR codes sent through emails, it is essential to inform everyone to avoid scanning any QR code that they receive in an email.

Additionally, it is recommended to follow up with Security Awareness training, including simulated phishing emails, to test staff and help them sharpen their instincts.

If you do have legitimate business processes that involve QR codes, look to see if they can be sent in some other way than via email, and if they can’t, clarify to everyone that this process does use QR codes, and here’s how that flow works, but don’t scan any outside of this procedure.

This last example introduces a wrinkle with the QR code being blue on a red background, no doubt to bypass email hygiene solutions (Hornetsecurity ATP isn’t fooled and caught these). Note the clumsy grammar “failure to secure your update Mailbox will lead to deactivation”.

If you scan the QR code you’re taken to a credential harvesting page, gathering Microsoft login credentials.

The key in all these examples to convey to your staff is to be aware of triggering emotions, unusual requests, unusual processes (this isn’t how I normally reset my password), bad spelling and grammar and for QR codes, don’t scan them unless it’s part of a known business process.

Phishing remains the number one attack vector for criminals to establish a foothold in your organization. Even in this day and age of Teams, Slack and their cousins being used for collaboration and communication, email remains the most common way to exchange information with people outside an organization.

And it’s got inertia because it’s been there for so many decades, and everyone knows how to use email, both in their personal and work lives.

This also makes it the perfect channel for the bad guys to “show up in front of” your users, masquerading as someone trustworthy.

At the lowest level this involves impersonating a trusted company – DHL / Fedex (“we’re delivering a parcel and need you to click here to validate the address”), or your bank / credit card company (“click here to validate this anomalous transaction we’ve flagged”).

And of course, there’s the OG phishing scam – “I’m a Nigerian prince with money to give away and I just need you to help me out with the transfer”. These are sent in bulk because even if only 1 in 1,000 makes it through to a user’s inbox and only 1 in 1,000 clicks it, for each million I send, I get one hit.

Stepping it up a bit are more customized campaigns, targeting specific countries or regions, with specific lures related to current affairs and impersonating companies more likely to be trusted by the recipients in that geography.

Finally, we have spear phishing with highly customized lures, sent in much smaller volumes but where criminals have done their homework and use people and companies that your users are already collaborating with, ensuring a much higher success rate.

In all cases – if a user falls for the lure and clicks the link, or downloads the attachment, or enters their login details on the fake sign-in page, the consequences can be dire.

That single click or download can be the start of a major incident. In cybersecurity we talk about the kill chain, the steps an attacker must take to achieve their end goal, which could be theft of your intellectual property, or encryption of all files in a ransomware attack.

There are many variants, and depending on the attacker and the target, not all steps are required but generally they start with Reconnaissance to understand your business and what lures are most likely to generate a click (and your revenue to know how much they can demand in ransom for your files / systems).

This is followed by Compromise, gaining that first foothold, Moving Laterally to compromise other user accounts and systems, achieving control over the environment (“Domain dominance”), Exfiltration of data so that you can be further incentivized to pay the attacker to not have your data leaked. And if it’s a ransomware attack, this is followed by the actual encryption of your files.

And all from that single click by a user – which is why phishing is such an important attack vector to understand and defend against.

Out of the 45 billion emails analyzed  in Hornetsecurity’s Cybersecurity Report 2024, 36.4% were labelled unwanted. Out of this third, 96.4% were spam, with 3.6% classified as malicious.

In this slice of malicious emails, phishing took the top spot at 43.3% (a 4% increase over the previous year) followed by 30.5% emails with malicious URLs (an 18% increase over the previous 12 months). Where there were malicious attachments, the most common was HTML files (37.1%), followed by PDFs (23.3%) and then archives such as ZIP files at 20.8%.

All email hygiene systems follow the same basic architecture. Start by filtering out emails coming from known bad email servers and known bad domains by just refusing the connection.

Then, look at the DNS records (SPF – Sender Policy Framework, DMARC – Domain-based Message Authentication, Reporting and Conformance, and DKIM – DomainKeys Identified Mail) to filter out suspicious senders. Emails that make it through these first gates are then scanned by multiple anti-malware engines to spot any known viruses and filter those out.

In Hornetsecurity’s case, this is followed by Advanced Threat Protection, which inspects each email and its attachments in a sandbox, opening the files to look for any suspicious actions they perform, and using Machine Learning (ML) and over 500 signals to provide a verdict if the file / email is legitimate or not.

And if we later identify an email as malicious after delivery we can reach into any mailboxes where it has already been delivered and delete it.

This is an ongoing arms race, with attackers adjusting their tactics, types of attachment, obfuscating the malicious code and so forth, all to avoid detection. Our Security Lab experts, together with the ever-learning ML model tweak our detections to stop as close to 100% of all malicious emails as possible.

However, no system will catch every single bad message, and this is where the cybersecurity concept of defense in depth comes in.

In any complex IT system, you want to have multiple layers of protection, so that if the attackers penetrate one, they still have others to get through before they get to their prize. In this case, that’s your “human firewalls”, trained staff who know what signs to look for with their sharpened instincts.