Email security is still evolving: Understanding new threats and defensive measures

Email technology has weathered countless changes yet remains a cornerstone of communication. However, its widespread use and inherent reliability make it an attractive target for cybercriminals, driving them to devise new and sophisticated attacks. Mike Britton, CISO at Abnormal Security, analyses the landscape of current threats and how CISOs can prepare for the next wave.

Mike Britton, CISO, Abnormal Security

Despite being around for decades, email has hardly changed since its inception. Aside from the move from on-prem to cloud, the average business in 2024 is likely using email broadly the same way as when it first started, and it continues to be the top digital communications tool across all industries. 

However, email’s ubiquity also means it remains a top target for cybercriminals. Not only is it the broadest and easiest way to target employees, but it’s also inherently trusted, which makes it the perfect channel for delivering social engineering attacks.

Our research found that the volume of phishing attacks targeting organisations in the US increased by 112.4% over the last year, with a 91.5% increase for European enterprises.

But it’s no longer just traditional phishing attacks that are on the rise. The increasing adoption of cloud-based services, SaaS applications and other emerging technologies like Generative AI has further complicated the email landscape, introducing a variety of new and sophisticated email attack tactics.

Email isn’t going away anytime soon and if it remains a central element of business communication, it will be essential to keep track of shifting attack trends. 

How email attacks are evolving

Cybercriminals are constantly changing their attack methods to evade detection and will often exploit legitimate technologies to disguise their activity.

For example, we have recently seen a substantial rise in file-sharing phishing attacks, whereby threat actors use popular file-hosting or e-signature solutions – like Dropbox or Docusign – as a disguise to manipulate their targets into revealing private information or downloading malware.

The consumerisation of SaaS has been an asset to the criminal world, where attackers can exploit free trials and freemium models to launch these kinds of attacks without exposing their true identities. 

The increased accessibility of AI is another factor which complicates the threat landscape. Commercial LLM tools like ChatGPT can now be used to quickly write personalised and perfectly written phishing emails, free of the typos, grammatical errors and unnatural language that once characterised these attacks. By weaponising Generative AI tools, threat actors have made it even harder for both humans and traditional email security systems to detect malicious intent.

Leveraging AI isn’t the only way that cybercriminals are improving their efficiency. There has also been a rise in Phishing-as-a-Service (PhaaS), where cybercriminal groups offer subscription-based services that make launching phishing campaigns easier and more cost-effective for other threat actors.

Just as businesses might outsource their email marketing, this commodification of phishing has lowered the barriers to entry, enabling even less skilled attackers to execute successful campaigns with minimal effort.

In addition, Vendor Email Compromise (VEC) attacks have also surged. Recent data from Abnormal Security reveals that 89% of organisations have encountered a VEC attack in the past year. These social engineering attacks exploit trusted relationships within supply chains, where attackers spoof or compromise a vendor’s email account to impersonate them and target other businesses. 

This strategy is particularly effective because it leverages the pre-existing trust between the target and their vendor, making email attacks unlikely to raise alarms. While organisations may be confident in their own security, in reality, they may only be as secure as their weakest vendor.

Defensive strategies are keeping up  

Many of these attack tactics have evolved specifically to counter mainstay email defences such as traditional Secure Email Gateways (SEGs), which rely on detecting known threat signatures, like malicious attachments and links. However, by leveraging modern social engineering tactics that intentionally omit these traditional indicators of compromise, attackers are easily able to bypass SEG detection.

Fortunately, there has been some significant progress by the email security technology market to counter this. 

The integration of behavioural analysis and AI in email security solutions is one of the most notable shifts we’ve seen in recent years. Unlike traditional methods that rely on content or domain-based filtering, these advanced systems analyse communication patterns and behaviours within an organisation. 

By establishing a baseline for normal behaviour, AI-driven solutions can identify anomalies that suggest potential threats. This approach is particularly effective in detecting advanced attacks like BEC and VEC that often rely on mimicking legitimate correspondence.

AI excels at crunching through large volumes of data quickly to spot patterns, which means these tools can detect even the subtlest signs of phishing and other malicious activities. For instance, even if an email is not malicious, Machine Learning algorithms can flag it for closer examination if an employee’s communication suddenly changes in tone or content, or if an unfamiliar sender tries to impersonate a trusted contact. This proactive approach significantly reduces the likelihood of malicious emails reaching users’ inboxes.
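As an added illustration (not code from the article, Abnormal Security or any product), the Python sketch below shows the baseline idea in its simplest form: learn which addresses each display name normally uses, then flag a message where a known name arrives from a new address or from a near-match domain. It is a rule-based stand-in for the Machine Learning models described above; the function names, thresholds and sample headers are all constructed assumptions.

```python
from collections import defaultdict
from email.utils import parseaddr

# Constructed sample history: From headers previously seen by one mailbox.
HISTORY = [
    "Dana Reyes <dana.reyes@acme-supplies.example>",
    "Dana Reyes <dana.reyes@acme-supplies.example>",
    "Accounts Payable <ap@northwind.example>",
    "Lee Okafor <lee@northwind.example>",
]

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def build_baseline(from_headers):
    """Map each display name to the addresses it has used; collect known domains."""
    names, domains = defaultdict(set), set()
    for header in from_headers:
        name, addr = parseaddr(header)
        addr = addr.lower()
        names[name.strip().lower()].add(addr)
        domains.add(addr.rpartition("@")[2])
    return names, domains

def score_sender(from_header, baseline):
    """Return the anomaly reasons for one incoming From header (empty = normal)."""
    names, domains = baseline
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.lower()
    domain = addr.rpartition("@")[2]
    reasons = []
    known_addrs = names.get(name, set()) if name else set()
    if known_addrs and addr not in known_addrs:
        reasons.append("known display name, new address")
    if domain not in domains:
        # Assumed threshold: up to 2 character edits from a known domain.
        near = [d for d in domains if 0 < edit_distance(domain, d) <= 2]
        reasons.append("lookalike domain" if near else "first-time domain")
    return reasons
```

A production system would combine many more signals (tone, timing, request type) and learn its thresholds per mailbox, but the flow is the same: baseline first, then score deviations.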

However, we find defensive strategies often move much more slowly than offensive ones, and many organisations still rely on traditional tools that are increasingly inadequate for the job. While solutions like SEGs will keep out large volumes of basic email scams and spam, they are at a growing risk of being bypassed by more advanced attacks. 

Preparing for the next wave of email threats  

There can be a tendency to see email as an ‘outdated’ threat, leading to complacency among organisations, which may prioritise risks perceived to be more modern, such as cloud and AI security. To effectively counter email threats, organisations must shift this mindset and continue to prioritise email security measures. If email remains a primary mode of business operations, it will also remain one of the most significant security risks they face.

The future of email security will be shaped by the ongoing evolution of attacker tactics. One area to watch closely is the continued growth of AI-driven attacks. Most attackers have yet to go beyond scratching the surface of AI, as traditional methods continue to yield high returns.

This will change as the return on investment (ROI) for older tactics declines, pushing cybercriminals towards more innovative strategies. To stay ahead, organisations must focus on innovation in email security, prioritising proactive measures like behavioural analysis and AI-enhanced threat detection.

Ultimately, transitioning from reactive to proactive strategies will be crucial. Organisations must invest in tools that anticipate and neutralise threats before they hit employee inboxes. Many businesses put their stock in email security awareness training, and while this is useful, it should be the last line of defence, not the first. The key is to stop attacks from ever reaching their intended victims. 

As email continues to serve as a primary attack vector, CISOs and security teams must adopt new technologies and foster a culture of continuous improvement to avoid falling victim to the next wave of email-based attacks.
