Dark Reading is part of the Informa Tech Division of Informa PLC

How Many Layers Does Your Email Security Need?

At least one more layer than the attacker can defeat. Here's how to improve your odds by turning on little-used or newer capabilities to block email-targeted malware.

Most IT people find email gateways justifiably boring. They’ve been around almost as long as email, after all. Everybody has one. You probably only notice them when they miss obvious spam or block legitimate mail. For everything else, you probably figure email gateways are all pretty much the same, and as long as you have checked the box, you are free to think about something else. Out of sight, out of mind, right?

The only problem is, that’s likely completely wrong.

If your email gateway rarely catches your attention, it’s likely because it is so easily and completely fooled by targeted threats that it never lets out a whimper. Ask yourself this: how would you know if your email gateway was missing new custom malware?

Consider the current state of the threat environment your email gateway faces. In addition to phishing and mass malware attacks distributed via botnets -- which are pretty easy to see and interdict at the gateway -- we have targeted attacks using new malware. According to the 2016 Trustwave Global Security Report (registration required), 54% of inbound email is classified as spam, down from 85% in 2010. Cybercriminals have realized that email gateways are quite capable of blocking generic spam and have moved to different techniques, including targeted attacks. Targeted attacks are tuned precisely to evade the traditional methods most email gateways use to block unknown malware:

● AV engines may miss attacks that use new or highly obfuscated malware, for which no signature exists.

● Spam filters may miss attacks that are one-off or low volume, or that have few suspicious traits to analyze.

● Sender reputation filters often miss attacks that come from newly created or spoofed email addresses, or from IP addresses with no "bad" history.

● Blanket policy rules that block all unusual and risky attachment types (such as .EXE and .LNK) cannot be applied to the malicious .DOC, .PDF, .XLS, and .PPT files favored by targeted attacks, because these are common business documents.

● URL filters may miss attacks because the malicious URL is hidden inside a PDF file, or inside macros within document files.

● Web scanners are sometimes evaded by sending a URL that is harmless at delivery time and placing malicious content behind it only after the message has passed the gateway.

Even newer methods such as sandboxes are limited in their protection against targeted malware. Unfortunately, targeted malware often contains countermeasures that delay execution or prevent discovery in a virtual machine environment.

Let’s return to the earlier question: “How would you know if your email gateway was missing new malware?” There are several methods of varying efficacy. You might have endpoint whitelisting that spots something unusual. An Endpoint Detection and Response (EDR) solution is another method growing in popularity. Or perhaps you get breached, and a forensic investigation traces the intrusion back to the patient-zero compromised user account and the date and time of compromise.

The news isn’t all bad. There are some advanced techniques that secure email gateways can use to block obfuscated, targeted PDF and Microsoft Office docs. No single technique is completely effective, but the more of these you can leverage, the better your chances.

First off, Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) are designed to validate the identity of the sender, protecting against spoofed emails that appear to come from a friendly sender. However, very few organizations bother to turn these capabilities on. Be sure to use the same technologies for the email you send as well.
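To make the sender-validation step concrete, here is an added example (not code from the article or from any product) of how a receiving gateway evaluates SPF and applies a DMARC policy. The DNS records, domains and IP addresses are constructed and read from an in-memory table instead of live DNS; only the ip4, include and all SPF mechanisms are handled, and the DKIM result is passed in as an already-verified signing domain rather than computed.

```python
import ipaddress

# Constructed DNS TXT records standing in for live lookups (example domains, not real ones).
DNS_TXT = {
    "example.test": ["v=spf1 ip4:203.0.113.0/24 include:mailer.example.test -all"],
    "mailer.example.test": ["v=spf1 ip4:198.51.100.10 ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, depth=0):
    """Evaluate the domain's SPF record against the connecting IP (ip4, include, all only)."""
    records = [r for r in DNS_TXT.get(domain, []) if r.startswith("v=spf1")]
    if depth > 10 or len(records) > 1:   # include loop or duplicate records: permanent error
        return "permerror"
    if not records:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qualifier]
        if mech.startswith("include:") and check_spf(mech[8:], sender_ip, depth + 1) == "pass":
            return QUALIFIERS[qualifier]
    return "neutral"   # nothing matched and no explicit "all" term

def dmarc_policy(domain):
    """Return the p= policy from _dmarc.<domain>, or None if no DMARC record is published."""
    for record in DNS_TXT.get("_dmarc." + domain, []):
        if record.startswith("v=DMARC1"):
            tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
            return tags.get("p", "none")
    return None

def evaluate(header_from, envelope_from, sender_ip, dkim_verified_domain=None):
    """DMARC check: SPF or DKIM must pass AND the passing domain must align with From:."""
    spf = check_spf(envelope_from, sender_ip)
    spf_aligned = spf == "pass" and envelope_from == header_from
    dkim_aligned = dkim_verified_domain == header_from
    policy = dmarc_policy(header_from) or "none"
    verdict = "pass" if spf_aligned or dkim_aligned else "fail"
    # On "fail" the receiver applies the From: domain's published policy (none/quarantine/reject).
    return verdict, spf, policy
```

A spoofed message from an unlisted IP, or one whose envelope sender does not align with the visible From: domain, fails and is handled under the published p=reject policy.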

Secondly, your gateway needs to extract and explode every element of an email attachment so it can deeply analyze it for malicious intent. Executables and macros may be hidden inside Office documents; buffer overflow exploits may be hidden inside PDFs, or JavaScript inside a .ZIP file. Deep analysis rules can then score all the traits of a file for risk. Risk points can be assigned for hundreds of reasons, including the presence of obfuscation techniques, encryption, known exploits, and buffer overflows. This builds a statistical picture of a file’s malicious intent and can block never-before-seen malware. In many ways, this is more robust than sandboxing because it does not depend on a fragile environment or on the finicky timing of file execution. Also, the very techniques used to evade or obfuscate end up exposing the malware to deep analysis rules.
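The following is an added example (not the article's or any vendor's engine) of the explode-and-score approach: it unpacks a PDF or zip-based attachment, recursing into nested containers, collects risky traits, and adds up risk points against a block threshold. The trait weights and threshold are constructed for illustration, and the two sample attachments are built in memory.

```python
import io
import re
import zipfile

# Illustrative risk weights per trait (constructed for this example, not a vendor's scale).
RISK_WEIGHTS = {"pdf_javascript": 40, "pdf_openaction": 25, "office_vba_macro": 45, "office_external_link": 20}
BLOCK_THRESHOLD = 60

def extract_traits(data):
    """Explode a PDF or zip-based attachment and collect the risky traits it carries."""
    traits = set()
    if data.startswith(b"%PDF"):
        if re.search(rb"/JavaScript|/JS\b", data):   # embedded script action
            traits.add("pdf_javascript")
        if b"/OpenAction" in data or b"/AA" in data:  # action runs automatically on open
            traits.add("pdf_openaction")
    elif data.startswith(b"PK"):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            is_office = "[Content_Types].xml" in names  # OOXML package rather than a plain zip
            for name in names:
                low, member = name.lower(), z.read(name)
                if is_office and low.endswith("vbaproject.bin"):  # VBA macro storage
                    traits.add("office_vba_macro")
                if is_office and low.endswith(".rels") and b'TargetMode="External"' in member:
                    traits.add("office_external_link")  # relationship pointing outside the file
                if member.startswith((b"%PDF", b"PK")):  # nested document or archive: recurse
                    traits |= extract_traits(member)
    return traits

def score(data):
    """Return (risk points, traits found, verdict) for one attachment."""
    traits = sorted(extract_traits(data))
    points = sum(RISK_WEIGHTS[t] for t in traits)
    return points, traits, "block" if points >= BLOCK_THRESHOLD else "allow"

def build_samples():
    """Constructed inputs: a PDF that runs JavaScript on open, and a macro-enabled docx inside a zip."""
    pdf = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
           b"2 0 obj << /S /JavaScript /JS (x) >> endobj\n%%EOF\n")
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
        z.writestr("word/_rels/document.xml.rels", '<Relationship TargetMode="External"/>')
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:  # wrap the docx in a plain zip to exercise recursion
        z.writestr("invoice.docx", docx.getvalue())
    return pdf, outer.getvalue()
```

A real engine would parse PDF object streams and OLE storage properly rather than pattern-matching raw bytes, but the shape (unpack everything, score traits, decide on the total) is the same.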

Finally, it is essential to ensure that URLs are scanned at time of click. In practical terms, this means that URLs contained in emails must be rewritten as pointers that force them through a cloud-based web gateway whenever they are clicked. This ensures a security scan at any time, and on any device the recipient uses to read email, including mobile devices.
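Here is an added example (not the article's or any vendor's code) of the rewriting step and the click-time check it enables: each link in the message body is replaced by a pointer to a hypothetical gateway carrying the original URL, the recipient, an issue time and an HMAC, and the gateway verifies the HMAC and scans the destination at click time instead of trusting a delivery-time verdict. The gateway address, signing key, scan callback and sample message are assumptions constructed for this example.

```python
import hashlib
import hmac
import re
import time
from urllib.parse import quote, unquote

# Hypothetical click-time gateway and signing key, assumed for this example only.
GATEWAY = "https://click.gateway.example/scan"
SIGNING_KEY = b"constructed-example-key-rotate-in-production"
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

def _mac(url, recipient, issued):
    """Bind destination, recipient and issue time together so none can be altered in transit."""
    msg = f"{url}|{recipient}|{issued}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def rewrite_url(url, recipient, issued):
    """Replace one link with a gateway pointer carrying the original URL and its MAC."""
    return (f"{GATEWAY}?u={quote(url, safe='')}&r={quote(recipient, safe='')}"
            f"&t={issued}&s={_mac(url, recipient, issued)}")

def rewrite_body(body, recipient, issued=None):
    """Delivery side: rewrite every http(s) link in a plain-text body for one recipient."""
    issued = int(time.time()) if issued is None else issued
    return URL_RE.sub(lambda m: rewrite_url(m.group(0), recipient, issued), body)

def resolve_click(query, scan):
    """Gateway side: verify the MAC, then scan the destination now, at click time."""
    params = dict(p.split("=", 1) for p in query.split("&"))
    url, recipient, issued = unquote(params["u"]), unquote(params["r"]), params["t"]
    if not hmac.compare_digest(params["s"], _mac(url, recipient, issued)):
        return "reject", "tampered link"          # pointer was altered after rewriting
    if scan(url) == "malicious":                  # content behind the URL changed since delivery
        return "block", url
    return "redirect", url

# Constructed sample message; the link is harmless at delivery time.
SAMPLE_BODY = "Your invoice is ready at http://docs.example.test/inv/42 - thanks"
```

Because the verdict is computed when the recipient clicks, a link that was clean at delivery but later points at malicious content is still blocked, which is the evasion the web-scanner bullet above describes.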

So, how many layers does your email security need?

Email is a hotbed of hacking innovation. Traditional or incompletely implemented secure email gateways make you vulnerable to targeted attacks. Organizations can improve their odds markedly by turning on little-used or newer capabilities to block targeted malware.

You always need at least one more layer of email security than the attacker can defeat.

Chris Harget is a 20-year veteran in the IT security industry as a product manager and product marketing manager for leading innovators such as Trustwave, Blue Coat, Citrix and McAfee. He has trained thousands of technology professionals on desktop, network, email, web and ...

User Rank: Author
6/6/2016 | 3:33:47 PM
Re: Could you send that email again? I never got it.
Lots of useful tactics in your comment.

Blocking all attachments goes too far, for most users we talk to.

Too much of their business (with insiders and outsiders) uses email to send docs. Add in the risk of email account takeover of a trusted business partner, and they really need a way to deeply scan Office docs and PDFs for new, one-off, targeted malware.
User Rank: Ninja
6/6/2016 | 1:55:39 PM
Could you send that email again? I never got it.
Here are just a few things your email gateway should include...

Challenge / Response
Reject All File Attachments
Strip HTML
Strip URLs
Spoof Filtering
Reverse DNS Mismatch Check
GeoIP Filtering
Word-based Filtering
SPF Filtering
Heuristic Filtering
Bayesian Filtering
MX Lookup Verification
MIME Header Check
IP Reputation Check
Open Relay Check
Signature Matching

Joe Stanganelli
User Rank: Ninja
6/6/2016 | 12:03:45 PM
The spam industry
"According to the 2016 Trustwave Global Security Report (registration required), 54% of inbound email is classified as spam, down from 85% in 2010. Cyber criminals have realized that email gateways are quite capable of blocking generic spam and have moved to different techniques, including targeted attacks."

I wouldn't say that that's the only -- or even the most significant -- cause.  I think it has more to do with how the spamming industry has changed dramatically over the past six years, being whittled to a shadow of its former self by in-fighting and better enforcement.  Brian Krebs has written on this in depth in his book, Spam Nation.