
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/">
    <channel>
        <title><![CDATA[ The Cloudflare Blog ]]></title>
        <description><![CDATA[ Get the latest news on how products at Cloudflare are built, technologies used, and join the teams helping to build a better Internet. ]]></description>
        <link>https://blog.cloudflare.com</link>
        <atom:link href="https://blog.cloudflare.com/" rel="self" type="application/rss+xml"/>
        <language>en-us</language>
        <image>
            <url>https://blog.cloudflare.com/favicon.png</url>
            <title>The Cloudflare Blog</title>
            <link>https://blog.cloudflare.com</link>
        </image>
        <lastBuildDate>Sat, 04 Apr 2026 14:42:04 GMT</lastBuildDate>
        <item>
            <title><![CDATA[How sophisticated scammers and phishers are preying on customers of Silicon Valley Bank]]></title>
            <link>https://blog.cloudflare.com/how-sophisticated-scammers-and-phishers-are-preying-on-customers-of-silicon-valley-bank/</link>
            <pubDate>Tue, 14 Mar 2023 23:11:35 GMT</pubDate>
            <description><![CDATA[ In order to breach trust and trick unsuspecting victims, threat actors overwhelmingly use topical events as lures. The news about what happened at Silicon Valley Bank is the latest event to watch out for and stay vigilant against opportunistic phishing campaigns using SVB as the lure ]]></description>
            <content:encoded><![CDATA[ <p></p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2K9Pq73I7we9IQNaqEV9Yk/dae023389b8cbdc00e8202d96378098c/SVB---Banking-Phishing.png" />
            
            </figure><p>By now, the news about what happened at Silicon Valley Bank (SVB) leading up to its <a href="https://www.cnn.com/2023/03/11/business/svb-collapse-roundup-takeaways/index.html">collapse</a> and takeover by the US Federal Government is well known. The rapid speed with which the collapse took place was surprising to many and the impact on organizations, both large and small, is expected to last a while.</p><p>Unfortunately, where everyone sees a tragic situation, threat actors see opportunity. We have seen this time and again - in order to breach trust and trick unsuspecting victims, threat actors overwhelmingly use topical events as lures. These follow the news cycle or known high profile events (The Super Bowl, March Madness, Tax Day, Black Friday sales, COVID-19, and on and on), since there is a greater likelihood of users falling for messages referencing what’s top of mind at any given moment.</p><p>The SVB news cycle makes for a similarly compelling topical event that threat actors can take advantage of; and it's crucial that organizations bolster their awareness campaigns and technical controls to help counter the eventual use of these tactics in upcoming attacks. It’s tragic that even as the FDIC is guaranteeing that SVB customers’ money is safe, bad actors are attempting to steal that very money!</p>
    <div>
      <h3>Preemptive action</h3>
      <a href="#preemptive-action">
        
      </a>
    </div>
    <p>In anticipation of future phishing attacks taking advantage of the SVB brand, <a href="/introducing-cloudforce-one-threat-operations-and-threat-research/">Cloudforce One</a> (Cloudflare’s threat operations and research team) significantly increased our brand monitoring focused on SVB’s digital presence starting March 10, 2023 and launched several additional detection modules to spot SVB-themed phishing campaigns. All of our customers taking advantage of our various <a href="https://www.cloudflare.com/zero-trust/solutions/email-security-services/">phishing protection services</a> automatically get the benefit of these new models.</p><p>Here’s an example of a real campaign involving SVB that has been under way since the bank was taken over by the FDIC.</p>
    <div>
      <h3>KYC phish - DocuSign-themed SVB campaign</h3>
      <a href="#kyc-phish-docusign-themed-svb-campaign">
        
      </a>
    </div>
    <p>A frequent tactic used by threat actors is to mimic ongoing KYC (Know Your Customer) efforts that banks routinely perform to validate details about their clients. This is intended to protect financial institutions against fraud, money laundering and financial crime, amongst other things.</p><p>On March 14, 2023, Cloudflare detected a large KYC phishing campaign leveraging the SVB brand in a DocuSign themed template. This campaign targeted Cloudflare and almost all industry verticals. Within the first few hours of the campaign, we detected 79 examples targeting different individuals in multiple organizations. Cloudflare is publishing one specific example of this campaign along with the tactics and observables seen to help customers be aware and vigilant of this activity.</p>
    <div>
      <h3>Campaign Details</h3>
      <a href="#campaign-details">
        
      </a>
    </div>
    <p>The phishing attack shown below targeted Matthew Prince, Founder &amp; CEO of Cloudflare, on March 14, 2023. It included HTML code that contains an initial link and a complex redirect chain that is four-deep. The chain begins when the user clicks the ‘<i>Review Documents</i>’ link. It takes the user to a trackable analytic link run by Sizmek by Amazon Advertising Server at bs[.]serving-sys[.]com. The link then further redirects the user to a Google Firebase Application hosted on the domain na2signing[.]web[.]app. The na2signing[.]web[.]app HTML subsequently redirects the user to a WordPress site which is running yet another redirector at eaglelodgealaska[.]com. After this final redirect, the user is sent to an attacker-controlled docusigning[.]kirklandellis[.]net website.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5CUrJjdOU6E91EhkVvJ97S/2539df0907ea0b9f546b5b4507ec99f7/Screenshot-2023-03-14-at-10.11.01.png" />
            
            </figure><p>Campaign Timeline</p>
            <pre><code>2023-03-14T12:05:28Z		First Observed SVB DocuSign Campaign Launched
2023-03-14T15:25:26Z		Last Observed SVB DocuSign Campaign Launched</code></pre>
            
    <div>
      <h3>A look at the HTML file Google Firebase application (na2signing[.]web[.]app)</h3>
      <a href="#a-look-at-the-html-file-google-firebase-application-na2signing-web-app">
        
      </a>
    </div>
    <p>The included HTML file in the attack sends the user to a WordPress instance that has recursive redirection capability. As of this writing, we are not sure if this specific WordPress installation has been compromised or a plugin was installed to open this redirect location.</p>
            <pre><code>&lt;html dir="ltr" class="" lang="en"&gt;&lt;head&gt;
    &lt;title&gt;Sign in to your account&lt;/title&gt;
    
    &lt;script type="text/javascript"&gt;
    window.onload = function() {
        function Redirect (url){
            window.location.href = url;
        }
        var urlParams = new URLSearchParams(window.location.href);
        var e = window.location.href;
        
       
        Redirect("https://eaglelodgealaska[.]com/wp-header.php?url="+e);
    }
&lt;/script&gt;
</code></pre>
            
    <div>
      <h3>Indicators of Compromise</h3>
      <a href="#indicators-of-compromise">
        
      </a>
    </div>
    
            <pre><code>na2signing[.]web[.]app	Malicious Google Firebase Application.
eaglelodgealaska[.]com	Possibly compromised WordPress website or an open redirect.
*[.]kirklandellis[.]net	Attacker Controlled Application running on at least docusigning[.]kirklandellis[.]net.</code></pre>
            
    <div>
      <h3>Recommendations</h3>
      <a href="#recommendations">
        
      </a>
    </div>
    <ol><li><p>Cloudflare Email Security customers can determine if they have received this campaign in their dashboard with the following search terms:</p><p><code>SH_6a73a08e46058f0ff78784f63927446d875e7e045ef46a3cb7fc00eb8840f6f0</code></p><p>Customers can also track IOCs related to this campaign through our Threat Indicators API. Any updated IOCs will be continually pushed to the relevant API endpoints.</p></li><li><p>Ensure that you have appropriate DMARC policy enforcement for inbound messages. Cloudflare recommends <b>[p = quarantine]</b> for any DMARC failures on incoming messages at a minimum. SVB’s DMARC records [<code>v=DMARC1; p=reject; pct=100</code>] explicitly state rejecting any messages that impersonate their brand and are not being sent from SVB’s list of designated and verified senders. Cloudflare Email Security customers will automatically get this enforcement based on SVB’s published DMARC records. For other domains, or to apply broader DMARC based policies on all inbound messages, Cloudflare recommends adhering to ‘Enhanced Sender Verification’ policies across all inbound emails within their <a href="https://developers.cloudflare.com/email-security/email-configuration/email-policies/">Cloudflare Area 1 dashboard</a>.</p></li><li><p>Cloudflare Gateway customers are automatically protected against these malicious URLs and domains. Customers can check their logs for these specific IOCs to determine if their organization had any traffic to these sites.</p></li><li><p>Work with your phishing awareness and training providers to deploy SVB-themed phishing simulations for your end users, if they haven’t done so already.</p></li><li><p>Encourage your end users to be vigilant about any ACH (Automated Clearing House) or SWIFT (Society for Worldwide Interbank Financial Telecommunication) related messages. ACH &amp; SWIFT are systems which financial institutions use for electronic funds transfers between entities. 
Given their large-scale prevalence, ACH &amp; SWIFT phish are a frequent tactic leveraged by threat actors to redirect payments to themselves. While we haven’t seen any large-scale ACH campaigns utilizing the SVB brand over the past few days, that doesn’t mean they are not being planned or imminent. Here are a few example subject lines to be aware of that we have seen in similar payment fraud campaigns:</p><p><i>“We’ve changed our bank details”<br/>“Updated Bank Account Information”<br/>“YOUR URGENT ACTION IS NEEDED -Important - Bank account details change”<br/>“Important - Bank account details change”<br/>“Financial Institution Change Notice”</i></p></li><li><p>Stay vigilant against look-alike or cousin domains that could pop up in your email and web traffic associated with SVB. Cloudflare customers have in-built new domain controls within their email &amp; web traffic which would prevent <a href="https://www.cloudflare.com/learning/email-security/what-is-email-fraud/">anomalous activity</a> coming from these new domains from getting through.</p></li><li><p>Ensure any public-facing web applications are always patched to the latest versions and run a modern Web Application Firewall service in front of your applications. The campaign mentioned above took advantage of WordPress, which is frequently used by threat actors for their phishing sites. If you’re using the Cloudflare WAF, you can be automatically protected from third party CVEs before you even know about them. Having an effective <a href="https://www.cloudflare.com/learning/ddos/glossary/web-application-firewall-waf/">WAF</a> is critical to preventing threat actors from taking over your public Web presence and using it as part of a phishing campaign, SVB-themed or otherwise.</p></li></ol>
    <div>
      <h3>Staying ahead</h3>
      <a href="#staying-ahead">
        
      </a>
    </div>
    <p>Cloudforce One (Cloudflare’s threat operations team) proactively monitors emerging campaigns in their formative stages and publishes advisories and detection model updates to ensure our customers are protected. While this specific campaign is focused on SVB, the tactics seen are no different from other similar campaigns that our global network sees every day and automatically stops before they impact our customers.</p><p>Having a blend of strong technical controls across multiple communication channels along with a trained and vigilant workforce that is aware of the dangers posed by digital communications is crucial to stopping these attacks from going through.</p><p>Learn more about how Cloudflare can help in your own journey towards comprehensive phishing protection by using our <a href="https://www.cloudflare.com/zero-trust-hub/">Zero Trust services</a> and reach out for a <a href="https://www.cloudflare.com/lp/emailsecurity/">complimentary assessment today</a>.</p> ]]></content:encoded>
            <category><![CDATA[Cloudflare One]]></category>
            <category><![CDATA[Phishing]]></category>
            <category><![CDATA[Malware]]></category>
            <category><![CDATA[Security]]></category>
            <category><![CDATA[Email Security]]></category>
            <guid isPermaLink="false">7b0pR9io6vgFmhNY2MJybq</guid>
            <dc:creator>Shalabh Mohan</dc:creator>
            <dc:creator>Blake Darché</dc:creator>
        </item>
        <item>
            <title><![CDATA[Introducing browser isolation for email links to stop modern phishing threats]]></title>
            <link>https://blog.cloudflare.com/email-link-isolation/</link>
            <pubDate>Mon, 20 Jun 2022 14:02:00 GMT</pubDate>
            <description><![CDATA[ As part of our exciting journey to integrate Area 1 into our broader Zero Trust suite, Cloudflare Gateway customers can soon enable Remote Browser Isolation for email links. With Email Link Isolation, gain an unmatched level of protection from sophisticated multi-channel email-based attacks ]]></description>
            <content:encoded><![CDATA[ 
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6YQ1f5ulfZD0daYx2dAfDk/2e897fb4a2f8b01f781b2fe0e37a31c8/image6-8.png" />
            
            </figure><p>There is an implicit and unearned trust we place in our email communications. This realization — that an organization can't truly have a Zero Trust security posture without including email — was the driving force behind <a href="/why-we-are-acquiring-area-1/">Cloudflare’s acquisition of Area 1 Security</a> earlier this year. Today, we have taken our first step in this exciting journey of integrating Cloudflare Area 1 email security into our broader Cloudflare One platform. Cloudflare Secure Web Gateway customers can soon enable <a href="https://www.cloudflare.com/learning/access-management/what-is-browser-isolation/">Remote Browser Isolation (RBI)</a> for email links, giving them an unmatched level of protection from modern multi-channel email-based attacks.</p><p>Research from Cloudflare Area 1 found that nearly 10% of all observed malicious attacks involved credential harvesters, highlighting that victim identity is what threat actors usually seek. While commodity phishing attacks are blocked by existing security controls, modern attacks and payloads don’t have a set pattern that can reliably be matched with a block or quarantine rule. Additionally, with the growth of multi-channel phishing attacks, an effective <a href="https://www.cloudflare.com/zero-trust/products/email-security/">email security solution</a> needs the ability to detect blended campaigns spanning email and Web delivery, as well as deferred campaigns that are benign at delivery time, but weaponized at click time.</p><p>When enough “fuzzy” signals exist, isolating the destination to ensure end users are secure is the most effective solution. Now, with the integration of <a href="https://www.cloudflare.com/products/zero-trust/browser-isolation/">Cloudflare Browser Isolation</a> into Cloudflare Area 1 email security, these attacks can be easily detected and neutralized.</p>
    <div>
      <h3>Human error is human</h3>
      <a href="#human-error-is-human">
        
      </a>
    </div>
    <p>Why do humans <a href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7005690/">still click</a> on malicious links? It’s not because they haven’t attended enough training sessions or are not conscious about security. It’s because they have 50 unread emails in their inbox, have another Zoom meeting to get to, or are balancing a four-year-old on their shoulders. They are trying their best. Anyone, <a href="https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/">including security researchers</a>, can fall for socially engineered attacks if the adversary is well-prepared.</p><p>If we accept that human error is here to stay, developing security workflows introduces new questions and goals:</p><ul><li><p>How can we reduce, rather than eliminate, the likelihood of human error?</p></li><li><p>How can we reduce the impact of human error when, not if, it happens?</p></li><li><p>How can security be embedded into an employee’s existing daily workflows?</p></li></ul><p>It’s these questions that we had in mind when we reached the conclusion that email needs to be a fundamental part of any <a href="https://www.cloudflare.com/zero-trust/solutions/">Zero Trust platform</a>. Humans make mistakes in email just as regularly — in fact, sometimes more so — as they make mistakes surfing the Web.</p>
    <div>
      <h3>To block, or not to block?</h3>
      <a href="#to-block-or-not-to-block">
        
      </a>
    </div>
    <p>For IT teams, that is the question they wrestle with daily to balance risk mitigation with user productivity. The <a href="https://www.cloudflare.com/learning/security/glossary/what-is-a-security-operations-center-soc/">SOC</a> team wants IT to block everything risky or unknown, whereas the business unit wants IT to allow everything not explicitly bad. If IT decides to block risky or unknown links, and it results in a false positive, they waste time manually adding URLs to allow lists — and perhaps the attacker later pivots those URLs to malicious content anyway. If IT decides to allow risky or unknown sites, best case they waste time reimaging infected devices and resetting login credentials — but all too commonly, they triage the damage from a data breach or <a href="/targeted-ransomware-attack/">ransomware</a> lockdown. The operational simplicity of enabling RBI with email — also known as email link isolation — saves the IT, SOC, and business unit teams significant time.</p>
    <div>
      <h3>How it works</h3>
      <a href="#how-it-works">
        
      </a>
    </div>
    <p>For a Cloudflare Area 1 customer, the initial steps involve enabling RBI within your portal:</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6DB66MqCc1WgkzVLqbgB0q/27ac7d5a7619a8992949742e89ac50bb/image5-8.png" />
            
            </figure><p>With email link isolation in place, here’s the short-lived life of an email with suspicious links:</p><p><b>Step 1:</b> Cloudflare Area 1 inspects the email and determines that certain links in the messages are suspicious or on the margin.</p><p><b>Step 2:</b> Suspicious URLs and hyperlinks in the email get rewritten to a custom Cloudflare Area 1 prefix URL.</p><p><b>Step 3:</b> The email is delivered to the intended inboxes.</p><p><b>Step 4:</b> If a user clicks the link in the email, Cloudflare redirects to a remote browser via <code>&lt;authdomain&gt;.cloudflareaccess.com/browser/{{url}}</code>.</p><p><b>Step 5:</b> Remote browser loads a website on a server on the Cloudflare Global Network and serves draw commands to the user's clientless browser endpoint.</p><p>By executing the browser code and controlling user interactions on a remote server rather than a user device, any and all malware and phishing attempts are isolated, and won't infect devices and compromise user identities. This improves both user and endpoint security when there are unknown risks and unmanaged devices, and allows users to access websites without having to connect to a VPN or having strict firewall policies.</p><p>Cloudflare’s RBI technology uses a unique patented technology called <a href="/cloudflare-and-remote-browser-isolation/">Network Vector Rendering (NVR)</a> that utilizes headless Chromium-based browsers in the cloud, transparently intercepts draw layer output, transmits the draw commands efficiently and securely over the web, and redraws them in the windows of local HTML5 browsers. Unlike legacy Browser Isolation technologies that relied on pixel pushing or DOM reconstruction, NVR is optimized for scalability, security and end user transparency, while ensuring the broadest compatibility with websites.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5QDHEc1rlX53Z5kc2k0tob/dab1e12b7103cfca3623ac75965dc599/image1-11.png" />
            
            </figure>
    <div>
      <h3>A phishing attack before email link isolation</h3>
      <a href="#a-phishing-attack-before-email-link-isolation">
        
      </a>
    </div>
    <p>Let’s look at a specific example of a deferred phishing attack, how it slips past traditional defenses, and how email link isolation addresses the threat.</p><p>As organizations look to adopt new security principles and network architectures like <a href="https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/">Zero Trust</a>, adversaries continually come up with techniques to bypass these controls by exploiting the most used and most vulnerable application – email. Email is a good candidate for compromise because of its ubiquity and ability to be bypassed pretty easily by a motivated attacker.</p><p>Let’s take an example of a “deferred phishing attack”, without email link isolation.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2c21s9A2FUgNs7mjZOInav/b99ae23100048308c28b534bc49a4dfb/image4-9.png" />
            
            </figure><p><b>Attacker preparation: weeks before launch</b> The attacker sets up infrastructure for the phishing attempt to come. This may include:</p><ul><li><p>Registering a domain</p></li><li><p>Encrypting it with SSL</p></li><li><p>Setting up proper email authentication (<a href="https://www.cloudflare.com/learning/dns/dns-records/dns-spf-record/">SPF</a>, <a href="https://www.cloudflare.com/learning/dns/dns-records/dns-dkim-record/">DKIM</a>, <a href="https://www.cloudflare.com/learning/dns/dns-records/dns-dmarc-record/">DMARC</a>)</p></li><li><p>Creating a benign web page</p></li></ul><p>At this point, there is no evidence of an attack that can be picked up by secure email gateways, authentication-based solutions, or threat intelligence that relies solely on reputation-based signals and other deterministic detection techniques.</p><p><b>Attack “launch”: Sunday afternoon</b> The attacker sends an authentic-looking email from the newly-created domain. This email includes a link to the (still benign) webpage. There’s nothing in the email to block or flag it as suspicious. The email gets delivered to intended inboxes.</p><p><b>Attack launch: Sunday evening</b> Once the attacker is sure that all emails have reached their destination, they pivot the link to a malicious destination by changing the attacker-controlled webpage, perhaps by creating a fake login page to harvest credentials.</p><p><b>Attack landing: Monday morning</b> As employees scan their inboxes to begin their week, they see the email. Maybe not all of them click the link, but some of them do. Maybe not all of those that clicked enter their credentials, but a handful do. 
Without email link isolation, the attack is successful.</p><p>The consequences of the attack have also just begun – once user login credentials are obtained, attackers can <a href="https://www.crn.com/news/security/solarwinds-ceo-confirms-office-365-email-compromise-played-role-in-broad-based-attack">compromise legitimate accounts</a>, distribute malware to your organization’s network, steal confidential information, and cause much more downstream damage.</p>
    <div>
      <h3>A phishing attack after email link isolation</h3>
      <a href="#a-phishing-attack-after-email-link-isolation">
        
      </a>
    </div>
    <p>The integration between Cloudflare Area 1 and Cloudflare Browser Isolation provides a critical layer of post-delivery protection that can foil attacks like the deferred phishing example described above.</p><p>If the attacker prepares for and executes the attack as stated in the previous section, our email link isolation would analyze the email link at the time of click and perform a high-level assessment on whether the user should be able to navigate to it.</p><p><b>Safe link</b> - Users will be redirected to this site transparently</p><p><b>Malicious link</b> - Users are blocked from navigating</p><p><b>Suspicious link</b> - Users are strongly discouraged from navigating and are presented with a splash warning page encouraging them to view the link in an isolated browser</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6WinnctxUCvAnCPJsM45BE/45d9fda72b702eb51d0f39683b4b3408/image3-14.png" />
            
            </figure>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6CAGmRXrUrW6Le2iX3yLjH/3a4889d9b6c627a9f4bd94a1a4c78361/image2-15.png" />
            
            </figure><p>While a splash warning page was the mitigation employed in the above example, email link isolation will also offer security administrators other customizable mitigation options, including putting the webpage in read-only mode, restricting the download and upload of files, and disabling keyboard input altogether within their Cloudflare Gateway consoles.</p><p>Email link isolation also fits into users’ existing workflows without impacting productivity or sapping their time with IT tickets. Because Cloudflare Browser Isolation is built and deployed on the Cloudflare network, with global locations in 270 cities, web browsing sessions are served as close to users as possible, minimizing latency. Additionally, Cloudflare Browser Isolation sends the final output of each webpage to a user instead of page scrubbing or sending a pixel stream, further reducing latency and not breaking browser-based applications such as SaaS.</p>
    <div>
      <h3>How do I get started?</h3>
      <a href="#how-do-i-get-started">
        
      </a>
    </div>
    <p>Existing Cloudflare Area 1 and Cloudflare Gateway customers are eligible for the beta release of email link isolation. To learn more and to express interest, <a href="http://www.cloudflare.com/zero-trust/lp/email-link-isolation">sign up for our upcoming beta</a>.</p><p>If you’d like to see what threats Cloudflare Area 1 detects on your live email traffic, request a free phishing risk assessment <a href="https://www.cloudflare.com/lp/emailsecurity/">here</a>. It takes five minutes to get started and does not impact mail flow.</p> ]]></content:encoded>
            <category><![CDATA[Cloudflare One Week]]></category>
            <category><![CDATA[Product News]]></category>
            <category><![CDATA[Zero Trust]]></category>
            <category><![CDATA[Phishing]]></category>
            <category><![CDATA[Cloud Email Security]]></category>
            <category><![CDATA[Remote Browser Isolation]]></category>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[Cloudflare Zero Trust]]></category>
            <guid isPermaLink="false">22Vv0Qr11T3jQcQy2q08TS</guid>
            <dc:creator>Shalabh Mohan</dc:creator>
            <dc:creator>Tarika Srinivasan</dc:creator>
        </item>
        <item>
            <title><![CDATA[How to replace your email gateway with Cloudflare Area 1]]></title>
            <link>https://blog.cloudflare.com/replace-your-email-gateway-with-area-1/</link>
            <pubDate>Mon, 20 Jun 2022 13:14:55 GMT</pubDate>
            <description><![CDATA[ Traditional SEG architectures were built for the email environments of yesterday. Learn how to seamlessly transition to cloud-native, preemptive email security ]]></description>
            <content:encoded><![CDATA[ <p></p><p>Leaders and practitioners responsible for <a href="https://www.cloudflare.com/zero-trust/products/email-security/">email security</a> are faced with a few truths every day. It’s likely true that their email is cloud-delivered and comes with some built-in protection that does an OK job of stopping spam and commodity malware. It’s likely true that they have spent considerable time, money, and staffing on their Secure Email Gateway (SEG) to stop phishing, malware, and other email-borne threats. Despite this, it’s also true that email continues to be the most frequent source of Internet threats, with Deloitte research finding that 91% of all cyber attacks begin with phishing.</p><p>If anti-phishing and SEG services have both been around for so long, why do so many phish still get through? If you’re sympathetic to <a href="https://en.wikipedia.org/wiki/Occam's_razor">Occam’s razor</a>, it’s because the SEG was not designed to protect the email environments of today, nor is it effective at reliably stopping today’s phishing attacks.</p><p>But if you need a stronger case than Occam delivers — then keep on reading.</p>
    <div>
      <h3>Why the world has moved past the SEG</h3>
      <a href="#why-the-world-has-moved-past-the-seg">
        
      </a>
    </div>
    <p>The most prominent change within the email market is also what makes a traditional SEG redundant – the move to cloud-native email services. More than 85% of organizations are expected to embrace a “cloud-first” strategy by 2025, <a href="https://www.gartner.com/en/newsroom/press-releases/2021-11-10-gartner-says-cloud-will-be-the-centerpiece-of-new-digital-experiences">according to Gartner</a>®. Organizations that expect cloud-native scale, resiliency, and flexibility from their security controls are not going to get it from legacy devices such as SEGs.</p><p>When it comes to email specifically, <a href="https://www.gartner.com/document/4006566">Gartner® notes</a> that, “Advanced email security capabilities are increasingly being deployed as integrated cloud email security solutions rather than as a gateway” - with at least 40% of organizations using built-in protection capabilities from cloud email providers instead of a SEG, by 2023. Today, email comes from everywhere and goes everywhere – putting a SEG in front of your Exchange server is anachronistic; and putting a SEG in front of cloud inboxes in a mobile and remote-first world is intractable. <a href="https://www.cloudflare.com/learning/email-security/what-is-email-security/">Email security</a> today should follow your user, should be close to your inbox, and should “be everywhere”.</p><p>Apart from being architecturally out of time, a SEG also falls short at detecting advanced phishing and socially engineered attacks. This is because a SEG was originally designed to stop spam – a high-volume problem that needs large attack samples to detect and nullify. But today’s phishing attacks are more sniper than scattergun. They are low volume, highly targeted, and exploit our implicit trust in email communications to steal money and data. 
Detecting modern phishing attacks requires compute-intensive advanced email analysis and threat detection algorithms that a SEG cannot perform at scale.</p><p>Nowhere is a SEG’s outdated detection philosophy more laid bare than when admins are confronted with a mountain of email threat policies to create and tune. Unlike most other cyber attacks, email phishing and <a href="https://www.cloudflare.com/learning/email-security/business-email-compromise-bec/">Business Email Compromise (BEC)</a> have too many “fuzzy” signals and cannot solely be detected by deterministic if-then statements. Moreover, attackers don’t stand still while you create email threat policies – they adapt fast and modify techniques to bypass the rules you just created. Relying on SEG tuning to stop phishing is like playing a game of Whack-A-Mole rigged in the attacker’s favor.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/SK0PsBM13jyobYcZF25fg/3d9efeb49a1df1a1d49c316692f283a8/image1-12.png" />
            
            </figure>
    <div>
      <h3>To stop phishing, look ahead</h3>
      <a href="#to-stop-phishing-look-ahead">
        
      </a>
    </div>
    <p>Traditional email security defenses rely on knowledge of yesterday’s active attack characteristics, such as reputation data and threat signatures, to detect the next attack, and therefore can’t reliably defend against modern phishing attacks that continually evolve.</p><p>What’s needed is forward-looking security technology that is aware not only of yesterday’s active phishing payloads, websites, and techniques — but also has insight into the threat actors’ next moves. Which sites and accounts are they compromising or establishing for use in tomorrow’s attacks? What payloads and techniques are they preparing to use in those attacks? Where are they prodding and probing before an attack?</p><p>Cloudflare Area 1 proactively scans the Internet for attacker infrastructure and phishing campaigns that are under construction. Area 1’s threat-focused web crawlers dynamically analyze suspicious web pages and payloads, and continuously update detection models as attacker tactics evolve – all to stop phishing attacks days before they reach the inbox.</p><p>When combined with the 1T+ daily DNS requests observed by <a href="https://www.cloudflare.com/products/zero-trust/gateway/">Cloudflare Gateway</a>, this corpus of threat intelligence enables customers to stop phishing threats at the earliest stage of the attack cycle. In addition, the use of deep contextual analytics to understand message sentiment, tone, tenor and thread variations allows Area 1 to understand and distinguish between valid business process messages and sophisticated impersonation campaigns.</p><p>While we are big believers in layering security, the layers should not be redundant. A SEG duplicates a lot of capabilities that customers now get bundled in with their cloud email offering. Area 1 is built to enhance - not duplicate - native email security and stop phishing attacks that get past initial layers of defense.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/wa98Zw9glRlVzhd2Ehdaz/0974a784a8561c9d49e2b519b89403f1/image4-10.png" />
            
            </figure>
    <div>
      <h3>Planning for your SEG replacement project</h3>
      <a href="#planning-for-your-seg-replacement-project">
        
      </a>
    </div>
    <p>The best way to get started with your SEG replacement project is deciding whether it’s a straight replacement or an eventual replacement that starts with augmentation. While Cloudflare Area 1 has plenty of customers that have replaced their SEG (more on that later), we have also seen scenarios where customers prefer to run Cloudflare Area 1 downstream of their SEG initially, assess the efficacy of both services, and then make a more final determination. We make the process straightforward either way!</p><p>As you start the project, it’s important to involve the right stakeholders. At a minimum, you should involve an IT admin to ensure email delivery and productivity isn’t impacted and a security admin to monitor detection efficacy. Other stakeholders might include your channel partner if that’s your preferred procurement process and someone from the privacy and compliance team to verify proper handling of data.</p><p>Next, you should decide your preferred Cloudflare Area 1 deployment architecture. Cloudflare Area 1 can be deployed as the MX record, over APIs, and can even run in multi-mode deployment. We recommend deploying Cloudflare Area 1 as the MX record for the most effective <a href="https://www.cloudflare.com/products/zero-trust/threat-defense/">protection against external threats</a>, but the service fits into your world based on your business logic and specific needs.</p><p>The final piece of preparation involves mapping out your email flow. If you have multiple domains, identify where emails from each of your domains route to. Check your different routing layers (e.g. are there MTAs that relay inbound messages?). Having a good understanding of the logical and physical SMTP layers within the organization will ensure proper routing of messages. Discuss what email traffic Cloudflare Area 1 should scan (north/south, east/west, both) and where it fits with your existing email policies.</p>
    <div>
      <h3>Executing the transition plan</h3>
      <a href="#executing-the-transition-plan">
        
      </a>
    </div>
    <p><b>Step 1: Implement email protection</b></p><p>Here are the broad steps you should follow if Cloudflare Area 1 is configured as the MX record (time estimate: ~30 minutes):</p><ul><li><p>Configure the downstream service to accept mail from Cloudflare Area 1.</p></li><li><p>Ensure that Cloudflare Area 1’s egress IPs are not rate-limited or blocked, as this would affect delivery of messages.</p></li><li><p>If the email server is on-premises, update firewall rules to allow Cloudflare Area 1 to deliver to these systems.</p></li><li><p>Configure remediation rules (e.g. quarantine, add subject or message body prefix, etc.).</p></li><li><p>Test the message flow by injecting messages into Cloudflare Area 1 to confirm proper delivery. (Our team can assist with this step.)</p></li><li><p>Update MX records to point to Cloudflare Area 1.</p></li></ul><p>Here are the steps if Cloudflare Area 1 is deployed downstream from an existing email security solution (time estimate: ~30 minutes):</p><ul><li><p>Configure the proper look back hops on Cloudflare Area 1, so that Cloudflare Area 1 can detect the original sender IP address.</p></li><li><p>If your email server is on-premises, update firewall rules to allow Cloudflare Area 1 to deliver to the email server.</p></li><li><p>Configure remediation rules (e.g. quarantine, add subject or message body prefix, etc.).</p></li><li><p>Test the message flow by injecting messages into Cloudflare Area 1 to confirm proper delivery. (Our team can assist with this step.)</p></li><li><p>Update the delivery routes on your SEG to deliver all mail to Cloudflare Area 1, instead of the email servers.</p></li></ul><p><b>Step 2: Integrate DNS</b></p><p>One of the most common post-email steps customers follow is to integrate Cloudflare Area 1 with their DNS service. 
If you’re a Cloudflare Gateway customer, good news – Cloudflare Area 1 now uses Cloudflare Gateway as its <a href="https://www.cloudflare.com/learning/dns/what-is-recursive-dns/">recursive DNS</a> to protect end users from accessing phishing and malicious sites through email links or web browsing.</p><p><b>Step 3: Integrate with downstream security monitoring and remediation services</b></p><p>Cloudflare Area 1’s detailed and customizable reporting allows for at-a-glance visibility into threats. By integrating with SIEMs through our robust APIs, you can easily correlate Cloudflare Area 1 detections with events from network, endpoint and other security tools for simplified incident management.</p><p>While Cloudflare Area 1 provides built-in remediation and message retraction to allow customers to respond to threats directly within the Cloudflare Area 1 dashboard, many organizations also choose to integrate with orchestration tools for custom response playbooks. Many customers leverage our API hooks to integrate with SOAR services to manage response processes across their organization.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6XVEtkicf9X4ySbz5UZyjE/9ac44ea6c8dc47c3bf6dd511dcd06a75/image2-16.png" />
            
            </figure>
    <div>
      <h3>Metrics to measure success</h3>
      <a href="#metrics-to-measure-success">
        
      </a>
    </div>
    <p>How will you know your SEG replacement project has been successful and had the desired impact? We recommend measuring metrics relevant to both detection efficacy and operational simplicity.</p><p>On the detection front, the obvious metric to measure is the number and nature of phishing attacks blocked before and after the project. Are you seeing new types of phishing attacks being blocked that you weren’t seeing before? Are you getting visibility into campaigns that hit multiple mailboxes? The other detection-based metric to keep in mind is the number of false positives.</p><p>On the operational front, it’s critical that email productivity isn’t impacted. A good proxy for this is measuring the number of IT tickets related to email delivery. The availability and uptime of the email security service is another key lever to keep an eye on.</p><p>Finally, and perhaps most importantly, measure how much time your security team is spending on email security. Hopefully it’s much less than before! A SEG is known to be a heavy-lift service, from deployment to ongoing maintenance. If Cloudflare Area 1 can free up your team’s time to work on other pressing security concerns, that’s as meaningful as stopping the phish themselves.</p>
    <div>
      <h3>You have lots of company</h3>
      <a href="#you-have-lots-of-company">
        
      </a>
    </div>
    <p>The reason we are articulating a SEG replacement plan here is because many of our customers have done it already and are happy with the outcomes.</p><p>For example, a Fortune 50 global insurance provider that serves 90 million customers in over 60 countries found their SEG to be insufficient in stopping phishing attacks. Specifically, it was an onerous process to search for “missed phish” once they got past the SEG and reached the inbox. They needed an <a href="https://www.cloudflare.com/zero-trust/solutions/email-security-services/">email security service</a> that could catch these phishing attacks and support a hybrid architecture with both cloud and on-premises mailboxes.</p><p>After deploying Cloudflare Area 1 downstream of their Microsoft 365 and SEG layers, our customer was protected against more than 14,000 phishing threats within the first month; none of those phishing messages reached a user’s inbox. A one-step integration with existing email infrastructure meant that maintenance and operational issues were next to none. Cloudflare Area 1’s automated message retraction and post-delivery protection also enabled the insurance provider to easily search and remediate any missed phish as well.</p><p>If you are interested in speaking with any of our customers that have augmented or replaced their SEG with Cloudflare Area 1, please reach out to your account team to learn more! If you’d like to see Cloudflare Area 1 in action, sign up for a Phishing Risk Assessment <a href="https://www.cloudflare.com/lp/emailsecurity/">here</a>.</p><p>Replacing a SEG is a great project to fit into your overall <a href="https://zerotrustroadmap.org/">Zero Trust roadmap</a>. 
For a full summary of Cloudflare One Week and what’s new, tune in to our <a href="https://gateway.on24.com/wcc/eh/2153307/lp/3824611/the-evolution-of-cloudflare-one">recap webinar</a>.</p><p>-</p><p><sup>1</sup>Gartner Press Release, “<a href="https://www.gartner.com/en/newsroom/press-releases/2021-11-10-gartner-says-cloud-will-be-the-centerpiece-of-new-digital-experiences">Gartner Says Cloud Will Be the Centerpiece of New Digital Experiences</a>”, 11 November 2021</p><p><sup>2</sup>Gartner, “Market Guide for Email Security,” 7 October 2021, Mark Harris, Peter Firstbrook, Ravisha Chugh, Mario de Boer</p><p>GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.</p> ]]></content:encoded>
            <category><![CDATA[Cloudflare Zero Trust]]></category>
            <category><![CDATA[Cloudflare One Week]]></category>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[Phishing]]></category>
            <category><![CDATA[Zero Trust]]></category>
            <category><![CDATA[Security]]></category>
            <category><![CDATA[Cloud Email Security]]></category>
            <guid isPermaLink="false">7yjswOAjVL3CSZoC2SxJI2</guid>
            <dc:creator>Shalabh Mohan</dc:creator>
            <dc:creator>Tarika Srinivasan</dc:creator>
        </item>
        <item>
            <title><![CDATA[Democratizing email security: protecting individuals and businesses of all sizes from phishing and malware attacks]]></title>
            <link>https://blog.cloudflare.com/democratizing-email-security/</link>
            <pubDate>Mon, 14 Mar 2022 12:59:33 GMT</pubDate>
            <description><![CDATA[ Once the acquisition of Area 1 closes, we plan to give all paid self-serve plans access to their email security technology at no additional charge ]]></description>
            <content:encoded><![CDATA[ 
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5t6mGqXJD9qlJOdDYKgFW4/062c99b0769b5c30eb07e056c53a87cd/image1-10.png" />
            
            </figure><p>Since our founding, Cloudflare has been on a mission to take expensive, complex security solutions typically only available to the largest companies and make them easy to use and accessible to everyone. In 2011 and 2015 we did this for the <a href="https://www.cloudflare.com/learning/ddos/glossary/web-application-firewall-waf/">web application firewall</a> and SSL/TLS markets, simplifying the process of protecting websites from application vulnerabilities and encrypting HTTP requests down to single clicks; in 2020, during the start of the COVID-19 pandemic, we made our Zero Trust suite available to everyone; and today—in the face of heightened phishing attacks—we’re doing the same for the email security market.</p><p>Once the acquisition of Area 1 closes, as we expect early in the second quarter of 2022, we plan to give all paid self-serve plans access to their <a href="https://www.cloudflare.com/zero-trust/solutions/email-security-services/">email security technology</a> at no additional charge. Control, customization, and visibility via analytics will vary with plan level, and the highest flexibility and support levels will be available to Enterprise customers for purchase.</p><p>All self-serve users will also get access to a more feature-packed version of the <a href="https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/">Zero Trust solution</a> we made available to everyone in 2020. 
Zero Trust services are incomplete without an <a href="https://www.cloudflare.com/zero-trust/products/email-security/">email security solution</a>, and <a href="https://www.cisa.gov/news/2021/10/01/cisa-kicks-cybersecurity-awareness-month">CISA’s recent report</a> makes that clearer than ever: over 90% of successful cyber attacks start with a phishing email, so we expect that over time analysts will have no choice but to include email in their definitions of secure access and zero edges.</p><p><b>If you’re interested in reserving your place in line, register your interest by logging into your Cloudflare account at dash.cloudflare.com, selecting your domain, clicking Email, and then “Join Waitlist” at the top of the page; we’ll reach out after the Area 1 acquisition is completed, and the integration is ready, in the order we received your request.</b></p>
    <div>
      <h3>One-click deployment</h3>
      <a href="#one-click-deployment">
        
      </a>
    </div>
    <p>If you’re already managing your authoritative DNS with Cloudflare, as nearly 100% of <a href="https://www.cloudflare.com/plans/">non-Enterprise plans</a> are, there will just be a single click to get started. Once clicked, we’ll start returning different MX records to anyone trying to send email to your domain. This change will attract all emails destined for your domain, during which they’ll be run through Area 1’s models and potentially be quarantined or flagged. Customers of Microsoft Office 365 will also be able to take advantage of APIs for an even deeper integration and capabilities like post-delivery message redaction.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5CbqzMF8kBl1AP1z62smRo/54807cd4dcf81335a7f0471d01fc67be/image2-10.png" />
            
            </figure><p>In addition to routing and filtering email, we’ll also automagically take care of your DNS email security records such as SPF, DKIM, DMARC, etc. We launched a tool to help with this last year, and soon we’ll be making it even more comprehensive and easier to use.</p>
    <div>
      <h3>Integration with other Zero Trust products</h3>
      <a href="#integration-with-other-zero-trust-products">
        
      </a>
    </div>
    <p>As we wrote in the <a href="/why-we-are-acquiring-area-1/">acquisition announcement post</a> on this blog, we’re excited to integrate email security with other products in our Zero Trust suite. For customers of Gateway and Remote Browser Isolation (RBI), we’ll automatically route potentially suspicious domains and links through these protective layers. Our built-in <a href="/data-loss-prevention/">data loss prevention (DLP) technology</a> will also be wired into Area 1’s technology in deployments where visibility into outbound email is available.</p>
    <div>
      <h3>Improving threat intelligence with new data sources</h3>
      <a href="#improving-threat-intelligence-with-new-data-sources">
        
      </a>
    </div>
    <p>In addition to integrating directly with Zero Trust products, we’re excited about connecting threat data sources from Area 1 into existing Cloudflare products and vice versa. For example, phishing infrastructure identified during Area 1’s Internet-wide scans will be displayed within the recently launched Cloudflare Security Center, and 1.1.1.1’s trillions of queries per month will help Area 1 identify new domains that may be threats. Domains that are newly registered, or registered with slight variations of legitimate domains, are often warning signs of an upcoming phishing attack.</p>
    <div>
      <h3>Getting started</h3>
      <a href="#getting-started">
        
      </a>
    </div>
    <p>Cloudflare has been a happy customer of Area 1’s technology for years, and we’re excited to open it up to all of our customers as soon as possible. If you’re excited as we are about being able to use this in your Pro or Business plan, reserve your place in line today within the Email tab for your domain. Or if you’re an Enterprise customer and want to get started immediately, fill out <a href="https://www.cloudflare.com/lp/emailsecurity/">this form</a> or contact your Customer Success Manager.</p> ]]></content:encoded>
            <category><![CDATA[Security Week]]></category>
            <category><![CDATA[Email]]></category>
            <category><![CDATA[Security]]></category>
            <category><![CDATA[Zero Trust]]></category>
            <category><![CDATA[Phishing]]></category>
            <category><![CDATA[Malware]]></category>
            <category><![CDATA[Cloudflare Zero Trust]]></category>
            <guid isPermaLink="false">3FxihkQRtKc61pl0Sevyjt</guid>
            <dc:creator>Patrick R. Donahue</dc:creator>
            <dc:creator>Shalabh Mohan</dc:creator>
        </item>
        <item>
            <title><![CDATA[Tip of the ICEberg for Cloud-Native Email Security: Area 1 Named in the Gartner™ Market Guide for Email Security]]></title>
            <link>https://blog.cloudflare.com/2021-gartner-email-security-analysis/</link>
            <pubDate>Thu, 09 Dec 2021 15:53:00 GMT</pubDate>
            <description><![CDATA[ Gone are the days of the Secure Email Gateway (SEG) being an option. Cloud-native email protection with multiple deployment options is now changing the game. With winter in our minds, it’s time to start talking about “ICE.” ]]></description>
            <content:encoded><![CDATA[ <p><i>This blog originally appeared in December 2021 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. </i><a href="/why-we-are-acquiring-area-1/"><i>Learn more</i></a><i>.</i></p><p><a href="https://www.cloudflare.com/zero-trust/products/email-security/">Email Security</a> has certainly come a long way. With cloud messaging now the standard versus the legacy on-premises approach (Lotus Notes, anyone?), the strategy of securing these clouds has also experienced a revolution. Gone are the days of the Secure Email Gateway (SEG) being an option. Cloud-native email protection with multiple deployment options is now changing the game. With winter in our minds, it’s time to start talking about “ICE.”</p><p>“ICES” (Integrated Cloud Email Security) solutions appeared for the first time in the recently published Gartner <a href="https://www.cloudflare.com/lp/gartner-market-guide-email-security/">2021 Market Guide for Email Security</a> (ID G00735200).</p><p>In terms of the broader landscape, two trends carried over from the 2020 Market Guide:</p><ol><li><p>Cloud adoption continues to grow; and</p></li><li><p>Phishing, ransomware and account takeover attacks continue to increase.</p></li></ol><p>Gartner estimates that 70% of organizations now use cloud suites, primarily Microsoft 365 and Google Workspace. Even though these cloud email providers have provided built-in email hygiene and protection capabilities, email continues to be a significant attack vector, with phishing, ransomware and Business Email Compromise attacks resulting in large financial losses. Gartner cautions that, <b>“Continued increases in the volume and success of phishing attacks and migration to cloud email require a reevaluation of email security controls and processes. 
Security and risk management leaders must ensure that their existing solution remains appropriate for the changing landscape.”</b></p>
    <div>
      <h2>New Gartner Category Provides Better Security ChoICES</h2>
      <a href="#new-gartner-category-provides-better-security-choices">
        
      </a>
    </div>
    <p>In this year’s report, Gartner introduced a new category, Integrated Cloud Email Security (ICES), positioning it as the predominant defense against phishing threats slipping past traditional security controls. Although specific vendor capabilities vary, ICES can offer several advantages over traditional SEGs: advanced threat detection, ease of use, and improved visibility and response. Area 1 Security is pleased to be recognized as a Representative Vendor for this growing new category.</p>
    <div>
      <h3>Advanced Threat Detection</h3>
      <a href="#advanced-threat-detection">
        
      </a>
    </div>
    <p>One of the challenges of sophisticated phishing attacks is that there is often no link or attachment to scan for malware. Instead, attacks use social engineering to lure victims into sending money or sharing credentials. Other advanced attacks embed malicious links or weaponized documents behind layers of benign content, making detection difficult.</p><p>And as Gartner notes, “As built-in security from Microsoft and Google has improved, threat actors are also getting more sophisticated, often targeting them using fake login pages as a way of harvesting credentials.” And, “Many ransomware-as-a-service gangs use email as the initial entry point. Beyond malware, business email compromise and account takeover threats continue to rise, with significant financial losses as a result.”</p><p>Gartner explains that, “To combat these, [ICES] email security solutions use a variety of more-advanced detection techniques, including NLU, NLP, social graph analysis (patterns of email communication) and image recognition.”</p>
    <div>
      <h3>Ease of Use</h3>
      <a href="#ease-of-use">
        
      </a>
    </div>
    <p>With the majority of organizations using cloud email providers, ease of use and ease of integration are important when adding solutions for advanced threat detection. As an ICES solution, Area 1 Horizon™ can integrate with email providers via API, offering flexibility and faster time to value. (More on that flexibility part later.)</p><p>Gartner indicates that more customers will opt for API-based solutions in the future, predicting that the number of <a href="https://www.cloudflare.com/zero-trust/products/email-security/">anti-phishing solutions</a> delivered via API integration with the email platform will increase more than 4x by 2025.</p>
    <div>
      <h3>Improved Visibility and Response</h3>
      <a href="#improved-visibility-and-response">
        
      </a>
    </div>
    <p>Detection is only one piece of the puzzle; broad visibility and fast response are also necessary for an effective cybersecurity program.</p><p>Building on the advantages of APIs just mentioned, ICES solutions allow easy integration of email events into <a href="https://www.cloudflare.com/learning/security/what-is-siem/">security information and event management (SIEM)</a> or security orchestration, analytics and reporting (SOAR) systems via API. This allows for increased threat visibility and better coordinated response. Many ICES also offer built-in response capabilities or managed services offerings.</p>
    <div>
      <h2>Are SEGs on Thin Ice?</h2>
      <a href="#are-segs-on-thin-ice">
        
      </a>
    </div>
    <p>With all the advantages of ICES, it appears that traditional email security systems, many of which are still hardware-based/hosted hypervisors, are having a hard time keeping up. In our experience, many, if not most, of our customers have existing SEGs but come to us to eliminate the security gap left by <a href="https://www.cloudflare.com/static/576535737328a3d81de5dfe644af4b51/BDES-3794_CloudflareArea1_Report_TheStoryBehind140000MissedPhish_REVSEPT2022.pdf">SEGs missing threats</a>.</p><p>Gartner seems to agree, noting that “Initially, these solutions are deployed as a supplement to existing gateway solutions, but <b>increasingly the combination of the cloud email providers’ native capabilities and an ICES is replacing the traditional SEG.”</b></p><p>Gartner also predicts that nearly half (40%) of all organizations will switch to using built-in protection capabilities from cloud email providers and ICES rather than a SEG by 2023. This is an increase of nearly 150%.</p>
    <div>
      <h2>Area 1 Horizon Supports All Gartner Best PractICES</h2>
      <a href="#area-1-horizon-supports-all-gartner-best-practices">
        
      </a>
    </div>
    <p>We are pleased to be recognized in Gartner’s first-ever Integrated Cloud Email Security (ICES) category, and believe that we offer the most effective (and only preemptive) email security to defend organizations against advanced threats.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3wZtNqKWxkUVYpUgzpaIdL/882a41e292b21526310f3566e2f6a22d/image1-28.png" />
            
            </figure><p>As an ICES, Area 1 Horizon uses a variety of more-advanced detection techniques, including NLU, NLP, social graph analysis (patterns of email communication) and image recognition to preemptively detect and stop advanced threats.</p><p>However, unlike many other ICES vendors with API-only integration options, Area 1 can be deployed via API as well as inline as the MX record holder, simultaneously ensuring protection across the entire cycle: pre-delivery, at-delivery and post-delivery. With a focus on providing comprehensive security, our <a href="https://developers.cloudflare.com/email-security/deployment/">flexible deployment options</a> and direct integration make our solution easy to evaluate and prove business value.</p><p>For better visibility and faster response, the Area 1 Horizon platform also comes with built-in response with message retraction, and we easily integrate with SIEMs and SOARs for a cohesive extended detection and response (XDR) strategy.</p><p>As is typical of its Market Guides, Gartner provides security practitioners with a short list of recommended vendor criteria.</p><p>We believe that Area 1 successfully maps to every single recommendation, as detailed below:</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1LrYycNR5zXvThxX0y2rco/630dfa42f570f07f3f4d7028fa175033/image3-11.png" />
            
            </figure><p>In addition, Area 1 Security supports 16 out of the 19 key features Gartner calls out for all email security vendors.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7ch6XCi7mYo3oeNHuxO7aw/5bdcb47a0ae8bdeee4ae0dc33cfc99de/image2-19.png" />
            
            </figure><p>In short, Area 1 offers seamless, deep integration with cloud email providers like Microsoft 365 and Google Workspace for better security. And while many prefer to deploy us just with their email provider for a modern, cloud-first architecture, we also “play nICE” with SEGs, too.</p><p><b>To request a complimentary copy of the Gartner 2021 Market Guide for Email Security, click</b> <a href="https://www.cloudflare.com/lp/gartner-market-guide-email-security/"><b>here</b></a><b>.</b></p><p><b>To assess whether Area 1 Security can help address gaps in your current email security defenses, contact us for a free Phishing Risk Assessment,</b> <a href="https://www.cloudflare.com/lp/emailsecurity/"><b>here</b></a><b>.</b></p><p>Gartner, “Market Guide for Email Security,” Mark Harris, Peter Firstbrook, Ravisha Chugh, Mario de Boer, 7 October 2021.</p><p><b>Gartner Disclaimer:</b> Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.</p> ]]></content:encoded>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[Cloud Email Security]]></category>
            <category><![CDATA[Cloudflare Zero Trust]]></category>
            <category><![CDATA[Security]]></category>
            <guid isPermaLink="false">1VB3WGHm4OI7GTvUqGvR6V</guid>
            <dc:creator>Shalabh Mohan</dc:creator>
        </item>
        <item>
            <title><![CDATA[Area 1 Security Announces the Most Spoofed Brand of 2020]]></title>
            <link>https://blog.cloudflare.com/2021-march-hackness-phishing-champion/</link>
            <pubDate>Fri, 02 Apr 2021 15:15:00 GMT</pubDate>
            <description><![CDATA[ The COVID-19 pandemic’s influence on phishing and cyberattack lures is clear. Area 1 Security identified over 2 million phishing spoofs that exploited the World Health Organization between May 2020 and February 2021. ]]></description>
            <content:encoded><![CDATA[ <p><i>This blog originally appeared in April 2021 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. </i><a href="/why-we-are-acquiring-area-1/"><i>Learn more</i></a><i>.</i></p><p>AMERICA! WE HAVE A 2021 MARCH HACKNESS CHAMPION! (Granted, it’s a phishy title that no organization really wants to win).</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5OP9kMN0ogbyWKw3NGGbzY/73cbb05ce10aed1cf311b1ead7133232/image2-2.jpg" />
            
            </figure><p>A Cinderella story. The underdog. The New Kid on the Block is … the <b>World Health Organization</b>!</p><p>Although the WHO won’t want you to get fooled (with phishing) again, they are the undisputed March Hackness Champion of 2021!</p><p>Truly, what a difference a year makes. The COVID-19 pandemic changed the world, including the world of Phishing and cyberattack lures. Our researchers identified <b>over 2 million Phishing spoofs (out of more than 22 million)</b> that specifically exploited the WHO brand between May 2020 and February 2021.</p><p>For example, in this phishing message from last year, the attacker lures victims by posing as the WHO, claiming to offer safety measures on how to stop the spread of the virus. We see Display Name Spoofing, where the <i>true</i> sender is actually this alansariornan[.]com domain.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6lBRIYNkaBnS8r8VibzByK/b4402a8809d643ad17eace65466d57b8/image1-30.png" />
            
            </figure><p>In an attempt to add legitimacy to the phishing example above:</p><ul><li><p>The attacker added the logo for the WHO in the body of their message. This is a common tactic, which Area 1 uses to help detect malicious messages (more specifically, our advanced computer vision algorithms and statistical models essentially train computers to interpret and understand digital images).</p></li><li><p>The attacker also used a fairly sophisticated technique to avoid detection by abusing the legitimate service, Appspot.com, to host their phishing site. Appspot is a cloud computing platform for developing and hosting web apps in Google-managed data centers, so naturally, those domains are commonly whitelisted — and the corresponding links are <i>not</i> typically evaluated.</p></li><li><p>Campaigns like this use well-designed login pages in an attempt to capture login credentials, which are then sent to a remote server controlled by the attacker.</p></li></ul><p>Attackers cleverly and maliciously pivoted to exploit other COVID-19 trends, such as <a href="https://www.nytimes.com/2020/03/22/business/coronavirus-emails.html">businesses sending more sales emails</a>, <a href="https://www.cnbc.com/2020/12/15/coronavirus-pandemic-has-pushed-shoppers-to-e-commerce-sites.html">consumers shopping online more</a>, <a href="https://magazine.realtor/news-and-commentary/feature/covid-19-s-impact-on-real-estate">the real estate surge</a>, and the <a href="https://www.nielsen.com/us/en/insights/article/2020/covid-19-tracking-the-impact-on-media-consumption/">growth of online news content consumption</a>.</p><p>Aside from the likes of the WHO (#1), Moderna (#25) and CDC (#48), these companies (whether they like it or not!) 
also made our annual phishing bracket for the first time this year:</p><ul><li><p><b>#7 — Marketo</b></p></li><li><p><b>#20 — Columbia Sportswear</b></p></li><li><p><b>#24 — UPS</b></p></li><li><p><b>#38 — CNN</b></p></li><li><p><b>#50 — Zoom</b></p></li><li><p><b>#51 — Adidas</b></p></li><li><p><b>#53 — Nike</b></p></li><li><p><b>#63 — Zillow</b></p></li></ul><p>Much like in the real tournament, there were several upsets in the Phishing brackets as well. Former 2017 and 2019 March Hackness bracket champion, <b>PayPal</b>, didn’t even crack the Sweet 16 round this time.</p><p><b>With the world on edge in 2020, hackers took every advantage they could to find a way into organizations.</b> Their weapon of choice is trust. Who wouldn’t want information from the WHO about a virus that is affecting every aspect of their lives? Hackers know this, so they use it.</p><p>And as I shared in our prior Not-so-Sweet 16 post, email authentication and sender reputation standards (such as SPF, DKIM and DMARC) aren’t enough to <a href="https://www.cloudflare.com/learning/email-security/how-to-prevent-phishing/">prevent phishing attacks</a> from reaching inboxes.</p><p>Email authentication and sender reputation were designed to help brands deliver their email messages properly — not to help defend your organization from the most sophisticated phish.</p><p>In fact, our co-founder/CSO, Blake Darché, and our principal security researcher, Javier Castro, <a href="https://gateway.on24.com/wcc/eh/2153307/lp/3955867/how-bad-actors-get-past-dmarc-in-60-minutes-or-less">demonstrated</a> through the creation of a real-time, DMARC-passing attack, just how fast and easy it is for attackers to get phishing emails into your inbox.</p><p>Remember, even when you deploy DMARC for your domain:</p><ul><li><p>It’s easy to establish a new phishing domain that exploits trusted 
infrastructure</p></li><li><p>It’s fast to set up DMARC, SPF and DKIM policies for new phishing domains in order to reach inboxes</p></li><li><p>You need to detect phish via comprehensive message analysis, computer vision, domain registration checks, and other techniques beyond email authentication.</p></li></ul>
    <div>
      <h3>Takeaways from the 2021 March Hackness Tournament</h3>
    </div>
    <p>Here are some other key insights on the past year’s contenders:</p><ul><li><p>The Top 4 “seeds” were seen in over 6 million phishing attacks.</p></li><li><p>The Top 10 accounted for over 56% of ALL spoof- and impersonation-based phishing attacks.</p></li><li><p>Our 64-brand bracket included 15 different industries. The most well-represented were Technology and Financial Services/Banking.</p></li><li><p>Attackers will use what is in the headlines to make attacks land. COVID-19 and a Presidential Election heavily influenced the attack patterns of phishing attacks in the U.S. last year.</p></li></ul><p>Well America, I had a great time with you for the 2021 March Hackness tournament. Will our Cinderella return to the ball next year? You’ll have to join us again to find out!</p><p>Until next time… <i>(Dick Vitale one last time)</i></p><p><b>GOODNIGHT BABY! WE’LL BE DANCING AGAIN NEXT YEAR!</b></p> ]]></content:encoded>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[Cloud Email Security]]></category>
            <category><![CDATA[Cloudflare Zero Trust]]></category>
            <category><![CDATA[Security]]></category>
            <category><![CDATA[Spoofing]]></category>
            <guid isPermaLink="false">2MnR0ZE77vjdtm4uMlhKWa</guid>
            <dc:creator>Shalabh Mohan</dc:creator>
        </item>
        <item>
            <title><![CDATA[Annual March Hackness 2021: The Not-So-Sweet 16 —The Pandemic’s Phishing Influence]]></title>
            <link>https://blog.cloudflare.com/2021-march-hackness-not-sweet-16/</link>
            <pubDate>Wed, 31 Mar 2021 15:22:00 GMT</pubDate>
            <description><![CDATA[ The COVID-19 pandemic influenced which brands attackers exploited for phishing campaigns in 2021. For example, the World Health Organization and DocuSign made Area 1 Security’s 2021 March Hackness “Not-so-Sweet 16.” ]]></description>
            <content:encoded><![CDATA[ <p><i>This blog originally appeared in March 2021 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. </i><a href="/why-we-are-acquiring-area-1/"><i>Learn more</i></a><i>.</i></p><p>Dick Vitale impression returning in:</p><p><i>3…</i></p><p><i>2…</i></p><p><i>1…</i></p><p>OH MY, WHAT A TOURNAMENT IT HAS BEEN! SOME STUNNING UPSETS! MILLIONS OF BRACKETS BUSTED! IT’S AWESOME (and sometimes awful), BABY!</p><p>Whew… Got that out of the way.</p><p>So, what have we learned from the first two rounds of the Annual March Hackness phishing tournament?</p><p>The COVID-19 pandemic has definitely played into what attackers are using in their business.</p><p>The proof? Cinderella runs thus far for some of our (not-so-Sweet) 16 of top-impersonated newcomers: the <b>World Health Organization</b> (which we’ve seen daily in the news); <b>Target</b> (whose online sales surged by $10 billion last year); and <b>DocuSign</b> (whose revenue exploded by nearly 50%, thanks to post-COVID remote business). Reminiscent of Marquette’s 2013 run, in my opinion!</p><p>That said, our major players of <b>Microsoft</b> and <b>Google</b> are still accounted for — they remain attackers’ favorite brands year after year. (Case in point: our security research team <a href="https://threatpost.com/office-365-phishing-attack-financial-execs/164925/">recently uncovered</a> a highly sophisticated Microsoft 365 phishing campaign targeting financial departments and unsuspecting assistants and CEOs).</p><p>But … who honestly could have predicted <b>PayPal</b> getting knocked out in the first round? Our 2019 March Hackness Champion goes home early! Congratulations to them for being Most Improved (aka, less spoofed)!</p><p>Remember folks, in our phishing bracket, a first round knockout is actually a badge of honor!</p><p>Which brings us into the Not-So-Sweet 16. Can the WHO continue its historic run? 
Can Twitter upset the Duke-esque status of Microsoft? Will Facebook survive a matchup against Amazon? Only time will tell!</p><p>The Madness is setting in!</p><p><b><i>Let’s check back with Dicky V for analysis of the perfect phishing bracket:</i></b></p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3luci9yL7tWMhI5sHzkAwh/8ceda12d77b67aec8f71fd65ef85486c/image1-1.jpg" />
            
            </figure>
    <div>
      <h3>Some takeaways for the Sweet 16?</h3>
    </div>
    <ul><li><p>OH BABY! We’ve got quite a few Juggernaut matchups! Microsoft has that champion pedigree but Twitter is a strong contender!</p></li><li><p>Facebook vs Amazon! That’s a championship matchup in its own right … expect a lot of fireworks there!</p></li><li><p>I like Apple’s odds of making it to the finals!</p></li><li><p>I think our Cinderella, the WHO, might be making it to the ball!</p></li></ul><p><b>Tune in on April 5th to see who will be crowned our OPHISHAL Champion for 2021! IT’S AWESOME BABY!</b></p>
    <div>
      <h3>And Now Some Additional Analysis</h3>
    </div>
    <p>By the way, in case you’re wondering: <i>is email authentication (SPF, DKIM, DMARC) THE winning way to stop brand spoofing and impersonation-based phishing attacks from ever reaching inboxes?</i></p><p>The answer is: <b>No.</b> Over the past year, we’ve blocked 22 million of these types of phishing attacks — <b>and while we know all three standards can help with preventing</b> <b><i>some</i></b> <b>forms of phishing, attackers can</b> <a href="https://gateway.on24.com/wcc/eh/2153307/lp/3955867/how-bad-actors-get-past-dmarc-in-60-minutes-or-less"><b>easily bypass email authentication</b></a><b>.</b></p><p>The SPF, DKIM and DMARC standards are certainly useful for validating server and tenant origins, <a href="https://www.cloudflare.com/learning/dns/dns-records/protect-domains-without-email/">protecting message integrity</a> and providing policy enforcement. However, security professionals should know that:</p><ol><li><p><i>Anyone can set up emails that pass email authentication.</i></p></li><li><p><i>Email authentication does not inspect content.</i></p></li><li><p><i>Email authentication does not protect against look-alike domains</i>.</p></li><li><p><i>Email authentication does not protect against compromised domains</i>.</p></li><li><p><i>The vast majority of organizations and domains do not use email authentication</i>.</p></li><li><p><i>Email authentication can be difficult to set up properly.</i></p></li></ol><p>Below is a brief description of what each standard does, what types of threats it can protect against and what types of threats it <i>cannot</i> protect against.</p><table>
<thead>
  <tr>
    <th colspan="2">DMARC <br />(Domain-based Message Authentication, Reporting and Conformance)</th>
  </tr>
</thead>
<tbody>
  <tr>
    <td>Purpose</td>
    <td>Providing policy enforcement and reporting for SPF and DKIM<br />Stipulating what policy to follow if an email doesn’t pass SPF or DKIM authentication (e.g. reject/delete, quarantine, no policy/send)<br />Reporting function allows domain owners to see who is sending email on their behalf</td>
  </tr>
  <tr>
    <td>Best for:</td>
    <td>Protecting against spoofing of your own domain and brand abuse<br />(Does not prevent spoofing of another brand’s domain.)</td>
  </tr>
  <tr>
    <td>Limitations</td>
    <td>Does not prevent spoofing of another brand’s domain<br />Does not prevent look-alike email, domain or display name spoofing<br />Domain owners specify what percentage of mail DMARC policies apply to; application percentages of less than 100% are virtually meaningless<br />Does not protect against attacks using “validated” emails with embedded URLs, malicious payloads or attachments</td>
  </tr>
</tbody>
</table> ]]></content:encoded>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[Cloud Email Security]]></category>
            <category><![CDATA[Cloudflare Zero Trust]]></category>
            <category><![CDATA[Security]]></category>
            <category><![CDATA[Spoofing]]></category>
            <guid isPermaLink="false">77snTm9iI8gSS8PZ5JOqkD</guid>
            <dc:creator>Shalabh Mohan</dc:creator>
        </item>
        <item>
            <title><![CDATA[Annual March Hackness: The Opener — What a Difference a Year Makes in the World of Phishing Attacks]]></title>
            <link>https://blog.cloudflare.com/2021-march-hackness-phishing-opener/</link>
            <pubDate>Mon, 22 Mar 2021 16:33:00 GMT</pubDate>
            <description><![CDATA[ Area 1 has been doing our own Phishing brackets over the past five years. We took a hiatus in 2020 (as did the NCAA), so today, we proudly introduce the 5th Annual March Hackness: The Phishing Tournament. ]]></description>
            <content:encoded><![CDATA[ <p><i>This blog originally appeared in March 2021 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. </i><a href="/why-we-are-acquiring-area-1/"><i>Learn more</i></a><i>.</i></p><p>Well America, it’s back! That glorious time of year that has everyone asking, <i>“Is Gonzaga actually for real this time? Have we learned nothing?!”</i> Yes that’s right, March Madness is back!</p><p>After a LONG and hard 2020, it’s beginning to look a little more normal these days. Nothing signals normal like the return of March Madness! We can finally have the thrill and gut punching heartbreak of busted brackets, 15-seed upsets, and those weird bragging rights of <i>“I called that upset, I just didn’t put it down on my bracket…”</i></p><p>We at Area 1 have been doing our own Phishing brackets over the past five years. We took a hiatus in 2020 (as did the NCAA), so today, we proudly introduce the <b>5th Annual March Hackness: The Phishing Tournament</b>.</p><p>In creating their Phishing campaigns, attackers take advantage of a simple idea - Trust. Nothing speaks to that more than the brands that everyone knows and loves and interacts with in their everyday lives or sees in the headlines.</p><p>We’ve analyzed over 500 different organizations — across multiple divisions (aka industries) — that have been spoofed in more than 22 million Phishing messages over the past year. From there, we’ve identified <i>the</i> Top 64 companies whose brands have become <i>the</i> go-to lures for Phishing campaigns.</p><p>Although March Madness took last year off due to the COVID-19 pandemic, attackers sure didn’t. (Just see some proof here, and here, and here…)</p><p>And now…</p><p><i>(Prepares best Dick Vitale voice possible)</i> …</p><p>WE’RE BACK AT IT BABY! OH AMERICA, ARE YOU SERIOUS? 
IT’S AWESOME BABY!</p><p>Wow, that takes a ton of energy to pull off!</p><p>With Area 1’s March Hackness tournament, you’ll get to see who is the latest Cinderella story to come out of nowhere and disrupt the typical “Power 5” technology brands that typically dominate the Phishing world. (Here’s looking at you PayPal, <a href="https://www.area1security.com/blog/the-fourth-annual-march-hackness/">our previous 2019 champion</a>).</p><p>Let’s see what a difference a year makes in the world of Phishing.</p><p>I’m excited, you get excited!</p><p>EVERYONE ON THEIR FEET!</p><p>LET’S SEE THAT BRACKET BABY!</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1Vd7W7CRXsN4cKJ8S2qScm/1723449adc3e33bcf32399de4d254f96/image1-3.jpg" />
            
            </figure>
    <div>
      <h3>Some fast break takeaways for this year’s March Hackness?</h3>
    </div>
    <ul><li><p>We see some (unfortunate) new players in the space this year: themes around COVID-19 made a strong impact on our Top 64 bracket.</p></li><li><p>For example, newcomers like the World Health Organization and Centers for Disease Control make appearances for the first time, as well as pharmaceutical sweethearts, Moderna.</p></li><li><p>Our typical heavy hitters are still accounted for, like Microsoft, Google, Facebook, and PayPal. However, how well will they survive the tournament? Can they make it to the championship?</p></li></ul><p>Tune in soon to find out who cuts down the nets to evade detection in this year’s tournament!</p> ]]></content:encoded>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[Cloud Email Security]]></category>
            <category><![CDATA[Cloudflare Zero Trust]]></category>
            <category><![CDATA[Security]]></category>
            <category><![CDATA[Spoofing]]></category>
            <guid isPermaLink="false">3EjpM3dZIra3S7NPEPSJtq</guid>
            <dc:creator>Shalabh Mohan</dc:creator>
        </item>
        <item>
            <title><![CDATA[What is an Integrated Email Security solution? And is it right for your organization?]]></title>
            <link>https://blog.cloudflare.com/2020-market-guide-integrated-email-security/</link>
            <pubDate>Tue, 10 Nov 2020 14:49:00 GMT</pubDate>
            <description><![CDATA[ Gartner has named Area 1 Security as a Representative Vendor for IESS. We believe Area 1 Security, as an IESS, provides the core functionalities of a SEG, but has the advantage of being very quick and easy to deploy, without requiring changes to the email flow at the gateway. ]]></description>
            <content:encoded><![CDATA[ <p><i>This blog originally appeared in November 2020 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. </i><a href="/why-we-are-acquiring-area-1/"><i>Learn more</i></a><i>.</i></p><p>On Sept. 8, Gartner published its latest Market Guide for Email Security (Gartner Doc ID: G00722358). Given the continued increase of phishing and advanced attacks, ongoing enterprise migration to cloud email providers and the recent transition to remote work for many organizations, we at Area 1 Security believe this is an aptly-timed update.</p><p>One new item of particular note in the report is Gartner’s new category of Integrated Email Security Solutions (IESS). While Area 1 Security was also recognized as a Representative Vendor in the Gartner 2019 Market Guide for Email Security, Gartner has now named Area 1 Security as a Representative Vendor for IESS. According to Gartner: “They [IESSs] often include other capabilities such as machine-learning-based detection trained on existing emails, image analysis, account takeover detection and image recognition of URLs to identify phishing attacks as well providing protection for internal emails and M-SOAR functionality.”</p><p>We believe Area 1 Security, as an IESS, provides the core functionalities of a SEG, but has the advantage of being very quick and easy to deploy, without requiring changes to the email flow at the gateway through <a href="https://developers.cloudflare.com/email-security/deployment/">direct integrations</a> with Office 365 and Google G Suite.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/46q1ifYavhta2GKeg6Mdcs/3cc65ccf2f9600f31a73627a27910532/image2-3.png" />
            
            </figure><p>As an increasing number of threats bypass legacy Secure Email Gateways (SEGs), Area 1 Security’s customers and prospects have increasingly expressed that traditional SEGs don’t adequately address their security needs. In fact, we are often brought in to either replace or supplement SEGs such as those from Proofpoint, Agari and Mimecast.</p><p>With SEGs missing over 30 percent of phishing campaigns, IESS solutions like Area 1 Security offer an attractive <a href="/replace-your-email-gateway-with-area-1/">SEG replacement</a>.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7h9VKgnuAHmhvZ1uYe0ZDX/50b5bf73690445c54f4d142a0369aad4/image1-2.jpg" />
            
            </figure>
    <div>
      <h3>Additional Highlights from the Market Guide for Email Security</h3>
    </div>
    <ul><li><p>Per our understanding, Gartner advises security and risk management leaders responsible for email security to “Address gaps in the advanced threat defense capabilities of an incumbent secure email gateway (SEG) by either replacing them or supplementing them with complementary capabilities via API integration.” Some customers may decide to address these gaps by replacing an incumbent SEG with an IESS.</p></li><li><p>Also, as noted in the report, “Integrated protection, because it has historical data on communication patterns, can use its social graph to flag anomalous messages as suspicious” and integrated solutions also “increasingly using natural language processing and understanding to identify account takeover attacks.”</p></li><li><p>The Market Guide highlights differentiating capabilities for <a href="https://www.cloudflare.com/zero-trust/solutions/email-security-services/">next-generation email security products</a>:</p></li></ul><ul><li><p><b>Network Sandbox</b></p></li><li><p><b>Content Disarm and Reconstruction</b></p></li><li><p><b>URL Rewriting and Time-of-Click Analysis</b></p></li><li><p><b>Remote Browser Isolation</b></p></li><li><p><b>Display Name Spoof Detection</b></p></li><li><p><b>Domain-Based Message Authentication, Reporting and Conformance on Inbound Email</b></p></li><li><p><b>Lookalike Domain Detection</b></p></li><li><p><b>Anomaly Detection</b></p></li></ul><ul><li><p>Per our understanding, Gartner also lists additional differentiating email security capabilities such as graymail handling, data protection, and post-delivery protection and M-SOAR.</p></li></ul><p>Area 1 Security believes it provides coverage across all the above differentiating capabilities (seven fully, and one in prototype / planned phase as of this quarter). The table below is a quick analysis of the key capabilities outlined within the 2020 Email Security Market Guide and how our technology fulfills each criterion. 
Where relevant, the matrix highlights capabilities that we believe are unique to our Area 1 Horizon™ service.</p><p><b>Differentiating Capabilities Matrix - Area 1 Analysis</b></p><table>
<thead>
  <tr>
    <th>Capabilities referenced in the 2020 Market Guide for Email Security*</th>
    <th>Area 1 Coverage</th>
    <th>Area 1 Capabilities </th>
  </tr>
</thead>
<tbody>
  <tr>
    <td>Network Sandbox</td>
    <td>Yes</td>
    <td>UNIQUE: Dual sandboxing. In-the-wild sandboxing for preemptive campaign identification; inline sandboxing as messages flow through the service</td>
  </tr>
  <tr>
    <td>Content Disarm and Reconstruction</td>
    <td>Yes</td>
    <td>Area 1 deconstructs content into discrete pieces and reconstructs as needed to make an assessment on the attachment<br />UNIQUE: Encrypted payload scanning; including the ability to unscramble inline passwords (either as text or as an image) to open up the payload for analysis. <br />UNIQUE:  Image assessments and reconstruction using advanced computer vision techniques for brand impersonation detection.</td>
  </tr>
  <tr>
    <td>URL Rewriting and Time-of-Click analysis</td>
    <td>Yes</td>
    <td>Ability to defang<br />Ability to rewrite<br />UNIQUE: Invokes instant crawl on links that need escalated assessments<br />UNIQUE: Assessing nested URLs within attachments, especially PDFs and archives</td>
  </tr>
  <tr>
    <td>Display Name Spoof Detection</td>
    <td>Yes</td>
    <td>Simple and complex matches<br />Header and body matches<br />UNIQUE: Exact and fuzzy matches using configurable Levenshtein distance algorithms<br />UNIQUE: Non-directory based matches<br />UNIQUE: Multivariate matches based on message analytics and sentiment<br />UNIQUE: Conversation / thread analysis for Type 3 &amp; 4 BECs<br />UNIQUE: Partner social graph for auto-discovery of business partners<br />UNIQUE: Verdict escalations for active fraud campaigns</td>
  </tr>
  <tr>
    <td>Domain-Based Message Authentication, Reporting and Conformance on Inbound Email</td>
    <td>Yes</td>
    <td>Automated spoof detection<br />Automated SPF / DKIM / DMARC based analysis<br />Envelope-From and Mail-From mismatch detection</td>
  </tr>
  <tr>
    <td>Lookalike Domain Detection</td>
    <td>Yes</td>
    <td>Automated cousin domain detections<br />UNIQUE: Automated new domain registration detections; cousin or non-cousin based</td>
  </tr>
  <tr>
    <td>Anomaly Detection</td>
    <td>Yes</td>
    <td>Metadata analysis<br />Content analysis<br />Historical / trend analysis</td>
  </tr>
  <tr>
    <td>APBC (Anti-Phishing Behavioral Conditioning / Training)</td>
    <td>N/A</td>
    <td>Area 1 currently does not focus on end user education or training use cases</td>
  </tr>
  <tr>
    <td>Graymail Handling</td>
    <td>Yes</td>
    <td>Spoof and spam detections<br />New domain detections also trigger marketing messages detections, with the ability to mark or notify the user of such messages</td>
  </tr>
  <tr>
    <td>Data Protection</td>
    <td>N/A</td>
    <td>Area 1 currently does not focus on outbound email delivery and DLP use cases but integrates quickly and seamlessly with many DLP solutions and partners</td>
  </tr>
  <tr>
    <td>Postdelivery Protection and M-SOAR (Mail Security Orchestration, Automation and Response)</td>
    <td>Yes</td>
    <td>UNIQUE - Integrated, cloud-scale automated triage and detection search, cluster wide<br />UNIQUE - Integrated, cloud-scale message trace, cluster wide<br />Detection details reports<br />API-based JSON access to detections and full messages<br />Integrated message retraction and post-delivery actions<br />SIEM integrations, SOAR hooks<br />NOTE: No additional license or products needed, unlike other vendors. </td>
  </tr>
  <tr>
    <td>Integration Into Security Tools</td>
    <td>Yes</td>
    <td>Integration with DNS for protected web browsing as part of service<br />Integration with data analysis tools, SIEMs, SOARs, identity platforms, firewalls, network security tools and proprietary systems</td>
  </tr>
</tbody>
</table><p><i>*Bolded capabilities are part of Gartner’s key selection criteria for next-generation email security</i></p><p>According to Gartner, “As organizations migrate to cloud email, the need to reevaluate email security is even greater.” The rise of malware, Business Email Compromise (BEC) attacks and other sophisticated email threats also means organizations should revisit their email security architecture.</p><blockquote><p><b><i>To assess whether Area 1 Security can help address gaps in your current email security defenses, contact us for a free Phishing Risk Assessment,</i></b><i> </i><a href="https://www.cloudflare.com/lp/emailsecurity/"><b><i>here</i></b></a><b><i>.</i></b></p><p>- <i>Gartner, “Market Guide for Email Security,” Mark Harris, Peter Firstbrook, Ravisha Chugh, 8 September 2020.</i></p></blockquote>
    <div>
      <h3>Gartner Disclaimer:</h3>
    </div>
    <p><i>Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.</i></p> ]]></content:encoded>
            <category><![CDATA[Email Security]]></category>
            <category><![CDATA[Cloud Email Security]]></category>
            <category><![CDATA[Security]]></category>
            <guid isPermaLink="false">5TTAXD8uQee5mdHKpAagyE</guid>
            <dc:creator>Shalabh Mohan</dc:creator>
        </item>
    </channel>
</rss>