Why email needs a zero-trust security model
Email threats have moved past a content-centric approach (aimed at delivering malicious links and attachments) to more sophisticated gambits. Almost 90% of email attacks manipulate sender identity to fool recipients and initiate social engineering attacks. A comparable percentage are malwareless: They do not contain attachments or files that would ordinarily set off malware-scanning alarms. These emails’ lack of identifiably malicious content means they can easily bypass most current email defenses.
The problem is not getting any easier to solve. Multiple email security providers have reported a surge in Coronavirus-themed phishing attacks since the beginning of this global crisis. Many of these attacks take advantage of the fact that employees are working from home, in environments where they may be more distracted, and with potentially less-secure networks and computer hardware.
Meanwhile, the phishers continue to iterate their attacks with extreme rapidity. According to Google, 68% of phishing attempts have never been seen before — and the average phishing campaign lasts only 12 minutes. That’s because criminals have automated phishing to avoid detection.
The end result is that phishing messages get through existing defenses.
Types of identity-based email attacks
In fact, there are three types of identity-based attacks, each of which exploits a unique vulnerability in content-centric email defenses:
- Exact-domain attacks (aka domain spoofing): Emails that directly impersonate a trusted sender by putting their domain in the “From” field of a message
- Untrusted-domain attacks (aka domain impersonation): Emails that are sent from slightly altered “lookalike” or “cousin” domains
- Open-signup attacks (aka user impersonation or friendly-from): Emails that show a legitimate sender name in the “friendly from” field but are sent from an account created on a free consumer webmail service like Gmail or Yahoo
Why we need a zero-trust approach to email security
For email, the zero-trust model means not allowing delivery of messages unless they originate from a sender who can be authenticated and who has been granted explicit permission to deliver messages to that inbox.
AI/ML solutions can be effective when it comes to identifying trends in social engineering and malicious content, but they don’t provide much usable information when it comes to sender identity, due to the rapidity with which email attackers mutate their identities.
Instead, with a zero-trust approach, you focus on definitively identifying trusted senders. Once you do that, you can flag or block everything else: You don’t have to worry about finding, analyzing, or scoring the infinite variety of possible malicious senders.
Think of it this way:
- A traditional login system positively identifies known, trusted users (and doesn’t make you worry about analyzing the infinite variety of possible bad logins).
- Similarly, a zero-trust email security system positively identifies known, trusted senders (and doesn’t make you worry about analyzing the infinite variety of possible bad senders).
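To make the allow-list logic concrete, here is a small Python classifier, added as an illustration and not Valimail's product or code from the original post, that applies the zero-trust rule above to the three identity-based attack types listed earlier. The trusted domains, known display names, free-webmail list and the Authentication-Results header value it reads are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed sample policy data (assumptions for this example, not from the article).
TRUSTED_DOMAINS = {"example.com", "partner-example.org"}
KNOWN_PEOPLE = {"jane doe": "example.com"}  # display name -> domain that person really uses
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com"}
LOOKALIKE_MAX_DISTANCE = 2

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot 'cousin' domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def dmarc_passed(auth_results: str) -> bool:
    """Read the dmarc= verdict from an Authentication-Results header value (RFC 8601)."""
    m = re.search(r"\bdmarc=(\w+)", auth_results, re.IGNORECASE)
    return bool(m) and m.group(1).lower() == "pass"

def classify(from_header: str, auth_results: str) -> str:
    """Return the zero-trust verdict for one message, based on its From header."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    name = " ".join(name.lower().split())
    if domain in TRUSTED_DOMAINS:
        # Exact-domain attack: the From domain is trusted, but if the message did not
        # authenticate (DMARC fail) it is a spoof, not a trusted sender.
        return "trusted" if dmarc_passed(auth_results) else "exact-domain spoof"
    if domain in FREE_WEBMAIL and name in KNOWN_PEOPLE:
        # Open-signup attack: a known person's name on a free consumer webmail account.
        return "open-signup impersonation"
    if any(edit_distance(domain, t) <= LOOKALIKE_MAX_DISTANCE for t in TRUSTED_DOMAINS):
        # Untrusted-domain attack: a lookalike domain; it may even pass DMARC for
        # itself, which is why authentication alone is not trust.
        return "untrusted-domain lookalike"
    # Zero-trust default: anyone not positively identified is flagged or blocked.
    return "unknown sender (flag or block)"
```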
Benefits of the Valimail approach
Valimail offers a unique, market-leading solution that provides email security through a zero-trust approach to sender identity.
Built on open standards like DMARC, DKIM, SPF, and BIMI, as well as proprietary, patented technology, Valimail validates every message in real time, with powerful automation, to make sure every message originates from a known, trusted sender.
In addition, Valimail provides granular, policy-based controls based on roles and risk appetite for your organization, so you decide how you want to handle untrusted services, senders, and contacts — quarantine, delete, or simply monitor. For inbound email, policy controls can be applied company-wide or on an individual or group basis, depending on your organization’s and each group’s particular needs.
For more information, download our short white paper: Applying a zero-trust model to email security.