In the past, implementing email security meant integrating a secure email gateway to block emails that were sent from bad domains or included malicious attachments. The organizational infrastructure was likely on-premises, and all of the devices were company-managed, with limited entry and exit points into the network. Of course, business has changed quite a bit since then — especially in the aftermath of the pandemic.
As companies adapt to a newly distributed workforce, employees are experiencing more freedom, which is beneficial in many ways, allowing them to work from wherever they choose and spend more time with their families. But this freedom has also opened your organization up to new attack methods and allowed cybercriminals to take advantage of the altered and oftentimes remote-first work environment.
The new business world is entirely cloud-based — or at least moving in that direction. Email, particularly, is in the cloud, with most organizations using Google Workspace or Microsoft 365 for email and allowing employees to access it from their personal laptops and mobile phones. In fact, recent research shows that 92% of organizations are either already using cloud email or have plans to do so. This shift has come with increased functionality and productivity, alongside decreased costs, but it also means that the attack surface has expanded exponentially.
Typical email threats like spam, phishing campaigns, and malware downloads are still prominent, but there is an increasing shift to more sophisticated cloud-based attacks. There are two major trends in attacker strategy: inbound email attacks that use social engineering to complete their scams, and email platform attacks that infiltrate email environments.
Inbound Email Attacks are Evolving
Cyberattacks are becoming more sophisticated every day. We’re seeing an increasing shift to targeted attacks like business email compromise, supply chain fraud, internal account compromise, and more. These socially-engineered attacks rely heavily on human behavior and can manipulate users into providing private data and unauthorized access to valuable financial assets.
Unfortunately, traditional tools are largely incapable of detecting these attacks because the attacks are text-based and lack traditional indicators of compromise such as malicious attachments or links. Without protection, organizations are vulnerable to devastating financial losses, with nearly $2.4 billion lost in 2021 alone, making up 35% of all cybercrime losses. And when it comes to exposed losses, the number has climbed to $43 billion over the past five years.
Email Platform Attacks are Emerging
But in addition to the problem of these increasingly sophisticated inbound email attacks, there is a new category of emerging attacks that target email platforms through new entry points, or side channels. These email platform attacks infiltrate cloud email platforms through indirect channels such as access abuse over a third-party app API, stolen account tokens of a third-party application, over-provisioning of compromised accounts, and more. Take the News Corp attack that occurred earlier this year, for example, where attackers installed an Azure application into the Microsoft 365 tenant, which shipped logs of searches and emails to an external server on a nightly basis. And because the application had direct access to the tenant with zero side effects, it went unnoticed for an entire year!
Unfortunately, this is only one example of what increasingly sophisticated attackers can do — and how they can use these side channels to infiltrate email environments, ultimately causing financial losses, data breaches, and reputational damage. With dozens of new ways in, these emerging platform attacks could be more impactful than inbound email attacks, and they’re just starting to be discussed.
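As an added example (not code from the original post or from any vendor product), the following Python triages constructed OAuth-consent audit records for the kind of third-party-app side channel described above: an app granted tenant-wide mail-reading permission plus offline_access that can export mailbox content unattended. The record fields, the scope list, and the approved-app allowlist are assumptions chosen for illustration.

```python
# Added example (not from the original post): triage of constructed
# OAuth-consent audit records for a cloud email tenant. Field names,
# scope strings and the allowlist are assumptions for illustration; the
# logic models the side channel described above, where a third-party app
# with mail-reading permissions quietly exports mailbox content.
from dataclasses import dataclass

# Scopes that let an app read or export mailbox content (illustrative list).
MAIL_ACCESS_SCOPES = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app"}
# Lets the app hold refresh tokens and act while no user is signed in.
PERSISTENCE_SCOPES = {"offline_access"}
# Apps the organization has already reviewed (constructed allowlist).
APPROVED_APP_IDS = {"app-approved-crm-0001"}

@dataclass
class ConsentEvent:
    timestamp: str
    app_id: str
    app_name: str
    scopes: list
    admin_consent: bool   # tenant-wide grant vs. a single user's grant

def risk_score(ev: ConsentEvent) -> int:
    """Score a consent grant; higher means the grant deserves review."""
    if ev.app_id in APPROVED_APP_IDS:
        return 0                          # already reviewed: accepted risk
    score = 3                             # unreviewed third-party app
    if MAIL_ACCESS_SCOPES & set(ev.scopes):
        score += 3                        # can read or export mail
    if PERSISTENCE_SCOPES & set(ev.scopes):
        score += 1                        # can run unattended (nightly jobs)
    if ev.admin_consent:
        score += 2                        # tenant-wide: every mailbox
    return score

def flag_consents(events, threshold=5):
    """Return (app_name, score) for grants at or above the review threshold."""
    return [(e.app_name, risk_score(e)) for e in events if risk_score(e) >= threshold]

# Constructed sample events, not real tenant data.
SAMPLE_EVENTS = [
    ConsentEvent("2022-01-10T09:12:00Z", "app-approved-crm-0001", "Approved CRM",
                 ["User.Read", "Mail.Read", "offline_access"], True),
    ConsentEvent("2022-01-11T02:03:00Z", "app-unknown-7f3a", "Mailbox Insights",
                 ["Mail.Read", "offline_access"], True),
    ConsentEvent("2022-01-12T14:30:00Z", "app-unknown-9c1d", "Calendar Helper",
                 ["Calendars.Read"], False),
]

if __name__ == "__main__":
    for name, score in flag_consents(SAMPLE_EVENTS):
        print(f"REVIEW: {name} (score {score})")
```

Running this over real consent-grant audit exports would replace SAMPLE_EVENTS with parsed records; the scoring weights are a starting point to tune against the tenant's own approved integrations.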
Expanding the Definition Of Cloud Email Security
So what do we do? How do we stop the increasing breadth (and depth) of email attacks? To combat new and evolving cyberattacks, it’s critical that we expand our definition of cloud email security. Modern attacks require a modern solution, and basic inbound email security no longer provides enough protection.
To protect our organizations from the threats of today and the future, we must invest in AI-based technology. Only by understanding the normal behavior of every internal and external identity in the cloud ecosystem, and by using those behavioral learnings to build relationship graphs, can we establish a normal baseline. From there, security tools must be risk-aware, taking these learnings to accurately analyze the risk of every single event and precisely detect anomalies — blocking and remediating those that deviate.
When a cloud-native security tool is in place — one that understands identity, context, and risk — organizations are truly protected from both inbound email threats and email platform attacks. Ensuring that we prioritize that as a security community has never been more important as we work together to stay one step ahead of cybercrime.