I’m expecting this email” was the message we received for an email restore request.
Let me explain to give you a better context. Cybersecurity is about layers; no single solution will stop a cyber attack. A recent article says that phishing emails initiate 90% of all cyber-attacks. An advanced email protection system is one of the layers we have in place. Using AI and machine learning algorithms, it checks every message coming in. If it believes it to be malicious, the workflow quarantines it and sends the end user a message similar to this one.
Request to Restore
If the user believes the message to be legitimate, they will ask for it to be released. Our team will then receive the request. From there, we will review the message and the analytic data. Often, we will sandbox it and open the email to see what will happen if we go through the process. Below is the Anatomy of a quarantined message and the steps we take to confirm its legitimacy.
Reason for Detection
The first step is discovering why the system marked the message as malicious. In this case, there were several “red flags.” These will aid us in our investigation. Some key characteristics will tell us whether this is a pause for further investigation or a false positive.
- Non-Acii characters: Ascii characters are universal for electronic communication. Using similar non-ASCII characters helps disguise domain names as legit domains you would recognize. To the human eye, it’s almost indistinguishable.
- Credential Harvesting is the method a cybercriminal will use to redirect you to a website that looks familiar to you, only to get you to type in your credentials. Then, use those credentials to further a cyber attack.
- Sender Reputation: Is this the first time this person has communicated with anyone in your organization
How far did your email travel?
It is pretty fascinating to look at this map when analyzing an email. In a digitially connected world it is possible that your emails can come from anywhere. The longer we do this, the better we get at spotting patterns and knowing what is normal.
For instance, 99.99% of our clients’ emails originate from the top left quadrant of this map. This is where Redmond, Washington, is home to Microsoft Data Centers. They generally will end up where the end-user receives the message.
However, in our example, the message originated from England. While that by itself doesn’t disqualify the message from being legit, it allows us to ask further questions like, “Where does your lawyer live?”
Sometimes, on this map, we will see an envelope in red. That indicates the sender was using a VPN, which means there is a better-than-average chance it is a malicious email.
Now, it is time to play in the sandbox.
Usually, our above analysis allows us to conclude whether the email is legit or not, but in this particular case, we still were unsure, so we dived a bit deeper and sandboxed the message.
Sandbox is a term for a safe place to explore without the risk of damage. In other words, we can open this message in a sandbox, and it is protected from executing any malware that might be in it.
In this instance, the analyst clicked on the links supplied in the email to follow its path to see what the result would look like
We are not afraid to say No!
From our time in the sandbox, we have learned that this message is legitimately a malicious email. We must let the end user know we are denying the request to restore.
I am a firm believer in giving people the “WHY”. It would be easy for my team to reply and say we are not restoring this email. But that may leave a taste of resentment and anger like “How are they not to allow me to have that message? It’s my lawyer, and they expect my response. It belongs to me.”
So, instead, my team is instructed to respond with an explanation and sources for our findings. It’s hard to tell the CEO of your largest client ‘NO,’ but it’s easier to follow up with why it’s ‘NO.
At the end of the day, Our job is sometimes to save people from themselves.
Want to know more about our Process click here to book an appointment
