Cross-Vector Threats: The Web Begins Where Email Ends

You Can Only Detect Something as Malicious if It’s Malicious at the Time You Are Looking at It


I don’t intend to be a purveyor of the obvious, but I keep overhearing discussions where “email threats” and “web threats” and “email security” and “web security” are discussed as if they were separate concepts. It’s a habit of speech rooted in a legacy mindset that doesn’t make much sense in today’s threat context, where multi-step execution of threats across such traditional boundaries is the rule. Some taxonomies of “cross-vector” threats also discuss endpoints, firewalls, user deception (“social engineering”), et al., but for the moment let’s just consider email-to-web crossover.

When pressed, most people seem to get that email security and web security aren’t really separate domains anymore, if they ever really were. However, many don’t seem to talk about security, or deploy it, in a manner consistent with that view. This “silo-izing” of solutions by threat vector continues to influence how many people think about their security, to the detriment of that security. Ninety percent of breaches may begin with an email, but today most of the action happens well after an inbound email has been scanned and delivered. Stopping such threats effectively requires a holistic view of all elements at each step along the threat’s path, including the ability to associate data captured in the “email” phase with what is observed in the “web” phase.

Security industry segments conversation

I believe many continue to be induced to think and talk this way by a good part of the security industry. While everybody owns up to the importance of layered security, Miles’ Law applies: Where you stand depends on where you sit. Different segments of the security industry still tend to narrow the conversation, with anti-virus companies talking about file-based malware as an end in itself, anti-spam vendors talking about the virtues of scanning at the time of delivery, email and web gateway providers pushing an email-centric or web-centric view, etc. What’s frequently missing is the recognition that they are all really talking about the same problem, and that problem doesn’t respect these separate fiefdoms.

All threats are cross-vector threats

Let’s recognize that, today, nearly all threats with any chance of success are cross-vector threats. That’s what any dialog needs to contemplate, and what security defenses need to focus on. As a case in point, consider that scanning emails as they arrive may have once seemed adequate, but you can only detect something as malicious if it’s malicious at the time you are looking at it. A standard evasive tactic today switches embedded URLs from a benign to a malicious destination well after delivery. The email security industry has created the concept of “time-of-click” protection, which is a way of saying that email security without an integrated and robust web security capability is a failed concept. In its ideal form such a defensive capability would equate to robust web protection that is fundamentally a continuation of the analysis begun by the “email security.” Emails which may be carrying some form of ill-intentioned attachment also cross over frequently and quickly into a complex series of Web and internet communications.
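A minimal model of the “time-of-click” idea described above, as an added example that is not from the column: the gateway scans and rewrites each URL at delivery, keeping the email context (message id, sender) alongside it, and re-evaluates the real destination when the link is clicked. The proxy hostname, the reputation lookup and the sample URL are all assumptions constructed for the example.

```python
# Added example (not the column's code): a toy "time-of-click" protection.
# At delivery the gateway records each URL with its email context and
# rewrites it through a click-proxy; at click time the destination is
# re-checked, so a URL that turned malicious after delivery is still caught,
# and the block event carries the email-phase metadata with it.
from dataclasses import dataclass, field
import hashlib


@dataclass
class Reputation:
    """Stand-in for a URL reputation service whose verdicts change over time."""
    bad: set = field(default_factory=set)

    def is_malicious(self, url: str) -> bool:
        return url in self.bad


@dataclass
class ClickProxy:
    rep: Reputation
    table: dict = field(default_factory=dict)  # token -> (url, msg_id, sender)

    def rewrite(self, url: str, msg_id: str, sender: str) -> str:
        """Delivery time: scan, then wrap the URL so the click returns to us."""
        if self.rep.is_malicious(url):
            return "https://proxy.example/blocked"  # assumed proxy hostname
        token = hashlib.sha256(f"{msg_id}|{url}".encode()).hexdigest()[:16]
        self.table[token] = (url, msg_id, sender)
        return f"https://proxy.example/c/{token}"

    def click(self, token: str) -> dict:
        """Click time: re-check the current destination, keep email context."""
        url, msg_id, sender = self.table[token]
        verdict = "block" if self.rep.is_malicious(url) else "allow"
        return {"verdict": verdict, "url": url, "msg_id": msg_id, "sender": sender}


def demo() -> tuple:
    """Walk through delivery, a later destination switch, and the click."""
    rep = Reputation()
    proxy = ClickProxy(rep)
    url = "http://invoice-portal.example/doc"  # constructed sample URL
    link = proxy.rewrite(url, "<msg-001@example>", "billing@example")
    token = link.rsplit("/", 1)[1]
    at_delivery = proxy.click(token)["verdict"]  # still benign: allow
    rep.bad.add(url)  # destination switched to malicious after delivery
    at_click = proxy.click(token)  # now caught, with the email context
    return at_delivery, at_click["verdict"], at_click["msg_id"]
```

The point is the record keyed by the token: the web-phase block can be tied back to the exact message and sender from the email phase.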

Necurs’ latest spam

Examples abound of this crossover. I’ve been looking at the Necurs botnet’s most recent email activity, and they fit the mold. One large campaign is sending emails with a business focus using the tried-and-true “Unpaid invoice” subject line and an Excel Web Query (.iqy) attachment, which when opened in Excel downloads a PowerShell script, which in turn downloads another script, which then downloads what appears to be an Excel file, which then downloads an encrypted binary, which converts to the remote access trojan FlawedAmmyy. Similar to what I pointed to above, the basic intention is to appear as benign as possible at the moment of the email security scan, and what ensues is more “web” than email.
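A gateway-side check for the .iqy attachment type in the campaign above, as an added example that is not from the column or from any vendor product: an Excel Web Query file is plain text whose third line names the URL Excel will fetch when the file is opened, so the attachment is benign-looking bytes that hand off to a web request. The check ties that URL to the message id so the email and web phases land in one record. The allow-list host and the sample attachment are constructed for the example.

```python
# Added example (not the column's code): classify an Excel Web Query (.iqy)
# attachment at the email gateway. The minimal IQY layout is three lines:
# "WEB", "1", then the URL Excel will request when the workbook opens.
from urllib.parse import urlparse

# Assumed allow-list of internal hosts a legitimate web query may point at.
ALLOWED_HOSTS = {"intranet.example"}


def inspect_iqy(data: bytes, msg_id: str) -> dict:
    """Parse the IQY header and classify where the web fetch would go."""
    text = data.decode("latin-1")  # IQY files are simple text
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return {"msg_id": msg_id, "verdict": "not_iqy", "url": None, "host": None}
    url = lines[2]
    host = (urlparse(url).hostname or "").lower()
    if host in ALLOWED_HOSTS:
        verdict = "allow"
    else:
        # An email attachment that triggers a fetch from an external host:
        # hold it and keep the URL so the web-phase analysis can continue.
        verdict = "quarantine"
    return {"msg_id": msg_id, "verdict": verdict, "url": url, "host": host}


# Constructed sample attachment resembling the "Unpaid invoice" lure.
SAMPLE_IQY = b"WEB\r\n1\r\nhttp://updates.example/invoice.iqy\r\n"


def demo() -> dict:
    return inspect_iqy(SAMPLE_IQY, "<inv-42@example>")
```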
