Security Experts:

Learn to Use This First: Four Fundamental Tactics to Protect Email Ecosystems

There is a great line in the movie Braveheart where Uncle Argyle says to young William, “First, learn to use this, then I’ll teach you to use this.” He is of course talking about William’s mind over his sword, but it is a prophetic statement when applied to email security. Too often organizations are entering into an email ecosystem they are not prepared to safely use. It is our responsibility as security professionals to help with this.

As email security is an ever-changing landscape, focusing on the most relevant issues in the threat landscape is where organizations need to start.

So, which email tactics are the most relevant and pressing issues to focus on? Based off insights from Cofense, these three types of attacks were the most prevalent from 2021:  

• Credential Phishing

• Business Email Compromise (BEC)

• Malware

According to the analysts in Cofense’s Phishing Defense Center, credential phishing makes up about 70% of all attacks with BEC trailing behind at 7%, and malware (along with a few others) making up the rest. When you look at those numbers and combine it with what is given up during a successful credential phishing attack, it becomes clear that stopping credential attacks needs to be a top priority. This is not to say that BEC and malware attacks aren’t important to stop; they certainly are. Successful ones, much like resulting ransomware attacks, are often very lucrative for the attacker and terribly painful for the victim.  

For all three of these attacks, there are a few fundamental tactics organizations should do to ensure they are protecting their email ecosystem.  

Training Users

Credential phishing attacks seek to steal usernames and passwords and are most often executed using fake representations of real login pages. Training users is therefore critical and is the first – and best – step to keeping an enterprise safe. Training on real tradecraft is key, since there is a tendency in the industry to focus on volume over quality. In other words, don’t waste your employees’ time with training simulations that are not relevant; get to the heart of what they need to know.  

This is also true for BEC and malware threats. Attachments from outside unknown parties are always suspicious, and someone asking for gift cards, wire transfers, romance scams or other financial transactions on behalf of a company executive should never go unchecked. All these attack types are first and foremost addressed by training employees.  


The second approach is to ensure employees can report a threat when they see it. Your Security Operations Center (SOC) can’t respond to what they can’t see, so a reporting capability enables your SOC to get that needed visibility into what is coming at you via email. Reporting capabilities are vital so select one that is easy to deploy, supports the range of platforms in your organization, is able to provide feedback to users when they report simulations, and most importantly, provides the complete email to the SOC’s abuse box for analysis 

Rapid Response

The third approach is to build a rapid response capability that allows you to orient and respond quickly to a real threat. If you can both identify ‘bad’ and respond to ‘bad’, thus neutralizing or limiting the threat, you position your organization to survive an attack. This is not limited to just the reporter of a potentially malicious email, but to all recipients of that email. Most attacks send more than one email into a company, so if you have found one, you probably have more. Finding the others is important since you don’t want threats lying around user’s inboxes.

Post-Delivery Analysis

Finally, positioning capabilities that can evolve and proactively detect threats reduces the risk even more. Secure Email Gateways or SEGs are one method, but we continually see threats make it through these gateways, thus mandating the need for post-delivery analysis and response capabilities. Every SEG on the market today has weaknesses. Traditionally, companies have stacked SEGs in series to increase the probability that one will identify a threat. A post-delivery analysis solution, powered by knowledge of what gets through all SEGs is more functionally effective, as well as cost effective.

Understanding the most prevalent threats is important to determine where to place your limited energy and resources. All types of email attacks are dangerous, but with well–executed training, reporting, analysis, detection, and response capabilities in place, you reduce your risk of succumbing to any of the email attack approaches we’ve discussed.

view counter
Keith Ibarguen is Chief Product Officer at Cofense, and has more than 25 years of technical and managerial experience, most recently serving as Chief Engineer for the Law Enforcement and Domestic Security Division at the MITRE Corporation. He has worked to develop and enable novel solutions across a number of MITRE Sponsor and internal programs throughout his career, leveraging his expertise in cyber operations and enterprise cyber security, software development, enterprise IT design and deployment. Throughout his years of service, he has led activities with the DoD, the Intelligence, and Law Enforcement Communities as well as partnered with numerous not for profit and commercial firms.