
TREND REPORT: HOW MODERN EMAIL PHISHING ATTACKS HAVE ORGANIZATIONS ON THE HOOK

I. INTRODUCTION TO EMAIL PHISHING MITIGATION

Phishing has evolved from a mere nuisance into a global epidemic in which organizations of all sizes and across all industries are being negatively impacted at high frequency. In 2016 alone, the SANS Institute revealed that 95% of all cyberattacks began with spear-phishing; the Ponemon Institute reported 86% of all phishing attacks contain ransomware, and the Anti Phishing World Group (APWG) discovered a 65% increase in phishing attacks compared to the previous year, totaling 1,220,523 attacks worldwide.

"Artificial Intelligence predicts cyber-attacks significantly better than existing systems by continuously incorporating input from human experts." - MIT
Adam Conner-Simons, MIT CSAIL (04.18.2016)

Of all attack vectors, email remains the most commonly exploited for a variety of reasons. Malicious emails continue to easily bypass legacy spam filters, firewalls, and gateway security scans that still inexcusably rely on signatures and email content scanning when analyzing messages.

Secondly, due to human nature, it takes only a few unaware or preoccupied users to download or click on a malicious email link or attachment to inadvertently provide attackers with access to sensitive corporate networks and data.

Thirdly, a report from FireEye cites the average time from breach to detection being 146 days globally, and a colossal 469 days for the EMEA region, which means early detection and alerts are as important as ever.

In the midst of phishing attacks becoming exponentially more sophisticated and targeted, the majority of email security providers continue to offer signature-based and behavioral signature solutions that scan links and attachments, determine domain reputation and verify sender-receiver relationship, among other futile safeguards.

Knowing that the use of signature and rules-based solutions continues as the status quo, attackers often find their hacking tools and techniques relatively unchallenged by defenses that are limited to following rules that hackers can easily subvert through spear-phishing and social engineering. Although there is almost universal agreement by malware researchers to ditch YARA Rules and regular expressions, many email security solutions are lagging in doing so. In the meantime, many mid-sized and large organizations are investing millions in security awareness and training to help employees identify and report phishing emails in real-time. But what most of the cybersecurity industry and many organizations don't yet fully realize is that to truly minimize the risk of email phishing attacks, machines and humans must continuously work together.

IRONSCALES combines human intelligence with machine learning. By ditching rules-based email security, IRONSCALES expedites the time from phishing attack discovery to enterprise-wide remediation from months or weeks to minutes or seconds, with minimal security team involvement needed.

1. https://www.sans.org/reading-room/whitepapers/analyst/trenches-2016-survey-security-risk-financial-sector37337-
2. http://www.pymnts.com/fraud-attack/2017/phishing-attacks-hit-new-record-in2016-/
3. https://www.csail.mit.edu/System_predicts_85_percent_of_cyber_attacks_using_input_from_human_experts20%

II. IRONSCALES EMAIL PHISHING REPORT

IRONSCALES analyzed data from more than 100 of its customers and 500,000 mailboxes across four continents spanning 2016 - 2017 to better understand trends in email phishing, attacker patterns, phishing tools & techniques, and hacker preferences. In total, more than 8,500 verified attacks that bypassed spam filters were evaluated. The following highlights the key takeaways, with analysis and details about how IRONSCALES technologies can expedite the mitigation and remediation of attacks once discovered.

A. Spear Phishing Increasingly Laser Designated

THE KEY FINDINGS:

Approximately 77% of attacks targeted 10 mailboxes or less.

One-third (33%) of attacks targeted just one mailbox.

[Chart: AFFECTED MAILBOXES PER ATTACK. 10 mailboxes and less: 77.4%; more than 10 mailboxes: 22.6%.]

Analysis:
We know that attackers target specific individuals who they deem most susceptible to social engineering attacks. As to why attackers are finding it increasingly beneficial to target attacks on fewer mailboxes, we can surmise that it is likely due to:

1. Attackers' preference for staying under the radar (e.g., the fewer people targeted, the fewer conversations and, as a result, the fewer alarm bells raised).

2. More sophisticated targeting allows for tailored messages to certain projects and jobs.

3. Hyper-personalized targeting has proven effective at tricking people susceptible to emails written with a personal touch.

Benefits:
IRONSCALES' combination of human intelligence and machine learning technology is the perfect antidote to combat the number of complex and micro-targeted spear-phishing attacks that easily bypass rule-based spam filters.

Our automatic incident response technology, IronTraps, empowers phishing-vigilant employees to seamlessly report attacks in real-time with a simple click of a button, triggering an immediate enterprise-wide remediation response that significantly reduces the time malicious emails lie idle in employees' inboxes. Federation, our real-time actionable intelligence sharing network, records and shares attack signatures instantaneously with all other users, permanently immunizing those organizations from this specific type of phishing attack.

B. Blast Attacks Becoming More Micro-Targeted as Attackers Test Drip-Campaign Attacks

THE KEY FINDINGS:

More than 47% of email phishing attacks lasted less than 24 hours.

Nearly 65% of email phishing attacks lasted for less than 30 days.

Of the email phishing attacks that lasted more than 30 days, 35% spanned for 12 months or more.

[Chart: ATTACK DURATION (ONE YEAR). Vertical axis: percentage of all attacks (0% to 60%); horizontal axis: days (30 to 360).]

The Analysis:
Attack duration is defined as the amount of time that it takes an attack to stop perpetrating. Phishing emails, comprised of the same attack, can be repeated, repurposed and sent multiple times per year. These findings suggest that:

1. A majority of attackers have a limited threshold for attack duration.

2. There is an increasing preference for Blast campaigns targeting less than 10 mailboxes at a time.

3. Malware drip campaigns are successfully beating traditional spam filters and, once they do, the attacks continue to perpetrate for long periods of time.

With 35% of email phishing attacks lasting for 12 months or more, malware drip campaigns are having success beating email security safeguards. This is most likely because drip campaigns can easily defeat signature-based email security solutions by using polymorphism techniques, changing email artifacts like the sending IP, subject lines and elements of the email body.

Benefits:
IRONSCALES technology provides 365/7/24 actionable intelligence that combines the attack findings of users and security analysts with our advanced machine learning technology. For our users, the probability for detecting morphed attacks is scientifically higher when using machine learning technologies vs. signature-based solutions. As a result, detection rates are vastly improving, while detection times and response times decrease.

C. Machine Learning Expedites Detection to Remediation from Months to Seconds

THE KEY FINDINGS:

55% of attacks were discovered in one minute or less.

75% of attacks were discovered in less than 5 minutes.

False positive rate was as low as 2% on user reported attacks.

[Chart: DETECTION TIME. Less than 1 min: 55.3%; more than 1 min: 44.7%.]

[Chart: DETECTION TIME (FIRST 30 MINUTES). Vertical axis: percentage of all attacks (0% to 50%); horizontal axis: minutes (0 to 30).]

The Key Analysis:
Today, sophisticated malware often comes with a delayed execution mechanism built in to help avoid dynamic analysis, such as Sandbox Solutions, which look for malicious patterns and behaviors in an isolated virtual environment. Because of delayed execution, overburdened security teams, too many false positives and a lack of incident response technology, the average time from detection to enterprise-wide remediation for phishing email attacks worldwide ranges from weeks to months.

Benefits:
IRONSCALES expedites attack discovery by combining human intelligence with machine learning, thereby accelerating the mitigation and remediation processes through automated response technology. The rapid detection and remediation times are primarily the result of:

1. IronSchool, IRONSCALES' user awareness training, puts employees through vigorous gamified simulations of experiential learning.

2. IronSights, IRONSCALES' inline email security technology, visually flags any malicious impersonation/spoofing attempts.

3. IronTraps, IRONSCALES' automated incident response technology, automatically analyzes and remediates incoming threats in real-time.

4. Federation, IRONSCALES' real-time actionable intelligence plugin for IronTraps, automatically protects all other IRONSCALES users from ongoing phishing attacks verified by trusted security analysts.

5. Integrations with Sandbox/Multi AV partners, such as Check Point's SandBlast, further help expedite detection times by automating forensics.

D. Majority of Targeted Attacks Bypass Email Filters

THE KEY FINDINGS:

Almost 95% of email phishing attacks were highly-targeted campaigns, with the majority impersonating internal communications teams or individuals (i.e. CEO fraud).

For every 5 brand spoofed attacks identified by spam filters, approximately 20 spear-phishing attacks bypassed the safeguard and went undetected.

[Chart: Top 10 Most Remediated Departments (MOST REMEDIATED DEPARTMENTS). Departments listed: Operations, Finance, Sales, IT, Human Resources, Customer Service, Production, R&D, Logistics, Marketing, Management. Horizontal axis: automated remediations (5% to 35%).]

[Chart: Top 10 Most Spoofed Brands (10 MOST FREQUENTLY SPOOFED BRANDS). Brands listed: DHL, Google, Amazon, Paypal, Yahoo, Microsoft, Apple, Vodafone, Facebook, FedEx. Horizontal axis: percentage of all branded attacks (0% to 30%).]

The Analysis:
Although brand spoofing attacks are on the rise, IRONSCALES sees a low number of these attacks because spoofs are more likely to be picked up by traditional spam filters. However, email impersonations, such as BEC and CEO fraud, are increasingly bypassing traditional email security controls, especially those that target internal executives versus large brands.

Benefits:
IRONSCALES IronSights automatically discovers, mitigates and remediates impersonation, CEO fraud and brand spoofing attacks that bypass spam filters by inspecting and analyzing all emails at the mailbox level using deep scans and machine learning. Acting as an employee's virtual security analyst, IronSights validates sender reputation and authenticity, while also assessing behavioral patterns in search of anomalies in communications.

All suspicious emails are visually flagged as soon as the email hits the inbox, and a button inside the Outlook toolbar enables instant notification to security teams for further investigation or immediate remediation.

III. DETECTION & REMEDIATION IMPROVEMENT WITH IRONSCALES

The following chart chronicles remediated attacks for 12 companies with approximately 5,000 mailboxes each (60,000 mailboxes total) that started using IRONSCALES during the same month in 2016.

[Chart: AUTOMATED REMEDIATIONS OVER THE YEAR 2016. Vertical axis: automated remediations (0 to 6000); horizontal axis: Q1 to Q4. Series: Detected by company employees (Report button); Detected by employees in other companies; Detected by AV / Sandbox / URL scanning (IronScan).]

The Results:

The increasing number of employee detections can be explained by improved employee awareness training due to gamified educational simulations conducted over time.

Increasing Federation numbers correlate with its official rollout at end of Q2 2016. Upon confirmation of attack identification, Federation immediately logs the attack data and cross-references all users for emails containing a similar pattern. When an attack is matched, the users are notified in real-time through in-line messaging or instant quarantine. With this intelligence sharing, Federation then communicates immediately with IronTraps, which automatically remediates the attack without the need for employee or security team intervention.

AV detection improvement during Q4 was the result of a new partnership with Check Point, which began in Q3 2016.

The Key Takeaway:

All 12 organizations benefitted from exponential improvements in phishing attack discovery, mitigation and remediation. This resulted in reduced risk and less burden on security teams and their resources.

IRONSCALES is the leader in anti-email phishing technologies.

The first and only anti email phishing provider to combine human intelligence with machine learning
to automatically prevent, detect and respond to today's sophisticated email phishing attacks using a
multi-layered approach.

IRONSCALES expedites the time from phishing attack to remediation from weeks to seconds, with
minimal security team involvement. Headquartered in Ra'anana, Israel, IRONSCALES was founded by
a team of security researchers, IT and penetration testing experts, as well as specialists in the field
of effective interactive training, in response to the increasing phishing epidemic that today costs
companies millions of dollars annually. It was incubated in the 8200 EISP, the top program for cyber
security ventures, founded by alumni of the Israel Defense Forces' elite Intelligence Technology unit.

START WITH IRONSCALES TODAY

For more information on IRONSCALES, visit our website at: www.ironscales.com and follow us @ironscales on Twitter