
Cloud Email Security (CES) Overview

Email is the…

● #1 way organizations communicate
● #1 threat attack vector
● 70% of organizations use cloud email solutions today. (Gartner)
● 91% of all cyber attacks begin with a phishing email. (Deloitte)
Phishing threats include…

● Multiple Types: Links, Attachments, Business Email Compromise (BEC)
● Multiple Sources: Internal, External, Trusted Partners
● Multiple Channels: Email, Web, SMS, IM, Cloud Storage, Social Media...

[Diagram: partner/vendor account takeovers, external senders, and internal account takeovers all converging on the target organization]
Why Cloudflare?

2023 Forrester Wave for Enterprise Email Security

● Cloudflare named a Leader for its first year in the Wave report
● Cloudflare tied for the highest score in ‘Strategy’ with perfect scores in both vision and innovation
● Forrester increased their emphasis on vendors that provide protection beyond just email
● Forrester highlighted the increased adoption of layered security with multi-vendor coverage
● Ease-of-use matters with regard to deployment, integrations, investigations, and remediation
Email Security Market Direction

Forrester and Gartner have noted a shift away from traditional SEG models to leverage a more complementary pairing of native capabilities from email providers with email security solutions focused on protecting against more targeted and evasive phishing attacks. Compared to legacy SEGs, this pairing offers greater simplicity and better security outcomes at a lower cost.

Email Security (targeted phishing & BEC protection)
● Preemptive Threat Defense (URLs, Attachments, BECs, Spoofs)
● Multi-Channel Protection (Adaptive Link Isolation)
● ML-Powered BEC Detection (Employee/Vendor Account Compromise)
● Fast & Flexible Deployment (Inline, API, Journaling, Multi-Mode)

Email Provider (essential email & data controls)
● Email Hygiene (Anti-Virus, Anti-Spam)
● Sender Authentication (DMARC, DKIM, SPF)
● Data Protection (DLP, Message Encryption)
● Data Management (Archiving, Compliance, Data Controls)
Why Cloudflare has the best solution for phishing?

Automated and integrated phishing protection across a unified platform

Single, unified Zero Trust platform: Deliver consolidated security with the only fully-integrated Zero Trust platform that protects both employees and company data across email, web, IM, mobile, social, and cloud applications.

Superior intelligence, better detections: Remove uncertainty and minimize time spent on investigations with the most advanced threat models powered by automated, real-time intelligence from Cloudflare’s global network.

Seamless end-user experience: Ensure disruption-free productivity with email security that’s natively integrated across Zero Trust services for effective phishing protection that’s invisible to end users.
Links are the most detected phishing threat
(Results of 2023 Phishing Threats Report)

Links                 36%
Domain Age            30%
Identity Deception    14%
Credential Harvester   6%
Brand Impersonation    5%
Attachment             2%
Other                  7%

*Based on threat types seen within malicious email detections


Business Email Compromise (BEC)

BEC attacks: Low volume, high impact

● 2.7B: 2022 losses
● 80X: ransomware losses
● 21,832: complaints

● BEC Type 1, Spoofed Employee: impersonation of internal employees (often CXO) via spoofed sender and domain
● BEC Type 2, Compromised Employee: impersonation of internal employees via employee account takeover
● BEC Type 3, Spoofed Supplier: impersonation of external vendors/suppliers via spoofed sender and domain
● BEC Type 4, Compromised Supplier: impersonation of external vendors/suppliers via supplier account takeover

*Stats based on 2022 FBI IC3 report

Example BEC Type 4 attack

Impersonated sender: a legitimate supplier account that was compromised (legitimate, compromised sender).
Target: Accounting.

EMAIL AUTHENTICATION RESULTS

Authentication-Results: spf=pass (sender IP is xxx.xx.xxx.xxx)
 smtp.mailfrom=gmail.com; dkim=pass (signature was verified)
 header.d=gmail.com; dmarc=pass action=none
 header.from=gmail.com;compauth=pass reason=100

MARKED AS CLEAN BY M365

X-Forefront-Antispam-Report:
 CIP:209.85.208.170;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail-lj1-f170.google.com;PTR:mail-lj1-f170.google.com;CAT:NONE;SFS:

PDF contains link to credential harvester: https://hsrjrse[.]com/invoice/DocuSign/

THREAT TYPES identified as malicious: BEC Type 4, Identity Deception, Attachment, Link
● Compromised website identified
● Website contained DocuSign logo
● Matched multiple detection models

CLOUDFLARE INNOVATIONS
● Sentiment Analysis: lexical analysis algorithms and models used to identify message sentiment and intent. Cross validation with the malicious content of the PDF confirms malicious disposition.
● User Impersonation
Detecting BEC attacks: SPARSE™ (Small Pattern Analytics Engine)™

01 Structural Analysis: Headers; Body, Images, Computer Vision; Links, Payloads
02 NLU Modeling (Natural Language Understanding): Writing Patterns, Categories, Expressions
03 Sentiment Analysis: Intent, Tone, Relationship, Hierarchy
04 Thread Analysis: Conversations, Variations, Length
05 Industry Modeling: Verticals, Lingua Franca, Business Processes
06 Trust Graphs: Partner Social Graphs, Sending History, ATO Discovery, Partner Impersonations
Malware/Attachments

Ransomware still a booming business

● $5.13M cost of a ransomware attack in 2023 (an increase of 13% from 2022) [1]
● 24% share of malicious attacks that rendered systems inoperable [1]
● Phishing is still the most common delivery method for ransomware
● All industries and company sizes are being targeted with ransom attacks

[Chart: average ransomware payment]

[1] Source: 2023 IBM Cost of a Data Breach Report
Detecting all payload-based attack variants

Attack type                                                      | Detection technique
Malicious payload within attachment                              | ML models on payloads, signatureless detection, real-time sandboxing
Encrypted malicious payload within attachment, password in text  | Text Analysis, signatureless detection, ML on payload binary bitmap
Encrypted malicious payload within attachment, password in image | Computer Vision, ML models on payloads, signatureless detection
Malicious payload within an archived attachment                  | ML detection tree on payloads, archive decomposition
Malicious payload linked through URL                             | Remote attachment extraction, ML detection tree, instant crawl of links
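As an added example (not Cloudflare's code and not part of the deck), here is what the "archive decomposition" row means in practice: a recursive walk of a zip attachment that hands every leaf file to a scanner by hash, stops at a depth limit, and reports encrypted or suspiciously compressible members instead of expanding them, so the "password in text/image" cases and decompression bombs are surfaced rather than silently skipped. The depth, ratio and size limits, the sample attachment and its contents are assumptions constructed for this demo.

```python
import hashlib
import io
import zipfile

# Guard rails (assumed values for this demo, not Cloudflare's): how deep to
# follow nested archives and when an entry looks like a decompression bomb.
MAX_DEPTH = 5
MAX_RATIO = 100                      # uncompressed/compressed size
MAX_MEMBER_BYTES = 50 * 1024 * 1024

# Constructed sample payload; not a real document.
INVOICE_BYTES = b"%PDF-1.7\n% constructed sample invoice, not a real document\n"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def decompose(data, path="<root>", depth=0):
    """Yield (path, sha256_or_None, status) for every leaf reachable inside a zip.

    Nested zips are opened recursively up to MAX_DEPTH. Encrypted members and
    oversized or highly compressed members are reported instead of expanded, so
    the caller can route them to a password-recovery or sandbox step."""
    if depth > MAX_DEPTH:
        yield (path, None, "max depth exceeded")
        return
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not an archive: this is a leaf payload, hand back its hash for scanning.
        yield (path, sha256_hex(data), "leaf")
        return
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            member_path = f"{path}/{info.filename}"
            if info.flag_bits & 0x1:          # general-purpose bit 0: encrypted
                yield (member_path, None, "encrypted member")
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_RATIO or info.file_size > MAX_MEMBER_BYTES:
                yield (member_path, None, f"suspicious size (ratio {ratio:.0f}:1)")
                continue
            yield from decompose(archive.read(info), member_path, depth + 1)


def scan(data):
    """Fully decompose an attachment and return the findings as a list."""
    return list(decompose(data))


def wrap_in_zip(members):
    """Build an in-memory deflate zip from {name: bytes}; used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample():
    """Constructed attachment: a zip holding a cover note and a nested zip that
    contains the 'invoice' plus a highly compressible padding file."""
    inner = wrap_in_zip({"invoice.pdf": INVOICE_BYTES, "padding.bin": b"\0" * 200_000})
    return wrap_in_zip({"cover.txt": b"Please see the attached invoice.\n", "nested.zip": inner})


if __name__ == "__main__":
    for entry in scan(build_sample()):
        print(entry)
```

The status column is what makes this usable downstream: "leaf" entries go to the ML/signatureless scanners by hash, "encrypted member" entries go to the text or image password-extraction step from the table above, and anything flagged for size or depth is held for sandboxing rather than expanded in the mail pipeline.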
Malicious Links


Multi-channel phishing

ATTACK LIFECYCLE

Stages: the various phases of an attack that an attacker may progress through to reach their end goal.
  Research → Initial Access → Execution → Privilege Escalation → Continued…

Vectors: the various entry points and vulnerabilities an attacker will attempt to exploit to gain initial access.
  Software Exploitation, Phishing (#1 threat vector), Supply Chain Compromise, Drive-By Compromise, Continued…

Channels: the various applications an attacker can engage a user through to gain access, steal info, or commit fraud.
  Email, Web, Text, Social, IM
Example multi-channel phishing attack

Quishing (QR Code) Attacks

QR codes are increasingly being used for phishing attacks thanks to the various means of obfuscation and because they’re typically scanned by mobile devices that are more susceptible to exploitation.

Detection technique
Cloudflare employs a multi-faceted approach that includes deconstructing complex links, crawling URLs to the end, and analyzing a wealth of network telemetry to scrutinize domains, IPs, and usage patterns.

[Screenshot captions: DocuSign logo and email template used for brand impersonation; malicious link hidden within QR code to direct users to a fake login page]
Detecting malicious links

The Challenge
Organizations struggle to find an efficient method for handling “suspicious” email links without compromising security or workforce productivity. Link shorteners and deferred attacks further complicate this situation.

[Diagram: degree of confidence based on real-time intelligence, from 100% Malicious (BLOCK) through Suspicious (0%) to 100% Benign (ALLOW)]
● Block and potentially obstruct legitimate business activity
● Allow and potentially expose the user to malicious content
Deferred attacks (post-delivery)

● Weeks before launch: campaign setup
● Sunday, attack launch (part 1): benign link delivered after passing security controls
● Attack launch (part 2): link redirected to malicious website
● Monday, attack active: user clicks malicious link in their inbox
Isolating multi-channel phishing threats

● Adaptive link isolation that insulates users from untrusted web content
● Secure and scalable remote browsing via Network Vector Rendering (NVR) technology
● Low-latency, high resolution user experience that feels like local browsing
● Universal browser compatibility for greater ease-of-use

[Diagram: the user browser receives only Zero Trust draw commands; any website, link, or app (untrusted code, sensitive data) is loaded in a headless browser where the untrusted code is safely executed and interactions are controlled, enabled by Network Vector Rendering (NVR)]

Prevent…
● Known & 0-day exploits
● Keyboard input*
● File download/upload*
● Copy/paste and print*

*Disabling user actions requires SWG + RBI services
Brand Impersonation

Brand Impersonation - Most Phished Brands

Microsoft Impersonation Phish (Credential Harvesters)
● Impersonated sender: no-reply@sharepointonline.com
● Reply-To mismatch: help.desk.message.alert@mail.com
● HTML attachment contains credential harvester
[Image of a SharePoint email]

Banking Phish (Credential Harvesters)
● Impersonated sender
● Can you tell which one is real?

Attachment-based Voicemail Phish (Credential Harvesters)
● Impersonated sender

PASSED EMAIL AUTHENTICATION

Authentication-Results: spf=pass (sender IP is 202.224.55.14)
 smtp.mailfrom=atson.net; [redacted]; dkim=none (message not signed)
 header.d=none;[redacted]; dmarc=bestguesspass action=none
 header.from=atson.net;

MISSED BY MICROSOFT DETECTIONS

X-Forefront-Antispam-Report:
 CIP:202.224.55.14;CTRY:JP;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail02.asahi-net.or.jp;PTR:mail02.asahi-net.or.jp;CAT:NONE;SFS:(4636009)(376002)(346002)(39850400004)(136003)(396003)(2906002)(4270600006)(356005)(621065003)(73894004)(6666004)(8676002)(956004)(26005)(316002)(66616009)(36756003)(68406010)(70586007)(6966003)(6266002)(2160300002)(31686004)(34206002)(126090200001)(498600001)(7596003)(7246003)(7126003)(336012)(2616005)(31696002)(86362001)(7636003);DIR:OUT;SFP:1101;
X-Microsoft-Antispam: BCL:0;

HTML contains JS redirection using obfuscated URL, redirecting to: https://open.weprotect[.]xyz/?e=%am1hcmF6em9AcGxtaWxtLmNvbQ==

Credential harvester still active as of 2/19/2021

NEWLY REGISTERED DOMAIN - EMAIL WEAPONIZED ON 2/18/2021

Domain Name: WEPROTECT[.]XYZ
Registry Domain ID: Not Available From Registry
Registrar WHOIS Server: whois.hostinger.com
Registrar URL: https://www.hostinger.com
Updated Date: 2021-02-18T03:48:38Z
Creation Date: 2021-02-18T03:48:37Z

TARGETED USER:
Vice President of Accounting and Treasurer at F500 Insurance Company
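The two header dumps in this deck (the BEC Type 4 example and the voicemail phish above) make the same point: SPF, DKIM and DMARC verify which mailbox sent a message, and a provider SCL of 1 means the provider found nothing, neither of which says anything about intent. As an added example (not Cloudflare's code and not from the slides), the Python below parses Authentication-Results and X-Forefront-Antispam-Report headers generally and applies the checks the slides call out: a DMARC result that is not a real pass (bestguesspass), an unsigned message, a Reply-To domain that differs from From, a link domain registered within days of the send date, and a fully passing freemail sender that the provider scored clean. The FREEMAIL set, the sample From addresses, the Date header, the placeholder query string, and the 7-day window are assumptions; the authentication and Forefront values are taken from the slides.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlparse

COMMENT_RE = re.compile(r"\([^)]*\)")
# Assumed for this demo: consumer mailbox providers that pass SPF/DKIM/DMARC
# for every account holder, a compromised one included.
FREEMAIL = {"gmail.com", "mail.com", "outlook.com", "yahoo.com"}

def parse_auth_results(value):
    """Authentication-Results -> {method: {'result': ..., property: ...}};
    parenthesised comments such as '(sender IP is ...)' are dropped."""
    results = {}
    for segment in value.split(";"):
        tokens = COMMENT_RE.sub("", segment).split()
        if not tokens or "=" not in tokens[0]:
            continue  # authserv-id or empty trailing segment
        method, _, result = tokens[0].partition("=")
        entry = {"result": result.lower()}
        for token in tokens[1:]:
            key, _, val = token.partition("=")
            entry[key.lower()] = val.lower()
        results[method.lower()] = entry
    return results

def parse_forefront(value):
    """X-Forefront-Antispam-Report ('KEY:VALUE;...') -> dict."""
    fields = {}
    for item in value.split(";"):
        key, sep, val = item.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    return fields

def domain_of(address):
    return address.rsplit("@", 1)[-1].strip("<> ").lower()

def link_domain(url):
    """Registrable domain (last two labels, no public-suffix list) of a link,
    accepting the defanged 'example[.]com' form used in reports."""
    host = urlparse(url.replace("[.]", ".")).hostname or ""
    return ".".join(host.split(".")[-2:])

def triage(headers, links=(), whois_created=None, new_domain_days=7):
    """Indicators worth surfacing even when the provider scored the message clean."""
    whois_created = whois_created or {}
    findings = []
    auth = parse_auth_results(headers.get("Authentication-Results", ""))
    report = parse_forefront(headers.get("X-Forefront-Antispam-Report", ""))
    from_domain = domain_of(headers.get("From", ""))
    dmarc = auth.get("dmarc", {}).get("result", "absent")
    if dmarc != "pass":  # bestguesspass, none and fail are not verified passes
        findings.append(f"dmarc={dmarc}: not a verified pass")
    if auth.get("dkim", {}).get("result") != "pass":
        findings.append("dkim: message not signed or signature failed")
    reply_to = headers.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"reply-to mismatch: {domain_of(reply_to)} vs {from_domain}")
    sent = parsedate_to_datetime(headers["Date"]) if "Date" in headers else None
    for url in links:
        created = whois_created.get(link_domain(url))
        if sent and created and sent - created < timedelta(days=new_domain_days):
            findings.append(f"newly registered link domain {link_domain(url)}: "
                            f"created {(sent - created).days} day(s) before send")
    scl = int(report.get("SCL", -1))
    fully_passed = all(auth.get(m, {}).get("result") == "pass" for m in ("spf", "dkim", "dmarc"))
    if fully_passed and from_domain in FREEMAIL and 0 <= scl <= 1:
        findings.append(f"SCL {scl} with full auth pass from {from_domain}: "
                        "authentication proves mailbox access, not intent")
    return findings

# Constructed sample 1, modelled on the BEC Type 4 slide: compromised Gmail
# supplier account, every check passes, M365 scores SCL 1. From is invented.
BEC_TYPE4 = {
    "From": "accounts-payable@gmail.com",
    "Authentication-Results": "spf=pass (sender IP is xxx.xx.xxx.xxx) smtp.mailfrom=gmail.com; "
        "dkim=pass (signature was verified) header.d=gmail.com; dmarc=pass action=none "
        "header.from=gmail.com;compauth=pass reason=100",
    "X-Forefront-Antispam-Report": "CIP:209.85.208.170;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;CAT:NONE;",
}
# Constructed sample 2, combining the voicemail-phish authentication headers, the
# SharePoint-phish Reply-To mismatch and the newly registered redirect domain.
# From, Date and the link's query string are invented.
VOICEMAIL = {
    "From": "voicemail@atson.net",
    "Reply-To": "help.desk.message.alert@mail.com",
    "Date": "Thu, 18 Feb 2021 12:00:00 +0000",
    "Authentication-Results": "spf=pass (sender IP is 202.224.55.14) smtp.mailfrom=atson.net; "
        "dkim=none (message not signed) header.d=none; dmarc=bestguesspass action=none header.from=atson.net;",
    "X-Forefront-Antispam-Report": "CIP:202.224.55.14;CTRY:JP;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;CAT:NONE;",
}
VOICEMAIL_LINKS = ["https://open.weprotect[.]xyz/?e=PLACEHOLDER"]
WHOIS = {"weprotect.xyz": datetime(2021, 2, 18, 3, 48, 37, tzinfo=timezone.utc)}  # Creation Date on the slide
```

Run `triage(BEC_TYPE4)` and the only finding is the freemail note, which is exactly the deck's point: header authentication is a precondition for trust, not a verdict, and the content (the PDF and its link) still has to be analysed. `triage(VOICEMAIL, VOICEMAIL_LINKS, WHOIS)` returns four findings even though the provider again reported SCL 1. In production the `whois_created` map would come from a registration-data lookup and `links` from the parsed body and attachments.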
Cloudflare deployment flexibility

[Diagram: two deployment modes]
● Benefits: no inbox dwell time, adaptive link isolation, pre/post-delivery protection
● Benefits: faster deployment, post-delivery retraction, easier setup for complex architectures
Start a phishing assessment

O365 users
Run a free phishing retro scan in minutes to identify active threats that have already evaded existing security controls over the past 14 days and are currently sitting in your inbox.

Gmail users
Request a free phishing risk assessment to identify the phishing threats that are evading your existing security controls, as they’re being delivered.
