Email Threat Detection is a set of detection practices that protects email infrastructure from targeted malware delivered by email. These practices should form the last link in a layered email security stack that also includes more rudimentary anti-spam and anti-virus scanning tools.
In its most basic implementation, sensors are integrated into the email infrastructure and a copy of all incoming mail is forwarded by the mail transfer agent (MTA) over SMTP for automated analysis. Each message is then rapidly scanned for advanced threats by examining any attachments or embedded URLs it carries. URLs are cross-referenced against a database of known-malicious URLs, while attachments are handled using file triage and dynamic analysis.
A dynamic analysis approach uses a virtual sandbox environment into which suspicious attachments are placed and then executed (or "detonated") without putting the target system at risk.
Once executed within a sandbox, automated processes or security analysts can monitor the program from the outside for suspicious activity. Some examples of suspicious activity may include attempts to write to the registry, writes to memory, or attempts to call remote servers using APIs.
The dynamic analysis method is also particularly useful for identifying novel threats that have not yet been identified by the wider cybersecurity community. These new threats are generally known as zero-day (or sometimes zero-hour) attacks, and they can represent a significant challenge for security experts to combat.
After a full analysis, if malware is detected, the results can be forwarded over syslog to a Security Information and Event Management (SIEM) system in a custom or JSON-based format for further study.
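The triage step described above (extracting URLs and attachments from a copied message, checking URLs against a malicious-URL database, handing attachments to the sandbox) and the SIEM hand-off in the final paragraph, as one added example that is not part of the original article. The blocklist, the sample message and the syslog line format are constructed assumptions; a real deployment would query its URL database and sandbox instead.

```python
import email
import hashlib
import json
import re
from email import policy

# Constructed stand-in for a malicious-URL database (assumption).
URL_BLOCKLIST = {"http://malicious.example/invoice.php"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample message with one URL and one attachment; not a real capture.
SAMPLE_EML = (
    "From: billing@example.net\nTo: user@example.org\nSubject: Invoice\n"
    "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b1\"\n\n"
    "--b1\nContent-Type: text/plain\n\n"
    "Please review http://malicious.example/invoice.php today.\n"
    "--b1\nContent-Type: application/octet-stream; name=\"invoice.exe\"\n"
    "Content-Disposition: attachment; filename=\"invoice.exe\"\n\n"
    "MZfake\n--b1--\n"
)

def triage_message(raw, blocklist=URL_BLOCKLIST):
    """Extract URLs and attachments from a raw message and produce a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    urls, attachments = set(), []
    for part in msg.walk():
        if part.is_attachment():
            payload = part.get_payload(decode=True) or b""
            attachments.append({
                "filename": part.get_filename(),
                "sha256": hashlib.sha256(payload).hexdigest(),  # for file triage
                "needs_sandbox": True,  # hand off to dynamic analysis
            })
        elif part.get_content_type() == "text/plain":
            urls.update(URL_RE.findall(part.get_content()))
    flagged = sorted(u for u in urls if u in blocklist)
    verdict = "malicious" if flagged else ("needs_sandbox" if attachments else "clean")
    return {"event": "email_threat_detection", "subject": str(msg["Subject"]),
            "urls": sorted(urls), "flagged_urls": flagged,
            "attachments": attachments, "verdict": verdict}

def to_syslog_line(result, host="mailsensor"):
    """Render the result as an RFC 5424 style line carrying a JSON message (assumed format)."""
    return f"<14>1 - {host} email-td - - - {json.dumps(result, sort_keys=True)}"
```

The returned dictionary is what would be sent to the SIEM; attachments that are only hashed here are the ones the sandbox would detonate.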