Email is the simplest way to target malware to a specific person and has a VERY high likelihood of being effective.
Email is still the best delivery mechanism for highly targeted campaigns. The message may carry the malware payload itself, may direct the user to a site that downloads the payload, or may ask for credentials on a misleading site so the attacker can access cloud services with your credentials.
While all the rage is about APTs (Advanced Persistent Threats), surprisingly old school hacks remain extremely effective over Email, in particular:
- MS Office attachments (e.g. Word and Excel documents)
- Spear phishing attacks
A typical scenario is the receipt of a resume via Email, or any other document that appears legitimate, that is laced with macros or scripts which invoke exploits and/or malware to ensnare the victim.
Most people believe in one or more of these myths:
- SaaS Email from a service is safe
- Stripping EXE, bat and other attachments is enough
- Having a SPAM appliance (e.g. Barracuda Networks) or service is enough
- Endpoint AV software will protect them
- Next generation firewalls will protect against this
- Using a SaaS service will "air gap" the endpoint
- Only larger firms are targeted
No, no, no, no, no, no and no!
None of the above will block a legitimately allowed attachment, typically an MS Word or Excel file laced with malware or with exploits that download malware. Even PDF files can be infected. All the aforementioned solutions ultimately rely on signature based techniques, and the real, ongoing, observed threat of zero day malware and rapid mutations makes them ineffective.
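To make the point about attachment stripping concrete, here is an added example (not from the original post) of the kind of content-based check a mail gateway or IR script can apply: Office Open XML files are ZIP containers, and a VBA project travels inside them as a vbaProject.bin part whatever extension the sender chose, so the check inspects the container rather than trusting the file name. The sample message, the addresses and the minimal documents are constructed for the demonstration; legacy OLE .doc/.xls files are outside its scope.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Office Open XML (docx/xlsx/docm/xlsm) is a ZIP; a VBA project is stored as a
# vbaProject.bin part regardless of the extension on the attachment name.
MACRO_PART = "vbaproject.bin"

def has_vba_macro(data: bytes) -> bool:
    """True if `data` is an OOXML container holding a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith(MACRO_PART) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not an OOXML container (e.g. legacy OLE .doc, not covered here)

def scan_message(raw: bytes) -> list[tuple[str, bool]]:
    """Return (filename, has_macro) for every named attachment in a raw RFC 822 message."""
    msg = message_from_bytes(raw)
    results = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname:  # the multipart wrapper and the text body carry no filename
            results.append((fname, has_vba_macro(part.get_payload(decode=True))))
    return results

def make_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container used only to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Only the OLE magic bytes; no actual VBA code is embedded.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")
    return buf.getvalue()

def build_sample_email() -> bytes:
    """Constructed 'resume' email: one attachment with a VBA part, one without."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.com"  # constructed sender
    msg["To"] = "hr@example.com"           # constructed recipient
    msg["Subject"] = "Resume"
    msg.set_content("Please find my resume attached.")
    docx = "vnd.openxmlformats-officedocument.wordprocessingml.document"
    msg.add_attachment(make_ooxml(True), maintype="application", subtype=docx, filename="resume.docx")
    msg.add_attachment(make_ooxml(False), maintype="application", subtype=docx, filename="cover_letter.docx")
    return bytes(msg)
```

Running scan_message(build_sample_email()) flags resume.docx and clears cover_letter.docx even though both carry an allowed extension, which is exactly the gap an extension-only filter leaves.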
These days, the only way to still receive this kind of attachment and achieve 99% effectiveness in blocking the threats is with sandboxing techniques. In particular FireEye and Fortinet FortiMail are great examples. Whether on premise or cloud based, it's currently the only way to conduct business through Email with some assurance of active breach protection.
However… Corporate Email is one thing; personal web mail, other SaaS offerings and the invisibility afforded by encryption mean you need to inspect ALL traffic.
Fortunately solutions and best practices exist, but the key is in proper execution of appropriate technologies.