E-Mail-Security im Blick – An eye on e-mail security

Statistiken geben Anlass zur Sorge

Eine Analyse vom Oktober dieses Jahres hat ergeben, dass im 3. Quartal 2023 10 % mehr E-Mails mit bösartigen Links auftauchten als im Vorquartal. Der Anstieg ist beträchtlich, wobei Experten davon ausgehen, dass die Zahl der Angriffe bis Weihnachten weiter steigen wird. Zu rechnen ist unter anderem mit KI-gestützten Phishing-Mails, die vorgeben von legitimen Paketdiensten stammen. Einige Anbieter sind bereits dazu übergegangen, ihre Kunden explizit zu warnen. Ein besonders häufiger Angriffsvektor sind bösartige Links zu Google Drive und anderen Cloud-Speichern sowie die Verbreitung von QR-Codes. Sie verstecken sich beispielsweise in PDF-Dateien und leiten die Opfer zu manipulierten Seiten weiter. Signaturbasierte Systeme greifen hier wie so oft zu kurz.

Alles in allem bleibt die E-Mail eine der wichtigsten Kommunikationsformen. Diese Zahl der privat und geschäftlich versendeten und empfangenen Mails soll auch in den kommenden Jahren kontinuierlich steigen und sich im Jahr 2026 auf 392,5 Milliarden Mails pro Tag belaufen. Das heißt, moderne Sicherheitslösungen müssen diesen Anforderungen zurechtkommen und die E-Mail-Kommunikation noch besser schützen. Dabei darf die Usability allerdings nicht leiden.

Wie Cyber-Angriffe ablaufen: E-Mails bleiben ein Problem

Wider besseren Wissens gehen Verantwortliche immer noch davon aus, dass der klassische Cyber-Angriff über das Internet auf die Firewall eines Unternehmens zielt und von dort aus Netzwerke kompromittiert. Die Realität sieht anders aus. Bei weit über 80 Prozent aller Angriffe versenden Cyberkriminelle eine E-Mail mit Schadcode oder Phishing-Links an interne Nutzer. Diese E-Mails gelangen häufig ungehindert in die Postfächer der Anwender, da herkömmliche Virenscanner Phishing-Mails oft nicht erkennen. In vielen Fällen setzen die Angreifer mittlerweile auf QR-Codes, die auf bösartige Seiten verlinken. Solche Codes unterlaufen traditionelle Sicherheitslösungen.

Das liegt nicht zuletzt daran, dass die Angreifer inzwischen auf KI und frei verfügbare Chatbots wie ChatGPT zurückgreifen. Häufig enthalten diese E-Mails sehr überzeugend formulierte Anweisungen, die den Nutzer auffordern, bestimmte Webseiten zu öffnen oder Informationen preiszugeben. Solche E-Mails sind mittlerweile so professionell gestaltet, dass selbst Experten darauf hereinfallen. Beim prominenten Diebstahl von Authentifizierungsschlüsseln für Microsoft Azure vor einigen Monaten ist sogar ein Ingenieur bei Microsoft auf eine Phishing-Mail hereingefallen. Mittlerweile sind offensichtlich so gut wie alle Nutzer gefährdet, Opfer einer Phishing-Attacke zu werden. Bösartige Phishing-E-Mails lassen sich zum Teil erst dann als solche erkennen, wenn sie in einer Sandbox überprüft werden, und die Malware ausgeführt wird. In den meisten Fällen gelingt es den Angreifern nach einem erfolgreichen Phishing-Angriff, Code auf dem Rechner des Opfers auszuführen und schließlich in das Netzwerk einzudringen. Die Folgen sind bekannt: Datendiebstahl, Erpressung durch Ransomware und oftmals nicht unerhebliche finanzielle Folgeschäden.

Die Angreifer arbeiten oft mit einer Flut von Spam- und Phishing-E-Mails, die signaturbasierte Malware-Scanner schlichtweg überfordern. Abhilfe versprechen kombinierte, heuristische Ansätze (Yara Rules), denen es gelingt, auch aus einer großen Menge von E-Mails die schädlichen Nachrichten herauszufiltern. Bei der obigen Analyse konnten mit klassischen, heuristischen Regeln über 800.000 Spam-E-Mails identifiziert werden. Weitere 70.000 wurden mit modernen, heuristischen Regeln abgefangen. Klassische, signaturbasierte Ansätze haben demgegenüber nur 150.000 Spam-E-Mails erkannt.

Aktuell setzen Angreifer auf einfachere Angriffsmethoden, um „unter dem Radar“ vieler Sicherheitstechnologien ins Netzwerk zu gelangen. Dabei kommen vor allem Callback-Phishing und Business E-Mail Compromise zum Einsatz. Beim Callback-Phishing werden die Opfer aufgefordert, einen vermeintlich seriösen Kontakt anzurufen, der zum Beispiel bei einem Problem am Computer helfen soll. Hier kommen nicht selten KI-gestützte Deep Fakes zum Einsatz. Während des Anrufs versucht der Angreifer, das Opfer zur Installation von Software auf dem Computer zu überreden. Eine Methode, die leider häufig zum Erfolg führt. Bei BEC-Angriffen werden (oft sehr gut gemachte) Geschäfts-E-Mails gefälscht und das Opfer aufgefordert, bestimmte Informationen preiszugeben, Links anzuklicken oder Anwendungen zu installieren. Der vermeintliche Absender ist oft ein Vorgesetzter im Unternehmen, dem die Anwender vertrauen.

Mehr Angriffe, bösartiger und professioneller gestaltet

Die stark wachsende Zahl bösartig manipulierter E-Mails ist alarmierend. Inzwischen werden Firmen über mehr als jede zehnte E-Mail angegriffen. Die Praxis zeigt, dass ein einziger erfolgreicher Angriff ausreicht, um komplette IT-Sicherheitssysteme auszuhebeln. Bei den Untersuchungen fällt auf, dass die Angreifer verstärkt auf schädliche Links setzen, die viele Malware-Scanner nicht (ausreichend) überprüfen. So passieren etliche Malware- oder Phishing-Mails anstandslos die Filter. Im Vertrauen auf die installierte Sicherheitslösung klicken Nutzer dann doch auf die in den E-Mails enthaltenen Links. Dabei spielt die insgesamt professionelle Darstellung der E-Mails eine wichtige Rolle. Verantwortliche im Unternehmen sollten deshalb darauf achten, dass der Malware-Scanner den Inhalt einer E-Mail sehr detailliert scannt und dabei auch Links berücksichtigt, hinter denen schlussendlich Malware/Ransomware stecken kann.

Kompromittierte E-Mail-Anhänge sind aber nicht verschwunden. Vor allem PDFs mit Schadcode sind derzeit ein Thema. Nutzer tendieren dazu, PDF-Dateien zu vertrauen und sie ungeprüft zu öffnen. Teilweise sind in den PDF-Dokumenten bösartige QR-Codes verborgen, die ihrerseits auf bösartig manipulierte Webseiten verweisen.

Signaturbasierte Scanner kommen mit modernen Schad-E-Mails kaum noch zurecht. Attachment Sandboxing erlaubt es, Anhänge in einer sicheren Umgebung auszuführen. Beim Ausführen offenbaren die betreffenden E-Mails dann ihre wahre Natur. Geschieht dies in einer sicheren Sandbox, greift der Malware-Scanner. Ohne diese Technik würde der Anhang seinen Schadcode nahezu ungestört auf dem Rechner des Anwenders und im Netzwerk verbreiten. Intelligente Malware-Scanner informieren dann den Anwender oder/und den Administrator darüber, ob der Anhang gefährlich ist oder nicht.

Wie geht die Entwicklung in der E-Mail-Security weiter?

In den nächsten Jahren ist kaum davon auszugehen, dass Angriffe per E-Mail weniger werden. Phishing wird einer der Schwerpunkte bleiben, wenn es darum geht, Anmeldedaten abzugreifen oder Malware zu installieren. Das BSI konstatiert in seinem Lagebericht zur IT-Sicherheit in Deutschland 2023 „Insgesamt zeigte sich im aktuellen Berichtszeitraum eine angespannte bis kritische Lage. Die Bedrohung im Cyberraum ist damit so hoch wie nie zuvor. Ransomware blieb die Hauptbedrohung. Einen vollständigen Schutz vor Ransomware-Angriffen gibt es nicht, denn Angreifer können auch neue Angriffswege nutzen, für die noch keine Detektions- und Abwehrmethoden entwickelt wurden“.

Aus diesem Grund sollten sich Unternehmen darauf vorbereiten, den E-Mail-Verkehr mit möglichst intelligenten und modernen Scannern zu schützen. Die sind in der Lage, eingehende E-Mails und die darin enthaltenen Links genauer zu analysieren. Schon allein aus dem Grund, weil Angreifer immer mehr auf KI setzen, sollten Unternehmen sich selbst diese Technologie zunutze machen. Etwa, um bisher unbekannte Angriffsmethoden und Malware-Varianten zu erkennen und zu bekämpfen. Auf der Basis von KI lassen sich beispielsweise Anomalien und Muster in E-Mail-Verkehr präziser erkennen und potenziell schädliche Aktivitäten frühzeitig identifizieren. Weiterhin ist eine Integration von stärkeren Authentifizierungsmechanismen zu erwarten, wie beispielsweise Multi-Faktor-Authentifizierung, um die Identität der E-Mail-Absender besser verifizieren zu können.

Vermutlich wird auch der Einsatz der Blockchain-Technologie für eine transparente und manipulationsresistente Nachverfolgung der E-Mail-Kommunikation zunehmen. Diese Technologien, kombiniert mit kontinuierlichen Updates der Sicherheitsprotokolle und intensiven Awareness Trainings, bilden die Grundlage für eine robustere Abwehr von E-Mail-basierten Bedrohungen. Eine moderne Security-Lösung für E-Mails muss einerseits mit der stark steigenden Anzahl der Nachrichten an sich klarkommen und andererseits mit dem Zuwachs von bösartig manipulierten W-Mails, die immer professioneller, raffinierter und intelligenter werden.

Fazit

Auch was das Thema Cybersicherheit anbelangt sind wir in diesem Jahr an einem Wendepunkt angelangt. Die kontinuierliche Abstimmung von Cybersicherheit, Geschäftsstrategie und Betrieb ist unabdingbar geworden. Mit der Einführung von generativer KI als einem vielfältig genutzten geschäftlichen Instrument, steigt neben der schieren Zahl von Cyberangriffen auch das Risiko für den Verlust von geistigem Eigentum und Geschäftsdaten exponentiell. Dazu kommt die wachsende Gefahr, gegen Branchenvorschriften wie HIPPA, DSGVO/GDPR und eine Vielzahl ähnlich gelagerter länderspezifischer Datenschutzgesetze zu verstoßen. Ausgewiesene Fachkompetenz und Verantwortung für eine aktive Steuerung von Sicherheitsinitiativen werden auf Vorstandsebene zu einer strategischen Priorität. Das gilt auch für eine umfassende Betrachtung des Dauerbrenners E-Mail-Sicherheit. 

Statistics give cause for concern

An analysis from October of this year revealed that 10% more emails with malicious links appeared in Q3 2023 than in the previous quarter. The increase is significant, with experts predicting that the number of attacks will continue to rise until Christmas. Among other things, AI-supported phishing emails pretending to come from legitimate parcel services are to be expected. Some providers have already started to explicitly warn their customers. Malicious links to Google Drive and other cloud storage and the distribution of QR codes are a particularly common attack vector. They are hidden in PDF files, for example, and redirect victims to manipulated pages. As is so often the case, signature-based systems fall short here.

All in all, email remains one of the most important forms of communication. The number of private and business emails sent and received is expected to continue to rise in the coming years, reaching 392.5 billion emails per day in 2026. This means that modern security solutions must be able to cope with these requirements and protect email communication even better. However, usability must not suffer in the process.

How cyber attacks work: Emails remain a problem

Contrary to better knowledge, those responsible still assume that the classic cyber attack via the Internet targets a company’s firewall and compromises networks from there. The reality is different. In well over 80 percent of all attacks, cyber criminals send an email with malicious code or phishing links to internal users. These emails often reach users‘ inboxes unhindered, as conventional virus scanners often fail to detect phishing emails. In many cases, attackers now use QR codes that link to malicious pages. Such codes undermine traditional security solutions.

This is not least due to the fact that attackers are now using AI and freely available chatbots such as ChatGPT. These emails often contain very convincingly worded instructions that ask the user to open certain websites or disclose information. Such emails are now so professionally designed that even experts fall for them. In the high-profile theft of authentication keys for Microsoft Azure a few months ago, even an engineer at Microsoft fell for a phishing email. In the meantime, almost all users are obviously at risk of falling victim to a phishing attack. In some cases, malicious phishing emails can only be recognized as such when they are checked in a sandbox and the malware is executed. In most cases, after a successful phishing attack, the attackers manage to execute code on the victim’s computer and finally penetrate the network. The consequences are well known: Data theft, extortion through ransomware and often not inconsiderable consequential financial losses.

Attackers often work with a flood of spam and phishing emails that simply overwhelm signature-based malware scanners. Combined heuristic approaches (Yara Rules), which are able to filter out the malicious messages even from a large volume of emails, promise to be a remedy. In the above analysis, more than 800,000 spam emails were identified using classic heuristic rules. Another 70,000 were caught using modern heuristic rules. In contrast, classic signature-based approaches detected only 150,000 spam emails.

Attackers are now using simpler methods to gain access to the network „under the radar“ of many security technologies. Callback phishing and business email compromise are the most common methods. In callback phishing, victims are asked to call a supposedly legitimate contact who can help them with a computer problem, for example. AI-based deep fakes are often used. During the call, the attacker tries to convince the victim to install software on their computer. Unfortunately, this is often successful. In BEC attacks, (often very well crafted) business emails are spoofed and the victim is asked to provide certain information, click on links, or install applications. The purported sender is often a company executive whom users trust.

More malicious and professional attacks

The rapidly growing number of malicious emails is alarming. More than one in ten emails is now used to attack companies. Experience shows that it only takes one successful attack to undermine entire IT security systems. Research has shown that attackers are increasingly using malicious links that are not (sufficiently) checked by many malware scanners. As a result, many malware or phishing emails pass through the filters undetected. Trusting the installed security solution, users then click on the links contained in the emails. The overall professional appearance of the emails plays an important role. Corporate administrators should therefore ensure that the malware scanner scans the content of an email in detail, including links that may contain malware/ransomware.

However, compromised email attachments have not disappeared. PDFs with malicious code are currently a particular problem. Users tend to trust PDF files and open them without checking them. In some cases, malicious QR codes are hidden in PDF documents that link to malicious websites.

Signature-based scanners cannot keep up with today’s malicious emails. Attachment sandboxing allows attachments to be executed in a safe environment. When executed, the attachments reveal their true nature. When this happens in a safe sandbox, the malware scanner takes action. Without this technology, the attachment would spread its malicious code on the user’s computer and network virtually unhindered. Intelligent malware scanners then inform the user and/or administrator whether the attachment is dangerous or not.

How will email security evolve?

It is unlikely that the number of email attacks will decrease in the next few years. Phishing will continue to be a major focus when it comes to obtaining credentials or installing malware. In its 2023 Status Report on IT Security in Germany, the BSI states, „Overall, the situation in the current reporting period was tense to critical. The threat in cyberspace is higher than ever before. Ransomware remains the main threat. There is no complete protection against ransomware attacks, as attackers can also use new attack methods for which no detection and defense methods have yet been developed.“

For this reason, companies should prepare to protect their email traffic with the most intelligent and advanced scanners possible. These are capable of analyzing incoming emails and the links they contain. If for no other reason than the fact that attackers are increasingly relying on AI, companies should make use of this technology themselves. For example, to identify and combat previously unknown attack methods and malware variants. For example, AI can be used to more accurately detect anomalies and patterns in email traffic and identify potentially harmful activity at an early stage. We can also expect to see the integration of stronger authentication mechanisms, such as multi-factor authentication, to better verify the identity of email senders.

The use of blockchain technology for transparent and tamper-proof tracking of email communications is also likely to increase. These technologies, combined with continuous updates to security protocols and intensive awareness training, provide the foundation for a more robust defense against email-based threats. A modern email security solution must be able to cope with the rapidly increasing number of messages and the growth of malicious emails that are becoming more professional, sophisticated and intelligent.

Bottom line

We have reached a tipping point in cybersecurity this year. The continuous alignment of cybersecurity, business strategy, and operations has become essential. With the introduction of generative AI as a widely used business tool, the risk of loss of intellectual property and business data is increasing exponentially along with the sheer number of cyber attacks. This is compounded by the growing risk of violating industry regulations such as HIPPA, GDPR, and a host of similar country-specific privacy laws. Proven expertise and accountability for actively managing security initiatives is becoming a strategic priority at the board level. So is a comprehensive approach to the perennial problem of email security.

ails remain a popular target for hackers. Attacks on companies‘ IT infrastructure continued to increase in 2023. According to a study conducted by the Cyber Rescue Alliance in 2022, almost all companies worldwide have become the target of phishing attacks. In 12% of successful attacks, the attackers had full access to company data for more than a year before ransomware encrypted the data. This is also stated by the BSI in its 2023 status report on IT security in Germany: „Overall, the current reporting period shows a tense to critical situation. The threat level in cyberspace is therefore higher than ever before.“ 

Statistics give cause for concern

An analysis from October of this year revealed that 10% more emails with malicious links appeared in Q3 2023 than in the previous quarter. The increase is significant, with experts predicting that the number of attacks will continue to rise until Christmas. Among other things, AI-supported phishing emails pretending to come from legitimate parcel services are to be expected. Some providers have already started to explicitly warn their customers. Malicious links to Google Drive and other cloud storage and the distribution of QR codes are a particularly common attack vector. They are hidden in PDF files, for example, and redirect victims to manipulated pages. As is so often the case, signature-based systems fall short here.

All in all, email remains one of the most important forms of communication. The number of private and business emails sent and received is expected to continue to rise in the coming years, reaching 392.5 billion emails per day in 2026. This means that modern security solutions must be able to cope with these requirements and protect email communication even better. However, usability must not suffer in the process.

How cyber attacks work: Emails remain a problem

Contrary to better knowledge, those responsible still assume that the classic cyber attack via the Internet targets a company’s firewall and compromises networks from there. The reality is different. In well over 80 percent of all attacks, cyber criminals send an email with malicious code or phishing links to internal users. These emails often reach users‘ inboxes unhindered, as conventional virus scanners often fail to detect phishing emails. In many cases, attackers now use QR codes that link to malicious pages. Such codes undermine traditional security solutions.

This is not least due to the fact that attackers are now using AI and freely available chatbots such as ChatGPT. These emails often contain very convincingly worded instructions that ask the user to open certain websites or disclose information. Such emails are now so professionally designed that even experts fall for them. In the high-profile theft of authentication keys for Microsoft Azure a few months ago, even an engineer at Microsoft fell for a phishing email. In the meantime, almost all users are obviously at risk of falling victim to a phishing attack. In some cases, malicious phishing emails can only be recognized as such when they are checked in a sandbox and the malware is executed. In most cases, after a successful phishing attack, the attackers manage to execute code on the victim’s computer and finally penetrate the network. The consequences are well known: Data theft, extortion through ransomware and often not inconsiderable consequential financial losses.

Attackers often work with a flood of spam and phishing emails that simply overwhelm signature-based malware scanners. Combined heuristic approaches (Yara Rules), which are able to filter out the malicious messages even from a large volume of emails, promise to be a remedy. In the above analysis, more than 800,000 spam emails were identified using classic heuristic rules. Another 70,000 were caught using modern heuristic rules. In contrast, classic signature-based approaches detected only 150,000 spam emails.

Attackers are now using simpler methods to gain access to the network „under the radar“ of many security technologies. Callback phishing and business email compromise are the most common methods. In callback phishing, victims are asked to call a supposedly legitimate contact who can help them with a computer problem, for example. AI-based deep fakes are often used. During the call, the attacker tries to convince the victim to install software on their computer. Unfortunately, this is often successful. In BEC attacks, (often very well crafted) business emails are spoofed and the victim is asked to provide certain information, click on links, or install applications. The purported sender is often a company executive whom users trust.

More malicious and professional attacks

The rapidly growing number of malicious emails is alarming. More than one in ten emails is now used to attack companies. Experience shows that it only takes one successful attack to undermine entire IT security systems. Research has shown that attackers are increasingly using malicious links that are not (sufficiently) checked by many malware scanners. As a result, many malware or phishing emails pass through the filters undetected. Trusting the installed security solution, users then click on the links contained in the emails. The overall professional appearance of the emails plays an important role. Corporate administrators should therefore ensure that the malware scanner scans the content of an email in detail, including links that may contain malware/ransomware.

However, compromised email attachments have not disappeared. PDFs with malicious code are currently a particular problem. Users tend to trust PDF files and open them without checking them. In some cases, malicious QR codes are hidden in PDF documents that link to malicious websites.

Signature-based scanners cannot keep up with today’s malicious emails. Attachment sandboxing allows attachments to be executed in a safe environment. When executed, the attachments reveal their true nature. When this happens in a safe sandbox, the malware scanner takes action. Without this technology, the attachment would spread its malicious code on the user’s computer and network virtually unhindered. Intelligent malware scanners then inform the user and/or administrator whether the attachment is dangerous or not.

How will email security evolve?

It is unlikely that the number of email attacks will decrease in the next few years. Phishing will continue to be a major focus when it comes to obtaining credentials or installing malware. In its 2023 Status Report on IT Security in Germany, the BSI states, „Overall, the situation in the current reporting period was tense to critical. The threat in cyberspace is higher than ever before. Ransomware remains the main threat. There is no complete protection against ransomware attacks, as attackers can also use new attack methods for which no detection and defense methods have yet been developed.“

For this reason, companies should prepare to protect their email traffic with the most intelligent and advanced scanners possible. These are capable of analyzing incoming emails and the links they contain. If for no other reason than the fact that attackers are increasingly relying on AI, companies should make use of this technology themselves. For example, to identify and combat previously unknown attack methods and malware variants. For example, AI can be used to more accurately detect anomalies and patterns in email traffic and identify potentially harmful activity at an early stage. We can also expect to see the integration of stronger authentication mechanisms, such as multi-factor authentication, to better verify the identity of email senders.

The use of blockchain technology for transparent and tamper-proof tracking of email communications is also likely to increase. These technologies, combined with continuous updates to security protocols and intensive awareness training, provide the foundation for a more robust defense against email-based threats. A modern email security solution must be able to cope with the rapidly increasing number of messages and the growth of malicious emails that are becoming more professional, sophisticated and intelligent.

Bottom line

We have reached a tipping point in cybersecurity this year. The continuous alignment of cybersecurity, business strategy, and operations has become essential. With the introduction of generative AI as a widely used business tool, the risk of loss of intellectual property and business data is increasing exponentially along with the sheer number of cyber attacks. This is compounded by the growing risk of violating industry regulations such as HIPPA, GDPR, and a host of similar country-specific privacy laws. Proven expertise and accountability for actively managing security initiatives is becoming a strategic priority at the board level. So is a comprehensive approach to the perennial problem of email security.