Mobilizing AI in the Fight Against URL Phishing
Email scanners are integrating artificial intelligence to improve their efficacy in detecting and blocking malicious URLs
Key Points
- For years, security teams have been battling a singularly persistent problem.
- Employees keep clicking on malicious links in emails, unwittingly inviting cyberattacks on their companies.
- Email scanning software, combined with security awareness training, has cut down on the problem but not eliminated it.
- Now, AI-powered scanners are making new inroads.
Employees click on malicious URLs in phishing emails. It happens again and again: An employee ends up on a counterfeit website and types in a favorite password — the same one they use for their company email, collaboration platforms, and apps. That small chink in their employer’s security armor eventually opens it up to a full-blown data breach, ransomware attack, or network outage.
Conventional email scanning and blocking tools have not made this problem go away. Now, scanners can be upgraded with artificial intelligence (AI) to catch many of the malicious URLs that usually evade detection. This approach is beginning to pay off for customers of Mimecast’s AI-powered URL Protection scanner, as we describe below.
What Malicious URLs Look Like
Our work with customers provides some real-world examples of malicious URLs, showing how tempting it is for employees to click on them. Here are just three that were captured by our AI-powered scanner:
- Microsoft 365 online fax: An email arrived, replete with a Microsoft 365 logo and a thumbnail of what looked like an official document. “You have received (2) Pdf online,” the missive read. “Click here.” Unfortunately, this was a phishing email, and the link led to a credential harvesting website.
- OneDrive file: Another email alerted the recipient that, “You’ve received a secured document via OneDrive,” and instructed them to click on the “view document” link. Our investigation indicated that the attacker’s intent was to infect the user’s device with malware.
- Skype invitation: So many collaboration sessions at work, so little time for employees to keep track of them all. This Microsoft-branded invitation simply suggested that the recipient “initiate the session” using their email, telephone, or Skype login and password. Actually, the email was an invitation to credential theft.
Many malicious URLs lead to credential theft. Other links take email recipients to bogus websites that drop malware onto companies’ devices and networks in exploits known as “drive-by downloads”.
For example, in analyzing one URL that was blocked, we found that it almost certainly would have downloaded a trojan-like variant of malware that is typically sold on the Dark Web for about $100. This malware’s core capabilities include information harvesting from browsers (including passwords, autofill data, cookies, and credit card information), remote desktop access (to install and launch malware), and others.
Incorporating AI to Elevate Scanning Capabilities
Companies can layer AI on top of current scanners’ functionality, such as checking URLs against threat intelligence feeds. These systems rewrite the URLs in inbound email so that, when an employee clicks a link, the scanner inspects the intended destination website in real time rather than relying only on what was known at delivery. Users are granted access only to URLs that check out. All of this is imperceptible to the user, unless they receive a warning banner informing them that the URL is malicious.
AI levels up URL scanning in several ways. Our data scientists have developed the ability to go well beyond the standard treatment of a URL. Our AI-powered scanner also considers context, including features drawn from the email, its attachments, and the destination page, as well as other AI-powered TTP enhancements such as Credential Theft Protection, which inspects websites for brand spoofing and credential harvesting attempts. These and other capabilities provide extra protection against more targeted, sophisticated threats, such as business email compromise.
As such, AI-powered scanners are designed to detect and block emerging threats such as zero-day URL attacks — or even CAPTCHA pages that are intended to be a roadblock for automated security scanners. In other words, they are now able to detect exploits that have never been seen before by threat researchers. This is a key capability since attackers are continuously spinning up new nefarious URLs.
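The rewrite-then-check-on-click flow described above, as an added illustration that is not Mimecast’s code. The gateway hostname, the HMAC secret, the threat-intelligence feed, the brand list and the email body are all constructed placeholders, and the two checks (feed lookup plus a crude lookalike-domain test) are simple stand-ins for the AI features the article describes, not a reproduction of them. The point it shows is why click-time checking matters: a host added to the feed after the mail was delivered is still blocked when the user clicks.

```python
"""Click-time URL protection: rewrite links at delivery, decide at click time."""
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, quote, urlparse

GATEWAY = "https://urlcheck.example/r"   # hypothetical protection gateway (assumption)
SECRET = b"constructed-demo-key"          # constructed; load from a secret store in practice

# Constructed threat-intelligence feed and brand list; none of these are real indicators.
threat_feed = {"login-micros0ft-verify.example"}
BRAND_KEYWORDS = {
    "microsoft": ("microsoft.com",),
    "onedrive": ("microsoft.com", "live.com"),
}


def _token(url: str) -> str:
    """HMAC over the original URL so the gateway can detect tampered rewrites."""
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()


def rewrite_links(html_body: str) -> str:
    """Replace every http(s) href target with a gateway link carrying the original
    URL (percent-encoded) and its token. Runs once, at delivery time."""
    def repl(match: re.Match) -> str:
        original = match.group(1)
        return f'href="{GATEWAY}?u={quote(original, safe="")}&t={_token(original)}"'
    return re.sub(r'href="(https?://[^"]+)"', repl, html_body)


def extract_links(html_body: str) -> list:
    """Return all href targets in an HTML body (helper for demos and tests)."""
    return re.findall(r'href="([^"]+)"', html_body)


def unwrap(gateway_link: str):
    """Recover the original URL from a gateway link; None if the token is invalid."""
    params = parse_qs(urlparse(gateway_link).query)
    if "u" not in params or "t" not in params:
        return None
    original = params["u"][0]  # parse_qs already percent-decodes
    if not hmac.compare_digest(params["t"][0], _token(original)):
        return None
    return original


@dataclass
class Verdict:
    url: str
    allowed: bool
    reasons: list = field(default_factory=list)


def assess(url: str, feed=None) -> Verdict:
    """Click-time check. Consults the feed as it is *now*, not as it was at delivery."""
    feed = threat_feed if feed is None else feed
    host = (urlparse(url).hostname or "").lower()
    reasons = []
    if host in feed:
        reasons.append("host on threat-intelligence feed")
    # Crude lookalike test: undo common digit-for-letter swaps, then see whether a
    # brand keyword appears on a domain that is not one of the brand's own.
    normalised = host.replace("0", "o").replace("1", "l")
    for brand, legit_domains in BRAND_KEYWORDS.items():
        on_legit = any(host == d or host.endswith("." + d) for d in legit_domains)
        if brand in normalised and not on_legit:
            reasons.append(f"brand keyword '{brand}' on a non-{brand} domain")
    return Verdict(url, allowed=not reasons, reasons=reasons)


def handle_click(gateway_link: str) -> Verdict:
    """What the gateway does when a user follows a rewritten link."""
    original = unwrap(gateway_link)
    if original is None:
        return Verdict(gateway_link, False, ["invalid or tampered gateway token"])
    return assess(original)


if __name__ == "__main__":
    # Constructed inbound message with one phishing link and one benign link.
    body = ('<a href="https://login-micros0ft-verify.example/pdf">View (2) Pdf online</a> '
            '<a href="https://docs.example.org/report?id=1&v=2">Quarterly report</a>')
    delivered = rewrite_links(body)
    for link in extract_links(delivered):
        v = handle_click(link)
        print("ALLOW" if v.allowed else "BLOCK", v.url, v.reasons)
    # A host that was clean at delivery but is added to the feed before the click
    threat_feed.add("docs.example.org")
    print(handle_click(extract_links(delivered)[1]))
```

The token is what makes the scheme safe to expose: anyone can see the gateway URL format, but without the secret they cannot mint a rewritten link that the gateway will unwrap, so the gateway only ever evaluates URLs that actually passed through the mail flow.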
Our AI-powered scanners run on Mimecast’s connected human risk management platform, which is built on a 20-year track record of monitoring trillions of emails and draws on the user behavior of our 40,000+ customers’ lived experience. Complementing the scanners are capabilities that mitigate the internal spread of a malicious email and map the relationships and connections between senders and recipients. Increasingly, individuals’ performance in Mimecast’s human-risk-centric security awareness and training programs is also being integrated into our detection and prevention systems.
AI Improves Efficacy of URL Scanning
The upshot is that AI-powered scanners can detect new and more targeted attacks, where conventional scanners might focus on recognizing the known bad or the previously identified techniques used by monitored threat actors. As a result, AI-powered email scanners like Mimecast’s are demonstrating results in blocking more malicious URLs from reaching employees’ mailboxes.
Mimecast ran a proof of concept using our own best-of-breed scanners — “before and after” AI. During this period, Mimecast scanned almost one billion clicked URLs and blocked around six million of those. The new AI-powered scanner contributed to a 1% increase in detections, protecting customers from more than 41,000 attacks that would have otherwise gone undetected.
The statistics themselves are meaningful in a field in which it only takes one click to start a cyberattack “kill chain”. But they are all the more significant for the types of attacks they block — more targeted (and potentially more dangerous) in many cases, and totally unfamiliar (and thus harder to detect), in others.
On the flip side, some AI-powered scanners can create a lot of false positives when left unchecked, undermining their usefulness as security teams are inundated with alerts for URLs that turn out to be benign. In Mimecast’s case, our in-house data scientists continually retrain the machine learning model and monitor performance to reduce false alarms.
The Bottom Line
Artificial intelligence is elevating the efficacy of systems that scan and block malicious URLs in emails. See how Mimecast can help you use AI to address this persistent problem.
This blog was originally published on October 24, 2022.