Email Security: Using ML to Prevent Advanced Attacks

4 min read · Jun 20, 2019

Editor’s Note: This blog post was originally found on the Agari Email Security blog.

By Michael Cichon

The statistics are astounding. Email remains the number one threat vector for data breaches, the point of entry for ninety-four percent of breaches. There is an attack every 39 seconds. Over 30% of phishing messages get opened, and 12% of users click on malicious links.

As cybercrime becomes more advanced and bypasses the legacy controls put in place to defend against it, security must become more advanced too. In our last blog post in this series, we discussed how legacy systems simply cannot stop the new wave of identity-based attacks that are hitting inboxes, and how the Agari Secure Email Cloud™ works to protect against them by using machine learning models to dynamically score messages based on identity — not content.

Predictive AI: Central to Advanced Email Security

Machine learning is a subset of AI that’s focused on recognizing patterns and learning from data in order to make predictive business decisions. While there’s certainly plenty of hype around this topic — much of it wildly unrealistic and even scary — these technologies have very real, and very important, commercial applications for many category-leading companies today.

According to Forbes, Amazon relies heavily on applied machine learning to grow its business, improve its customer experience and selection, and optimize its logistics operations. Netflix saved $1 billion with the use of ML technologies for making personalized recommendations. Facebook is using it to identify 96.8% of prohibited content. Apple, Google, and others use ML to continuously improve voice recognition for services such as Siri and Google Voice Search. And within the security space, companies such as CrowdStrike, ThreatMetrix, and Agari all apply different forms of machine learning to address specific facets of cybersecurity.

The Agari Secure Email Cloud with its continuous detection and response technology, for instance, is specifically designed to recognize zero-day threats that come with no recognizable signature or payload, and it is delivered through the cloud, based on real-time intelligence from around the globe. And it’s easy to implement with any email infrastructure — on-premises, cloud, or hybrid. Here’s how it works.

Defining ‘Good’ to Prevent Phishing Attacks

Unlike systems that scour the entire attack surface in search of attack events, the Agari Secure Email Cloud takes an identity-based approach that continuously detects and responds to threats in real time. Its central concept is simple. If an email isn’t known to be good, it may be bad — which is the exact opposite of systems that look for malicious signatures. It works because of a simple truth: While it’s the illegitimate email that generates headlines, the vast majority of all email sent around the planet is legitimate.

By analyzing over two trillion email messages annually to graph relationships and behavioral patterns between individuals, businesses, services, and domains using hundreds of different characteristics, we’re able to establish what we define as trusted or “good” communications and filter out anything that doesn’t match.

By using proven machine learning principles, automation, and expert human decision-making informed by large sets of labeled data, the Agari Identity Graph™ at the heart of the Agari Secure Email Cloud then dynamically scores each message for convergence or divergence from patterns established as legitimate and trusted, and enforces policies established according to a specific business’s needs. This involves making more than 300 million machine learning model updates each day to continuously refine the solution so it can identify, and even anticipate, which emails represent threats.
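The three paragraphs above describe the core idea: build a graph of who legitimately writes to whom, score each new message by how far its sender identity diverges from that baseline, and apply a business-specific policy to the score. The following is an added illustration of that identity-based scoring in miniature; it is not Agari’s Identity Graph or any code from Agari. The trusted history, the scores, and the POLICY thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample of "known good" traffic: (display name, sender address, recipient).
# In practice this baseline would come from historical mail flow, not a hand-written list.
TRUSTED_HISTORY = [
    ("Jane Doe", "jane.doe@example-corp.com", "bob@example-corp.com"),
    ("Jane Doe", "jane.doe@example-corp.com", "alice@example-corp.com"),
    ("Acme Billing", "invoices@acme-supplier.example", "ap@example-corp.com"),
    ("Acme Billing", "invoices@acme-supplier.example", "bob@example-corp.com"),
]

# Hypothetical per-business policy: divergence-score thresholds mapped to actions.
POLICY = [(0.8, "quarantine"), (0.5, "flag"), (0.0, "deliver")]

def build_identity_graph(history):
    """Map each display name to the addresses it has legitimately used, and
    record every (sender, recipient) pair seen in trusted traffic."""
    name_to_addrs = defaultdict(set)
    pairs = set()
    for name, addr, rcpt in history:
        name_to_addrs[name.strip().lower()].add(addr.lower())
        pairs.add((addr.lower(), rcpt.lower()))
    return {"name_to_addrs": dict(name_to_addrs), "pairs": pairs}

def score_message(graph, display_name, sender_addr, recipient):
    """Return (divergence score in [0, 1], reason). 0.0 means the message matches
    an established trusted pattern; higher means it diverges from it."""
    name = display_name.strip().lower()
    addr, rcpt = sender_addr.lower(), recipient.lower()
    known_for_name = graph["name_to_addrs"].get(name, set())
    known_senders = {a for addrs in graph["name_to_addrs"].values() for a in addrs}
    if known_for_name and addr not in known_for_name:
        # A trusted display name arriving from an address it has never used:
        # an identity signal that a purely content-based filter cannot see.
        return 0.9, "display name previously seen only with " + ", ".join(sorted(known_for_name))
    if (addr, rcpt) in graph["pairs"]:
        return 0.0, "sender/recipient pair matches trusted history"
    if addr in known_senders:
        return 0.3, "known sender, first message to this recipient"
    # Not known to be good: treated as possibly bad rather than assumed benign.
    return 0.6, "sender has no established relationship in the graph"

def enforce(score):
    """Apply the first policy rule whose threshold the score reaches."""
    for threshold, action in POLICY:
        if score >= threshold:
            return action
    return "deliver"
```

A real deployment would add many more identity features (sending infrastructure, authentication results, reply-to mismatches) and learn the thresholds from labeled data rather than hard-coding them.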

Like any AI-based approach, the size and quality of the underlying dataset and the domain expertise of the data scientists who guide it determine the solution’s efficacy. Agari data scientists rank among the world’s foremost authorities in business email compromise (BEC), phishing, account takeovers (ATOs), and other advanced and emerging email threats, bringing an unprecedented level of experience and insight to leveraging a dynamic, global data set that grows smarter and more effective with each new day.

Using Machine Learning to Protect Organizations

In actual deployments, this approach functions with 99.9% efficacy against all advanced email attacks, including the hardest to detect account takeover-based scams. The Agari Secure Email Cloud uses this same graph-based approach to continuous detection and response in order to detect and remediate latent threats that evade early detection by physically removing them from the inbox. The technology also provides SOC teams with automated tools that reduce the time it takes to detect and remediate data breaches by up to 95%.

Taken together, this approach effectively transitions the email security paradigm from one that was designed to address isolated events, to one that continuously protects the organization against advanced email threats, as quickly as they emerge.

In the face of rapidly escalating dangers from phishing attacks, BEC scams, and other advanced email threats that may drive as much as 48% of all business losses from Internet-related cybercrime, AI- and ML-based technology and its ability to prevent evolving fraud tactics make it the future of email security, today. In the next part of the series, we’ll dive deep into how we do it.

To learn more about why legacy systems no longer work against identity-based threats, download an exclusive white paper on the Rise of the Secure Email Cloud.

Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.