Using ML to Stop Latent Email Attacks That Dodge Early Detection

Jul 26, 2019

Editor’s Note: This blog post was originally found on the Agari Email Security blog.

By Scot Kennedy

When implemented effectively, real-world deployments of machine learning (ML)-based email security can block business email compromise (BEC) scams, phishing campaigns, and other advanced email threats with 99.9% efficacy. But sometimes, it’s what happens when a malicious email somehow evades early detection that can matter most to that effort.

According to recent research, 22.9 phishing attacks are launched every minute — 20% of them from hijacked email accounts. As many as 30% of corporate employees will open a phishing email, and 4% will fall for it. The FBI estimates that phishing, BEC scams, and other email attacks cost businesses more than $2.7 billion in 2018, up nearly 100% year-on-year. And as a growing number of organizations move to G Suite, Microsoft Office 365, and other popular cloud platforms, cybercriminals have followed suit. O365 alone now accounts for 36% of all phishing attacks — rising 250% in just the last year.

With an ever-increasing number of new attacks, we’ve reached a point where cybercriminals are using QR codes instead of links to easily bypass security controls. They’re weaponizing legitimate URLs through links that redirect only after the email has been delivered. Some are even using ML themselves, automating social engineering at scale to generate fraudulent emails that mimic the writing style of the email sender being impersonated.

While most email security solutions are designed to catch these malicious emails before they reach user inboxes, no solution can detect and block every single malign email, 100% of the time. Even with solutions performing at 99.9%-plus, tens or even hundreds of potentially devastating email attacks could be delivered to their targets. But as we’ve discovered, the best deployments of ML-based email security can play a critically important role when these latent email threats are detected post-delivery.

Not Just Any ML Will Do
For those not fully dialed into the subject, machine learning is a subset of artificial intelligence (AI) that’s centered on enabling computer systems to recognize patterns and learn from sets of labeled, sample (or “training”) data in order to make predictive business decisions.

Throughout this series, we’ve shared how Agari Secure Email Cloud leverages ML to eliminate 99.9% of all BEC scams, phishing attacks, and even the most sophisticated zero-day email threats — including those launched from hijacked email accounts.

Our approach is unique. Instead of a sole focus on training ML to search for attacks, Agari Secure Email Cloud draws intelligence from more than 2 trillion email messages annually to graph relationships and behavioral patterns between individuals, businesses, services, and domains. By analyzing hundreds of different characteristics, or “features,” it’s able to establish what we define as trusted or “good” communications.

By using proven machine learning techniques, Agari Secure Email dynamically scores each new email message against those trusted patterns, enforcing policies according to each organization’s specific requirements.
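The relationship-graph scoring described above, as an added illustrative example (not Agari's code): it builds a baseline of who normally writes to whom from constructed message metadata, scores a new message by how far it departs from that baseline (unfamiliar address behind a familiar display name, lookalike sender domain, no prior relationship, failed authentication), and applies an assumed per-organization policy threshold. The feature weights, the lookalike threshold and the sample addresses are assumptions.

```python
"""Illustrative trust-model scoring for inbound email (constructed data,
not Agari's code): graph who normally writes to whom, score each new
message by its distance from that baseline, then apply an org policy."""
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed history: (display_name, from_address, recipient, auth_passed)
HISTORY = [
    ("Jane Doe", "jane.doe@example.com", "bob@example.com", True),
    ("Jane Doe", "jane.doe@example.com", "ann@example.com", True),
    ("Acme Billing", "invoices@acme-corp.example", "bob@example.com", True),
]

def build_baseline(history):
    """Relationship graph: display name -> addresses it has used,
    (sender, recipient) -> message count, and the set of trusted domains."""
    name_to_addrs, pair_counts, domains = defaultdict(set), defaultdict(int), set()
    for name, addr, rcpt, _ in history:
        addr, rcpt = addr.lower(), rcpt.lower()
        name_to_addrs[name].add(addr)
        pair_counts[(addr, rcpt)] += 1
        domains.add(addr.split("@")[1])
    return name_to_addrs, pair_counts, domains

def score_message(baseline, name, addr, rcpt, auth_passed):
    """Return (score, reasons); a higher score is further from trusted patterns."""
    name_to_addrs, pair_counts, domains = baseline
    addr, rcpt = addr.lower(), rcpt.lower()
    domain = addr.split("@")[1]
    known = name_to_addrs.get(name, set())
    # Near-match to a trusted domain (e.g. one swapped character) that is not the domain itself.
    lookalike = domain not in domains and any(
        SequenceMatcher(None, domain, d).ratio() >= 0.85 for d in domains)
    checks = [  # (triggered?, weight, reason) -- weights are assumed, not Agari's
        (bool(known) and addr not in known, 50, "display name used a different address before"),
        (lookalike, 40, "sender domain resembles a trusted domain"),
        (pair_counts.get((addr, rcpt), 0) == 0, 20, "no prior sender/recipient relationship"),
        (not auth_passed, 30, "SPF/DKIM authentication failed"),
    ]
    score = sum(w for hit, w, _ in checks if hit)
    return score, [r for hit, _, r in checks if hit]

def apply_policy(score, quarantine_at=50):
    """Enforce an organization's policy; thresholds are assumed example values."""
    if score >= quarantine_at:
        return "quarantine"
    return "tag" if score > 0 else "deliver"
```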

Scale is Just the Start of It
As with any ML-based approach, the size and quality of the underlying dataset, and the domain expertise of the data scientists who guide it, determine the solution’s efficacy. One of Agari’s greatest strengths has always been that our domain experts rank among the world’s leading authorities on phishing, BEC, and account takeover (ATO)-based email attacks, bringing an unprecedented level of experience and insight to leveraging a dataset that’s not just Internet scale, but also dynamic.

Through real-time data streaming, intelligence that necessitates model changes is applied not in hourly or daily batched data updates, but rather within milliseconds of detection. Each new customer adds deeper, more relevant insights to this dynamic, global dataset, creating a network multiplier effect that amplifies the effectiveness of Agari Secure Email Cloud on a continuous basis. And that gets to something else we’ve learned over time: It’s not just the size of your high-quality dataset that matters.

Email Attacks: Not Just ‘What,’ But ‘When’
The simple truth is that no email security system can prevent 100% of email attacks, 100% of the time. As I mentioned earlier, even with near 100% efficacy against phishing and BEC attacks, a malicious email will inevitably make it to employee inboxes. To address that challenge, Agari Secure Email Cloud provides continuous detection and response capabilities to hunt down and remediate threats that escaped initial detection or have activated post-delivery.

Thanks to its deep integration with cloud-based email systems, Agari Secure Email Cloud can remove a malicious email from every employee inbox that received it. Not just from that moment forward, but also those that may have arrived before the threat is first identified. It can even alert SOC teams if somebody has already opened the email or gone on to fall for the con.

Agari Secure Email Cloud also provides SOC teams with automated tools that reduce the time it takes to detect and remediate any data breaches that may result from a successful attack from weeks or even months down to mere minutes, saving organizations millions given average losses of $7.9 million per incident.

Phishing Intel, Made Instantly Actionable
While all of this is undeniably cool, in my own opinion, what’s even cooler is the value of the feedback data that these latent email threats provide, and the ability to factor that data into ML model updates within moments of detection. That’s something our teams are in the process of rolling out as part of our continuous efforts to make Agari Secure Email Cloud smarter, faster, and more effective with each new email it analyzes — pre, and post, delivery.

Once fully in place, a latent attack discovered in the inboxes of one Agari customer organization will be known and neutralized across all of them. All while dynamically and continuously improving Agari Secure Email Cloud’s already-unrivaled 99.9% catch rate for email attacks.

The importance of these kinds of capabilities can’t be overstated. According to TechRepublic, more than 3 billion fraudulent emails are sent every 24 hours, and the volume, ferocity, and sophistication of these attacks grow by the day.

Machine learning-based email security can make all the difference in the battle against costly phishing attacks, BEC scams, and other advanced email threats. But that’s only if it’s based on ML best practices, guided by top domain experts, and informed by a very large, high-quality dataset that includes intelligence from trillions of emails — both inbound and post-delivery.

To learn more about how Agari applies the power of machine learning-based email security to prevent phishing attacks, BEC scams and more, download an exclusive white paper.

Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.