
Don’t Get Obfuscated: Use AI To Stop Attacks

Human-like intelligence should review data and make decisions

Gil Friedrich

New York City, N.Y. – Oct. 8, 2021

Stop us if you’ve heard about this cat and mouse game before. Hackers find a clever way to bypass protections. Microsoft or Google responds with a new fix. Hackers respond in kind. And on and on it goes.

Over the last year or so, we’ve observed tons of new obfuscation campaigns. Microsoft SafeLinks was bypassed through ZeroFont or JavaScript encoding. We’ve seen hackers successfully use a Bidirectional tag, which is typically used to switch the direction of text. That technique fools Natural Language Processing, as does the use of Base-64 and UTF-8 encoding. Foreign languages have been used to fool scanners. CAPTCHA forms have proven an effective way to get malicious content into the inbox.

There are more techniques that we’ve observed in the wild than is possible to list here. It reflects the determination and wherewithal of hackers worldwide. As soon as a vulnerability is discovered, hackers will pounce with techniques that range from the simple to the complex. When that is patched, the game begins anew.

While fascinating to observe from afar, this has real-world implications for end-users. It means that inboxes are the unlucky pawn in this chess match. It means that users and organizations are at risk.

What to do? To protect your organization from being caught in the middle, the first step has to be implementing top-of-the-line artificial intelligence. According to our research, without advanced AI, traditional solutions miss as many as 51 percent of advanced threats. Further, without AI, it is impossible to catch more attacks without being bombarded with false positives.

Using AI is the new way to combat the ever-evolving cyber threats. It’s real intelligence that exhibits a human-like intelligence at reviewing the data and making a decision — and does so better than humans and at a much faster speed. Think of it as a superhuman that instantly understands whether an email is good or bad. Instead of relying on a pre-approved list of threats, it learns over time. Instead of looking for that one keyword, AI correlates many things together, combining them into an intelligent decision.

Four years ago, the primary way of identifying whether an email was malicious was by looking at patterns. Someone in the Security Operations Center (SOC) would look at, for example, a link that proved to be malicious. The offending link had the suffix of ‘eapf.’ The SOC analyst would then see if other emails had links with that suffix. If they did, you could block it as malicious and create a rule to block all emails with links with the suffix ‘eapf.’

Today, the individual email is just a tiny part of the total picture. In order to fully understand the entire context, more is needed. An effective security solution needs to look at tons of previous emails. It needs to look at other customers in the network — have they received similar emails? It needs to look at role-based, contextual analysis of previous conversations. There needs to be a trusted reputation network. The solution needs to know if it’s a known vendor or a trustworthy partner. In short, the entire context of the company is needed. What’s typical and what’s not? Phishing emails have evolved to look just like regular emails. A single email at a single point in time is not enough. The whole picture is required.

Beyond that, using the hacker’s obfuscation techniques as a way to identify the attack is critical. That means that the AI checks these obfuscation techniques. That includes things like URL and UTF encoding in the email’s headers and attachments, links with suspicious patterns, SPF failure and more.

When the AI is tuned to these things, more will be picked up. Ensure your AI checks for things like phishing language in an email body; encoded content, such as scripts that encode or decode Base64; HTML obfuscation such as ZeroFont; the presence of a crypto wallet address; and much more.
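As an added illustration of the obfuscation checks listed above (example code written for this page, not code from the article or from Avanan's product), the scanner below flags ZeroFont styling, Unicode bidirectional control characters, long Base64 blobs paired with JavaScript decoders, and densely percent-encoded link targets. The regular expressions, thresholds and sample messages are assumptions constructed for the example.

```python
import re

# Unicode bidirectional embedding/override/isolate controls (U+202A..U+202E, U+2066..U+2069).
# A scanner reading code points sees them; a human reading rendered text does not.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

# ZeroFont: inline style that hides characters from the reader but leaves them in the text.
ZERO_FONT_RE = re.compile(r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|%)?\s*(?:;|\"|'|$)", re.I)
# A long run of Base64 alphabet characters, typical of an encoded payload (threshold assumed).
BASE64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# JavaScript helpers that turn encoded text back into live content at render time.
JS_DECODE_RE = re.compile(r"\b(?:atob|unescape|decodeURIComponent)\s*\(", re.I)
# A link target carrying three or more consecutive %XX escapes (dense URL encoding).
URL_ENCODED_RUN_RE = re.compile(r"href\s*=\s*[\"'][^\"']*(?:%[0-9A-Fa-f]{2}){3,}", re.I)


def obfuscation_indicators(html: str) -> set:
    """Return the set of obfuscation indicators found in one email body."""
    found = set()
    if ZERO_FONT_RE.search(html):
        found.add("zerofont")
    if any(ch in BIDI_CONTROLS for ch in html):
        found.add("bidi_control")
    if BASE64_RUN_RE.search(html):
        found.add("base64_blob")
    if JS_DECODE_RE.search(html):
        found.add("js_decode")
    if URL_ENCODED_RUN_RE.search(html):
        found.add("url_encoded_link")
    return found


# Constructed sample bodies (not real messages) covering each indicator.
BENIGN = '<p>Hi team, the Q3 report is attached. <a href="https://example.com/report">Link</a></p>'
ZEROFONT = '<p>Please <span style="font-size:0px">xq</span>verify your account</p>'
BIDI = '<p>Open the attached invoice: report\u202eexe.pdf</p>'
ENCODED = '<script>document.write(atob("' + "QUJD" * 15 + '"))</script>'

if __name__ == "__main__":
    for name, body in [("benign", BENIGN), ("zerofont", ZEROFONT), ("bidi", BIDI), ("encoded", ENCODED)]:
        print(name, sorted(obfuscation_indicators(body)))
```

Each indicator is one signal to be correlated with the contextual checks the article describes, not a verdict on its own.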

The back-and-forth between hackers and security systems will only get more fierce. Properly protecting yourself is the key to staying out of the fray.


Gil Friedrich is co-founder and CEO at Avanan.

About Avanan 

Avanan is a cloud email security platform that pioneered and patented a new approach to prevent sophisticated attacks. We use APIs to scan for phishing, malware, and data leakage in the line of communications traffic. This means we catch threats missed by Microsoft while adding a transparent layer of security for the entire suite and other collaboration tools like Slack.

Avanan catches the advanced attacks that evade default and advanced security tools. Its invisible, multi-layer security enables full-suite protection for cloud collaboration solutions such as Office 365™, G-Suite™, and Slack™. The platform deploys in one click via API to prevent Business Email Compromise and block phishing, malware, data leakage, account takeover, and shadow IT across the enterprise. Avanan replaces the need for multiple tools to secure the entire cloud collaboration suite, with a patented solution that goes far beyond any other Cloud Email Security Supplement.