Fight Phishing Attacks with Machine Learning and Security Analytics

Week two of Cybersecurity Awareness Month focuses on “Fight the Phish.”  If you have never received a phishing email, you probably don’t have an email address.  They are typically much more common than actual business correspondence.  Beyond that, you can say that there are two types of people in the world – those that have clicked on a phishing email, and those who will do so in the future.

Phishing remains one of the easiest and most common ways to compromise a computer, steal personal data, or spread malware.  Registering a domain and sending thousands of fake emails costs little, and even if only one recipient in a hundred opens the message or clicks a link, the attacker has the foothold needed to do any of the above.  According to the Verizon 2021 Data Breach Investigations Report, phishing is one of the top breach actions: it was present in 36% of all breaches in 2020, up 11 percentage points from 2019.

It’s especially difficult when people use their work email for personal purposes.  Personal and business correspondence then get commingled in the same mailbox, and personal email is, by its nature, more likely to carry spam and phishing links.

It’s important to know what techniques attackers are leveraging so you can warn your users and update your detection tools.  The FBI maintains a page on common spoofing and phishing attacks, with resources and recent news.  Information about known phishing attacks can also be found on the Anti-Phishing Working Group website; the organization publishes a quarterly Phishing Activity Trends Report, the most recent of which covers the second quarter of 2021.

Over the past few years, Gurucul has observed the following new trends in phishing attacks:

  • Phishing email followed by phone call: A new trend is a phishing campaign followed up by an actual phone call. On the fraudulent call, the caller typically urges the recipient to open the email. Given the immediacy and pressure of another person asking them to click in real time, the victim very often clicks the link, and the malicious payload is delivered to the network.
  • Business email compromise: Business Email Compromise (BEC) is also common. An attacker obtains access to a business email account and impersonates its owner in order to defraud the company and its employees, customers or partners.
  • Credential theft: Credential theft via social engineering and phishing continues to be a high priority for cybercriminals. With hijacked email, network, and application login credentials, threat actors can infiltrate networks and systems further to execute BEC tactics, install malware and ransomware, steal personally identifiable information, and plunder intellectual property and confidential information.

Educate Your Users

So especially within an organization, how can we fight the phish?  How can we help users navigate through their day on the computer safely?

The first step is education.  We can break that down into multiple parts.  First, it involves getting users to think about cybersecurity whenever they are online.  A heightened awareness of the risks is an essential starting point in establishing a foundation for security.

Second, users have to know about active phishing attempts.  Often they seem to come from legitimate sources – partners, banks, pharmacies, or stores, for example.  There are often telltale signs, such as misspellings and unusual links, that indicate a particular email isn’t legitimate.  Users have to be trained in identifying these signs.

Phishing can also be accompanied by social engineering techniques, such as phone calls, visits by colleagues, social media notifications, and follow-up emails.  Users are more likely to click on phishing links if they are accompanied by a personalized follow-up.

Beyond that, if there are any publicly known and prevalent phishing attempts, organizations have to let their users know about them.  Phishing attempts tend to come in familiar waves, and the more information users have, the better equipped they are to deal with them.

Of course, this also comes with an obligation to tell users what to do if they encounter such attempts.  Education not only refers to information on how to identify phishing attempts, but also what to do about them.  In many cases, that answer is to report them to IT staff or cybersecurity staff, but users need these messages reinforced on a regular basis.

Detect Phishing Attacks Automatically with Machine Learning

The second thing that enterprises should do is continuously monitor for possible attacks.  While few organizations have the inclination or resources to read all incoming email, anything outside of the ordinary can and should be flagged for further investigation.  This should be a largely automated process, and the Gurucul Security Analytics and Operations Platform determines the degree of risk with emails in real time.

Gurucul provides a range of pre-packaged supervised machine learning (ML) models specially trained to detect specific types of phishing attacks. These models are not signature-based but rather “trained” on real-world threat data sets to detect and capture various known phishing attacks.

Among the features these phishing ML models are trained on are:

  • Unusual character sequences in subjects and bodies, identified by text mining
  • Subject lines that deviate from those of trusted senders (the models are pretrained on known-good subject lines)
  • Unusual or previously unseen sender email domains
  • Inbound email from the same or similar senders to large numbers of internal users

While email can be difficult to monitor, and a phishing campaign often rotates through multiple sender addresses, domains, and display names, algorithms can still identify emails and other data that don’t fit the normal pattern of correspondence for individual users.

Below are details on the telemetry and available Gurucul models for detecting various phishing attacks out-of-the-box.  Each entry lists the telemetry, perpetrator, victim, tactic, data sources, and high-level model use cases:

Telemetry: Email
Perpetrator: External Bad Actor
Victim: Internal Employee
Tactic: Phishing, Spear-Phishing
Data Sources: Email, Proxy, Windows Security
High Level Model Use Cases:
  • Text and semantic analytics
  • Inconsistent email address, links, and domains
  • Detection of threats and unusual urgency
  • Suspicious subject / attachment
  • Unusual process
  • Unseen domain or user
  • Domain generation algorithm (DGA) domains
  • Unusual / inconsistent request
  • File format exploits / URLs

Telemetry: Phone / VOIP
Perpetrator: External Bad Actor
Victim: Internal Employee
Tactic: Reconnaissance, Trusted Relationship
Data Sources: VOIP logs
High Level Model Use Cases:
  • Unseen location / source / protocol
  • Unusual / excessive call duration or frequency
  • Brute force / unusual inbound traffic

Telemetry: Social Media
Perpetrator: External Bad Actor
Victim: Internal Employee
Tactic: Phishing
Data Sources: Proxy, DLP
High Level Model Use Cases:
  • Traffic pattern
  • Behavior manipulation
  • Data transfer off of the network
  • Abnormal printing behavior

Perpetrator: Bad Actor (Internal Employee)
Tactic: Insider Threat Use Cases
Data Sources: Multiple
High Level Model Use Cases:
  • Robotic pattern
  • HR stressors – financial, personal, addictive, disgruntled / departing / new hire
  • Data exfiltration
  • Wanderer behavior
  • Employee snooping
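To make the feature list above and the Email row of the table concrete, here is an added example (not Gurucul’s code and not its trained models) that extracts the same kinds of features from a constructed batch of inbound email metadata and scores each message.  It stands in for a supervised model with a hand-weighted linear score; the weights, thresholds, sample messages, the internal domain example.com and the known sender domains are all assumptions made for the illustration.  It covers unseen and lookalike sender domains, reply-to and link domain inconsistency, urgency wording, mixed-script (homoglyph) characters, DGA-looking domains, and fan-out of one sender to many internal recipients.

```python
"""Illustrative phishing feature extraction and scoring (added example).

Not Gurucul's models: a simplified, hand-weighted score over features that
mirror the page's list. All domains, weights, and messages are constructed.
"""
import math
from collections import Counter, defaultdict
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"                                   # assumed
KNOWN_SENDER_DOMAINS = {"example.com", "partner-bank.com", "vendor.net"}  # assumed baseline
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended", "verify your")
FAN_OUT_THRESHOLD = 3   # distinct internal recipients from one sender domain in the batch

# Assumed weights; a real deployment would learn these from labelled data.
WEIGHTS = {"unseen_sender_domain": 0.10, "lookalike_domain": 0.20,
           "reply_to_mismatch": 0.10, "link_domain_mismatch": 0.10,
           "urgency": 0.10, "unusual_characters": 0.15,
           "dga_like_domain": 0.15, "fan_out": 0.10}


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def levenshtein(a, b):
    """Edit distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, known=KNOWN_SENDER_DOMAINS):
    """Return the known domain this one imitates (distance 1-2), else None."""
    for k in sorted(known):
        if domain != k and levenshtein(domain, k) <= 2:
            return k
    return None


def entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def dga_like(domain):
    """Long, high-entropy label with few vowels or many digits (DGA heuristic)."""
    label = domain.split(".")[0]
    if len(label) < 10:
        return False
    digits = sum(ch.isdigit() for ch in label) / len(label)
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    return entropy(label) > 3.0 and (vowels < 0.2 or digits > 0.3)


def unusual_characters(text):
    """A single word mixing ASCII letters with non-ASCII characters (homoglyphs)."""
    for word in text.split():
        if any(ord(ch) > 127 for ch in word) and any(ch.isascii() and ch.isalpha() for ch in word):
            return True
    return False


def extract_features(msg, fan_out):
    dom = sender_domain(msg["from"])
    reply_dom = sender_domain(msg["reply_to"]) if msg.get("reply_to") else dom
    link_hosts = {h for h in (urlparse(u).hostname for u in msg.get("links", [])) if h}
    raw = msg["subject"] + " " + msg["body"]
    text = raw.lower()
    return {
        "unseen_sender_domain": dom not in KNOWN_SENDER_DOMAINS,
        "lookalike_domain": lookalike(dom) is not None,
        "reply_to_mismatch": reply_dom != dom,
        "link_domain_mismatch": any(h != dom and h not in KNOWN_SENDER_DOMAINS for h in link_hosts),
        "urgency": any(t in text for t in URGENCY_TERMS),
        "unusual_characters": unusual_characters(raw),
        "dga_like_domain": dga_like(dom) or any(dga_like(h) for h in link_hosts),
        "fan_out": fan_out.get(dom, 0) >= FAN_OUT_THRESHOLD,
    }


def classify(messages):
    """Score a batch; fan-out is a batch-level feature, so it is computed first."""
    recipients = defaultdict(set)
    for m in messages:
        if sender_domain(m["to"]) == INTERNAL_DOMAIN:
            recipients[sender_domain(m["from"])].add(m["to"].lower())
    fan_out = {d: len(r) for d, r in recipients.items()}
    results = []
    for m in messages:
        feats = extract_features(m, fan_out)
        score = min(round(sum(WEIGHTS[k] for k, v in feats.items() if v), 2), 1.0)
        risk = "high" if score >= 0.6 else "medium" if score >= 0.3 else "low"
        results.append({"id": m["id"], "score": score, "risk": risk,
                        "hits": [k for k, v in feats.items() if v]})
    return results


# Constructed sample batch: a lookalike-domain credential phish, a legitimate
# invoice, and a three-recipient campaign from an unseen domain.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "alerts@partner-bamk.com", "reply_to": "verify@xk7q2vnz9plw.net",
     "to": "alice@example.com", "subject": "Urgent: verify your \u0430ccount",   # Cyrillic 'а'
     "body": "Your account will be suspended within 24 hours.",
     "links": ["https://xk7q2vnz9plw.net/login"]},
    {"id": "m2", "from": "billing@vendor.net", "to": "bob@example.com",
     "subject": "Invoice 4471 for September",
     "body": "Please find attached the invoice for September services.",
     "links": ["https://vendor.net/invoices/4471"]},
] + [
    {"id": f"m{3 + i}", "from": "hr-portal@secure-docs-update.com", "to": f"{who}@example.com",
     "subject": "New benefits document", "body": "Review the attached document immediately.",
     "links": ["https://secure-docs-update.com/doc"]}
    for i, who in enumerate(("carol", "dan", "erin"))
]

if __name__ == "__main__":
    for r in classify(SAMPLE_MESSAGES):
        print(r["id"], r["risk"], r["score"], ",".join(r["hits"]))
```

On the sample batch the lookalike phish scores high on seven features, the invoice triggers nothing, and the campaign messages individually look only mildly suspicious (unseen domain plus urgency) until the batch-level fan-out feature lifts them to medium; that last step is the point of the “same sender to many internal users” feature, which no per-message classifier can see.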


Have a Mitigation Strategy

Despite best efforts, it is likely that someone will click on something that brings phishing home to roost.  Enterprises do their best to educate and detect potential attacks, but it only takes one to slip through.  There should be a plan to execute when this happens, including identifying all affected users and communicating the mitigation plan.

Internal users are the key here.  They are on the front lines of phishing attacks, and have to decide which emails are legitimate and which are malicious.  To do so, they need regular training and information on what to look for and how to respond to potential attacks.  In particular, users have to develop a “no confidence” attitude toward emails with unusual subject lines or unknown senders, and report those emails to the experts who can look into them further.

And by all means, unless users are certain of the sender and content, they should always follow best practices for thwarting phishing attacks: don’t open emails from people you don’t know or aren’t expecting communications from, don’t click on links in such emails, and don’t open any attachments.

As always, the best offense is a good defense.  Gurucul can help.  Contact us for more information on our Security Analytics Platform.