Beyond Catching Sender Spoofing – using AI to stop email fraud and Business Email Compromise


In September, we announced our new email security technologies powered by XGen™ and a new product, Smart Protection for Office 365. One key technology introduced was our new AI-based email fraud, or Business Email Compromise (BEC), detection technique.

A user receiving a BEC email will have a difficult time telling whether it is fake or real. The recipient would likely focus on the action they need to take to satisfy the urgent request of an executive and miss the subtle indications that the email is fake. Traditional email security solutions struggle with these attacks because there is usually no attachment or URL to examine, and the content looks the same as a legitimate email. These facts make BEC attacks difficult to detect and damaging, with an average loss per incident of $132,000 according to the FBI.

Trend Micro Hosted Email Security includes the email authentication standards (SPF, DKIM, and most recently DMARC) that prevent domain/sender spoofing, but this only solves part of the equation. These standards prevent your own domain and senders from being spoofed, but they don’t prevent other email forging techniques, such as “free email account abuse” (using a free but legitimate email domain name) and “compromised email account abuse” (using a compromised account to attack internally). Additional BEC technologies are needed to fully protect email users.

How Trend Micro uses A.I. to detect BEC

Let’s take a closer look at how we detect fake emails or Business Email Compromise attacks. A user receiving a BEC email will have a difficult time telling if it is fake. The content looks legitimate and the attackers will play into the employee’s desire to be responsive to the executive they are impersonating.

Trend Micro uses artificial intelligence that combines the knowledge of a security expert with a self-learning mathematical model to identify the fake emails. A security expert examining an email would look at both the behavioral factors of an email and the intention of the email.


In the mail header, the security researcher would look at factors such as whether the email comes from an insecure email provider, whether the sender’s domain resembles the target organization’s domain, whether the sender is using the name of an executive at the recipient’s organization, and many others.

The researcher would also read the content of the email to decipher its intention. Suspicious factors would include a sense of urgency, a request for action, or a financial implication. None of these factors are suspicious on their own, but they paint a more complete picture when combined with the attacker behavioral factors.


We can mimic the decision-making process of the security researcher with a form of artificial intelligence called an Expert System. The researcher’s rules decide which factors of the email to examine and rate how suspicious each one is.

We then use a second form of artificial intelligence, machine learning, which takes the results of the expert system and uses a computer-generated algorithm to determine whether the email is real, fake, or suspicious. The machine learning algorithm is trained on millions of good and fake emails and is constantly learning and improving. It weighs the results of the expert rules and more accurately detects the fraudulent email as fake.
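To make the two-stage design concrete, here is an added example, not Trend Micro’s code, of an expert system whose rule outputs feed a weighted scorer. It covers the header factors listed above (free provider, lookalike domain, an executive’s name on a non-executive address, which is the same check applied to the high-profile user list described under point 3 below) and the content factors (urgency, request for action, financial implication). The organization domain, the protected-user list, the provider list, the keyword rules, the weights and the sample messages are all constructed for illustration; a production system would learn the weights from labelled mail and use far richer features.

```python
"""Toy BEC detector: expert-system rules feeding a weighted (ML-style) scorer.

Added illustration, not Trend Micro code. All configuration values, rule
keywords, weights and sample emails below are constructed for this example.
"""
import math
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed customer configuration (hypothetical values).
ORG_DOMAIN = "example.com"
PROTECTED_USERS = {"Alice Chen": "alice.chen@example.com"}  # high-profile list
FREE_MAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def _edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# --- Stage 1: expert-system rules. Each factor is 1 if present, else 0. ---

def header_factors(msg):
    """Behavioral factors a researcher would read off the mail header."""
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    internal = domain == ORG_DOMAIN
    return {
        "free_provider": int(domain in FREE_MAIL_PROVIDERS),
        "lookalike_domain": int(not internal and 0 < _edit_distance(domain, ORG_DOMAIN) <= 2),
        # Display name of a protected user, but not that user's real address.
        "exec_name_external": int(name in PROTECTED_USERS and addr != PROTECTED_USERS[name]),
        "reply_to_mismatch": int(bool(reply_to) and reply_to != addr),
    }


URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|today)\b", re.I)
ACTION = re.compile(r"\b(wire|transfer|send|process|pay|purchase)\b", re.I)
FINANCIAL = re.compile(r"\b(payment|invoice|wire|gift cards?)\b|\$\s?\d", re.I)


def _body_text(msg):
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()


def content_factors(msg):
    """Intention factors read from the subject and body."""
    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    return {
        "urgency": int(bool(URGENCY.search(text))),
        "request_for_action": int(bool(ACTION.search(text))),
        "financial": int(bool(FINANCIAL.search(text))),
    }


# --- Stage 2: weighted model over the rule outputs (logistic form). --------
# Illustrative stand-ins for weights a trained model would learn.
WEIGHTS = {
    "free_provider": 1.0, "lookalike_domain": 2.5, "exec_name_external": 3.0,
    "reply_to_mismatch": 1.5, "urgency": 1.0, "request_for_action": 1.0,
    "financial": 1.5,
}
BIAS = -3.5  # no factor present => low fraud probability


def score(msg):
    """Probability-like fraud score in (0, 1)."""
    factors = {**header_factors(msg), **content_factors(msg)}
    z = BIAS + sum(WEIGHTS[k] * v for k, v in factors.items())
    return 1 / (1 + math.exp(-z))


def classify(raw):
    """Map the score to the three verdicts used in the text."""
    p = score(message_from_string(raw))
    return "fake" if p >= 0.8 else "suspicious" if p >= 0.4 else "real"


# Constructed sample messages (not real mail).
BEC_EXTERNAL = """From: "Alice Chen" <alice.chen.ceo@gmail.com>
To: bob.lee@example.com
Subject: Urgent wire transfer needed today

Please process a payment of $25,000 to the vendor below before close of
business. I am in a meeting and cannot talk.
"""
COMPROMISED_INTERNAL = """From: "Alice Chen" <alice.chen@example.com>
To: bob.lee@example.com
Subject: Quick favor

I need you to purchase gift cards for a client right away and send me the codes.
"""
LEGIT = """From: "Bob Lee" <bob.lee@example.com>
To: alice.chen@example.com
Subject: Lunch on Friday

Anyone want to try the new place on Friday?
"""

if __name__ == "__main__":
    for label, raw in [("external", BEC_EXTERNAL),
                       ("compromised", COMPROMISED_INTERNAL), ("legit", LEGIT)]:
        print(label, classify(raw))
```

The compromised-account sample is the case item 2 below describes: every header factor is zero because the mail really comes from the executive’s mailbox, and it is the content factors alone that push the score into the “suspicious” band. The external sample combines a free provider, an executive’s name on the wrong address, and all three content factors, so the same weights rate it “fake”.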

Even trained users struggle to spot phishing emails. Trend Micro combines the decision-making rules of a security expert with the power of machine learning to find fake emails and avoid damaging Business Email Compromise attacks.

Why is Trend Micro’s BEC detection technique different?

1. Protecting from not only sender spoofing, but also suspicious content

We analyze not only email behavior (e.g., a forged sender) but also intention (e.g., urgency), by using both an Expert System and machine learning.

2. Includes internal BEC protection for compromised email accounts

When a user’s account or mailbox is compromised, usually after a phishing attack, the attacker can use the compromised account to send internal phishing or BEC emails. Because the email comes from a legitimate user’s mailbox, there won’t be anything suspicious in the mail header or sender address, so sender authentication techniques cannot detect it. Trend Micro’s Cloud App Security, which is included in Smart Protection for Office 365, can detect internal BEC attacks on Office 365 email.

3. Includes high-profile user protection

Since BEC scams target high-profile users such as company executives, extra scrutiny is applied to high-profile users, who are identified by the customer using Active Directory groups or by entering their email addresses. Trend Micro checks incoming email messages claiming to be sent from those users and applies the fraud checking criteria to identify forged messages.

4. No extra charge

BEC protection is included in Smart Protection for Office 365, which includes Hosted Email Security (cloud email gateway) and Cloud App Security (API-based service integration). There is no extra charge, as we think all customers deserve the best BEC protection.