Why Does Link Scanning Miss so Many Phishing Attacks?
Posted by Reece Guida on October 25, 2018
Link scanning is an email security feature that checks each URL in a message against a database of known-malicious sites. It is meant to protect users when attackers compromise a website, host malware or a credential-harvesting page on it, and then place the link in phishing emails to extract something of value, most often SaaS credentials or money.
What is the problem with link scanning?
Because these databases are built from reports accumulated over time, a link is only flagged after it has been seen, reported and classified. That makes link scanning ineffective against zero-day links that have not existed long enough to acquire any reputation at all, and against older links that simply have not been reported as malicious yet. It follows that relying on link scanning as the sole method of phishing detection and prevention is inherently problematic.
To demonstrate this weakness, we investigated the performance of Google's Safe Browsing feature, considered by many to maintain the gold-standard database of malicious links. According to Google, "Safe Browsing helps protect over three billion devices every day by showing warnings to users when they attempt to navigate to dangerous sites or download dangerous files." When a user navigates to a site on the list, Google warns them that there is a "deceptive site ahead."
In our three-day analysis, we compared the malicious links blocked by Google Safe Browsing with those caught by the Avanan security platform. Of all the phishing emails Avanan blocked that contained links to compromised websites, Safe Browsing flagged the link in only 14% of them. The other 86% of these emails, which Google missed, contained zero-day links that had not appeared in previous phishing emails.
These statistics show the danger of relying on link scanning alone to prevent phishing attacks. Google builds a reputation for a link over time, so attackers stay ahead by simply moving to new domains before any reputation forms. To secure enterprise collaboration beyond the limited perspective of link scanning, phishing indicators other than domain reputation must be considered.
How does Avanan's link analysis differ from that of Google?
Avanan's link analysis also uses the domain reputation data the industry relies on, but combines it with additional context about the link in question. For example, Avanan's link reputation feature considers whether the link points to a newly registered domain, a domain with little traffic, or a domain hosted in a high-risk region (a "red zone"), and folds these factors into a risk score for each link. Many malicious links never appear on a reputation list, yet Avanan can still assign them a risk score based on indicators beyond the link itself, which we discuss below.
Looking beyond the link to identify phishing
Because link scanning alone is an incomplete approach to email scanning, Avanan complements it with more holistic methods of phishing identification. In addition to the standard SPF/DKIM/DMARC sender checks performed by email gateways, Avanan uses:
- Company context: roles, nicknames, and relationships between users.
- Potential risk: whether the sender or recipient holds administrative or executive responsibilities, and whether the message is in character given previous conversations and topics.
- Natural language processing: interpreting the topic of the message and the action it asks for that might lead to a security concern. For example, an email with an urgent request to pay an invoice in an unusual way would likely signal a phishing attack.
- Signature: does the signature in the message match the sender's expected signature?
With these contextual indicators, Avanan's machine learning can catch phishing attacks that link-only tools miss, because those tools lack the context and visibility our API connection to the cloud email platform provides. This defense-in-depth approach goes beyond link scanning and examines the phishing problem from several angles that are specific to each organization.
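As an added illustration, not code from the original post and not Avanan's implementation, the following Python sketch shows how the signals above can be combined: link-level context (reputation list, domain age, traffic, hosting region) and message-level context (executive display-name impersonation, urgent payment language, a missing signature). It also shows the failure mode the post describes, a zero-day link that a list-only scanner and even link-level context allow, but that the whole-message score blocks. All domain names, sample messages, weights and thresholds are constructed for the example.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed stand-in data for the example (not a real feed or Avanan data).
# REPUTATION_BLOCKLIST plays the role of a Safe Browsing style list; DOMAIN_INFO
# plays the role of WHOIS age, traffic ranking and hosting lookups.
REPUTATION_BLOCKLIST = {"login-paypa1-secure.example"}
DOMAIN_INFO = {
    "sharepoint.com": dict(registered=date(1997, 3, 5), monthly_visits=50_000_000, region="US"),
    "invoice-portal-4421.example": dict(registered=date(2018, 10, 22), monthly_visits=12, region="ZZ"),
}
RED_ZONE_REGIONS = {"ZZ"}   # hosting regions this (hypothetical) organisation treats as high risk
BLOCK_THRESHOLD = 60        # weights and threshold are illustrative, not tuned values
TODAY = date(2018, 10, 25)  # fixed so that domain age is deterministic

# Hypothetical company context: executive display names, real addresses, usual signatures.
EXECUTIVES = {"Pat Lee": ("pat.lee@acme.example", "Pat Lee | CFO, Acme")}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
URGENCY_RE = re.compile(r"\b(urgent(?:ly)?|immediately|right away|asap|today)\b", re.I)
PAYMENT_RE = re.compile(r"\b(wire|invoice|gift cards?|bank details|transfer)\b", re.I)


def registrable_domain(url):
    """Last two host labels. Naive on purpose: production code would use the public suffix list."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def score_link(url, today=TODAY):
    """Link-level risk: reputation list first, then age, traffic and hosting of the domain."""
    domain = registrable_domain(url)
    hits = []
    if domain in REPUTATION_BLOCKLIST:
        hits.append((100, "on reputation blocklist"))
    info = DOMAIN_INFO.get(domain)
    if info is None:                      # zero-day: nothing is known about this domain yet
        hits.append((30, "no history for domain"))
    else:
        age_days = (today - info["registered"]).days
        if age_days < 30:
            hits.append((40, f"domain registered {age_days} days ago"))
        if info["monthly_visits"] < 1000:
            hits.append((20, "low-traffic domain"))
        if info["region"] in RED_ZONE_REGIONS:
            hits.append((20, "hosted in red zone"))
    return sum(p for p, _ in hits), [r for _, r in hits]


def score_message(msg, today=TODAY):
    """Whole-message risk: link scores plus sender identity, language and signature context."""
    hits = []
    for url in URL_RE.findall(msg["body"]):
        score, reasons = score_link(url, today)
        if reasons:
            hits.append((score, f"{url}: {'; '.join(reasons)}"))
    claimed = EXECUTIVES.get(msg["from_name"])   # display name of a known executive?
    if claimed:
        real_addr, signature = claimed
        if msg["from_addr"].lower() != real_addr:
            hits.append((50, f"display name {msg['from_name']!r} but sender is {msg['from_addr']}"))
        if signature not in msg["body"]:
            hits.append((20, "usual signature missing"))
    if URGENCY_RE.search(msg["body"]) and PAYMENT_RE.search(msg["body"]):
        hits.append((30, "urgent payment request"))
    return sum(p for p, _ in hits), [r for _, r in hits]


def verdict(score):
    return "block" if score >= BLOCK_THRESHOLD else "allow"


# Constructed sample messages (senders, addresses and contents made up for the example).
SAMPLES = {
    "benign": {"from_name": "Pat Lee", "from_addr": "pat.lee@acme.example",
               "body": "Team, the Q3 deck is at https://acme.sharepoint.com/sites/fin/Q3.pptx\n"
                       "No rush.\nPat Lee | CFO, Acme"},
    "known_bad": {"from_name": "Support", "from_addr": "support@login-paypa1-secure.example",
                  "body": "Verify your account: https://login-paypa1-secure.example/login"},
    "new_domain": {"from_name": "Accounts Payable", "from_addr": "ap@vendor-billing.example",
                   "body": "Your invoice is overdue, pay immediately at https://invoice-portal-4421.example/pay"},
    "zero_day": {"from_name": "Pat Lee", "from_addr": "pat.lee@acme-mail-secure.example",
                 "body": "Need this invoice paid today by wire, new account details here: "
                         "https://docs-share-9f2a.example/view\nPat"},
}


def analyse(name):
    """Compare three scanner depths on one sample: list lookup, link context, whole message."""
    msg = SAMPLES[name]
    urls = URL_RE.findall(msg["body"])
    list_hit = any(registrable_domain(u) in REPUTATION_BLOCKLIST for u in urls)
    link_score = sum(score_link(u)[0] for u in urls)
    msg_score, reasons = score_message(msg)
    return {"list_only": "block" if list_hit else "allow",
            "link_context": verdict(link_score),
            "whole_message": verdict(msg_score),
            "reasons": reasons}


if __name__ == "__main__":
    for name in SAMPLES:
        r = analyse(name)
        print(f"{name:10} list-only={r['list_only']:5} link-context={r['link_context']:5} "
              f"whole-message={r['whole_message']:5} {r['reasons']}")
```

Running it prints one line per sample. The `known_bad` message is the only one a list lookup catches; `new_domain` is caught once domain age, traffic and hosting region are considered; `zero_day` uses a domain nobody has data on, so neither the list nor the link-level context reaches the block threshold, and only the combination of executive impersonation, missing signature and urgent payment language does. The weights are deliberately simple additive constants; a real system would learn them, and the domain extraction would use the public suffix list rather than the last two labels.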
The reality is that most zero-day URLs bypass both traditional link scanning and the default security of cloud email providers. Depending on link scanning alone to detect phishing is therefore a flawed strategy.
Avanan scans links against the databases of Google Safe Browsing and two other leading link scanning engines, but goes much further than the link itself and investigates the entire message. Most email gateways have limited visibility into the context surrounding each individual message. Avanan, by contrast, correlates user behavior with the structure and content of the email rather than merely scanning the links within it. By combining standard link scanning with whole-message analysis, Avanan's machine learning adapts to how malicious links are used in the context of the email.