Graymail and its impact on cybersecurity

by Egress
Published on 28th Nov 2023

Graymail – technically, it’s not bad, but it’s not necessarily good either. At worst, it’s a potential cybersecurity threat.

The accepted definition for graymail is solicited emails that aren’t spam or phishing, but which the recipient may perceive as inbox clutter. The term ‘graymail’ includes newsletters, promotional emails, and other marketing communications. Usually, the recipient signed up for them once upon a time, although sometimes they didn’t and are being contacted based on ‘legitimate interest’.

Graymail can also present a more serious threat, as it can aid the spread of malware and other malicious payloads and desensitize people to phishing campaigns.

Because most organizations classify graymail as harmless, doing something about it typically ranks low on the priority list. Unfortunately for some, doing nothing could leave the door open to hackers. For example, cybercriminals may impersonate a legitimate email address that authentic graymail originates from and disguise malicious links as enticements, such as discount codes or subscription updates. Additionally, phishing emails are harder to spot when mixed with apparently benign graymail emails. Both graymail and spam tend to numb people’s senses to unusual or unsolicited emails.

This article provides a high-level overview of the topic, including the defenses that IT security professionals can implement if they want to secure their organizations’ data.

What is graymail?

Graymail describes emails that fall between important email correspondence and spam. It typically consists of emails that people don’t consider valuable but simultaneously may have some interest in. Examples of graymail include newsletters, promotional emails, and updates from social networks. It can even include unwanted activity notifications from rarely used applications.

Graymail differs from spam in that it is typically sent by legitimate organizations rather than from unsolicited, anonymous, or fraudulent sources. The sender of graymail has typically obtained the recipient’s consent and email address through a sign-up process, purchase, or other legitimate means.

How does Graymail work?

This type of mail is sent via a mass mail or email marketing platform using a template with generic copy and limited personalization (such as the recipient’s first name) or by using APIs to source ‘trending’ content for the recipient (such as notifications on a social platform), which is then populated within a template.

These emails typically contain tracking codes designed to collect information about the recipient’s interaction. Individuals may even send this information without knowing it, just by opening the email, thanks to transparent tracking pixels that let senders gather data on when and how often recipients open their emails. Other information collected may include whether the email was delivered or categorized as spam, what links the recipient clicked, what web browser they used to visit that link, what device they used to read the email and visit the website, and more.

Graymail vs. spam vs. phishing

Due to its initially solicited nature, graymail is not the same as spam. Spam arrives entirely unprompted, typically sent for commercial purposes to promote a business, and because it is untargeted, may have little relevance and no value to many of its recipients.

Graymail and spam, while both potentially annoying, are also distinct from malicious phishing emails.

Graymail emails can contribute to the challenge posed by phishing because they can act as camouflage for malicious emails hiding among them. People can become desensitized to unwanted, unusual, and unexpected emails and, by lowering their guard, can be more susceptible to a phishing email.

Additionally, if the graymail sender gets hacked, valid email addresses and other information they store can fall into the hands of criminals and be used in phishing campaigns. For example, attackers could use captured email addresses to launch spear phishing attacks designed to deliver ransomware.

Graymail defense

Fortunately, senders of legitimate mass email, including graymail, are legally required by global anti-spam legislation to include an unsubscribe or opt-out link at the bottom of their emails. Manually unsubscribing from these lists can be labor intensive and time consuming.

Egress Defend now auto-filters graymail into a dedicated folder to reduce the time users spend interacting with valueless messages. By moving graymail out of the main inbox flow, users won’t become desensitized to the risk of phishing emails, plus not having those emails in the main inbox flow reduces alert fatigue and allows users to focus on the mail that matters most. Admins will also benefit from the feature, as graymail is 12x more likely to be reported as phish by users. This feature will help minimize false alarms that need investigation so admins have more time to focus on higher-priority security needs.

Many email services and clients also provide filtering and blocking tools to manage graymail. These tools allow people to control the amount and types of emails they receive. For example, someone can mark unwanted emails as spam to help train the filtering algorithms. However, it is worth noting that non-experts can lead to miscategorized emails, which while of low impact when considering spam and graymail, can be a problem if your anti-phishing solution allows itself to be informed by end-users. Read our article on social graph models and phishing for more insight.