Phishing

How we flip the phishing quarantine model on its head (and why it’s incredibly effective)

A new approach to stopping phishing attacks
by Jack Chapman
Published on 10th Feb 2023

Secure email gateways (SEGs) quarantine phishing emails. Microsoft sends them to Junk. Egress – well, we deliver them to the inbox.

We know it sounds controversial – but in reality, it’s an incredibly effective approach for immediate and long-term phishing prevention. 

Anything that goes against the way things have always been done is bound to sound controversial – but, as the saying goes, if we always do things the same way, we’re always going to end up with the same results. And every industry report, news headline, and organization tells the same story year after year: phishing remains the top cybersecurity risk; it’s the primary cause of security incidents; and it continues to threaten data, operational efficiency, and organizations’ finances.

At Egress, we don’t want to do things the traditional way when we can see a better route. It’s our mission to enable our customers to detect and prevent immediate threats to their security, as well as improve their resilience against future threats. As part of achieving this, our integrated cloud email security (ICES) solution flips the traditional phishing quarantine model on its head to deliver tangible, long-term risk reduction.

The short answer to why we don’t quarantine phishing emails

It’s inevitable that employees will be exposed to phishing emails at some point. By quarantining or junking the phishing emails that are detected, you miss the opportunity to regularly and automatically use real-life examples to improve people’s detection capabilities. When a phishing email inevitably gets through, the person is more likely to fall victim to it if they aren’t regularly shown what to look out for. Additionally, no training program can scale to regularly share examples across the broad spectrum of phishing attacks without consuming security professionals’ and employees’ time (and, likely, becoming something employees switch off from). Even if an employee is effectively trained to detect a mail impersonation scam targeting DHL, this won’t necessarily transfer to detecting other brand impersonation attacks or CEO impersonation, let alone other attacks such as invoice and payment fraud.

As noted at the top of this post, the approach taken to date hasn’t done enough to staunch the rising tide of phishing attacks. It’s time to do things a new way.

Wait, what about security awareness and training (SA&T)?

Forrester’s Jinan Budge explained in a recent webinar that traditional SA&T has an acknowledged ceiling to its effectiveness. Unfortunately, you can’t guarantee people are listening to and retaining what they’re told. Even if they do, training goes out the window when they’re naturally or socially engineered into Type 1 thinking (a high-risk state defined by being fast, emotional, and intuitive, vs. Type 2 thinking that is slow, calm, and logical). Cybercriminals have recognized this, and it’s why they use tactics such as impersonating high-ranking company officials like CEOs and CFOs and weaponizing the 24-hour news cycle. Finally, unlike technology, people have a naturally higher margin of error and can be taken in by a well-presented and highly targeted advanced attack, as seen in many brand impersonation attacks.

Egress Defend: Proven to reduce risk and improve security awareness

Our anti-phishing solution, Egress Defend, has been architected to sit inline in the mail flow and use SMTP processing for detection, which means every email is scanned before it is delivered to the mailbox rather than being pulled back out of the inbox afterwards.

This enables us to do two things.

First, we neutralize every phishing email we detect, so the recipient can’t do anything you (or we!) wouldn’t want them to. For example, Defend rewrites every hyperlink, regardless of whether it links to a phishing website or not, so that the destination is evaluated when the user clicks rather than only when the message was scanned. This is how we combat post-delivery weaponization, where a link is benign at delivery time and only later redirected to a phishing page. Our intelligent email DLP solution, Egress Prevent, can also block replies to phishing emails, adding an extra layer of protection.

Second, we use real-time teachable moments to improve awareness. Defend adds dynamic banners to every email, including orange and red banners when risk is detected. If they want to, people can click on these banners for clear, concise explanations of what we’ve found, which improves their long-term education in a matter of seconds using actual phishing emails they are exposed to (versus the selective or mocked up examples used within training programs). Whether they click the banners or not, they can then quickly and safely move onto the next email in their inbox having benefitted from risk being highlighted to them in real time.
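To make the two pre-delivery steps above concrete, here is an added example (not Defend’s code, and not Egress’s own implementation) of what “rewrite every link, then banner the message” looks like in miniature. It assumes a hypothetical click-time endpoint at https://click.example.com/check, a hypothetical signing secret, simple HTML bodies with double-quoted href attributes, and a green banner level for clean mail (the post only mentions orange and red). The rewritten URL carries an HMAC over the original so the check endpoint cannot be turned into an open redirector, and the reputation lookup runs at click time, which is what catches a link that turns malicious after delivery.

```python
"""Added example, not Egress/Defend code: pre-delivery link rewriting and
dynamic bannering of an HTML email, plus the click-time check.

Assumptions (not from the page): the check endpoint REWRITE_BASE, the
signing key SECRET, the banner colours, and the constructed sample email.
"""
import base64
import hashlib
import hmac
import re
import urllib.parse
from typing import Callable, Optional, Tuple

REWRITE_BASE = "https://click.example.com/check"  # hypothetical endpoint
SECRET = b"rotate-me-in-production"                # hypothetical key

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def wrap_url(original: str) -> str:
    """Encode the original URL into the check endpoint and sign it, so the
    endpoint only redirects to destinations it issued (no open redirect)."""
    payload = _b64(original.encode())
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{REWRITE_BASE}?u={payload}&sig={sig}"


def unwrap_url(wrapped: str) -> Optional[str]:
    """Recover the original URL; None if the signature does not verify."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(wrapped).query)
    payload = query.get("u", [""])[0]
    sig = query.get("sig", [""])[0]
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return _unb64(payload).decode()


def rewrite_links(html: str) -> str:
    """Rewrite every href, benign or not, so destinations are judged at click."""
    def repl(match: re.Match) -> str:
        target = match.group(1)
        if target.lower().startswith(("mailto:", "tel:")):
            return match.group(0)  # not a web destination; leave untouched
        return f'href="{wrap_url(target)}"'
    return HREF_RE.sub(repl, html)


def add_banner(html: str, level: str, reason: str) -> str:
    """Prepend a dynamic banner; level is 'green', 'orange' or 'red'."""
    colours = {"green": "#2e7d32", "orange": "#ef6c00", "red": "#c62828"}
    banner = (f'<div style="border-left:6px solid {colours[level]};padding:8px">'
              f'<b>{level.upper()}:</b> {reason}</div>')
    return banner + html


def neutralise(html: str, level: str, reason: str) -> str:
    """Pre-delivery processing: rewrite links first, then banner the result."""
    return add_banner(rewrite_links(html), level, reason)


def click_time_check(wrapped: str,
                     is_malicious: Callable[[str], bool]) -> Tuple[str, Optional[str]]:
    """What the endpoint does on click: verify the signature, then evaluate
    the destination *now*, not with the verdict from delivery time."""
    original = unwrap_url(wrapped)
    if original is None:
        return ("reject", None)      # forged or tampered wrapper
    if is_malicious(original):
        return ("block", original)
    return ("allow", original)


if __name__ == "__main__":
    # Constructed sample message (not a real phishing email).
    sample = ('<p>Your parcel is waiting.</p>'
              '<a href="http://track.example.net/p?id=123">Track</a> '
              '<a href="mailto:help@example.net">Contact us</a>')
    print(neutralise(sample, "orange", "Sender domain first seen today."))
```

The lookup passed to click_time_check is deliberately a callable: in the example it is a set that gains an entry after the message has been delivered, which is exactly the case an at-delivery-only scan cannot catch.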

This approach is proven to tangibly reduce risk. In one customer example, interactions with phishing emails decreased by 71% once Defend was actively deployed and bannering emails, compared to when they didn’t have banners in their emails (data taken over a 30-day period). And once deployed, anyone interacting with the phishing emails we’d neutralized and bannered would simply be improving their security education.

Are all ICES the same?

No. Not every ICES is created equal. Again, there are two important points to this.

1. GraphAPI for detection can leave organizations exposed to risk

Some ICES solutions use GraphAPI in their detection process (rather than SMTP like Defend). As a result, every email – phishing and legitimate alike – is delivered to the inbox first, and phishing emails are then removed and quarantined via GraphAPI. Most solutions do this by routing all emails as quickly as possible into a hidden folder to process them ‘out of the way’ of the user, then putting the emails they deem legitimate back into the inbox while quarantining those they have detected as phishing. In theory, this is near-instantaneous and the end user is none the wiser that a rule is diverting their emails; in practice, there is always a short window in which the message exists in the inbox before it is moved.

However, if for any reason (such as Microsoft throttling GraphAPI, technical bugs, or the user deleting or breaking the ICES’s routing rule) the solution can’t move emails into the hidden folder, then everything is delivered to and sits in the inbox where the user can interact with it until the routing is up and running again.

Similarly, if the solution fails to detect a phishing email (a false negative) or an email is weaponized post-delivery (through a URL redirect when the original link hasn’t been rewritten), the recipient is again able to interact with it.

When either of these scenarios occur, quarantine means the person hasn’t regularly been made aware of the risk of phishing and has no in-the-moment, everyday education to fall back onto. They’re essentially flying solo, relying on historic SA&T modules, while acting as the last line of defense.

2. Without dynamic threat banners, Junk is an extra layer of risk

Junk is treated as a quasi-quarantine – somewhere ‘out of the way’ that phishing emails detected by Microsoft can be routed to. But people can still access their Junk folders – and even experienced employees have been known to interact with phishing emails from that folder.

So, Defend neutralizes and banners emails that end up in the Junk folder, providing an extra layer of security in Microsoft 365. It can do this because its SMTP processing happens pre-delivery, before Microsoft has applied its own verdict and routed a message to Junk: the rewritten links and the banner travel with the message wherever Microsoft places it. SEGs and other SMTP-based ICES solutions that quarantine rather than banner miss this opportunity: they also process mail before Microsoft, so anything they miss is routed by Microsoft to Junk or the inbox with no banner. (Conversely, ICES solutions that rely on GraphAPI processing act post-delivery, on the Inbox folder, for threats missed by Microsoft and the SEG.)

Why our approach is better for administrators too

Finally, we know administrators need to act effectively and to save time on routine tasks wherever possible. Quarantine will always need triaging for false positives – whether that’s a single quarantine from a SEG or an ICES hidden folder alone, or doubling up with both. With no quarantine to triage, Defend frees administrators to work more efficiently while continuing to protect the organization from advanced phishing threats.

See our approach in action

Book your personalized Defend demo today to see how our detection capabilities, dynamic banners, and real-time teachable moments can protect your organization from advanced phishing threats.