Email is a fundamental communication tool for businesses of every size, and everyone has an email address, despite the rise of Microsoft Teams, Slack and other alternative communications options. This ubiquitousness has one downside – it gives criminals a direct “line” to every employee in your business. And that’s why various types of phishing emails are still the most common attack vector that starts a cyber breach.

Plus, modern email is very helpful, providing interactive emails with links to documents and websites, images and logos with links embedded, along with QR codes – all designed to facilitate collaboration, but of course also handy for criminals to trick your users. In fact, a recent analysis of 55.6 billion emails over a year period revealed that 36.9 percent of email traffic is categorized as “unwanted”.

This “unwanted” email is broken down into category areas with 0.3% of emails being categorized as an “Advanced Threat”. 0.3% may not seem like alot but when correlated with 55.6 billion emails that’s still roughly 167 million highly sophisticated email-based threats. This is why you need to use the strongest solution possible to ensure that malicious links don’t end up in your users’ inboxes.  

The Rise of URL-Based Threats 

Once upon a time the way threat actors used email attacks was through malware attachments – “please open the attached PDF or Word document to receive your prize”. This is still happening but it’s less common because it’s easy to spot – any email security solution is going to scan that attachment, and more advanced ones like Hornetsecurity’s Advanced Threat Protection (ATP) will open any unknown attachment in a sandbox and observe any activity from the file to identify if it’s malicious or not. Also – once the email is sent the attackers can’t change the payload, and once it’s been identified as malware, all other copies of the same email will be blocked.  

Sending a link to a website or a file instead of an attachment adds flexibility for the attackers. A favorite approach is compromising a website, but not make any changes until after the email campaign has been sent. Most link scanners evaluating the links only at delivery time won’t flag the emails as the link leads to a perfectly safe site or file, and later the attackers will spring their trap and swap out the benign file for a malicious one, or add malware to a website.

Time-of-click scanning in Secure Links, a feature within Hornetsecurity’s Advanced Threat Protection (ATP), evaluates the risk of the target file or site both at delivery time, and when the user eventually clicks the link.

Notably, groups such as Fancy Bear and Cozy Bear have employed these techniques in sophisticated phishing campaigns. These groups maintain adaptability and evade detection by geotargeting their victims and swapping out payloads on compromised servers.

Therefore, you need a solution like ATP as it’s able to reach into your user’s mailboxes after it’s discovered that a particular email has malicious links in it and delete it from everywhere else where it’s already been delivered.  

The user experience when a URL is safe

Solutions like this are becoming even more important. Our data from over the last year shows that malicious URLs account for 22.7% of email-based attacks. This highlights malicious URLs as increasingly popular with threat actors and second only to pure phishing attacks. For instance, in 2024, phishing attacks saw a significant rise, with a 28% increase in phishing emails reported in the second quarter alone, contributing to an overall 58.2% surge in URL-based phishing attacks – a clear indication of the escalating tactics employed by threat actors.

Attack Technique Percentage
Phishing 33.3
URL 22.7
Advanced-Fee Scam 6.4
Extortion 2.8
.Exe in Disk Image / Archive 2.4
Impersonation 1.8
HTML 1.7
Maldoc 0.5
“Other” 28.4

Furthermore, attackers won’t just link to a particular site, but rather use a complex series of redirects from site to site, and often base the decision whether to serve the malicious file or a benign one on particular characteristics such as the id of the link, country of origin etc. It’s similar to how modern marketing can be hyper targeted to exactly the desired cohort of people, whereas here the attackers are making sure only particular people get their evil payload.

This includes using various techniques to identify if it’s an actual user who clicked the link, or an automated cybersecurity system trying to figure out if the link is malicious or benign, and if it is, it’ll serve up a safe file to try to throw the system off the scent.  

Secure Links adapts to this by anonymizing the tokens in links randomly replacing them so that the content of the page can be safely explored on behalf of the user, without triggering any action or tracking. This function is essential for analysis at the time of click, which blocks attacks based on dynamic links and dormant pages.

Furthermore, each page is browsed from simulations of more than 30 devices and browser combinations on mobile devices (Safari/Chrome, iOS & Android) to spot attacks that are designed to only trigger on smartphones. Finally, the pages are browsed from four different regions of the world, to catch phishing pages that are targeted to a single region.  

The user experience when the link destination is malicious

This brings us to another important point; the criminals are well funded, staffed and incentivized to improve their attacks with novel approaches to boost their effectiveness. Therefore, your defenses need to be supported by a team of specialists, such as us here at the Security Lab, focusing on detecting these new variants and blocking them as quickly as possible.  

We’ve also seen a steady rise in phishing links leading to fake login pages, trying to trick users to enter their username, password, and respond to an MFA prompt on their phone, all while the proxy site passes this information on to the legitimate sign in page. This is called Attacker or Adversary in the Middle, shortened to AitM. Once successful, the attacker can now act as that user, including accessing their mailbox and other documents.  

This technique has become increasingly common, with a marked rise in AitM phishing attacks in 2024 targeting organizations with stringent MFA policies.

Don’t forget to train your users, if all else fails and a malicious link slips through and lands in inboxes, a security aware user will flag unusual emails, rather than just blindly clicking the links.  

Secure Links, within ATP, works by replacing every link (including clickable images etc.) with one that points to our servers (Secure Web Gateway), so that when the user clicks it, they’re first directed to our servers, while behind the scenes the system follows the link and determines whether the target is safe or not. This protects your users every time they click a link in an email.  

Here’s what it looks like when a user clicks a secure link in an email

There are two challenges to overcome when building a good solution for this, the first is speed. If it takes several extra minutes every time a user clicks a link, which hinders productivity and adds stress to staff, the system won’t be very popular – Secure Links is fast to avoid this.  

Secondly, you need advanced AI technologies such as Machine Learning (ML) and computer vision solutions to scan every image, QR code and other obfuscation the attackers use to bypass protections, again Secure Links brings industry leading tech to bear on this problem.  

Secure Links uses artificial intelligence to provide advanced protection against phishing, even in short-wave, highly targeted attacks: 

  • Smart patterns analyze key features of URLs and pages (e.g. redirections, file paths, scripts, etc.) to identify malicious content. 
  • Supervised and unsupervised machine learning algorithms analyze more than 47 characteristics of URLs and web pages, scanning for malicious behaviors, obfuscation techniques, and URL redirects. 
  • Deep learning: Computer Vision models analyze images to extract relevant features used in phishing attacks, including brand logos, QR codes, and suspicious textual content embedded within images. 

Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) using Hornetsecurity’s Secure Links will be pleased to know that they can add their own logo and information on the scanning pages, using White labeling to improve their brand awareness with their customers.   

In the rare case where the scanning of a page couldn’t be completed the user is offered the option to continue to it (admins can control this option through policy)

Email borne threats such as phishing links are a fact of life in today’s digital landscape and businesses need to have a reliable solution in the form of ATP with Secure Links to take care of this threat. This is especially true for spear phishing attacks. Most phishing emails are generic and sent in bulk to a large number of recipients (“click here to validate your address for your FedEx delivery”) and these are easily blocked by ATP.

But where attackers have their sights on a specific organization, they’ll do reconnaissance, identify individuals based on the company website and LinkedIn profiles and craft targeted phishing lures much more likely to blend in with normal email communications. In some cases, we’ve seen them compromise a single user’s mailbox, and then use it to launch targeted phishing emails to others in the organization, increasing the likelihood of a click as the sender is trusted.  

In these situations, Secure Links will be a great benefit as it’ll ensure that every link is safe before allowing access.  

Furthermore, when it comes to comparing with Safe Links in Microsoft 365 E5, Umut Alemdar, the head of Hornetsecurity’s Security Lab points out that: 

In regards to analysis capabilities, one major difference is that Secure Links is capable of file scanning too, Microsoft’s Safe Links is not.

Request a demo today and see how Secure Links can elevate your cybersecurity strategy! 

Advanced Threat Protection icon

Conclusion 

Secure Links is a critical tool in the fight against email-based phishing attacks, leveraging advanced AI technology to ensure that users can navigate their communications safely. With features like real-time link analysis and a user-friendly interface, Secure Links not only enhances security but also integrates seamlessly into existing workflows. By implementing this tool, organizations can proactively safeguard sensitive data and maintain compliance with industry regulations. 

Leave a Reply

Your email address will not be published. Required fields are marked *