Over the past 2 years, organizations have seen a huge uptick in the number of email compromise attacks. This increase has come mainly in the form of non-signature-based attacks, such as name impersonations and domain lookalikes. The social engineering behind name and domain impersonations has become so sophisticated and well-targeted that phishing attempts can be nearly indistinguishable from the real thing.
IRONSCALES is a messaging security company that focuses primarily on stopping phishing attacks via email by securing the mailbox itself. They have designed their solution to work toward 2 goals: helping the end user identify suspicious emails and helping security teams with incident response.
Identifying Suspicious Emails with IRONSCALES
IRONSCALES is not an in-line solution: emails are not forwarded through IRONSCALES for analysis. Instead, IRONSCALES connects directly to your mailbox via API. By connecting directly into the mailbox, it does not have to constantly sweep through thousands of mailboxes to detect a threat; rather, it receives a notification of an email as soon as it lands. This connection to the mailbox also allows it to detect polymorphic variants of an email, as well as detect a threat without it being reported. Periodically rescanning links and attachments makes sure they are not weaponized after the initial receipt. If at any point in time a report comes back as malicious, the email will be automatically removed from all mailboxes.
By analyzing data, such as common email senders and responses to specific senders, IRONSCALES builds a behavior profile for context around each user’s mailbox. If something suspicious is detected, IRONSCALES will display a dynamic banner within the body of the email. This dynamic banner tells the user exactly what is suspicious about the email, whether it is an impersonation attempt, a domain lookalike, or spoofing.
How IRONSCALES Helps Security Teams
IRONSCALES’ second goal – helping security teams with incident response – reduces time spent on forensics and analysis while automatically removing suspicious emails from mailboxes. IRONSCALES’ solution creates a reporting button in Microsoft 365 so users can report an email as suspicious with a single click.
On the Security Operations side, reports are triaged by priority – Low, Medium, or High. The priority is determined by factors such as whether or not the email contains links or attachments, and the number of end-users affected. When multiple users report the same email, IRONSCALES’ solution will merge them into a single incident report, while still showing each individual user who reported it.
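As an added illustration (not IRONSCALES' code or its actual scoring logic), the sketch below merges user reports of the same email into one incident and assigns Low, Medium, or High from the two factors named above. The report fields, the fingerprint, and the threshold of three reporters are assumptions, and the sample reports are constructed.

```python
import hashlib
import re
from dataclasses import dataclass, field

AFFECTED_THRESHOLD = 3  # assumption: this many distinct reporters counts as "many users affected"

# Constructed sample reports: (reporter, sender, subject, body, attachment_count)
SAMPLE_REPORTS = [
    ("ana@example.com", "ceo@examp1e.test", "Urgent wire", "Pay at http://pay.example.net/inv", 0),
    ("bob@example.com", "CEO@examp1e.test", " urgent  wire ", "Pay at http://pay.example.net/inv", 0),
    ("cy@example.com", "ceo@examp1e.test", "Urgent wire", "Pay at http://pay.example.net/inv", 0),
    ("ana@example.com", "ceo@examp1e.test", "Urgent wire", "Pay at http://pay.example.net/inv", 0),  # repeat click
    ("ana@example.com", "news@example.org", "Weekly digest", "Nothing to click here.", 0),
]

@dataclass
class Incident:
    sender: str
    subject: str
    has_payload: bool                      # email contains links or attachments
    reporters: list = field(default_factory=list)

    @property
    def priority(self):
        # Assumed rule: a payload and a wide blast radius each raise the priority one step.
        score = int(self.has_payload) + int(len(self.reporters) >= AFFECTED_THRESHOLD)
        return ("Low", "Medium", "High")[score]

def fingerprint(sender, subject, body):
    # Hypothetical "same email" key: case- and whitespace-insensitive sender and subject, exact body.
    parts = (sender.strip().lower(), " ".join(subject.lower().split()), body)
    return hashlib.sha256("\x00".join(parts).encode()).hexdigest()

def merge_reports(reports):
    incidents = {}
    for reporter, sender, subject, body, attachments in reports:
        key = fingerprint(sender, subject, body)
        if key not in incidents:
            payload = attachments > 0 or re.search(r"https?://", body, re.I) is not None
            incidents[key] = Incident(sender.strip().lower(), " ".join(subject.split()), payload)
        if reporter not in incidents[key].reporters:   # keep each reporting user once
            incidents[key].reporters.append(reporter)
    return list(incidents.values())

if __name__ == "__main__":
    for inc in merge_reports(SAMPLE_REPORTS):
        print(inc.priority, inc.sender, inc.subject, inc.reporters)
```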
IRONSCALES also aids security personnel with Themis, a virtual security analyst powered by AI. Themis learns as human analysts resolve and categorize various threats. When a report comes in, Themis gives her verdict on the attack category (phishing or spam) and the percent likelihood that the email is in fact malicious.