Commentary

Email Stealth Attacks: New Ways Of Breaching Legacy Systems

We’re barely into the new decade, and there is already bad news on the security front: malicious emails are slipping through legacy email gateways by the thousands.

That’s the crux of the 2019 End Of Year Email Phishing Report, a study released on Wednesday by security startup INKY. 

The study charges that INKY’s competitors are missing dangerous emails. We’re not imagining this: the headline to one section says, “INKY vs. The Competition.”

For instance, more than 500 suspicious emails got by Proofpoint to endanger a major healthcare provider, the report alleges. Moreover, INKY “identified as potentially dangerous 0.3% of emails that were deemed safe by Proofpoint."

And 6,000 possibly dangerous emails escaped detection by Mimecast to arrive at a capital management company, the report claims.

What’s more, Barracuda missed a malicious email, whereas “INKY recognized all the red flags and delivered the email with this red banner warning the recipient that the email looks dangerous.”


One has to read all this with a gimlet eye: in a truly objective report, INKY would give its competitors a chance to defend themselves. It’s a little like an editor reading a rival publication to spot typos. And there is no indication that any of these emails led to an actual breach.

But assuming there’s a grain of truth to these claims, how can bad emails be sneaking through? INKY attributes it to new kinds of attacks:

  1. Hidden Text and Zero Font Attacks — Attackers set the font size of part of the message to zero, so the text is invisible to the reader but still parsed by the gateway. They can also indulge in keyword stuffing: adding hidden text (white text on a white background) packed with keywords that seem to come from a normal conversation, so the message looks like ordinary correspondence to filtering software.
  2. Malicious Fake Attachments — To evade security settings that block remote images, the malefactors embed the image locally in the email itself, styled to look like an attachment icon. “If an end user sees an attachment that looks like a PDF file and clicks on it, they don’t open a PDF. They end up getting taken to a malicious site that then asks for their credentials.”
  3. Confusable Text and Homograph Attacks — The text in such an email looks correct to the reader but confuses the email gateway. The attacker can “register a new domain like amzon.com or amazon-storefront.com that is easily confused with a well-known brand term or which somehow embeds the brand term in a way that seems legitimate to end users.” It gets better. The offender can also “insert a typo, add extra characters or words, or substitute Unicode homographs where Latin letters would normally appear.” The report adds that “the Cyrillic character looks identical to a Latin capital A, but is actually a completely different Unicode character!”
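To make the three techniques concrete, here is an added example, written for this commentary and not taken from the INKY report or from any of the vendors named above: a small Python script that runs the checks a gateway would need against an HTML message body. The sample email, the hand-picked confusables table, the 0.8 similarity threshold for a typo-squatted brand, and the naive "last two labels" notion of a registrable domain are all assumptions of this example, not facts from the report.

```python
"""Heuristic checks for the three evasion techniques listed above.

Added example, not INKY's or any vendor's code.  The sample email below is
constructed for illustration, and the confusables table is a small hand-picked
subset of the Unicode confusables data.
"""
import re
import unicodedata
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: zero-font text, white-on-white keyword stuffing,
# an inline image dressed up as a PDF "attachment" that links out, and a link
# whose hostname uses a Cyrillic a (U+0430) in place of the Latin one.
SAMPLE_HTML = """\
<html><body>
<p>Hi, please review the attached invoice.</p>
<span style="font-size:0px">unsubscribe newsletter weekly digest</span>
<span style="color:#ffffff">as we discussed on the call yesterday thanks</span>
<a href="http://amzon.com/login"><img src="cid:invoice.pdf.png" alt="invoice.pdf"></a>
<p>Or visit <a href="https://am\u0430zon-storefront.com/">our storefront</a>.</p>
</body></html>
"""

VOID_TAGS = {"img", "br", "hr", "input", "meta", "link"}
_ZERO_FONT = re.compile(r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?\s*(?:;|$)")
# The lookbehind keeps 'background-color' from matching.  White text is assumed
# to sit on a white background, the usual keyword-stuffing case.
_WHITE_TEXT = re.compile(r"(?<![a-z-])color\s*:\s*(?:#fff(?:fff)?\b|white\b|rgb\(\s*255\s*,\s*255\s*,\s*255\s*\))")
_INVISIBLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden")


def style_hides(style):
    """True if an inline style makes the element's text invisible to a reader."""
    style = style.lower()
    return bool(_ZERO_FONT.search(style) or _WHITE_TEXT.search(style) or _INVISIBLE.search(style))


class _Collector(HTMLParser):
    """Separate visible from hidden text and record the link/image structure."""

    def __init__(self):
        super().__init__()
        self.hidden_stack = []   # one bool per open element: inside hidden text?
        self.link_stack = []     # hrefs of the currently open <a> elements
        self.hidden, self.visible, self.links, self.image_links = [], [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            src = a.get("src") or ""
            # An embedded (cid:/data:) image wrapped in a link is the fake-attachment pattern.
            if self.link_stack and src.startswith(("cid:", "data:")):
                self.image_links.append((self.link_stack[-1], src))
        if tag in VOID_TAGS:
            return                                   # no closing tag will follow
        parent_hidden = self.hidden_stack[-1] if self.hidden_stack else False
        self.hidden_stack.append(parent_hidden or style_hides(a.get("style") or ""))
        if tag == "a":
            href = a.get("href") or ""
            self.links.append(href)
            self.link_stack.append(href)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if tag == "a" and self.link_stack:
            self.link_stack.pop()
        if self.hidden_stack:
            self.hidden_stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            (self.hidden if self.hidden_stack and self.hidden_stack[-1] else self.visible).append(text)


# Hand-picked subset of Unicode confusables: Cyrillic and Greek look-alikes of Latin letters.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
               "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
               "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0421": "C",
               "\u0425": "X", "\u03bf": "o", "\u03b1": "a"}


def skeleton(label):
    """Fold look-alikes to Latin and strip combining marks (UTS #39 skeleton-style)."""
    folded = "".join(CONFUSABLES.get(c, c) for c in label)
    return "".join(c for c in unicodedata.normalize("NFKD", folded) if not unicodedata.combining(c)).lower()


def scripts_in(label):
    """Scripts (first word of the Unicode character name) used by the letters in label."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}


def decode_label(label):
    """Turn a punycode (xn--) label back into Unicode so it can be inspected."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def analyze_host(host, brand="amazon", allowlist=("amazon.com",)):
    """Reasons (possibly none) why host looks like an impersonation of brand."""
    labels = [decode_label(l) for l in host.lower().split(".") if l]
    if not labels:
        return []
    if ".".join(labels[-2:]) in allowlist:       # naive registrable domain; ignores co.uk-style suffixes
        return []
    reasons = []
    for lab in labels:
        scripts = scripts_in(lab)
        if len(scripts) > 1:
            reasons.append(f"mixed scripts {sorted(scripts)} in {lab!r}")
        if skeleton(lab) != lab:
            reasons.append(f"confusable characters: {lab!r} folds to {skeleton(lab)!r}")
    reg_sk = ".".join(skeleton(l) for l in labels[-2:])
    first = reg_sk.split(".")[0]
    if reg_sk in allowlist:
        reasons.append(f"skeleton {reg_sk!r} matches an allowlisted domain")
    elif brand in first or SequenceMatcher(None, first, brand).ratio() >= 0.8:
        reasons.append(f"label {first!r} embeds or resembles brand {brand!r}")
    return reasons


def analyze_email(html, brand="amazon", allowlist=("amazon.com",)):
    """Run all three checks over an HTML body and return the findings."""
    p = _Collector()
    p.feed(html)
    p.close()
    suspicious = [(href, analyze_host(urlparse(href).hostname or "", brand, allowlist)) for href in p.links]
    return {"hidden_text": p.hidden, "visible_text": p.visible, "fake_attachments": p.image_links,
            "suspicious_links": [(h, r) for h, r in suspicious if r]}


if __name__ == "__main__":
    for key, value in analyze_email(SAMPLE_HTML).items():
        print(key, value)
```

Run as a script, it reports the two hidden strings, the linked inline "PDF" image, and both links with the reasons they were flagged. The hidden-text check is the part a gateway most easily gets wrong: a filter that scores the whole text, including the zero-font and white-on-white spans, sees a chatty, ordinary conversation, while the reader sees only the lure. The homograph check deliberately flags a hostname whose skeleton equals an allowlisted brand domain even though the raw hostname does not, which is exactly the case the quoted Cyrillic-A example describes.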

America, you’ve been warned. 
