AI and ML Email Threat Detection

Behavioral Analysis and AI/ML for Threat Detection: Going Behind the Scenes on the Newest Detection Engine from Proofpoint.

Terms like behavioral analysis and AI/ML (artificial intelligence and machine learning) are so overused in cybersecurity marketing that it’s easy for information security professionals to tune them out. And in truth, it’s probably a good thing to take these terms with a grain of salt.

In some respects, these models are nothing new: Spambrella has been using AI/ML technology for many years to block malicious and unwanted email. But AI is advancing quickly, enabling new capabilities and use cases for organizations to protect themselves. So it’s not enough to do behavioral analysis and AI/ML; you have to do them well.

Let’s take a deeper dive into the specifics of how Spambrella uses Proofpoint technologies to tackle email threats.

New Supernova Behavioral Engine builds on Supernova for BEC 

Figure 1. Proofpoint's new Supernova Behavioral Engine uses language, relationships, cadence and context to detect anomalies and prevent threats in real time using AI/ML.

We released our Supernova Behavioral Engine to all email security customers globally, at no additional cost and with no additional configuration needed. Supernova Behavioral Engine better detects email patterns that fall outside of the norm, improving detection of all threat types, from business email compromise (BEC) to credential phishing and much more.

Here are some of the signals Supernova Behavioral Engine will use to determine if a message is malicious (as the engine evolves, we’ll add more signals):

  • Unknown sender, i.e. someone who has never communicated with you before
  • Uncommon language or sentiment, such as discussing a financial transaction for the first time
  • Uncommon URL or subdomain
  • Unusual SaaS (software-as-a-service) tenant, which is often a sign of supplier account compromise
  • Unusual SMTP infrastructure, which is likewise indicative of possible account compromise

The Supernova Behavioral Engine doesn’t stop at detection, though. It also tags messages from uncommon senders with a “Report Suspicious” email warning tag, giving the user a heads-up with useful context.

Users can use the Spambrella M365 Outlook add-in to automatically report emails to the threat team.

The new Supernova Behavioral Engine improves our already leading efficacy while keeping false positives low. We’re also committed to transparency, especially given how much vendor noise surrounds the use of AI/ML: our current false positive rate is 1 in more than 4.14 million, which leads the industry, and we will keep investing in improving it. When comparing such figures across vendors, check that they were measured on the same basis (what counts as a false positive, and over which message population) and read them alongside the corresponding miss rate; a low false positive rate on its own says little about efficacy. And this data science approach is nothing new to Proofpoint.

A leading data science team with some of the largest global cybersecurity data sets 

Figure 2. Proofpoint's central data science team works with some of the largest cybersecurity data sets in the world to train the models.

Spambrella has access to massive cybersecurity data sets across email, cloud, networks, domains and more, so our teams can feed and improve our models more effectively. Without a substantial corpus of data, these models become ineffective at identifying threats and sometimes even counterproductive due to excessive false positives.

Supernova for BEC and Supernova Behavioral Engine can improve detection across the board

Figure 3. Supernova by Proofpoint now condemns more than just BEC threats; it also stops credential phishing, deceptions (many of them commodity scams such as advance-fee fraud or romance scams) and malware.

The results from both engines have been striking. Supernova, as part of the Advanced BEC Defense capability, primarily condemns BEC attacks. But because we’ve been able to feed the engine so much data, it has learned, adapted and detected much more, including credential phishing, malware and sophisticated spam that other service providers consistently miss.

Supernova Behavioral Engine will similarly be able to better detect and prevent all threat types. In early Q1, Proofpoint released the engine in shadow mode and discovered—in less than four weeks—that it improved detection efficacy against invoicing threats by 6x.

Now that the new engine is live for all of our global customers, we can’t wait to see how it learns and improves detection for different advanced threats.

Samples of how Supernova Behavioral Engine improves detection

Here are some samples of where Supernova Behavioral Engine signals can improve detection.

Sample: Lookalike BEC threat: improved likelihood of detection

Proofpoint effectively stops millions of BEC attacks every month. But we’re always aiming to raise the bar on detection. In this sample, our existing Supernova for BEC detection engine would have detected the potential lookalike domain and payment language.

Figure 4. BEC attack identification using behavioral signals: Supernova Behavioral Engine from Proofpoint adds detection capability for BEC attacks by determining the relationship between the two parties dynamically.

Our new Supernova Behavioral Engine will also detect that the sender is unknown to the recipient, improving the likelihood that Proofpoint detects and condemns this attack before delivery. It does this with relationship mapping: it looks at inputs such as the cadence, language and context of inbound and outbound messages to determine the relationship status between the two parties dynamically over time.

Even if a previously known but dormant sender is compromised and used to start a fresh attack, Supernova Behavioral Engine treats that communication as anomalous and takes a closer look.
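To make the signals listed earlier (unknown sender, first-time financial language, new URL host, new SMTP infrastructure) and the relationship mapping just described concrete, here is an added toy example in Python. It is not Proofpoint or Spambrella code; the vocabulary regex, the 90-day dormancy window, the weights, the thresholds and the message history are all constructed for illustration. It builds a per-(sender, recipient) baseline from a few constructed supplier invoices, then scores a routine message, a first-contact “CFO” wire request, and the dormant-and-compromised supplier case from the paragraph above.

```python
# Added example (not Proofpoint or Spambrella code): a toy per-relationship baseline that
# flags the signals above. Vocabulary, thresholds and the sample history are assumptions.
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

FINANCIAL = re.compile(r"\b(invoice|wire|payment|remit|bank details|routing number)\b", re.I)
DORMANT_AFTER = timedelta(days=90)  # assumed: a known sender silent this long is "dormant"
WEIGHTS = {"unknown sender": 2, "financial language from unknown sender": 3,
           "dormant sender resumed": 2, "financial language for first time": 3,
           "new SMTP infrastructure": 2, "new URL host": 2}
TAG_AT, HOLD_AT = 2, 4  # assumed thresholds: add a warning tag vs. hold for review


@dataclass
class Message:
    sender: str
    recipient: str
    sent_at: datetime
    sending_ip: str  # last-hop relay, assumed parsed from the Received: headers
    body: str
    urls: Tuple[str, ...] = ()


@dataclass
class Relationship:
    """What the baseline remembers about one (sender, recipient) pair."""
    last_seen: Optional[datetime] = None
    ips: Set[str] = field(default_factory=set)
    url_hosts: Set[str] = field(default_factory=set)
    financial_seen: bool = False


class BehavioralBaseline:
    def __init__(self) -> None:
        self.rel = defaultdict(Relationship)

    def learn(self, msg: Message) -> None:
        r = self.rel[(msg.sender.lower(), msg.recipient.lower())]
        r.last_seen = msg.sent_at
        r.ips.add(msg.sending_ip)
        r.url_hosts.update(urlsplit(u).hostname for u in msg.urls)
        r.financial_seen = r.financial_seen or bool(FINANCIAL.search(msg.body))

    def score(self, msg: Message) -> Tuple[int, List[str]]:
        """Score a message against the baseline without updating it."""
        key = (msg.sender.lower(), msg.recipient.lower())
        financial = bool(FINANCIAL.search(msg.body))
        reasons: List[str] = []
        if key not in self.rel:  # membership test does not create a defaultdict entry
            reasons.append("unknown sender")
            if financial:
                reasons.append("financial language from unknown sender")
        else:
            r = self.rel[key]
            if msg.sent_at - r.last_seen > DORMANT_AFTER:
                reasons.append("dormant sender resumed")
            if financial and not r.financial_seen:
                reasons.append("financial language for first time")
            if msg.sending_ip not in r.ips:
                reasons.append("new SMTP infrastructure")
            if any(urlsplit(u).hostname not in r.url_hosts for u in msg.urls):
                reasons.append("new URL host")
        return sum(WEIGHTS[x] for x in reasons), reasons


def verdict(score: int) -> str:
    return "hold" if score >= HOLD_AT else "tag" if score >= TAG_AT else "deliver"


def demo() -> dict:
    """Constructed history: a supplier contact who sent AP four weekly invoices in January."""
    base = BehavioralBaseline()
    for week in range(4):
        base.learn(Message("jo@supplier.example", "ap@victim.example",
                           datetime(2024, 1, 8, 9) + timedelta(weeks=week), "203.0.113.10",
                           "Hi, attached is this week's invoice.", ("https://portal.supplier.example/inv",)))
    june = datetime(2024, 6, 3, 10)
    samples = {
        "routine": Message("jo@supplier.example", "ap@victim.example", datetime(2024, 2, 5, 9),
                           "203.0.113.10", "Hi, attached is this week's invoice.",
                           ("https://portal.supplier.example/inv",)),
        "unknown": Message("cfo@victim-example.co", "ap@victim.example", june, "198.51.100.7",
                           "Please process a wire payment today, I'm in a meeting."),
        "compromised": Message("jo@supplier.example", "ap@victim.example", june, "198.51.100.7",
                               "Our bank details changed, please remit the open invoice to the new account.",
                               ("https://contoso-my.sharepoint.com/:b:/g/personal/x",)),
    }
    return {name: base.score(m) for name, m in samples.items()}
```

Note that the compromised-supplier message scores highest even though the sender address is one the recipient has corresponded with before: reputation alone would pass it, and the verdict comes from cadence and infrastructure rather than from the content, which is exactly the language this supplier has always used.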

Sample: Compromised supplier using a URL-based file-sharing threat

Figure 5. URL attack identification using behavioral signals: the Supernova Behavioral Engine better detects compromised suppliers, even when the attacker uses a file-sharing site in the attempt to defraud the victim.

Let’s say one of your suppliers has a compromised Microsoft 365 account. A threat actor takes over the account, does some research on the specifics of your relationship with the supplier and then sets up a lookalike OneDrive SaaS tenant in an attempt to commit fraud.

The email the threat actor sends comes from a legitimate, common sender (Microsoft's SharePoint notification service) and passes DMARC, because Microsoft really did send it. In terms of reputation, this email looks legitimate. And the language, a contract, is not unusual given past OneDrive correspondence with this supplier. But there are tells here that Supernova Behavioral Engine will pick up on.

Supernova Behavioral Engine will notice that the subdomain of the file-sharing URL (the tenant name) differs from the one this supplier has used before, and it will sandbox the file-sharing URL to inspect the content. That means Spambrella can better detect and stop attackers who compromise supplier accounts and use lookalike domains or new subdomains of file-sharing tenants.
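As an added example (not Proofpoint or Spambrella code) of the tell this sample relies on, the following Python pulls the tenant name out of a SharePoint or OneDrive sharing link and compares it with the tenants a supplier has used before, with a small edit-distance check for lookalike tenant names. The supplier domain, the known-tenant map and the links are constructed; the hostname layout (<tenant>.sharepoint.com and <tenant>-my.sharepoint.com) is Microsoft's real convention, and the lookalike threshold of two edits is an assumption.

```python
# Added example (not Proofpoint or Spambrella code): extract the Microsoft 365 tenant from a
# SharePoint/OneDrive sharing link and compare it with the tenants this supplier has used
# before. Supplier names, the known-tenant map and the links are constructed for illustration.
import re
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

# Microsoft hosts sharing links on <tenant>.sharepoint.com (SharePoint) and
# <tenant>-my.sharepoint.com (OneDrive for Business). The non-greedy tenant group lets the
# optional "-my" suffix be peeled off even when the tenant name itself contains hyphens.
TENANT_HOST = re.compile(r"^(?P<tenant>[a-z0-9-]+?)(?P<my>-my)?\.sharepoint\.com$", re.I)
LOOKALIKE_MAX_EDITS = 2  # assumed: within this edit distance of a known tenant = lookalike


def extract_tenant(url: str) -> Optional[str]:
    """Tenant name for a sharepoint.com host, or None for any other host."""
    host = urlsplit(url).hostname or ""
    m = TENANT_HOST.match(host)
    return m.group("tenant").lower() if m else None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted tenant names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sharing_link(sender: str, url: str,
                       known: Dict[str, Set[str]]) -> Tuple[str, Optional[str]]:
    """Classify a sharing link relative to the sender domain's tenant history.

    The message may carry SPF/DKIM/DMARC passes because Microsoft really sent the
    notification; authentication says nothing about *which* tenant shared the file,
    so the tenant has to be checked against the relationship instead.
    """
    tenant = extract_tenant(url)
    if tenant is None:
        return "not-sharepoint", None
    seen = known.get(sender.rsplit("@", 1)[-1].lower(), set())
    if not seen:
        return "first-tenant", tenant      # nothing to compare against yet: learn, do not condemn
    if tenant in seen:
        return "known-tenant", tenant
    if any(edit_distance(tenant, s) <= LOOKALIKE_MAX_EDITS for s in seen):
        return "lookalike-tenant", tenant  # strongest signal: typo-squat of a trusted tenant
    return "unknown-tenant", tenant        # new tenant for this supplier: sandbox the link


# Constructed baseline: supplier.example has always shared files from tenant "supplierinc".
KNOWN_TENANTS: Dict[str, Set[str]] = {"supplier.example": {"supplierinc"}}

if __name__ == "__main__":
    for link in ("https://supplierinc-my.sharepoint.com/:b:/g/personal/jo_supplierinc_onmicrosoft_com/doc",
                 "https://supplierlnc-my.sharepoint.com/:b:/g/personal/jo_supplierlnc_onmicrosoft_com/doc",
                 "https://acme-files.sharepoint.com/sites/contracts/doc",
                 "https://portal.supplier.example/contract.pdf"):
        print(check_sharing_link("jo@supplier.example", link, KNOWN_TENANTS), link)
```

The `first-tenant` result matters: a supplier with no file-sharing history gives nothing to compare against, so the only correct action is to learn from it. `unknown-tenant` and `lookalike-tenant` are where the sample above applies, and where the link gets sandboxed rather than trusted on the strength of a DMARC pass.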

AI/ML and behavioral analysis: part of a broader detection ensemble

Using AI/ML for content inspection and behavioral analysis improves detection efficacy. On their own, however, we’ve seen these engines create a lot of noise. That’s why they are just a few of the engines in Spambrella’s 26-layer detection ensemble.

Figure 6. The Proofpoint detection ensemble includes more than 26 layers, improving the likelihood of condemning malicious messages without creating false positives.

Broad reputation classifiers combined with our Threat Graph intelligence frequently stop more than 80% of all malicious and spam messages from ever reaching end users. For some customers, that can be tens of millions of messages.

We build our attachment and URL sandboxing in-house and use ML models to classify URLs, HTML, files and the memory artifacts left behind by potential malware or tampering.

We use Emerging Threats (ET) Intelligence feeds and can quickly identify high-risk IP addresses even if they have only recently turned malicious. Our cloud threat data can identify malicious third-party applications and compromised accounts and stop those threats before they activate. And our threat intelligence team ties it all together, extracting 7,000+ campaigns a year and analyzing emerging, advanced threats for the latest trends.

Additional reading:

What are AI Phishing Attacks?

How to tune Spambrella’s Spam detection


