Email Security

    Mobilizing AI in the Fight Against URL Phishing  

    Email scanners are integrating artificial intelligence to improve their efficacy in detecting and blocking malicious URLs.

    by Kiri Addison

    Key Points

    • For years, security teams have been battling a singularly persistent problem.
    • Employees keep clicking on malicious links in emails, unwittingly inviting cyberattacks on their companies.
    • Email scanning software, combined with security awareness training, has cut down on the problem but not eliminated it.
    • Now, AI-powered scanners are making new inroads.

    Employees click on malicious URLs in phishing emails. It happens again and again: An employee ends up on a counterfeit website and types in a favorite password — the same one they use for their company email, collaboration platforms, and apps. That small chink in their employer’s security armor eventually opens it up to a full-blown data breach, ransomware attack, or network outage.

    Conventional email scanning and blocking tools have not made this problem go away. Now, scanners can be upgraded with artificial intelligence (AI) to catch many of the malicious URLs that usually evade detection. This approach is beginning to pay off for customers of Mimecast’s AI-powered URL Protection scanner, as we describe below.

    The Latest Statistics on URL Phishing

    Mimecast continually studies employees’ tendency to click on malicious URLs in emails. Recent findings from three of our reports — State of Email Security 2022, How to Reduce the Risk of Phishing and Ransomware, and the forthcoming State of Ransomware — illustrate the stickiness of the situation:

    • Current preventions fall short. More than half of respondents rated their organization’s effectiveness as low when it comes to preventing employees from clicking through emails to phishing websites.
    • Malicious URLs travel like wildfire. Four in 10 said employees had spread emails infected with malicious URLs across their organization.
    • Click-throughs fuel ransomware. More than 40% of ransomware attacks were attributed to phishing emails that led recipients to a malicious website.

    What Malicious URLs Look Like 

    Our work with customers provides some real-world examples of malicious URLs, showing how tempting it is for employees to click on them. Here are just three that were captured by our AI-powered scanner:

    • Microsoft 365 online fax: An email arrived, replete with a Microsoft 365 logo and a thumbnail of what looked like an official document. “You have received (2) Pdf online,” the missive read. “Click here.” Unfortunately, this was a phishing email, and the link led to a credential harvesting website.
    • OneDrive file: Another email alerted the recipient that, “You’ve received a secured document via OneDrive,” and instructed them to click on the “view document” link. Our investigation indicated that the attacker’s intent was to infect the user’s device with malware.
    • Skype invitation: So many collaboration sessions at work, so little time for employees to keep track of them all. This Microsoft-branded invitation simply suggested that the recipient “initiate the session” using their email, telephone, or Skype login and password. Actually, the email was an invitation to credential theft.

    Many malicious URLs lead to credential theft, which IBM’s Cost of a Data Breach Report 2022 has identified as one of the most common causes of a data breach.[1] Other links take email recipients to bogus websites that drop malware onto companies’ devices and networks in exploits known as “drive-by downloads.”

    For example, one blocked URL that we analyzed would almost certainly have downloaded a commodity trojan of the kind typically sold on the dark web for about $100. Its core capabilities include harvesting information from browsers (passwords, autofill data, cookies, and credit card details) and remote desktop access, which the operator uses to install and launch further malware, among others.

    Incorporating AI to Elevate Scanning Capabilities

    Companies can layer AI on top of what current scanners already do, such as checking URLs against threat intelligence feeds. These systems rewrite every URL in inbound email to point at the scanning service, so that when an employee clicks a link, the intended destination is fetched and scanned in real time, at the moment of the click rather than at the moment of delivery. Users are only redirected to URLs that check out. All of this is invisible to the user unless the scan fails, in which case they see a warning informing them that the URL was blocked as malicious.
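    The rewrite-and-check-at-click flow described above, as an added example that is not Mimecast’s code: links in the inbound message are rewritten to a gateway and carry the original destination in an HMAC-signed token, and the gateway re-scans the destination only after verifying the token. The gateway host, signing key, and reputation store are constructed for the demo; a real deployment would back scan() with threat intelligence and a classifier.

```python
"""Time-of-click URL protection: rewrite links at delivery, scan at click.

Added example, not Mimecast's code.  GATEWAY, the key and the REPUTATION
store are constructed for the demo.
"""
import base64
import binascii
import hashlib
import hmac
import json
import re
import time
from typing import Optional
from urllib.parse import urlsplit

GATEWAY = "https://protect.example.com/click"      # hypothetical gateway endpoint
HREF_RE = re.compile(r'href="(https?://[^"]+)"')    # sufficient for the demo HTML


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(url: str, recipient: str, key: bytes, ts: int = 0) -> str:
    """Sign (url, recipient, timestamp) so the gateway can trust what it decodes."""
    claims = {"u": url, "r": recipient, "t": int(ts or time.time())}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def parse_token(token: str, key: bytes) -> Optional[dict]:
    """Return the signed claims, or None if the token is malformed or forged.

    Without this check the gateway would be an open redirector that an
    attacker could point at any site of their choosing.
    """
    try:
        enc_payload, enc_sig = token.split(".", 1)
        payload, sig = _unb64(enc_payload), _unb64(enc_sig)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(payload)


def rewrite_links(html: str, recipient: str, key: bytes) -> str:
    """Replace every absolute link in the message body with a gateway link."""
    def to_gateway(match):
        return 'href="%s?t=%s"' % (GATEWAY, make_token(match.group(1), recipient, key))
    return HREF_RE.sub(to_gateway, html)


def handle_click(token: str, key: bytes, scan) -> tuple:
    """Gateway logic: verify the token, then scan the destination at click time."""
    claims = parse_token(token, key)
    if claims is None:
        return ("block", None)          # tampered or forged token: never redirect
    verdict = scan(claims["u"])         # evaluated now, not when the mail arrived
    return ("allow" if verdict == "clean" else "block", claims["u"])


# Constructed reputation store standing in for threat intel / a classifier.
REPUTATION = {}


def scan(url: str) -> str:
    host = urlsplit(url).hostname or ""
    return REPUTATION.get(host, "clean")


def demo() -> tuple:
    """The domain is unknown at delivery and only flagged afterwards; because
    the link was rewritten, the later click is still blocked."""
    key = b"gateway-secret"   # hypothetical; use a managed secret in production
    inbound = ('<p>You have received (2) Pdf online. '
               '<a href="https://online-fax.example.net/view">Click here</a></p>')
    protected = rewrite_links(inbound, "alice@example.com", key)
    token = protected.split("?t=")[1].split('"')[0]
    at_delivery = handle_click(token, key, scan)[0]        # "allow"
    REPUTATION["online-fax.example.net"] = "malicious"     # intel arrives later
    at_click = handle_click(token, key, scan)[0]           # "block"
    return at_delivery, at_click


if __name__ == "__main__":
    print(demo())
```

    Two design points a practitioner would check: the token is authenticated, so the gateway cannot be abused as an open redirector, and the verdict is computed on every click, which is what lets a site flagged an hour after delivery still be blocked.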

    AI levels up URL scanning in several ways. Our data scientists have gone well beyond the standard treatment of a URL in isolation: the AI-powered scanner also considers context, including features drawn from the email, its attachments, and the destination page. It works alongside other AI-powered TTP capabilities such as Credential Theft Protection, which inspects websites for brand spoofing and credential harvesting attempts. Together these provide extra protection against more targeted, sophisticated threats such as business email compromise, which accounted for the greatest cyber losses reported to the FBI last year.[2]
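    What “context beyond the URL” can mean in practice, as an added example that is not Mimecast’s model: three feature groups (the URL itself, the email around it, and the landing page) are extracted and combined by a scorer, with a brand-spoofing check of the kind Credential Theft Protection is described as performing. The brand list, legitimate-domain list, weights, threshold and the two sample messages are all constructed for the demo; a real deployment learns the weights from labelled data and uses the Public Suffix List rather than the toy registrable_domain() below.

```python
"""Contextual phishing-URL features: URL + email + landing page.

Added example, not Mimecast's model.  BRANDS, LEGIT_DOMAINS, WEIGHTS,
THRESHOLD and the samples are constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRANDS = {"microsoft", "onedrive", "skype", "sharepoint"}
LEGIT_DOMAINS = {"microsoft.com", "office.com", "live.com", "skype.com", "sharepoint.com"}
THRESHOLD = 4


def registrable_domain(host: str) -> str:
    """Toy eTLD+1 (last two labels); use the Public Suffix List for real."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def mentions_brand(text: str) -> bool:
    return any(b in text.lower() for b in BRANDS)


class PageSignals(HTMLParser):
    """What a credential-harvesting page gives away: password inputs,
    where its form posts, and its title."""
    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.form_actions = []
        self.title = ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def extract_features(sender, display_name, body, url, landing_html) -> dict:
    host = urlsplit(url).hostname or ""
    link_domain = registrable_domain(host)
    sender_domain = registrable_domain(sender.split("@")[-1])
    page = PageSignals()
    page.feed(landing_html)
    posts_elsewhere = any(
        a.startswith("http") and registrable_domain(urlsplit(a).hostname or "") != link_domain
        for a in page.form_actions)
    off_brand = link_domain not in LEGIT_DOMAINS   # brand talk around a non-brand link
    return {
        # URL features
        "ip_literal_host": re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None,
        "punycode_host": "xn--" in host,
        "brand_in_host": mentions_brand(host) and off_brand,
        # email context features
        "brand_in_body_off_brand_link": mentions_brand(body) and off_brand,
        "brand_display_name_off_brand_sender":
            mentions_brand(display_name) and sender_domain not in LEGIT_DOMAINS,
        "link_domain_differs_from_sender": link_domain != sender_domain,
        # destination page features
        "password_field": page.password_fields > 0,
        "form_posts_cross_domain": posts_elsewhere,
        "brand_in_title": mentions_brand(page.title) and off_brand,
    }


WEIGHTS = {  # hand-picked stand-ins for learned weights
    "ip_literal_host": 2, "punycode_host": 1, "brand_in_host": 2,
    "brand_in_body_off_brand_link": 1, "brand_display_name_off_brand_sender": 1,
    "link_domain_differs_from_sender": 1,
    "password_field": 1, "form_posts_cross_domain": 2, "brand_in_title": 2,
}


def classify(sender, display_name, body, url, landing_html) -> tuple:
    feats = extract_features(sender, display_name, body, url, landing_html)
    score = sum(WEIGHTS[name] for name, hit in feats.items() if hit)
    return ("block" if score >= THRESHOLD else "allow", score, feats)


# Constructed samples modelled on the "online fax" lure described above.
PHISH = dict(
    sender="notify@mailer.example.org", display_name="Microsoft 365",
    body="Microsoft 365: You have received (2) Pdf online. Click here.",
    url="https://microsoft365-fax.example.net/view",
    landing_html='<html><head><title>Sign in to your Microsoft account</title></head>'
                 '<body><form action="https://collector.example.org/post">'
                 '<input type="email"><input type="password"></form></body></html>')
BENIGN = dict(
    sender="helpdesk@example.com", display_name="IT Helpdesk",
    body="Please review the updated laptop policy on the intranet.",
    url="https://intranet.example.com/policies/laptop",
    landing_html="<html><head><title>Laptop policy</title></head><body><p>ok</p></body></html>")

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(label, classify(**sample)[:2])
```

    The point of the page-side features is that a genuine Microsoft sign-in page scores low here even with a password field, because its domain is on the legitimate list, while a lookalike hosted elsewhere that posts credentials to a third domain scores high on several independent signals at once.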

    As a result, AI-powered scanners are designed to detect and block emerging threats such as zero-day URLs, and even CAPTCHA pages placed in front of a phishing site to stop automated security scanners from reaching it. In other words, they can flag malicious URLs that no threat researcher has seen before, which matters because attackers continuously spin up new ones.

    Our AI-powered scanners run on Mimecast’s X1 platform, which is built on a 20-year track record of monitoring trillions of emails and is informed by the behavior of users across our 40,000+ customers. Complementing the scanners are capabilities such as Internal Email Protection, which limits the internal spread of a malicious email, and CyberGraph, an AI capability that models the relationships and connections between senders and recipients. Increasingly, individuals’ results in Mimecast’s security awareness training programs are also being fed into our detection and prevention systems.

    AI Improves Efficacy of URL Scanning

    The upshot is that AI-powered scanners can detect new and more targeted attacks, whereas conventional scanners focus on recognizing known-bad indicators or the previously identified techniques of monitored threat actors. As a result, AI-powered email scanners like Mimecast’s are demonstrating results in blocking more malicious URLs from reaching employees’ mailboxes.

    Mimecast ran a proof of concept comparing our own best-of-breed scanners before and after the addition of AI. During this period, Mimecast scanned almost 1 billion clicked URLs and blocked around 6 million of them. The new AI-powered scanner contributed an increase of around 1% in detections, protecting customers from more than 41,000 attacks that would otherwise have gone undetected.

    The statistics themselves are meaningful in a field in which it only takes one click to start a cyberattack “kill chain.” But they are all the more significant for the types of attacks they block — more targeted (and potentially more dangerous) in many cases, and totally unfamiliar (and thus harder to detect), in others. 

    On the flip side, some AI-powered scanners can create a lot of false positives when left unchecked, undermining their usefulness as security teams are inundated with alerts for URLs that turn out to be benign. In Mimecast’s case, our in-house data scientists continually retrain the machine learning model and monitor performance to reduce false alarms.

    The Bottom Line

    Artificial intelligence is elevating the efficacy of systems that scan and block malicious URLs in emails. See how Mimecast can help you use AI to address this persistent problem.

    [1] “2022 Data Breach Investigations Report,” Verizon

    [2] “Internet Crime Report 2021,” FBI
