Email Security

    Real Examples of Threats Missed by Email Security Systems

    A new view of the Mimecast Email Security Risk Assessment.

    by Matthew Gardiner

    With this blog I am happy to bring you the 9th consecutive quarterly release of our Mimecast Email Security Risk Assessment (ESRA) aggregate report, also with its associated funnel infographic. We now have been running ESRA tests, collecting and analyzing the data, and publishing reports for more than two years!

    For this blog, instead of discussing the numbers presented in the reports, I go deeper and give you specific, redacted examples of threats that bypassed the incumbent email security systems but were detected by Mimecast. These examples highlight the popular attacks types with cybercriminals as well as the fact that it takes a specialized email security system to find them before they get to your employees.

    What is an ESRA?

    In an ESRA test the Mimecast service reinspects a participating organization’s emails that were deemed to be safe by their incumbent email security system. This is based on actual inbound email traffic, not on test emails. We run this test over time, usually between a week and a month at each organization. An ESRA test passively inspects and records the security detections that would have taken place with the Mimecast service.

    In security terms, an ESRA is a false negative hunting test, where the Mimecast email security service inspects delivered emails for missed spam, phishing, malicious files and URLs and impersonation emails.

    Now for some specific examples of email-borne attacks that were missed in the recent ESRA testing cycle.

    Impersonation Attack

    Impersonation—or Business Email Compromise—attacks come in many forms. But most typically they are simple, use social engineering content gleaned from public sources such as the organization’s web site and Linkedin, and directly pursue the intended victim’s money.

    (Image: Impersonation Attack Email)

    In this example the attacker sends a simple email to an HR person in which they spoof the display name of an employee of the firm and ask to change the bank routing information for their payroll direct deposit. What a great way to steal an employee’s salary! How many payment cycles will go by before the employee notices they aren’t getting paid?


    For Mimecast this type of email is easily flagged as suspicious by matching the display name in the inbound email to the names of staff that are resident in the organization’s Active Directory. In addition, the term “direct deposit” is one of many “hot terms” for which Mimecast is hunting in inbound emails.

    Office 365 Credential-Stealing Attack

    There isn’t a more well-known vendor that cybercriminals like to spoof more to steal user credentials than Microsoft. This makes sense as grabbing Office 365™ or Active Directory credentials can lead directly to some serious breaching!

    (Image: Credential-Stealing Attack Email)

    Note the domain of the sender looks kind of like a domain owned by Microsoft, “,” but it isn’t, it is “” If you look at the WHOIS record for this domain, it is pretty sketchy. Do you think your users would notice the difference between those domains? And when they click and “login” to the attacker’s site their credential becomes another one in the wrong hands and available for sale in the black market.

    For Mimecast, using Advanced Similarity domain checks against well-known internet brands (such as Microsoft-owned domains), it is an easy check to ferret out this type of attack.

    (Image: Mimecast Detection Log for a Supply Chain Attack)

    Malware Infection

    Many attackers use phishing as the best way to establish an initial malware-based foothold in the targeted organization. What better way to do that than with a remote access trojan or some other type of backdoor exploit? To do this you need to get the email with the malware payload passed the email security system that is guarding the door and then get the victim to run it.

    A great way to do that is to leverage peoples’ natural curiosity. Unfortunately, the attached Word document in this example (“Customer_Order_Details_374116.doc”) is loaded with a macro that makes the Word file a dropper that goes and grabs the intended malicious code once the file is opened.

    (Image: Malware Infection Via Phishing)


    (Image: Mimecast Malware Analysis Log Results)

    These examples are just three of the thousands of missed malicious emails we regularly see as part of our ESRA testing. Are they particularly sophisticated or unusual? No. Why weren’t these caught by the respective organization’s incumbent email security system?

    Suffice it say that it is our experience that security systems in general and email security systems in particular must continuously adapt to the latest attack techniques to keep up. We commit to doing just that!

    Stay tuned for the 10th iteration of the Mimecast ESRAs this fall.

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top