December ESRA Report: Aggregate False Negative Rate of Incumbent Email Security Systems is 12%

Is a false negative rate of 12% a large number or a small one? I suppose it depends on your perspective. If your email security system lets in 12 unwanted emails—whether spam, phishing, impersonations, emails containing malicious links or attachments—for every 100 unwanted emails that arrived at your organization’s doorstep, would you be okay with that?

I will leave it to you to decide based on what you consider reasonable and acceptable. But this is what our extensive Email Security Risk Assessment (ESRA) data collection and analysis has found.

I am happy to report that Mimecast’s Email Security Risk Assessment (ESRA) testing and reporting continues to chug along, now in its 7th quarterly iteration! For those of you who are new to ESRAs let me first explain what they are. 

In an ESRA test the Mimecast service reinspects a participating organization’s emails that were deemed safe by their incumbent email security system. This is based on actual inbound email traffic, not on test email. We run this test over a period of time, usually between a week and a month at each organization. An ESRA test passively inspects and records the results of real emails that have been delivered to their employees.

In security terms an ESRA test is a false negative hunting program, where the Mimecast email security service inspects delivered emails for missed spam, phishing, malicious files and URLs and impersonation emails. Summary data is then generated for each test.

What we found in December's ESRA

Here are the key findings from our December ESRA:

• Dangerous File Types showed up and got though at an increased rate. Showing a 25% increase from the last ESRA quarterly test. Dangerous file types are rarely sent via email for legitimate purposes, such as: .jsp, .exe, .dll and .src files, but that can be used to facilitate multiple types of malware led attacks.
• In aggregate Mimecast has inspected more than 180 million emails and detected more than 21 million unwanted emails (12% of the total) as part of this ESRA program. Representing a large test of the most common email security systems in use by organizations.
• Other than spam, the largest category of unwanted emails that have been detected are impersonation attacks, which to date have tallied 42,350 misses. Impersonations can be particularly difficult to detect since they often don’t include malicious files or URLs, they often use only sophisticated social engineering to get the target to do what they shouldn’t.

Stay tuned for the 8th quarterly ESRA release, anticipated in March 2019!