Blogs & Stories

Trustwave Blog

The Trustwave Blog empowers information security professionals to achieve new heights through expert insight that addresses hot topics, trends and challenges and defines best practices.

Trustwave SpiderLabs: The Power Behind MailMarshal

From the outside, it might appear as if Trustwave MailMarshal is a stand-alone solution that on its own is able to effectively defend email systems from a wide variety of phishing, malware, and business email compromise (BEC) attacks.

The truth is MailMarshal is backed not only by one of the best trained, most experienced cybersecurity research teams in the industry but also by a technology stack that has been decades in the making.

So, how exactly does MailMarshal ensure an organization's email system is as locked down as possible?

Trustwave SpiderLabs has a global team of experts dedicated to supporting MailMarshal and email security. These researchers and analysts spend each day breaking down captured malicious emails, analyzing malware, and discovering the tactics, techniques, and procedures (TTPs) cybercriminals use. These lessons are then ingested and used to help protect all our clients. Because, as we all know, adversaries will use a single attack methodology against a wide array of targets.

The team's strengths include 20-plus years of experience in understanding email security and malware; the malware team works closely with the end-to-end  email team, and SpiderLabs and Engineering work closely together on developing new capabilities.

SpiderLabs' Layered Protection

Under the guidance of SpiderLabs, MailMarshal runs every inbound email through 11 separate layers to help protect against spam, email-delivered malware, phishing and BEC attacks on-premises and in the cloud. 

The layers are:

  • IP Reputation
  • SpamProfiler 
  • Email Threats/KnownThreatsZeroDay
  • Advanced Malware and Exploit Detection
  • Antivirus Engine
  • SpamCensor
  • BEC Filter/Sigs
  • PhishFilter+URLDeep
  • Suspect URL/BTM
  • Sandbox
  • Email Policy Settings

Each of the millions of emails that come in each day is examined and broken down into its component parts, such as message header, message body, raw HTML, URLs, images, and attachments, which are then examined and compared to known threat patterns and heuristics to find new threats. This is done both automatically and by SpiderLab team members who are assigned to scan potentially malicious emails.

When the team dissects an email, you can often see the socially engineered text that tries to convince the target that the email is legitimate and that they need to click on a link or attachment.

As the process continues, the system scores each email, and if a certain threshold is reached, the email is pulled out and quarantined. This activity all happens in a brief period and does not slow down the email process. An additional real-time scan takes place when a user clicks on a link in an email to ensure it is safe.

The layered defense detects 99.95% of incoming spam and malware, with near zero false positives being reported . This already very high success rate can be boosted even further when MailMarshal is used in tandem with other email solutions ' embedded security.

How SpiderLabs detects the infamous Emotet banking trojan, which operates as a malware loader, is an excellent example of how the MailMarshal system works. 

Attackers spread Emotet via email, usually through malicious Word or Excel attachments.

The thing about Emotet is it's quite sneaky. The attacker will use other people's SMTP servers to relay emails. Often the attacker has already managed to obtain the authentication credentials to use these SMTP servers. Detecting a potential Emotet-laden email based on IP reputation is almost useless because of the steps the attacker has taken to make the email look legitimate. The attacker uses real email servers, harvests snippets of text from actual email threads, and reuses the subject lines and body text to make them appear more authentic to their end users. 

MailMarshal will take note that an email has a Word document attached. The Word doc has a macro in it and that macro, if invoked, will download Emotet or another type of malware. 

But MailMarshal, through its layered approach, goes beyond the  attachment, and uses many heuristics that target the entire email structure. This approach is highly successful at blocking Emotet and other malicious emails, limiting the potential success of an attack to near zero.

The Trustwave SpiderLabs Effect 

During the normal course of conducting its work, the SpiderLabs Email Security and Malware Analysis team has uncovered some extremely dangerous malware and email attack techniques.

These discoveries include BlackByte ransomware, untangling a phishing campaign that used a chatbot to talk to and socially engineer its targets and Vidar malware launcher concealed in a help file. The team shares its findings not only internally so other clients are protected but publishes detailed accounts so others may benefit from their research.

email security