Trustwave SpiderLabs: The Power Behind MailMarshal

From the outside, it might appear as if Trustwave MailMarshal is a stand-alone solution that on its own is able to effectively defend email systems from a wide variety of phishing, malware, and business email compromise (BEC) attacks.

The truth is MailMarshal is backed not only by one of the best trained, most experienced cybersecurity research teams in the industry but also by a technology stack that has been decades in the making.

So, how exactly does MailMarshal ensure an organization's email system is as locked down as possible?

Trustwave SpiderLabs has a global team of experts dedicated to supporting MailMarshal and email security. These researchers and analysts spend each day breaking down captured malicious emails, analyzing malware, and discovering the tactics, techniques, and procedures (TTPs) cybercriminals use. These lessons are then ingested and used to help protect all our clients. Because, as we all know, adversaries will use a single attack methodology against a wide array of targets.

The team's strengths include 20-plus years of experience in email security and malware. The malware team works closely with the end-to-end email team, and SpiderLabs and Engineering work closely together on developing new capabilities.

SpiderLabs' Layered Protection

Under the guidance of SpiderLabs, MailMarshal runs every inbound email through 11 separate layers to help protect against spam, email-delivered malware, phishing and BEC attacks on-premises and in the cloud. 

The layers are:

  • IP Reputation
  • SpamProfiler 
  • Email Threats/KnownThreatsZeroDay
  • Advanced Malware and Exploit Detection
  • Antivirus Engine
  • SpamCensor
  • BEC Filter/Sigs
  • PhishFilter+URLDeep
  • Suspect URL/BTM
  • Sandbox
  • Email Policy Settings

Each of the millions of emails that come in each day is broken down into its component parts, such as message header, message body, raw HTML, URLs, images, and attachments, which are then examined and compared to known threat patterns and heuristics to find new threats. This is done both automatically and by SpiderLabs team members who are assigned to scan potentially malicious emails.

When the team dissects an email, you can often see the socially engineered text that tries to convince the target that the email is legitimate and that they need to click on a link or attachment.

As the process continues, the system scores each email, and if a certain threshold is reached, the email is pulled out and quarantined. This activity all happens in a brief period and does not slow down the email process. An additional real-time scan takes place when a user clicks on a link in an email to ensure it is safe.

The layered defense detects 99.95% of incoming spam and malware, with near zero false positives being reported. This already very high success rate can be boosted even further when MailMarshal is used in tandem with other email solutions' embedded security.

How SpiderLabs detects the infamous Emotet banking trojan, which operates as a malware loader, is an excellent example of how the MailMarshal system works. 

Attackers spread Emotet via email, usually through malicious Word or Excel attachments.

The thing about Emotet is it's quite sneaky. The attacker will use other people's SMTP servers to relay emails. Often the attacker has already managed to obtain the authentication credentials to use these SMTP servers. Detecting a potential Emotet-laden email based on IP reputation is almost useless because of the steps the attacker has taken to make the email look legitimate. The attacker uses real email servers, harvests snippets of text from actual email threads, and reuses the subject lines and body text to make them appear more authentic to their end users. 

MailMarshal will take note that an email has a Word document attached. The Word doc has a macro in it and that macro, if invoked, will download Emotet or another type of malware. 

But MailMarshal, through its layered approach, goes beyond the attachment and uses many heuristics that target the entire email structure. This approach is highly successful at blocking Emotet and other malicious emails, limiting the potential success of an attack to near zero.
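An added illustration of the decompose-and-score flow described above, applied to the Emotet case where IP reputation contributes nothing. It is not MailMarshal or SpiderLabs code: the heuristics, weights, threshold, function names, and the sample message are assumptions constructed for this example.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

THRESHOLD = 5  # assumed quarantine threshold; weights below are illustrative

def build_sample():
    """Constructed message: 'Re:' subject, no thread headers, .docm with VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"placeholder bytes, not a real macro")
    msg = EmailMessage()
    msg["From"], msg["To"] = "billing@example.org", "user@example.com"
    msg["Subject"] = "Re: Invoice for March"
    msg.set_content("Please see attached.\n> Can you resend the invoice?\n")
    msg.add_attachment(buf.getvalue(), maintype="application", filename="invoice.docm",
                       subtype="vnd.ms-word.document.macroEnabled.12")
    return msg.as_bytes()

def decompose(raw):
    """Split a raw message into headers, body text, URLs and attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    files = [(p.get_filename(), p.get_payload(decode=True) or b"")
             for p in msg.iter_attachments()]
    urls = re.findall(r"https?://[^\s\"'<>]+", text)
    return {"headers": msg, "body": text, "urls": urls, "attachments": files}

def ooxml_has_vba(data):
    """True if an OOXML (zip) document carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False  # not OOXML; legacy OLE .doc/.xls needs a separate parser

def score(raw, sender_ip_listed=False):
    parts, hits = decompose(raw), []
    h = parts["headers"]
    if sender_ip_listed:  # stays False when mail is relayed via a legitimate server
        hits.append(("ip_reputation", 5))
    threaded = h["In-Reply-To"] or h["References"]
    if re.match(r"(?i)\s*re:", h["Subject"] or "") and not threaded:
        hits.append(("reply_subject_without_thread_headers", 2))
    if any(ooxml_has_vba(data) for _, data in parts["attachments"]):
        hits.append(("macro_enabled_attachment", 4))
    total = sum(w for _, w in hits)
    return ("quarantine" if total >= THRESHOLD else "deliver"), total, hits
```

With a clean sender IP, `score(build_sample())` still reaches the threshold on structural signals alone, which is the point the Emotet discussion makes about not relying on IP reputation.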

The Trustwave SpiderLabs Effect 

During the normal course of conducting its work, the SpiderLabs Email Security and Malware Analysis team has uncovered some extremely dangerous malware and email attack techniques.

These discoveries include BlackByte ransomware, a phishing campaign that used a chatbot to talk to and socially engineer its targets, and a Vidar malware launcher concealed in a help file. The team not only shares its findings internally so other clients are protected but also publishes detailed accounts so others may benefit from its research.
