Menlo Security | Aug 18, 2020
The challenge most email gateways face is protecting against URL-based threats that exist within a “danger zone”: the period during which a phishing site is still uncategorized and is therefore allowed to sneak into the network.
A recent study by Bolster AI (2020) found that criminals create more than 200,000 phishing sites a month, all designed to capture the credentials of distracted workers.
Frequently, the attacks begin as email links delivered to inboxes. These URLs exist for days as “uncategorized/unknown” sites before email gateways identify them as malicious.
This gap is the danger zone: the window in which an attack can reach users inside the network before any category or verdict exists for the site.
The danger of these uncategorized sites is obvious. Most IT teams do not have time to handle the sheer volume of “allow” or “block” decisions that need to be made to guard against every URL-based threat.
“Allow” decisions generally apply to known, highly visited sites with a very low probability of being compromised or having an attack go unnoticed. A company’s own customer-facing website is a prime example of a site that would normally be given the “allow” designation. While no site is perfectly secure, the chance of an attack going unnoticed for any length of time is low.
“Block” decisions apply to known bad sites or ones that could pose a specific risk to an organization. For example, a company may have an interest in not permitting access to certain cryptocurrency sites to prevent internal misuse.
The list of prohibited sites is also extended by the use of modern cloud-based technologies such as email filtering or sandboxing. These types of services automatically share intelligence across their entire platform to highlight sites previously identified as “suspicious.”
The problem is that most email filtering relies on detecting known threats and is ineffective against attacks that arrive within the danger zone.
Spear-phishing threats are particularly dangerous. This type of URL-based attack, which uses a credential-stealing site, will often bypass security because the attacker builds an entire website to target just a few high-level individuals, so the site never accumulates the traffic or reports that would get it categorized.
These tactics create a security gap that leaves the network open to compromise.
Email isolation allows administrators to place all linked content within emails into a read-only mode to prevent credential theft. Read-only mode loads the linked web page into isolation, blocking users from entering any information while still allowing them to view the site content.
Importantly, as many browsing experiences can be satisfied by read-only access, security teams can set policies that more aggressively flag sites as suspicious without seeing a massive increase in support tickets.
Email isolation also applies a risk-scoring algorithm to all web pages to (probabilistically) determine if a site is suspicious. All risky sites are then automatically placed into read-only mode.
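The following is an added illustration, not Menlo Security's code or the scoring algorithm its product uses, of how the allow/block/read-only policy described above and the risk scoring described here fit together: a link whose category is unknown, or whose combined risk score crosses a low threshold, is rendered in read-only isolation rather than forced into an allow-or-block decision. The signal weights, the thresholds, the blocked-category list and the sample URLs are all constructed assumptions.

```python
"""Added example (not Menlo Security's code): a link-handling policy that
routes uncategorized or risky URLs into read-only isolation instead of forcing
an allow/block decision.  Weights, thresholds and sample URLs are constructed."""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional
from urllib.parse import urlparse


class Action(str, Enum):
    ALLOW = "allow"          # render the page normally
    READ_ONLY = "read_only"  # render in isolation with all form input disabled
    BLOCK = "block"          # do not render at all


@dataclass
class LinkContext:
    url: str
    category: Optional[str]          # None means uncategorized / unknown
    domain_age_days: Optional[int]   # None means registration date unknown


# Assumed organisational policy: known-bad categories plus one the org prohibits.
BLOCKED_CATEGORIES = {"phishing", "malware", "cryptocurrency"}
READ_ONLY_THRESHOLD = 0.30   # low on purpose: read-only costs users little
BLOCK_THRESHOLD = 0.75       # only very strong combined evidence blocks outright


def _host_is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def risk_score(link: LinkContext) -> float:
    """Probabilistic risk score in [0, 1].

    Each signal carries an assumed weight w_i, read as 'probability this signal
    alone indicates a risky site'.  Signals are combined as a noisy-OR:
    P(risky) = 1 - prod(1 - w_i), so several weak signals add up without any
    single one forcing a decision.
    """
    parsed = urlparse(link.url)
    host = parsed.hostname or ""
    signals: List[float] = []
    if link.category is None:
        signals.append(0.25)                   # uncategorized: the danger zone
    if link.domain_age_days is not None and link.domain_age_days < 30:
        signals.append(0.40)                   # registered within the last month
    if _host_is_ip_literal(host):
        signals.append(0.50)                   # bare IP instead of a hostname
    if parsed.scheme != "https":
        signals.append(0.10)                   # no TLS
    if host.count(".") >= 4:
        signals.append(0.20)                   # deeply nested subdomains
    p_safe = 1.0
    for w in signals:
        p_safe *= 1.0 - w
    return 1.0 - p_safe


def decide(link: LinkContext) -> Action:
    """Map a link to allow / read-only / block.

    Uncategorized sites are never given full interactive access: they land in
    read-only mode by default, which is what closes the danger zone.
    """
    if link.category in BLOCKED_CATEGORIES:
        return Action.BLOCK
    score = risk_score(link)
    if score >= BLOCK_THRESHOLD:
        return Action.BLOCK
    if link.category is None or score >= READ_ONLY_THRESHOLD:
        return Action.READ_ONLY
    return Action.ALLOW


def sample_links() -> List[LinkContext]:
    """Constructed inputs; the hostnames are placeholders, not real sites."""
    return [
        LinkContext("https://www.example.com/login", "business", 5000),
        LinkContext("https://news.example.net/article", "news", 10),
        LinkContext("https://account-verify.example/portal", None, 3),
        LinkContext("http://192.0.2.10/verify", None, 2),
        LinkContext("https://wallet.example.org/", "cryptocurrency", 900),
    ]


if __name__ == "__main__":
    for link in sample_links():
        print(f"{decide(link).value:9s} score={risk_score(link):.3f} {link.url}")
```

The point of the low read-only threshold is the one made in the text: because read-only rendering still lets the user see the page, a policy can be aggressive about flagging sites without generating the support tickets that an outright block would, and a recently registered but legitimately categorized site (the second sample) simply loses form input rather than access.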
Email isolation protects against email-based threats that rely on overrunning security teams with a deluge of newly hazardous URLs that exist in the “danger zone” before detection.
Bad actors use the tactic because it works against legacy email-filtering technology; however, with cloud-based isolation, the attacks fail. Read-only mode covers the gap exposed in legacy technology by enabling IT admins to safeguard against potentially dangerous, uncategorized sites.
To learn more about isolation, download our data sheet or request a demo of email isolation.