December 19, 2023
New in Material: Enhanced Attachment Detections to Thwart Sophisticated Phishing Attacks
Material is rolling out enhancements to our processing pipeline that further inspect and analyze the contents and behaviors of file attachments to detect malicious activity.
- Attachments are analyzed through an enhanced processing pipeline to detect suspicious code and actions such as QR code identification, ransomware payloads, and malicious documents.
- Additionally, attachments are processed against an internally-curated library of YARA rules to detect malware payloads.
- Attachment analysis results are included in case details alongside the message headers and body analysis, and attachment attributes are available in Material’s message search for investigation and for saving custom detection rules.
Advanced Threat Detection via Code, Vision, and Malware Analysis
Attackers frequently use file attachments to hide malicious code and activity. These emails may look harmless on the surface, but they can be extremely damaging, as intended. For security teams investigating incoming email, the intent of an attachment is harder to verify than that of the message body, given the wide range of file types, the use of hidden exploit code, and the encryption of contents.
Material customers are used to a seamless case triage experience that provides the right context to make smart remediation decisions. With these enhancements, we will surface our attachment analysis in the Case Details view for further investigation. For example, when we detect that an attachment contains a QR code, we also parse the link to determine whether there is a malicious target.
Along with the contents themselves, file attachments carry a lot of valuable metadata that helps with incident response and forensic investigations. For example, the file’s MD5 and SHA256 hashes can be searched to find additional attack vectors, and the file’s extracted links can be analyzed for malicious targets. The Material Data Platform exposes an advanced search and discovery toolkit that spans message contents and headers; these additions extend it to attachments.
A Processing Pipeline Built for Enterprise Scale
Processing every unique file attachment across an organization’s email footprint is a heavier lift than processing message bodies, because of the variety of file types and sizes and the different flavors of content analysis required.
Material already employs a unique deployment model where every customer instance is an isolated single-tenant environment. For attachment processing, we deploy a pipeline cluster alongside the core platform. This pipeline is designed to scale to scan every file attachment, and securely processes all data inside the isolated tenant.
The pipeline is split between two main analysis workflows for each unique attachment.
First, we analyze the contents of the file itself:
- Filetype Fingerprinting: Ensures file content aligns with its extension, like verifying a file labeled as PDF is indeed a PDF
- Computer Vision and OCR: Identifies suspicious visual content within files, such as an embedded QR code in an image
- Link and Text Extraction: Extracts and analyzes embedded links, like a hyperlink found in a Word document
- Encrypted File Cracking: Employs techniques to access encrypted file contents, for example, cracking open a password-protected ZIP file
- File Metadata Extraction: Gathers and assesses file attributes, such as the ‘first seen’ date of a document
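The first-phase checks listed above, as an added Python example that is not Material’s own code: it fingerprints the content by magic bytes, flags a mismatch against the declared extension, hashes the file for later search, and extracts embedded links. The signature table, the extension mapping and the sample attachment are constructed for illustration.

```python
import hashlib
import re
from dataclasses import dataclass

# Magic-byte signatures for a few common attachment containers (constructed list).
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",                              # also OOXML (docx/xlsx/pptx)
    b"MZ": "exe",                                      # PE executable
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",        # legacy .doc/.xls/.ppt
    b"\x89PNG\r\n\x1a\n": "png",
}
# Declared extensions that are consistent with each detected container.
EXT_FOR = {
    "pdf": {"pdf"}, "zip": {"zip", "docx", "xlsx", "pptx"},
    "exe": {"exe"}, "ole": {"doc", "xls", "ppt"}, "png": {"png"},
}
URL_RE = re.compile(rb"https?://[^\s'\"<>)]+")

@dataclass
class AttachmentReport:
    name: str
    md5: str                  # searchable hashes for IR / forensic pivoting
    sha256: str
    detected_type: str        # type by content, not by name
    extension_mismatch: bool  # e.g. "invoice.pdf" that is really an executable
    links: list               # extracted URLs handed to link analysis
    findings: list            # human-readable reasons for triage

def fingerprint(data: bytes) -> str:
    """Return the container type implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def analyze(name: str, data: bytes) -> AttachmentReport:
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = fingerprint(data)
    mismatch = kind != "unknown" and ext not in EXT_FOR[kind]
    links = sorted({u.decode("ascii", "replace") for u in URL_RE.findall(data)})
    findings = []
    if mismatch:
        findings.append(f"extension .{ext} does not match content type {kind}")
    if kind == "exe":
        findings.append("executable attachment")
    if links:
        findings.append(f"{len(links)} embedded link(s) extracted for URL analysis")
    return AttachmentReport(name, hashlib.md5(data).hexdigest(),
                            hashlib.sha256(data).hexdigest(), kind, mismatch, links, findings)

# Constructed sample: named as a PDF, but the bytes are a PE header followed by a URL.
SAMPLE = analyze("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 8 + b"see http://example.invalid/pay")
```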
The second phase is focused on malware detection leveraging YARA rules (an open source malware detection library):
- Common Malware Fingerprints: YARA rules detect known malware through unique patterns and signatures in email attachments
- Exploits and Emerging Threats: YARA rules identify new and evolving threats by scanning for exploit code and unusual activity in attachments
- Obfuscation Techniques: These rules uncover hidden malware by detecting encryption, compression, and other obfuscation methods in attachments
- Ransomware Payloads: YARA rules target ransomware by identifying encryption routines, ransom notes, and specific file extensions in email attachments
Finally, we pass all results of this pipeline into additional detection layers that analyze the extracted metadata and attributes and correlate them with the analysis of the message body. The end result surfaces issues classified as suspicious or malicious, with labels that indicate our findings along with remediation recommendations.
Better threat detection. More complete data protection.
Reducing the risk profile of your cloud office environment requires a strong defense-in-depth strategy. Better detections catch more of the right issues to investigate, and a seamless triage experience makes it easier for incident response teams to focus and remediate quickly and effectively.
But total risk extends beyond threat detections. Material is the only provider that also analyzes the historical contents of the mailbox, applying smart access controls to messages that contain sensitive or regulated data.
Material customers gain a unified solution that consistently advances threat detection capabilities while simultaneously protecting sensitive data. This integrated approach stands in contrast to the fragmented nature of separate Phishing and Data Loss Prevention (DLP) tools, offering customers a more efficient and comprehensive email security workflow.