
December 19, 2023 · 3m read

New in Material: Enhanced Attachment Detections to Thwart Sophisticated Phishing Attacks

Ivan Dwyer 

@fortyfivan 

Material is rolling out enhancements to our processing pipeline that further inspects and analyzes the contents and behaviors of file attachments for detecting malicious activities.

What's New

Advanced Threat Detection via Code, Vision, and Malware Analysis

Attackers frequently leverage file attachments to obscure malicious code & activity. These emails may look harmless on the surface, but they can be extremely damaging – as intended. For Security teams investigating incoming emails, the intent of an attachment is harder to verify than that of the message body, given the wide range of file types, the use of hidden exploit code, and encryption of the contents.

Material customers are used to a seamless case triage experience that provides the right context to make smart remediation decisions. With these enhancements, we will surface our attachment analysis in the Case Details view for further investigation. For example, when we detect that an attachment contains a QR code, we also parse the link to determine whether there is a malicious target.

Attachments in Case Details

Along with the contents themselves, file attachments carry a lot of valuable metadata that help with incident response or forensic investigations. For example, the file’s MD5 and SHA256 hash can be searched to determine additional attack vectors, or the file’s extracted links to analyze malicious targets. The Material Data Platform exposes an advanced search & discovery toolkit that spans message contents and headers – these additions will also include attachments.

A Processing Pipeline Built for Enterprise Scale

Processing all unique file attachments across an organization’s email footprint is a heavier lift than processing message body contents, because of the range of file types and sizes involved and the different kinds of content analysis each requires.

Material already employs a unique deployment model where every customer instance is an isolated single-tenant environment. For attachment processing, we deploy a pipeline cluster alongside the core platform. This pipeline is designed to scale to scan every file attachment, and securely processes all data inside the isolated tenant.

Attachment Processing Pipeline

The pipeline is split into two main analysis workflows for each unique attachment.

First, we analyze the contents of the file itself:

The second phase is focused on malware detection leveraging YARA rules (YARA is an open source pattern-matching tool for identifying malware):

Finally, we pass all the results of this pipeline into additional detection layers to analyze the extracted metadata and attributes, and to compare them with the analysis of the message body contents. The end result of this analysis surfaces issues classified as suspicious or malicious, with labels that indicate our findings along with remediation recommendations.
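To make the attachment metadata described above concrete (file hashes, extracted links, and a comparison against the message body), here is an added Python example; it is not Material's code and says nothing about how their pipeline is implemented. The sample message, the URL regex, the `build_sample_message`, `analyze_message`, `file_hashes` and `label_attachment` names, and the triage heuristic (flag attachments whose links point at domains that never appear in the body, or whose filename carries a double extension) are all my constructions, using only the Python standard library.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed attachment content for the sample message (not a real file).
SAMPLE_ATTACHMENT_BYTES = (
    b"Open your invoice at http://invoice-update.example.net/pay?id=42"
)

# Simple URL matcher; good enough for text-like content, not a full parser.
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def build_sample_message() -> bytes:
    """Construct a sample email whose body links one domain and whose
    attachment links a different one (constructed data, not a real message)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("The invoice is attached. Portal: https://portal.example.com/login")
    msg.add_attachment(
        SAMPLE_ATTACHMENT_BYTES,
        maintype="application",
        subtype="octet-stream",
        filename="invoice.txt",
    )
    return msg.as_bytes()


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA256 of the raw attachment bytes, for search and IoC matching."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_domains(text: str) -> set:
    """Hostnames of every URL found in a piece of text."""
    return {urlparse(u).hostname for u in URL_RE.findall(text)} - {None}


def label_attachment(record: dict) -> str:
    """Hypothetical triage heuristic: 'suspicious' when the attachment links to
    domains absent from the body or uses a double extension, else 'no finding'."""
    name = record["filename"] or ""
    double_ext = len(name.split(".")) > 2
    if record["domains_not_in_body"] or double_ext:
        return "suspicious"
    return "no finding"


def analyze_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and build one record per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_text = body_part.get_content() if body_part is not None else ""
    body_domains = extract_domains(body_text)

    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # Decode leniently: binary formats yield little text, which is fine here.
        links = URL_RE.findall(data.decode("utf-8", errors="ignore"))
        link_domains = extract_domains(" ".join(links))
        record = {
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(data),
            "links": links,
            "domains_not_in_body": sorted(link_domains - body_domains),
            **file_hashes(data),
        }
        record["label"] = label_attachment(record)
        attachments.append(record)

    return {"body_domains": sorted(body_domains), "attachments": attachments}


if __name__ == "__main__":
    result = analyze_message(build_sample_message())
    for att in result["attachments"]:
        print(att["filename"], att["sha256"], att["label"], att["domains_not_in_body"])
```

The hashes are what an analyst would pivot on in a search tool or threat-intelligence feed, and the domain comparison is one cheap signal for the "attachment says something the body does not" pattern; a production pipeline would add format-specific extractors (PDF, Office, QR decoding) in front of the same link and hash logic.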

Better threat detection. More complete data protection.

Reducing the risk profile of your cloud office environment requires a strong defense-in-depth strategy. Better detections catch more of the right issues to investigate, and a seamless triage experience makes it easier for incident response teams to focus and remediate quickly and effectively.

But total risk extends beyond threat detections. Material is the only provider that also analyzes the historical contents of the mailbox, applying smart access controls to messages that contain sensitive or regulated data.

Material customers gain a unified solution that consistently advances threat detection capabilities while simultaneously protecting sensitive data. This integrated approach stands in contrast to the fragmented nature of separate Phishing and Data Loss Prevention (DLP) tools, offering customers a more efficient and comprehensive email security workflow.

Gain the Material advantage. Avoid material impacts. Request a Demo.