‹  Back

July 18, 2023 · 4m read

Securing Mailboxes in the Era of Persistent Threats: Insights from Recent Chinese State-Linked Hacks

Chris Long 


Stating the obvious: Recent events reinforce the fact that the mailboxes inside of organizations continue to be a target and that even strong authentication controls are insufficient to prevent unauthorized access.

It's time for organizations to adopt a strategy that goes beyond securing against mailbox compromise. Organizations should adopt an "assume breach" mentality and must include protections to mitigate the impact of a successful compromise.

Email was, is, and will continue to be one of the primary attack vectors and targets. 

Email is the most widely used collaboration tool in the world. The wealth of information inside email accounts requires that we stop thinking of them as simple messaging applications and shift to recognizing them as the rich data repositories they have become. Traditional approaches, such as email gateways and phishing protection, do not offer protection for data at rest in a mailbox.

The shift from on-prem to cloud infrastructure has improved overall mail infrastructure security, however, it still hasn't addressed the need to protect the data inside mailboxes. As in other areas of digital transformation, the adoption of cloud-based email services like Microsoft 365 and Google Workspace presents an opportunity to rethink and apply proven security models.

Learning from the past

When trying to find solutions to problems, it is often helpful to consider how similarly complex challenges have been addressed in the past. The theft or loss of a company issued device was previously considered a perilous event. Because data was frequently stored unencrypted on hard drives, it was easily accessed and copied by any individual with possession of the device. Today, device theft and loss still occur but the data on the device remains protected because full disk encryption has become ubiquitous. Except in rare and extreme circumstances, the loss of devices now presents a negligible risk to organizations. The cost and effort required to defeat full disk encryption makes physical asset theft a path of considerable resistance and adversaries often search for alternative access to the information or goals they seek. As an industry, once we accepted that theft or loss of devices would continue to happen, we were able to find innovative ways to ensure that the risk from such an occurrence would be greatly reduced.

Securing the modern, cloud email environment

Unauthorized access to mailboxes, as opposed to physical devices, is a targeted and concerted effort for adversaries. At Material our mission is to make it prohibitively difficult for attackers to access sensitive email data post-compromise. We should operate with the assumption that mailbox compromise is no different than the loss of a physical device and shift to a strategy of protecting emails at rest. The powerful APIs exposed by email providers enables new and innovative mailbox protections. Material Security leverages these APIs to apply defense-in-depth for mailboxes by determining which messages contain sensitive content and requiring an additional, low-friction challenge to access them. Even with full control of an organization's mail infrastructure, such as in the high-profile example recently revealed by the US Commerce Department, adversaries would still be unable to access the content of sensitive emails protected by Material Security.

Protecting data at rest on physical devices is a requirement of modern information security programs. Now that the technology exists, protecting emails at rest in cloud environments must follow.