Financial Institution

Financial Institution Stops Targeted Nation-State Attack With Collective Phishing Defense

How One Firm Cut Response Time 93%


  • Their inline email security gateway couldn’t protect the firm post-delivery and flooded their security team with user escalations caused by false positives
  • Security tools built into the cloud email platform limited access to message search and search coverage, delaying triage and resulting in narrow, manual remediation
  • Phishing Herd Immunity was rolled out in a week, enabling a single user report to quickly protect other users from similar payloads without first requiring manual investigation
  • Material successfully defended the firm against a nation-state attack through the quick thinking of a regular employee
  • Automatic default remediations reduced MTTR (Median Time to Remediate) 93%, allowing more focus on high-value work and advanced attacks

“The thing I care the most about is how long it takes to protect people from malicious emails. Once I get that done, an investigation can take more time because the urgency is gone. So (with Material) I can now focus on the more interesting threats like targeted malware delivery instead of spending time on common impersonations.”

— Mark, SecOps Head, Financial Institution

Protecting customer assets worth billions of dollars comes at a price: you become a target for everyone, from amateur hackers to powerful state actors. This is the daily reality for a high profile firm that partnered with Material in 2019. To protect itself, the firm has a substantially larger and more sophisticated security team than other companies its size. 

Mark* (a pseudonym) is the head of the firm’s SecOps team and reports to the CISO. His team handles threat intelligence and incident response, including phishing. Phishing attacks against the firm had been steadily increasing. Mark’s team needed a better way to deal with the flood of suspicious messages and resulting user reports:

“Even though there are many new attacks, fundamentally, the way most organizations get compromised is phishing. We wanted our approach to phishing to offer peace of mind rather than getting in the way.”

— Mark, SecOps Head

Mark found what he needed in Material. After the “easiest and least intrusive install experience for a security tool” he’d ever had, he had a novel defense in place. Phishing Herd Immunity reshaped proactive reporting by his security-conscious coworkers into an instant, collective defense. Through user-powered automation, Material dramatically reduced the team’s average response time—and then just a few months later, it helped mitigate a targeted nation-state attack.

Inline Solution: Out of Line

Prior to the Material implementation, Mark’s team had been struggling with an inline email gateway from a well-known security vendor that was often doing more harm than good:

“We previously had an inline solution. If suspicious messages got through the gateway, they would be delivered and the gateway wouldn’t allow you to do anything about it. It also blocked the messages that we needed. I spent more time triaging emails that it falsely flagged than doing anything else.”

– Mark, SecOps Head

Inline solutions also require deployment to the entire domain and affect mail delivery. Mark became convinced an API-based approach was a better answer due to the flexible deployment, lack of delivery issues, and post-delivery protection capabilities: 

“Anyone who is not treating office suite APIs as the first-class citizens for protection will not succeed in the long run.”

– Mark, SecOps Head

Phishing Herd Immunity Enables A Regular Employee to Protect the Entire Firm

With this preference in mind, Mark’s CISO brought up Material’s Phishing Herd Immunity, which also offers a novel approach to phishing response. The solution steps in when a user reports a suspicious message: it recognizes the report, maintains a cluster of similar messages across all mailboxes, and immediately applies an auto-remediation to all of them. Mark set theirs to defang links and attachments by replacing them with a warning.

When needed, Mark’s team can switch to different remediations (with varying degrees of severity, including restoring the original messages) at any time. This automated crowdsourced approach to phishing response offers important benefits to the firm: cutting response time, improving remediation coverage, and making false positives less operationally disruptive.

Reduced Response Time 93%, Improved Remediation Coverage, and Painless False Positives

Before rolling out Material, the team’s response times to suspicious message reports could be more than an hour, and investigation and remediation took another 15 minutes. With automated remediation, Mark says, “time to remediation has been inverted because it’s faster than time to triage.” This inversion has shaved an hour or more from the MTTR (Median Time to Remediate). The remaining remediation steps also take just 3-5 minutes instead of 15, for a total reduction of 93%.

“The triage tasks are much faster, remediation coverage has improved, and we have a higher quality of phishing responses overall.”

— Mark, SecOps Head

Prior to using Material, the team had to triage each report individually and remediation on a per-user basis was common, causing “lower confidence in remediation coverage.” Searching to see who else may have been affected by an attack wasn’t always possible for every analyst because it required overly broad permissions in the email platform. Material’s ability to cluster similar messages gave the team confidence that they were rooting out all malicious messages:

“Whenever we are dealing with attacks where it’s not just one user receiving these emails, this is where Phishing Herd Immunity comes in to hunt down and defang all other emails.”

— Mark, SecOps Head

Phishing Herd Immunity also addressed the cost of false positives. Automatic remediation was set to “allow with a warning,” so it protected people from malicious messages but didn't block them because of other users’ false positive reports. Mark considered it to be “the best of both worlds” that also accelerated learning:

“Everyone is human and will get fooled once in a while. If we can inject the right warnings, that can make a difference between being harmed by an attack or learning a lesson.”

— Mark, SecOps Head

Collective Phishing Defense Quickly Blocks a Targeted Nation-State Attack 

Soon after the Material deployment, a number of users received what looked exactly like a Google Drive shared link email that was cleverly able to slip through their cloud email provider’s phishing filter. One trained user, who had been trained, noticed that the message didn’t come from the right domain and forwarded it to a dedicated phishing reporting address. Almost instantly, Material analyzed the report, and found all instances of the malicious message, and modified them to show a warning if the links inside the messages were clicked. 

Phishing Herd Immunity was most critical in the first hour of the attack when every second counted and the security team wasn't able respond to reports requiring human analysis fast enough to protect every single user. With Material’s automatic “surgical defanging,” this watchful user’s quick action helped protect everyone else at the firm. 

Quick initial remediation of the attack bought Mark’s team enough time to analyze the message and confirm the nation-state actor’s infrastructure behind it, and then remove the attacker’s messages from all user mailboxes with a few clicks. For Mark, this kind of fast and safe resolution creates room to engage in more complex and higher-value work:

“The thing I care the most about is how long it takes to protect people from malicious emails. Once I get that done, an investigation can take more time because the urgency is gone. So (with Material) I can now focus on the more interesting threats like targeted malware delivery instead of spending time on common impersonations.”

— Mark, SecOps Head

Beyond his satisfaction with the product itself, Mark appreciates how Material’s Customer Success team has partnered with his SecOps team:

Back to top ^

“Part of what we value is not just the product, but the team. Material’s CTO and Head of Security both really listen and take the time to understand the problems we want to solve. I value a team that can be a great partner.”

— Mark, SecOps Head