I was in a discussion recently with some vCISOs about email phishing attacks, and the conversation wandered through the impact of GenAI on filtering based on language and beyond.
The notion of analyzing language in email to determine an email phishing attempt is common. It is also a pretty amateur approach, in my opinion. The issue isn't what the phishing attempt is saying, it's the request the email is making that needs to be mitigated.
The word came second, but first came the deed.
The very next day I went back to an idea raised earlier in this blog about mitigating email phishing. I will unhappily mention that it's our lowest ranked blog post by percent of “opens” according to intrusive Substack surveillance systems.
That blog post unreasonably offered the notion that ordinary users, and even most technical users, should start using mail clients that allow email to be viewed as plain ordinary ASCII/UTF-8 text. Even for the new generations of super-technical users, life without Gmail or HTML email is probably viewed as a backward step on the alleged long march of human progress.
I still think at least those in information security should consider it.
I'll hold my ground regardless, but make this email phishing measure a bit more populist. Maybe requesting users change their email clients isn’t the easiest route. Maybe there’s a more novel and monumental approach that is possible.
Let's go back to the basics.
Consider this image of a well-crafted phishing email:
For an actual Mailjet customer it's tempting to click the "Action Required" link.
And unlike many phishing emails and too many web sites, for that matter, the copyright date was actually accurate when it was received.
Now look at the email as text, without HTML formatting:
Is that email even tempting to click now? The URL contains “mailjet” in the subdomain, but the full domain name should set off alarm bells.
https://mailjet.com.session.6846519.alleinewandernistdoof.de/ shouldn't seem valid to most users. If it does, some brief instruction about domains and subdomains should help.
That's why a simple end-user mitigation step would be to view the suspicious email as plain text. Let users click a button to switch between the noisy HTML-formatted email and the raw text formatting. But that's easier said than done.
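As an added illustration (not code from the post), here is what such a toggle plus a domain check could look like in Python: the HTML body is rendered as plain text with every link target exposed next to its visible text, and any link whose host name-drops the brand but is registered under a different domain is flagged. The sample HTML is constructed to mirror the Mailjet phish described above, and the registrable-domain logic is a last-two-labels simplification rather than a public-suffix-list lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body modelled on the phish described above (not the real message).
SAMPLE_HTML = """<html><body>
<p>Your Mailjet account needs verification.</p>
<p><a href="https://mailjet.com.session.6846519.alleinewandernistdoof.de/">Action Required</a></p>
<p>Manage preferences: <a href="https://www.mailjet.com/account/">account settings</a></p>
</body></html>"""

class LinkExposingTextifier(HTMLParser):
    """Render HTML as plain text, appending each link's real target after its visible text."""
    def __init__(self):
        super().__init__()
        self.parts, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
        elif tag in ("br", "p", "div", "tr", "li"):
            self.parts.append("\n")
    def handle_endtag(self, tag):
        if tag == "a" and self._href:
            self.parts.append(f" <{self._href}>")
            self._href = None
    def handle_data(self, data):
        self.parts.append(data)

def html_to_text(html):
    """The 'view as plain text' toggle: body text with every href made visible."""
    p = LinkExposingTextifier()
    p.feed(html)
    lines = "".join(p.parts).splitlines()
    return "\n".join(" ".join(l.split()) for l in lines if l.strip())

def split_host(url):
    """Return (host, registrable domain). Registrable = last two labels, a
    simplification without a public-suffix list (co.uk-style suffixes would mis-split)."""
    host = (urlparse(url).hostname or "").lower()
    return host, ".".join(host.split(".")[-2:])

def suspicious_links(text, expected_domain):
    """Flag links whose host name-drops the expected brand but is registered elsewhere,
    e.g. mailjet.com.session.6846519.alleinewandernistdoof.de."""
    brand = expected_domain.split(".")[0]
    hits = []
    for url in re.findall(r"<(https?://[^>\s]+)>", text):
        host, reg = split_host(url)
        if reg != expected_domain and brand in host:
            hits.append((url, reg))
    return hits
```

Running `suspicious_links(html_to_text(SAMPLE_HTML), "mailjet.com")` flags only the "Action Required" link, since the genuine preferences link resolves to mailjet.com itself.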
The most common email clients don't allow you to easily jump between text and HTML-formatted email views, if they allow you to view email as text at all.
That animated noisy email functionality provided by HTML formatting is now a cover for phishing attacks. At least allow users to easily drop the glitz and see the unadulterated contents.
I don't use any of the mainstream email clients, and only occasionally look at email with HTML formatting. I may stand corrected here, but I don't believe any of the common email clients allow users to easily view email as only text. That takes this useful security mitigation off the table for most users.
I have a hard time believing something like Mutt's interface will be acceptable to most users.
The responsible parties to address this are the email cabal I've ranted about before.
This email cabal doesn't just dominate most email received and sent. They also provide most email clients, whether desktop software or web-based solutions.
That email cabal also seems to rule the unsolicited commercial email received in my inbox.
If you're at a large commercial entity that can push some of the email cabal and get results, this might be a worthwhile use of your influence.
How about some simple UI toggle to go from HTML or rich-text formatted email to plain ASCII/UTF-8 text? Why not empower end users to cut through the mists of deception and see what's really in that email message?
With a little guidance, a huge blow could be dealt to well-crafted phishing attempts, and it might even help identify some of the more benign spam.
We can talk about enterprise email security solutions and why the security industry and the big name CISOs can't fix decades of the same old problems until we're blue in the face. In the meantime, maybe we give the users in and out of the enterprise a useful self-help tool?
About the author: George is a co-founder and CTO of ClearOPS. By trade, George is a systems administrator out of BSD Unix land, with long-time involvement in privacy-enhancing technologies. By nature, he thrives on creating unorthodox solutions to ordinary problems.
About ClearOPS. ClearOPS provides security program management software to security experts powered by Generative AI. The platform is rooted in assessments, such as gap, security, privacy, RFPs and risk. Once a knowledge base is formed, all assessments can be automated or used to automate other features. Inquiries: info@clearops.io