The resurfacing risk of an old, long neglected monster

Decades of organic growth, integrations with 3rd party systems and the cloud have left email architectures highly vulnerable to cyber-attacks.

Due to decades of organic growth and recent tight integration with internet-based systems, email architectures have become increasingly vulnerable to attacks. In particular, impersonation and internal Denial of Service attacks are on the rise. In 2022, 333.2 billion emails were sent worldwide. Depending on the source, 6.1% -11.2% of these are malicious. There has been a sharp increase in these numbers year on year. In the meantime, 97% of all companies have been attacked by means of malicious emails.

The first use of email can be traced back to 1971 when Ray Tomlinson, working for ARPANET, sent the first network mail. Since its adoption in the corporate environment in the 1980s, we can no longer imagine a world without it.

Over the last 10 years, companies have invested heavily in email security. Not just to prevent spam from reaching users’ inboxes, but more importantly to reduce the success rate of phishing attempts, which in combination with ransomware is the most popular attack technique used by criminals today.

Most of the security measures have been focusing on dealing with emails coming into the system (inbound emails). To protect against threats, email system architectures – the email system’s underlying design and structure – have been using filters or 'Secure Email Gateways' (SEGs) for over 25 years.

While the risks posed by inbound email should not be underestimated, email security is more than just messages received from the internet. Consider the risks associated with the following:

  • Old, vulnerable, legacy email infrastructures that can be easily exploited
  • Emails sent internally, with the sender being implicitly trusted by the receiver
  • Business-critical applications relying on legacy infrastructure sending unencrypted emails
  • Uncontrolled third-party applications (e.g., SaaS) sending emails on behalf of a company's email domain
  • Risks involved from social engineering attacks, such as e.g., lookalike domains
  • Risks from an organically grown architecture where multiple disparate systems (cloud, on-premises, hybrid…) and third-party providers have been connected for decades

You don’t have to look far to see how these setups can lead to disaster, especially given the often complex email architectures that weren’t originally designed to deal with modern security risks.

The main driver of these risks is the use of 'legacy' systems, using old technology and protocols that don’t meet modern security standards. This results in risks such as:

1. Legacy applications not supporting modern authentication, signing or encrypting e-mail, and often no longer supported by the vendor, resulting in:

a. Leakage and manipulation of confidential and critical data

b. Impersonation of any person or mailbox within the organization, typically C-level executives

c. Exploitability of and Denial of Service attacks on an organization’s email infrastructure

2. Trust(s) between systems that can be easily exploited by attackers as legacy architectures do not adhere to the Zero Trust principles.

3. The rise of AI that requires data to train its models, data that also resides in sensitive mailboxes on-premises not designed for this purpose, opening the door to uncontrolled data exposure.

4. Legacy Secure Email Gateways (SEGs): they have an organically grown set of exceptions that are ineffective at catching the latest threats, but are still often in place for application email.

Managing these risks can be difficult and complicated, requiring good planning, smart use of resources and solid knowledge of both legacy systems and the new technologies that may replace them.

By its very nature, email requires multiple departments (security, infrastructure, applications, etc.) to work together on a non-standardized architecture containing multiple integrations and is also business critical. On top of that, untracked exceptions to email filters that have grown over the years and may or may not be needed to keep critical business systems running, along with the integration of cloud and cloud-hybrid systems in recent years only increase the security risk further.

At KPMG, we have many years of experience in reducing security risks. We can assist your organization reduce its exposure to email security risks in several ways:

1. Identifying security risks and inefficiencies by:

a. Performing security architecture reviews, both on-premises and in the cloud.

b. Analyzing existing email security rulesets and exceptions.

c. Analyzing existing email systems’ resiliency to cyber-attacks from outside and inside.

2. Mitigating security risks and increasing efficiency by:

a. Patching and upgrading outdated systems.

b. Reducing security exceptions to the absolute necessary.

c. Enabling mandatory use of modern authentication for email systems and applications to the extent possible.

d. Enabling SPF, DKIM and DMARC to reduce illegitimate spoofing risks

3. Ensuring an efficient, secure and sustainable email system for the future by:

a. Identifying your organization’s requirements for email, including legacy applications.

b. Redesigning the architecture and email flows to ensure separation of user and email flows, enforcing modern authentication while strengthening EOL applications and ensuring long-term scalability.

c. Introducing a Defense-in-Depth approach, ensuring long-term protection of on-premises and cloud-hosted email systems.

d. Designing efficient and sustainable processes to govern internal and external email security, thereby technically enforcing domain level anti-spoofing protocols (e.g., DMARC).

Defining logging and monitoring rules and alerts focusing on both outsider and insider email security risks that can be easily integrated with SIEM / SOC solutions.

Michele Daryanani

Partner, Cyber Security

KPMG Switzerland

Lars van Holsbeeke
Lars Van Holsbeeke

Cyber Security Manager

KPMG Switzerland