Page 156 - Cyber Defense eMagazine October 2023

URL Hunting in Email Security, Defined

URL hunting, sometimes also called threat hunting, is the proactive practice of searching for and investigating potentially malicious links that reside on an email server, which typically enter the network through a phishing attempt or a malware-infected message. This process can pinpoint compromising emails that were stealthy enough to circumvent an organization's passive cybersecurity filters. This, unfortunately, is happening more frequently as hackers evolve their methods and acquire better, AI-based tools.

No solution is 100 percent perfect, but traditional SEG (secure email gateway)-based solutions often rely on the whitelisting and blacklisting of known dangerous IP addresses, and are therefore less effective against advanced, AI-generated phishing attempts, where the convincing message itself is what deceives victims into clicking ill-intentioned links.

These URLs often direct to a clever impostor site that spoofs a recognizable vendor or financial institution and requests login and password information. Links can also lead victims to supply credentials for their email accounts, resulting in those accounts being hacked. Cybercriminals often target high-level executives for this activity, since they can use an authoritative email account to demand wire transfers, access financial accounts, or gather personal identifying information about additional employees. This is referred to as business email compromise (BEC), and its prevalence is escalating in the workplace. According to a Microsoft Cyber Signals report from May 2023, BEC attacks have increased by 38 percent over the past four years.

Only a limited number of cybersecurity solutions incorporate URL hunting, which functions like a search engine that can root out dangerous material. IT administrators can use these tools proactively as a complementary strategy, or reactively when a known threat is suspected of having been triggered on a business network. For instance, if an employee has fallen victim to a phishing scheme on his home computer, the IT team can check whether that same malicious URL has been visited on his office email server, and whether others on the network have received and clicked the perpetrating link. Or, if administrators get wind of link-based malware that is rearing its head in a particular industry, they can identify which users on their own system have visited the offending URL.



How Analytics Can Inform Remediation

Not only does a URL hunting tool enhance the administrator's ability to discover this harmful activity, it can also provide intelligence to help determine the scope and details of the attack, such as the IP address where the impostor page is being hosted. A sophisticated URL hunting mechanism can perform advanced automated functions, such as presenting the email content to the administrator for examination, blacklisting both the link and the sender's IP addresses for the future, and/or eradicating the message from the recipient's inbox. Detailed analysis of these circumstances can empower IT teams to devise a targeted mitigation plan when an existing threat is revealed.
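As an added illustration of the two passages above (the search for a known URL across stored mail, and the scope-and-remediation intelligence that follows), here is a small Python hunt that is not code from the article or from any product it describes. It assumes a constructed mail store of raw messages (every address, host, Message-ID and IP is invented), takes the sender's IP from the Received headers, and turns the findings into a remediation plan rather than executing anything.

```python
import re
from dataclasses import dataclass, field
from email import message_from_string
from urllib.parse import urlsplit, urlunsplit

# Constructed sample mail store: raw messages as a mail server might hold them.
# Every address, host, Message-ID and IP below is invented for this example.
SAMPLE_MAIL_STORE = [
    """Received: from mail.vendor-portal.example (unknown [198.51.100.7])
From: "Accounts" <billing@vendor-portal.example>
To: cfo@corp.example, controller@corp.example
Message-ID: <inv-1001@vendor-portal.example>

Please review the invoice at https://Vendor-Portal.example/Login?utm_source=mail#top.
""",
    """Received: from intranet.corp.example (intranet.corp.example [10.0.0.5])
From: hr@corp.example
To: staff@corp.example
Message-ID: <hr-22@corp.example>

The new policy is posted at https://intranet.corp.example/policy
""",
    """Received: from mail.vendor-portal.example (unknown [198.51.100.9])
From: "Support" <support@vendor-portal.example>
To: ceo@corp.example
Message-ID: <reset-77@vendor-portal.example>

Reset here: https://vendor-portal.example/reset (expires today)
""",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # IPs inside Received headers
TRACKING_PREFIXES = ("utm_", "mc_")  # per-recipient query parameters to ignore


def normalize_url(url):
    """Canonical form for comparison: lowercase scheme and host, fragment and
    tracking parameters dropped, trailing punctuation from the mail text removed."""
    parts = urlsplit(url.strip().rstrip(".,;:)"))
    query = "&".join(kv for kv in parts.query.split("&")
                     if kv and not kv.lower().startswith(TRACKING_PREFIXES))
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", query, ""))


def sender_ips(msg):
    """Every IP recorded in the Received chain (simplification: no distinction
    is made between trusted internal hops and the external originating server)."""
    ips = set()
    for received in msg.get_all("Received", []):
        ips.update(IP_RE.findall(received))
    return ips


@dataclass
class HuntReport:
    indicator: str
    message_ids: list = field(default_factory=list)
    recipients: set = field(default_factory=set)
    sender_ips: set = field(default_factory=set)
    matched_urls: set = field(default_factory=set)


def hunt(indicator, raw_messages):
    """Search the store for an indicator: a full URL (exact match after
    normalization) or a bare hostname (any URL on that host)."""
    by_host = "://" not in indicator
    target = indicator.lower() if by_host else normalize_url(indicator)
    report = HuntReport(indicator=indicator)
    for raw in raw_messages:
        msg = message_from_string(raw)
        urls = {normalize_url(u) for u in URL_RE.findall(msg.get_payload())}
        hits = {u for u in urls if (urlsplit(u).netloc if by_host else u) == target}
        if not hits:
            continue
        report.message_ids.append(msg["Message-ID"])
        report.recipients.update(a.strip() for a in msg["To"].split(","))
        report.sender_ips.update(sender_ips(msg))
        report.matched_urls.update(hits)
    return report


def remediation_actions(report):
    """The follow-ups the article lists, as a plan for the administrator to review."""
    actions = [("purge_message", mid) for mid in report.message_ids]
    actions += [("denylist_url", u) for u in sorted(report.matched_urls)]
    actions += [("denylist_ip", ip) for ip in sorted(report.sender_ips)]
    return actions


if __name__ == "__main__":
    report = hunt("https://vendor-portal.example/Login", SAMPLE_MAIL_STORE)
    for action in remediation_actions(report):
        print(*action)
```

Hunting by full URL finds only the invoice lure, even though the stored copy differs in case and carries a tracking parameter and a fragment; hunting by hostname widens the scope to the password-reset message as well, which is the kind of pivot an administrator makes once the impostor site is known. Whether a recipient actually clicked is not visible in the mail store; that evidence comes from web proxy or endpoint logs and is outside this example.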

Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.