Page 156 - Cyber Defense eMagazine October 2023
URL Hunting in Email Security, Defined
URL hunting, sometimes also known as threat hunting, is the proactive practice of searching for and investigating potentially malicious links that reside on an email server, which typically enter the network via a phishing attempt or a malware-infected message. This process can pinpoint compromising emails that were stealthy enough to circumvent an organization's passive cybersecurity filters. This, unfortunately, is happening more frequently as attackers evolve their methods and acquire better, AI-based tools.
No solution is perfect, but traditional SEG (security email gateway)-based solutions often rely on whitelisting and blacklisting known IP addresses, and are therefore less effective against advanced, AI-generated phishing attempts, where the convincing message itself is what deceives victims into clicking ill-intentioned links.
These URLs often direct to a clever impostor site that spoofs a recognizable vendor or financial institution and requests login and password information. Links can also lead victims to supply credentials for their email accounts, resulting in those accounts being hacked. Cybercriminals often target high-level executives for this activity, since they can use an authoritative email account to demand wire transfers, access financial accounts, or gather personal identifying information about additional employees. This is referred to as BEC, or Business Email Compromise, and its prevalence is escalating in the workplace. According to a Microsoft Cyber Signals report from May 2023, BEC attacks have increased by 38 percent over the past four years.
Only a limited number of cybersecurity solutions incorporate URL hunting, which functions like a search engine that can root out dangerous material. IT administrators can use these tools proactively as a complementary strategy, or reactively when a known threat is suspected of having been triggered on a business network. For instance, if an employee has fallen victim to a phishing scheme on his home computer, the IT team can check whether that same malicious URL has been visited from his office email server, and whether others on the network have received and clicked on the perpetrating link. Or, if administrators get wind of certain link-based malware that is rearing its head in a particular industry, they can identify which users on their own system have visited the offending URL.
How Analytics Can Inform Remediation
Not only does a URL hunting tool enhance the administrator's ability to discover this harmful activity, it can also provide administrators with intelligence to help determine the scope and details of the attack, such as the IP address where the impostor page is being hosted. A sophisticated URL hunting mechanism can perform advanced automated functions, such as presenting the email content to the administrator for examination, blacklisting both the link and the sender's IP addresses for the future, and/or eradicating the message from the recipient's inbox. Detailed analysis of these circumstances can empower IT teams to devise a targeted mitigation plan when an existing threat is revealed.
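The hunt-and-scope workflow described in the two preceding sections, as an added illustration that is not code from the article or from any product it describes: given one known-bad URL, it searches a constructed mail store for every message carrying that link, joins the result with a constructed click log, and returns the remediation scope (recipients, clickers, message ids to purge, sender IPs to block). The mail records, click log, domains and IP addresses are all constructed sample data; the canonical form (lowercased scheme and host, path kept, query and fragment dropped) is an assumption made so that per-recipient tracking parameters do not hide copies of the same link.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample mail store: message id, sending IP, recipient, body text.
MAILBOX = [
    {"id": "m1", "sender_ip": "203.0.113.7", "rcpt": "cfo@example.com",
     "body": "Your invoice is ready: HTTPS://Login-Vendor.example/pay?id=1&utm_source=mail"},
    {"id": "m2", "sender_ip": "203.0.113.7", "rcpt": "ap@example.com",
     "body": "Please review https://login-vendor.example/pay?id=2 today"},
    {"id": "m3", "sender_ip": "198.51.100.4", "rcpt": "hr@example.com",
     "body": "Team lunch poll: https://intranet.example/poll"},
]

# Constructed proxy/click log: (user, URL the user actually visited).
CLICKS = [
    ("cfo@example.com", "https://login-vendor.example/pay?id=1"),
]

# Extracts http(s) links from free text; stops at whitespace or a quote/bracket.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def canonical(url: str) -> str:
    """Normalise a URL so trivially varied copies of one link compare equal.

    Assumption: scheme and host are case-insensitive, and query/fragment are
    dropped because phishing kits often put a per-recipient token there.
    """
    parts = urlsplit(url.strip().rstrip(".,);"))
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", "", ""))


def hunt(ioc_url: str, mailbox=MAILBOX, clicks=CLICKS) -> dict:
    """Scope one known-bad URL across the mail store and click log."""
    target = canonical(ioc_url)
    scope = {"received": set(), "clicked": set(),
             "messages": [], "sender_ips": set()}
    for msg in mailbox:
        if any(canonical(u) == target for u in URL_RE.findall(msg["body"])):
            scope["received"].add(msg["rcpt"])      # who got the link
            scope["messages"].append(msg["id"])     # candidates for purge
            scope["sender_ips"].add(msg["sender_ip"])  # candidates for blocklist
    for user, url in clicks:
        if canonical(url) == target:
            scope["clicked"].add(user)              # who needs credential reset
    return scope
```

The search deliberately matches on the canonical link rather than the literal string, so a report containing `?id=99` still surfaces messages m1 and m2 while the unrelated intranet poll is left alone.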
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.