Zoho Mail Comprehensive Email Security


White Paper

INTRODUCTION

Since the commercialization of the Internet in the mid '90s, email has been one of the most trusted business communication tools.

However, email has also become the most common cyber-attack vector in recent years. Attackers are constantly improving their attack mechanisms to deliver spam, inject malware, and launch phishing attacks or other email-based threats undetected, with the intent to steal, alter, or destroy critical data and information systems.

In fact, according to SpamLaws, about 14.5 billion spam emails are sent every single day. That makes it about 45% of the world's daily email traffic. While this figure is a general consensus, some spam traffic statistics suggest that as many as 73% of all emails are unwanted promotions or malicious in nature. For a small-to-medium-sized business, this means receiving thousands of spam emails yearly, each with varying potential for financial and reputational loss.

With this white paper, Zoho intends to create awareness about the most common email-based threats that businesses face today and to explore in depth the defense mechanisms that Zoho Mail's spam engine employs to ensure secure email communication and business continuity for its customers.

UNDERSTANDING EMAIL-BASED THREATS

According to the FBI's Internet Crime Complaint Center (IC3), cybercrime cost $3.5 billion in losses in 2019 alone, with business email compromise (BEC) causing the most damage. To safeguard the business as well as personal and business data, it is imperative to know the common email-based threat types. This helps avoid vulnerabilities and associated risks by taking the necessary preventative measures.

The 8 typical email-based threats you need to know about

Spam: Unsolicited commercial email, or spam, is unwanted junk email sent out in bulk. Typically, spam is for commercial or advertising purposes, although some attackers use it for distributing malware and viruses. Targeted companies can expect to see a large influx of spam, leading to hampered productivity, security breaches, added bandwidth and storage expenses, disaster recovery expenses, and other issues.

Phishing: Phishing is the practice of sending fraudulent communications, most often targeted at hundreds or thousands of recipients, by someone posing as a legitimate institution, usually through email. The goal is to obtain sensitive information, such as usernames, passwords, and credit card details, often for malicious reasons. An advanced form of this tactic is called "spear-phishing".

Spear-Phishing: This is a highly targeted attack on individuals in order to steal sensitive information such as passwords, account numbers, user IDs, access codes, PINs, or financial information from a specific victim, often for malicious reasons. To acquire these details, the attackers disguise themselves as a trusted entity, individual, friend, or acquaintance, typically through email or other online messaging.

Malware: Malicious software, commonly referred to as malware, is software developed and distributed, usually as a script, to subvert the normal functioning of an electronic device. Malware typically acquires a hold on the device, then starts deleting, corrupting, or encrypting files to demand a ransom.

Viruses: Viruses are a type of malware program that piggybacks onto legitimate application code, then spreads itself from there. Software viruses are loaded onto a user's computer without the user's knowledge and perform malicious actions, destroy data, and slow down system resources.

Ransomware: Ransom malware, or ransomware, is a type of malware with only one aim: to extort money from its victims. It prevents users from accessing their system or personal files and holds them for ransom before allowing the user to regain access.

Social Engineering: Social engineering is the art of manipulating people into giving up confidential information. This attack happens in one or more steps, although it begins by gaining the trust of the victim by phone, email, or even in person. Criminals use social engineering tactics because it's usually easier to take advantage of your natural inclination to trust than to find ways to hack your software.

Business Email Compromise: In BEC attacks, scammers impersonate an employee of the organization in order to defraud the company, its employees, customers, or partners. Attackers target employees who have access to the company's finances or sensitive data, tricking them into performing wire transfers or disclosing sensitive information. These attacks begin with an email, usually relying on social-engineering tactics and compromised accounts rather than viruses or malicious links and attachments, which makes them hard to detect.

The growing variety of threats and the dynamics of today's cyberattacks demand a sophisticated and adaptable first line of defense to safeguard your organization from such email-based threats.

ZOHO MAIL'S COMPREHENSIVE EMAIL DEFENSE

Zoho Mail has a multi-layered anti-spam and email protection engine designed to detect unwanted and unsolicited emails and defend networks against email-based threats. Our approach to spam protection begins with perimeter/edge protection and goes all the way to time-of-click spam protection in the user's inbox, ensuring that your organization not only stays productive, but is also protected from email-borne threats.

Cyber Resilience for Email - Zoho Mail's approach to Email Security

Zoho Mail provides robust, yet simple-to-manage protection from spam by combining the most effective spam elimination technologies into one cohesive, easy-to-manage system. It combines connection analysis, local and global reputation, and advanced statistical and content analysis techniques that inspect all incoming and outgoing emails to protect users from diverse cyber-threats.

CONNECTION LEVEL FILTERING

A. Edge Blocking

Distributed Denial of Service (DDoS) Protection

A DDoS attack is a type of DoS attack in which multiple hijacked systems are used to overload system resources or network bandwidth. These threats may render the email service unavailable, causing disruption in email accessibility. Zoho Mail acts as your first layer of defense against such threats by receiving all inbound emails, assuring that these threats never reach your network perimeter.

Rate Limiting

Automated spam software is often used to send bulk emails to a single mail server. To protect the email infrastructure from email flooding, our spam engine throttles inbound emails for a period of time after the rate limiting threshold is exceeded. It will also block any further connection attempts from repeat offenders. Rate limiting ensures service availability while ensuring your users' inboxes are not flooded with spam.

IP Edge Blocking

Next, the defense mechanism compares the IP addresses of inbound mails against known offender lists, such as:

Dynamic IP Block: The dynamic IP block list is a public block list of malicious IP addresses or address ranges. Instead of blocking the user account, the spam engine blocks the originating IP address for a specific period for its malicious email or failed login attempts using a different username and commonly used passwords.

Third-Party Reputation Check: Third-party reputation services compile and manage lists of desirable or undesirable IP addresses. The spam engine uses these block lists and third-party reputation services as part of its protection system.

B. Reception Level Filtering

Once the emails are received for further processing, the following reception-level checks are done to reject, quarantine, or tag spurious emails.

i. Real-time Block List

An SMTP Real-Time Block List (RBL) is a mechanism for publishing the IP addresses of SMTP spammers. You can configure Zoho Mail's spam engine to use RBL servers to check the IP addresses of incoming requests against known or suspected spam-originating IP addresses.

Note: SMTP RBL is an aggressive spam filtering technique and may produce false positives, as it is compiled from reported spam activity. To avoid emails from trusted sources being blocked by RBLs, add those sources to an Allowed List.

ii. Authentication Check

The Sender Authentication layer uses frameworks such as SPF and DKIM, and also evaluates emails against the sender domain's DMARC policy, to validate the authenticity of the sender with standard protocol checks and to check for domain name spoofing or other camouflaging techniques. Emails that fail these checks are classified as spam or spoofed emails, and the appropriate action is triggered to isolate them.

iii. Spoofing Intelligence

Spoofing: When someone or something pretends to be something else in an attempt to gain our confidence, get access to our systems, steal data or money, or spread malware, it is called spoofing. Cousin domain (look-alike domain) spoofing and display name spoofing are other methods used by phishing tools to make a message look like it comes from a trusted source.

iv. Virus & Malware Scanning

The spam engine uses multiple layers of virus scanning and automatically decompresses archives for comprehensive protection. Virus scanning takes precedence over any other available scanning technique and is applied even if the email passes through any other connection layer. This means that even if an email comes from an "allowed" or "trusted" IP address or domain, it is still scanned for viruses and is blocked if a virus is detected.

v. Greylisting

If spam emails are received from IPs with a very poor reputation, the system automatically greylists the IP address, thereby reducing the amount of spam received.

C. Policy Enforcement

i. Based on IPs

Zoho Mail's spam engine lets administrators define a list of trusted mail servers by IP address, thus avoiding spam scanning for legitimate emails. Likewise, administrators can also maintain a list of fraudulent email senders to block them. In some cases, administrators may also prefer to use IP block ranges to limit specific email servers as a matter of policy rather than as a matter of spam protection.

ii. Based on Domains, TLDs and Emails

Blocked List: This lets you filter out sender addresses and domains from which you never want to receive email.

Allowed List: By approving senders, you can automatically allow messages from trusted mail servers or email addresses. Messages from approved senders or domains are not checked for spam or source reputation. However, messages from this list are still scanned for viruses.

Trusted Lists: Emails from addresses that are added to the Trusted Emails List are delivered to the mailbox without any spam check. These emails will not be validated by SPF/DKIM/block list checks.

iii. Based on Location and Language

Some organizations expect never to communicate with particular countries, or in particular languages, from which they receive a great deal of spam. Therefore, they use country-based or language-based filtering (or both), a technique that blocks email from certain countries or languages. This allows you to identify and block spam emails based on the country of origin.

D. Advanced Threat Protection

i. Phishing URL Detection

This detection module scans incoming emails for known malicious hyperlinks. It enables real-time scanning of links, including links in email messages that point to downloadable content.

ii. Credential Harvesting

Malicious email campaigns use harvested credentials (username and password combinations) to exploit the user's email account or other accounts for additional malicious purposes.
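As an added example (not Zoho Mail's code or part of this paper), the following Python models the reception-level Authentication Check (B.ii) and Spoofing Intelligence (B.iii) on a single From: header: it takes the SPF/DKIM/DMARC verdicts an upstream verifier is assumed to have produced, detects cousin-domain and display-name spoofing against a constructed list of protected domains, and maps the findings to the block/quarantine/allow actions the paper describes. The domain list, the homoglyph table and the sample headers are all constructed for the example.

```python
from email.utils import parseaddr

# Constructed list of domains this deployment protects against imitation
TRUSTED_DOMAINS = {"zoho.com", "example-bank.com"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain):
    """Fold look-alike characters so that 'zoh0.com' compares equal to 'zoho.com'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character typo-squats of a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def cousin_domain(domain):
    """Return the trusted domain that `domain` imitates, or None if genuine or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    nd = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.rsplit(".", 1)[0]
        # homoglyphs, subdomain tricks ('zoho.com.evil.net'), brand-in-name, one-char typos
        if (nd == trusted or nd.startswith(trusted + ".") or brand in nd
                or edit_distance(nd, trusted) <= 1):
            return trusted
    return None


def check_sender(from_header, auth):
    """Map a From: header plus the SPF/DKIM/DMARC verdicts ('pass', 'fail', 'none')
    reported by an upstream verifier to ('allow' | 'quarantine' | 'block', findings)."""
    findings = []
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if auth.get("dmarc") == "fail":
        findings.append("dmarc-fail")
    elif auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        findings.append("unauthenticated")
    imitated = cousin_domain(domain)
    if imitated:
        findings.append("cousin-domain:" + imitated)
    # Display-name spoofing: the name claims a trusted brand but the address lives elsewhere
    shown = display.lower().replace("-", " ")
    claimed = [t for t in TRUSTED_DOMAINS if t.rsplit(".", 1)[0].replace("-", " ") in shown]
    if claimed and domain not in TRUSTED_DOMAINS:
        findings.append("display-name-spoof:" + claimed[0])
    if "dmarc-fail" in findings or imitated:
        return "block", findings
    return ("quarantine" if findings else "allow"), findings
```

A message that merely fails to authenticate is quarantined for review, while a DMARC failure or a look-alike domain is blocked outright, mirroring the paper's ordering of actions.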

iii. Secure Attachment Policy

The Secure Attachment Policy is intended to protect users from malicious files and attachments. Certain attachments containing executable or program files may carry destructive programs or malicious functions that perform phishing, spamming, or other malicious activities on the user's system. To avoid such security threats, emails with certain types of files as attachments are blocked in Zoho Mail.

E. Spam Fingerprint Analysis

i. Spam Identification

Intent Analysis: Every spam email is sent with an "intent" of receiving a reply, a call, or a website visit. With intent analysis, we identify the intention behind the string of emails received and detect whether it is spam. Typically, intent analysis acts as a defense layer that catches phishing attacks.

Content Analysis: Zoho Mail's spam engine enables administrators to set custom content filters based on the subject line, message headers, message body, and attachment file content. In general, administrators do not need to set their own filters for the purpose of blocking spam, as comprehensive analysis mechanisms are preconfigured and constantly upgraded in Zoho Mail's spam engine to tackle evolving spam scenarios intelligently. This allows DLP to maintain complete visibility and control, especially in the case of outbound emails.

Other Analysis:

HTML Tag Based: Emails with a potentially harmful form, embed, iframe, or object tag can also be placed under the spam category if marked as such.

Attachment Filters: The attachment filter facility can reject or quarantine mails based on the attached file's extension. If any of the extensions match, the email is directly rejected or marked as spam.

Blocking attachments with macros: Certain malicious macros in attachments can be executed when opened. You can choose to block attachments that include macros.

ii. Back-scatter Protection

Back-scatter occurs when a spammer sends out spam or virus emails using a forged email address in the "From:" line or as the return path of their messages. This leads to thousands of bounce notifications or autoresponder emails ending up in your mailbox. To combat back-scatter, Zoho ensures that only legitimate Delivery Status Notifications and auto-responders get delivered to your accounts.

iii. Enforcement of RFC Standards

Many spammers use poorly written software or are unable to comply with the standards because they do not have legitimate control of the computer they are using to send spam. By setting tight limits on the deviation from RFC standards, Zoho allows you to reduce spam significantly.

iv. Spam Scoring

Once an inbound message has passed the initial block/accept filters of Zoho Mail's spam engine, it receives a score for its spam probability. Based on this score, the spam engine can take one of the following actions:

- Block
- Quarantine
- Allow (inbound mail only)

v. Quarantine

The spam engine automatically quarantines spam emails, ensuring your inbox is free from any sort of threat. Such quarantined emails are held for 60 days, then discarded. Admins can view the message header of the email to check for and recover any legitimate email that may have been quarantined.

F. Outbound Protection

i. User Level Protection

User authentication: To eliminate the risk of suspicious logins or spoofing, Zoho Mail's spam engine can be configured to perform SMTP authentication, building trust between the customer's email exchange and itself. This prevents spammers from sending mail as a user.

Reputation & Block List Checks: While IP reputation is important, domain reputation and email sender reputation are significant factors when it comes to deliverability. The higher the score, the more likely an Email Service Provider (ESP) will deliver emails to the inboxes of recipients on its network. If the score falls below a certain threshold, the ESP may send messages to recipients' spam folders or even reject them outright. Hence, various mechanisms to validate sender reputation are incorporated.

Rate Limiting: In order to prevent bulk spam emails from getting through, smart rate limiting is enforced on outbound emails. For instance, if a user hits the outbound sending limit within a time frame, they will automatically be prevented from sending any more email until the rolling count drops below the limit.

ii. Content Protection

Content & Intent Analysis: Custom content filtering based on the subject, headers, mail body, and attachment file type can be applied to outbound mail, just as for inbound mail. This further includes URL validation, virus scanning, phishing scanning, detection of spam emails and emails soliciting sensitive information, pattern matching, and more, in order to prevent data leakage and ensure compliance.

Spam Scoring: Just like inbound emails, outbound emails are also assigned a score, based on which the outbound email is sent or blocked.

Outbound Quarantine: Quarantining an outbound message means that the message is suspected to be spam or in violation of policy, and will be stored for the administrator to review and act upon.

iii. Deliverability

Increased Deliverability (based on the sender's IP reputation): Email delivery goes hand-in-hand with the sender's IP reputation. If you have multiple dedicated IP addresses or send multiple types of emails, it is advisable to separate your IPs into IP groups to better manage your sending reputation. Consistent email volume, fewer bounces and complaints, avoiding spam traps, user interactions, and subscription rates are some other factors that positively influence reputation and deliverability.
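An added example (not Zoho Mail's code) of the rolling-count rate limiting described for outbound senders above and for inbound connections under A. Edge Blocking: a per-sender sliding-window limiter that throttles once the limit is reached, re-admits the sender as older sends fall out of the window, and after repeated violations blocks the sender for a period, the "repeat offender" rule. The limits, window sizes and sender names are constructed; timestamps are passed in explicitly so the behaviour is deterministic.

```python
from collections import deque


class RateLimiter:
    """Sliding-window limiter: at most `limit` sends per sender in any `window`
    seconds. After `strikes` rejected attempts the sender is blocked for
    `block_for` seconds (repeat-offender rule). Parameters are constructed."""

    def __init__(self, limit=5, window=60.0, strikes=3, block_for=600.0):
        self.limit, self.window = limit, window
        self.strikes, self.block_for = strikes, block_for
        self.sends = {}          # sender -> deque of send timestamps inside the window
        self.violations = {}     # sender -> number of attempts rejected so far
        self.blocked_until = {}  # sender -> time at which a repeat-offender block expires

    def _rolling_count(self, sender, now):
        """Drop timestamps that have left the window and return the remaining count."""
        q = self.sends.setdefault(sender, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q)

    def allow(self, sender, now):
        """Return (decision, reason); decision is 'accept', 'throttle' or 'block'."""
        if self.blocked_until.get(sender, 0.0) > now:
            return "block", "repeat offender"
        count = self._rolling_count(sender, now)
        if count >= self.limit:
            self.violations[sender] = self.violations.get(sender, 0) + 1
            if self.violations[sender] >= self.strikes:
                self.blocked_until[sender] = now + self.block_for
                return "block", "repeat offender"
            return "throttle", "%d sends in the last %gs" % (count, self.window)
        self.sends[sender].append(now)   # only accepted sends count toward the window
        return "accept", "%d/%d in window" % (count + 1, self.limit)
```

Throttled attempts are not recorded as sends, so a sender who backs off is admitted again as soon as the rolling count falls below the limit, while one who keeps hammering the server is blocked for `block_for` seconds.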

Rate Limiting & Throttling: While rate limiting is applied to ensure that your email servers are not misused for spamming, throttling intelligently spools emails based on the recipient email server's deliverability, ensuring optimal delivery.

G. Time of Click Alerts

Time of Click Alerts are automatic email notifications sent for a certain category of senders, such as unauthenticated senders, senders outside the contact list, and senders external to the organization, as set by the administrator. The feature also alerts users about link-based malware and phishing attacks by analyzing the reputation of a URL at the time the user clicks it on their endpoint.

H. Post Delivery Filtering

While most secure email gateway providers tend to concentrate on preventing phishing, spear phishing, and malware from reaching end users, Zoho Mail's spam engine is effective in providing post-delivery protection as well, extending the defense even to the time of click and beyond.

CONCLUSION

Zoho Mail's comprehensive spam protection is your best defense against email-based threats. Bundled with its elegant web and native email clients, it offers a best-in-class cloud email experience with enterprise-grade mail security.

Our software is extraordinarily simple to set up and manage and provides many features, including 99.97% spam detection, virus and malware blocking, authentication control, outbound scanning, and robust reporting structures.
