Locked out! part three: emails

posted: March 1, 2025

tl;dr: Corporations have introduced further impediments to reading emails...

(continued from part two):

Look, I get it: we humans are not perfect at recognizing phishing emails. Bad actors use phishing emails either to install malware on a recipient’s computer or to lure the recipient to a website the bad actor controls and have them enter personal information there, such as a credit card number, bank account details, or a password. This form of social engineering is rampant these days, and it is one of the major ways that bad actors gain access to supposedly secure computer systems and networks.

For a bad actor who is attempting to penetrate a corporation, all it takes is one recipient who falls for the ploy. Not everyone does a good job of considering the source of an email. Email addresses for workers at a corporation can be collected over time from public information and also deduced from the rules used by each corporation to assign email addresses to workers. After collecting and deducing enough email addresses, the bad actor blasts a phishing email to those email addresses. Even if 99% of the recipients recognize the email as a phishing email and delete it, the 1% who treat it as legitimate and act upon it can be enough to give the bad actor the sensitive information being sought.

The initial attempts taken by corporations to combat this problem focused on education and testing. For many years I’ve had to sit through online training, often by the late Kevin Mitnick from the firm KnowBe4, to teach recipients how to recognize phishing emails and other social engineering attacks. The corporations I’ve worked for have also run tests by sending pseudo-phishing emails to workers, to see how many recipients take an action that they shouldn’t. Rarely is the result of these tests 0%.

[Image: seven lines of text, five in black and two in red, on a white background. Caption: one of the messages I get from an email security service that has placed an incoming email in quarantine]

The past few years have seen corporations rapidly adopt email security services that inspect the emails sent to their email domain. Mimecast is the one used by my current employer. The goal is to detect phishing emails and stop them before they reach the recipient’s inbox, so that the recipient never has the chance to take a harmful action. Given that a successful phishing attack can cost a company a huge sum of money, as well as bad publicity, these corporations have decided that the benefit exceeds the cost. But besides the price of the email security service itself, there is another cost the corporation pays: decreased worker productivity. Reading emails becomes harder and takes longer.

To understand how the inefficiencies arise, it helps to understand what these email security services do with incoming emails. They hold incoming emails, especially those sent from an email address or domain they have never seen before. In a clean, disposable virtual environment (a sandbox), the email security service then opens the email and follows some or all of the links to see where they go. As I described in Tracking email clicks, the links in an email often go to intermediate servers, not the final destination, so the email security service has to follow the whole chain of redirects to see where each link ends up. If the ultimate destination is a website with a poor reputation, like northkoreanhackers.com, the email may be discarded outright or marked as suspicious. A side effect worth knowing about: because the scanner fetches those links itself, a one-click action behind a link (an unsubscribe or a confirmation link that acts on a plain GET request) can be triggered before the recipient ever sees the message. For suspicious emails, the email security service won’t deliver the message to the recipient’s inbox; instead it sends the recipient a separate email about the suspicious one, asking whether it should be blocked or released, and whether future emails from that sender should be permitted to reach the inbox.

Mimecast also rewrites every link in the email so that it points first to a Mimecast server. When the recipient clicks a link, there is a delay while Mimecast checks, at that moment, where the link goes. Mimecast does not follow every link in every email when it is first received, and even if it did, a destination that was harmless at delivery time can be swapped for something more sinister later, which is why the check is repeated at click time.
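The two mechanisms just described, the receipt-time scan that follows redirect chains to a final destination and checks its reputation, and the link rewriting that routes every click through a gateway for a second check, can be sketched in a few dozen lines. The following is an added example written for this post; it is not Mimecast's code and does not reflect its internals. The sample email, the redirect table (standing in for the Location headers a real scanner would fetch over the network), the reputation list and the `clicks.example-gateway.test` endpoint are all constructed here for illustration.

```python
import base64
import re
from email import message_from_string
from urllib.parse import parse_qs, urlsplit

# Constructed sample message (not a real email): one tracked link and one direct link.
SAMPLE_EMAIL = """\
From: newsletter@example-sender.test
To: worker@example-corp.test
Subject: Please confirm your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="https://track.example-sender.test/c/abc123">confirm your account</a>.</p>
<p>Or read our <a href="https://www.example-sender.test/news">latest news</a>.</p>
</body></html>
"""

# Constructed redirect table standing in for the 301/302 Location hops a real
# scanner would follow over the network. The final host is the post's own
# illustrative bad domain.
REDIRECTS = {
    "https://track.example-sender.test/c/abc123": "https://lnk.example-redirector.test/r?x=9",
    "https://lnk.example-redirector.test/r?x=9": "https://northkoreanhackers.com/login",
}
BAD_DOMAINS = {"northkoreanhackers.com"}                # constructed reputation list
MAX_HOPS = 10                                          # stop on loops or endless chains
PROXY = "https://clicks.example-gateway.test/check"    # hypothetical click-check endpoint
HREF_RE = re.compile(r'href="([^"]+)"')


def extract_links(raw: str) -> list[str]:
    """Return every href found in the text/html parts of a raw RFC 5322 message."""
    msg = message_from_string(raw)
    links = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            links.extend(HREF_RE.findall(part.get_payload(decode=True).decode(charset)))
    return links


def resolve(url: str) -> tuple[str, list[str]]:
    """Follow the redirect chain to its end; returns (final_url, chain of URLs visited)."""
    chain = [url]
    while url in REDIRECTS and len(chain) <= MAX_HOPS:
        url = REDIRECTS[url]
        chain.append(url)
    return url, chain


def classify(raw: str) -> dict[str, tuple[str, str, int]]:
    """Map each link to (final destination, verdict, number of redirect hops)."""
    results = {}
    for link in extract_links(raw):
        final, chain = resolve(link)
        host = urlsplit(final).hostname or ""
        verdict = "suspicious" if host in BAD_DOMAINS else "ok"
        results[link] = (final, verdict, len(chain) - 1)
    return results


def screen(raw: str) -> str:
    """Receipt-time decision: quarantine if any link ends up somewhere bad."""
    verdicts = classify(raw)
    return "quarantine" if any(v == "suspicious" for _, v, _ in verdicts.values()) else "deliver"


def rewrite_links(html: str) -> str:
    """Point every href at the click-check proxy, carrying the original URL as a token."""
    def repl(m: re.Match) -> str:
        token = base64.urlsafe_b64encode(m.group(1).encode()).decode().rstrip("=")
        return f'href="{PROXY}?u={token}"'
    return HREF_RE.sub(repl, html)


def decode_proxied(url: str) -> str:
    """Inverse of rewrite_links: recover the original URL from a proxied one."""
    token = parse_qs(urlsplit(url).query)["u"][0]
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()


def click(proxied_url: str) -> tuple[str, str]:
    """Click-time check: re-resolve the destination now, not at delivery time."""
    original = decode_proxied(proxied_url)
    final, _ = resolve(original)
    host = urlsplit(final).hostname or ""
    return final, ("blocked" if host in BAD_DOMAINS else "allowed")


if __name__ == "__main__":
    for link, (final, verdict, hops) in classify(SAMPLE_EMAIL).items():
        print(f"{verdict:10} {hops} hop(s)  {link} -> {final}")
    print("decision:", screen(SAMPLE_EMAIL))
```

The receipt-time path (`classify`, `screen`) is what makes a brand-new domain slow to arrive: every link has to be walked to its end before a verdict exists. The click-time path (`rewrite_links`, `click`) is what makes every click slow afterwards, but it is also the only one of the two that catches a link whose destination was changed after the email was delivered, which you can see by pointing a previously clean entry in `REDIRECTS` at the bad domain and calling `click` again.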

[Image: a few sentences of text alongside the Mimecast logo, on a white background. Caption: a pop-up message displayed by the Mimecast email monitoring service]

All this analysis by the email security service takes time and introduces delay, which adversely affects productivity. I’ve seen Mimecast’s quarantine process take from thirty minutes to more than an hour for an email sent from a brand new domain that Mimecast has never seen before. When I sign up for something on a new website, the confirmation email takes a long time to show up and it is always classified as suspicious. Companies launching new websites and emails from new domains need to take this into account. Establishing a good sender reputation takes time: recipients have to declare that they want the emails released or permitted, and then open and engage with the emails.

Even if you permit emails from a specific address, the email security service may throw out that approval at some point in the future and take you through the whole quarantine process again. With Mimecast I am continually re-permitting emails from sender addresses that I have permitted in the past. Systems like Mimecast claim to be using artificial intelligence (AI). The AI makes different decisions at different points in time.

The slowness in getting to the desired web page after clicking a link is a constant drag on productivity. Instead of the desired web page appearing in a second or two, it is now a five to fifteen second wait. This may not sound like much, but those waits add up over the course of a day, week, month, and year.

Bottom line: these email security services make workers less productive, although they do reduce the chances of a phishing attack succeeding.

Related post: Tracking email opens

Related post: Tracking email clicks