Malicious emails often spend hours in inboxes before being spotted

email
(Image credit: Image Credit: Geralt / Pixabay)

Malicious emails that manage to squeeze past email security solutions usually spend up to three and a half days in the victims’ inboxes before being identified and managed, a report from Barracuda has found. 

Analyzing threat patterns and the ways 3,500 organizations respond to email threats, Barracuda found that an average firm with 1,100 employees will experience approximately 15 email threats every month. Of that number, roughly 10 employees will be impacted by a phishing attack that moves past their organization’s security solution. 

Drilling deeper, Barracuda found that 3% of employees will click on a link sent through a malicious email, which puts their entire firm at risk. In percentages, that may not seem like much, but in absolute numbers, that’s an average of five users that click a malicious link every month.

Considering that it only takes one click or reply for an attack to be successful, even five people a month is plenty for a major headache, Barracuda warns. Furthermore, it found that it takes an average of 16 minutes for users to click on a malicious link.

Employees at the front lines

Investigating how these threats get identified, the company said most get found through internal threat hunting conducted by the IT team. Sometimes they’ll search through message logs, different keywords, or different senders among already delivered mail. Sometimes they’ll get notified by the employees themselves, and sometimes they’ll use community-sourced threat intelligence. 

A small portion of threats (0.4%) got discovered through automated sources, or with the help of previously remediated incidents. 

For Michael Flouton, VP Product at Barracuda Networks, there’s no such thing as 100% effective email security software, which is why businesses must prioritize security awareness training sessions for their employees. 

“Our research even revealed that organizations that train their users will see a 73% improvement in the accuracy of user-reported email after only two training campaigns,” he said.

According to Flouton, businesses should also consider adding automated incident response systems and threat hunting tools, as well as sharing and receiving threat intelligence from other companies. 

These practices could “significantly improve incident response times to post-delivery email threats”, he said, as well as “catching these malicious attacks before they develop into something more severe.”

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.