A week and a half ago, I “celebrated” my 10th year fighting spam. I originally joined Frontbridge in July 2004, and 10 years later I am still with Frontbridge after it was acquired by Microsoft. Since that time, it has been known as:
- Frontbridge (how almost everyone in the email filtering community still knows us)
- Exchange Hosted Services (EHF)
- Exchange Hosted Filtering (EHS)
- Forefront Online Security for Exchange (FOSE)
- Forefront Online Protection for Exchange (FOPE)
- Exchange Online (ExO) and Exchange Online Protection (EOP)
- Office 365 (used interchangeably by me along with the previous bullet point)
I was going to discuss all the changes I’ve seen in spam filtering during the past 10 years. But that would be a really long post and I don’t have the patience to write those anymore.
Instead, I will discuss the three biggest innovations that I have seen in the past three years specifically with regards to anti-phishing (something I have been working on lately):
DMARC is a major revolution in spam filtering because it combines both authentication and a feedback loop to help senders improve their authentication practices. But it also was a major step forward in terms of the amount of cross-organization collaboration to come up with a common protocol, and then have everyone implement it. I’ll have more to say about DMARC in a future post.
DMARC is not the silver bullet for phishing, but what it does, it does very well.
- Advanced Threat Detection I – Attachment Detonation
If you’re not familiar with attachment detonation, it’s because it is relatively new on the scene and it is more for enterprise consumers of spam filters.
We’re all familiar with traditional Antivirus defenses – they match a file in an attachment against a known corpus of malware using signature-based analysis and also apply some heuristics. This is a reactive technology with a little bit of prediction.
Attachment detonation takes the attached file and actually opens it up and executes it during the filtering stage. It does not rely upon signatures. Instead, it uses a series of algorithms to look for suspicious behavior commonly found in malware. Did it change the registry? Does it access the memory? Does it install a rootkit? If so, the attachment is malware. It does this by emulating multiple versions of software where the vulnerability or exploit may exist (e.g., Windows XP, Windows XP SP 1, Windows 7 RTM, Windows 7 RTM fully patched, etc).
This is substantially different than traditional A/V. While A/V vendors use this technology internally to identify malware, Attachment Detonation is turning that internal technology into an actual product.
- Advanced Threat Detection II – Time-of-Click Protection
When I get spam in my inbox or even my junk mail folder, sometimes I click on the link to see where it goes (for research purposes). This goes through our corporate router and proxy and if the URL is bad, I get a message saying “This website is not allowed because it is malicious!” displayed on my screen.
But what if I clicked on that message on my phone while reading the email at the airport?
Time-of-click protection is a technology that is designed to proxy a user’s clicks through a service that inspects the contents of the URL and if it is bad, display a message indicating it is malicious. In other words, it does the work of your web browser which has safe browsing built in.
But not every browser does, especially on a mobile device. Time-of-click protection has multiple uses, but mobile devices that are unprotected, or URLs that turn bad after delivery, are two uses of time-of-click. This is a departure from time-of-scan protection wherein most filters compare any URL within a message against a reputation list. Time-of-click is basically time-travelling where you can update a decision.
Those are the three biggest changes I have seen in the past two years. Who knows what I’ll see in the next two?