|
2 | 2 | title: How Cloudflare prevents email-based phishing attacks |
3 | 3 | pcx_content_type: overview |
4 | 4 | sidebar: |
5 | | - order: 4 |
| 5 | + order: 5 |
6 | 6 | --- |
7 | 7 |
|
8 | | -Email-based phishing attacks can be divided into two main categories: Those with and without a malicious URL or attachment. |
| 8 | +Cloudflare Email Security uses a variety of factors to determine whether a given email message attachment, URL, or specific network traffic is part of a phishing campaign. |
9 | 9 |
|
10 | | -Email Security uses a variety of factors to determine whether a given email message, a web domain or URL, or specific network traffic is part of a phishing campaign (marked with a `Malicious` [disposition](/cloudflare-one/email-security/reference/dispositions-and-attributes/#dispositions)) or other common campaigns (for example, `Spam`). |
| 10 | +These small pattern assessments are dynamic in nature. Cloudflare's automated systems use a combination of factors to clearly distinguish between a valid phishing campaign and benign traffic. |
11 | 11 |
|
12 | | -These small pattern assessments are dynamic in nature and — in many cases — no single one in and of itself will determine the final verdict. Instead, our automated systems use a combination of factors and non-factors to clearly distinguish between a valid phishing campaign and benign traffic. |
| 12 | +Cloudflare's vast global network detects emergent campaign infrastructure and aggregates data for Cloudflare's proprietary analytics engine SPARSE. |
13 | 13 |
|
14 | | -Emails without a Malicious URL or attachment typically fall into the Business Email Compromise (BEC) category. BEC is a type of social engineering attack. In a BEC attack, the attacker falsifies an email message to trick the victim into performing some action - most often transferring money to an account or location the attacker controls. |
| 14 | +SPARSE uses AI and ML models to make effective detections for all types of malicious emails, including Business Email Compromise (BEC). |
15 | 15 |
|
16 | | -To detect these low volume, malicious emails that do not contain malware, malicious links or email attachments, Cloudflare uses machine learning analysis, analyzing email threads, content, sentiment and context via message lexical analysis, subject analysis, word count assessment and sender analysis. Display names are also compared with known executive names for similarity using several matching modeling including the [Levenshtein Algorithm](https://en.wikipedia.org/wiki/Levenshtein_distance), and if matched, lagged when a sender is organization from an unknown domain. |
| 16 | +In a BEC attack, the attacker falsifies an email message to trick the victim into performing some action - most often transferring money to an account or location the attacker controls. |
17 | 17 |
|
18 | | -## Type of malicious attacks |
| 18 | +To detect these low volume, malicious emails that do not contain malware, malicious links or email attachments, Cloudflare analyzes the email thread, content, sentiment and context via message lexical analysis, subject analysis and sender analysis. Display names are also compared with known executive names for similarity using several matching models. |
19 | 19 |
|
20 | | -When malicious payloads or URLs are included or attached to an email, additional steps are taken to protect your users. For example: |
21 | | - |
22 | | -### Malicious payload attached to the message |
23 | | - |
24 | | -- **Example**: Classic campaign technique which utilizes a variety of active attachment types (EXE, DOC, XLS, PPT, OLE, PDF, and more) as the malicious payload for ransomware attacks, Trojans, viruses, and malware. |
25 | | -- **Detections applied**: Machine learning (ML) models on binary bitmaps of the payload as well as higher-level attributes of the payload, with specific focus on signatureless detections for maximum coverage. Additionally, for relevant active payloads, the engine invokes a real-time sandbox to assess behavior and determine maliciousness. |
26 | | - |
27 | | -### Encrypted malicious payload attached to the message, with password in message body as text |
28 | | - |
29 | | -- **Example**: Campaigns that induce the user to apply a password within the message body to the attachment. |
30 | | -- **Detections applied**: Real-time lexical parsing of message body for password extraction and ML models on binary bitmaps of the payload, signatureless detections for maximum coverage. |
31 | | - |
32 | | -### Malicious URLs within message body |
33 | | - |
34 | | -- **Example**: Typical phish campaigns with a socially engineered call to action URL that will implant malware (for example, watering hole attacks, malvertising, or scripting attacks). |
35 | | -- **Detections applied**: Continuous web crawling, followed by real-time link crawling for a select group of suspicious urls, followed by machine learning applied to URL patterns in combination with other pattern rules and topic-based machine learning models for exhaustive coverage of link-based attacks. |
36 | | - |
37 | | -### Malicious payload linked through a malicious payload linked through a URL |
38 | | - |
39 | | -- **Example**: Campaigns where the URL links through to a remote malicious attachment (for example, in a .doc or .pdf file). |
40 | | -- **Detections applied**: Remote document and/or attachment extraction followed by ML detection tree on the payload, instant crawl of links. |
41 | | - |
42 | | -Additional attack types and detections can be found in the [Email Security Detection Methods](/cloudflare-one/email-security/reference/how-es-detects-phish/) documentation. |
| 20 | +Refer to [How we detect phish](/email-security/reference/how-we-detect-phish/#sample-attack-types-and-detections) to learn more about additional attack types and detections. |
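Review bot: new line 10 (`+These small pattern assessments are dynamic in nature.`) has lost its antecedent: the sentence before it (new line 8) only mentions "a variety of factors", and the removed clause that no single assessment determines the final verdict and that factors and non-factors are combined is gone, so either restore that clause or reword to "These assessments" and keep the "no single factor" statement, which is the actual point of the paragraph. New line 8, "a given email message attachment, URL, or specific network traffic", reads as attachments only and drops the message itself, the domain case and the link to the `Malicious`/`Spam` dispositions page that removed line 10 carried; suggest "a given email message, attachment, URL or network traffic" and keep the dispositions link. New lines 12 and 14 introduce SPARSE with no link or definition, and "effective detections for all types of malicious emails" is a claim the page cannot support; prefer "a range of malicious emails, including Business Email Compromise (BEC)" and add a reference for SPARSE. New line 18 keeps the display-name comparison but drops its outcome; the removed line said a match is flagged when the sender is from an unknown domain ("lagged" there is a typo for "flagged"), and that outcome is the security-relevant part. New line 20 changes the link from `/cloudflare-one/email-security/reference/how-es-detects-phish/` to `/email-security/reference/how-we-detect-phish/#sample-attack-types-and-detections`; confirm the new path and anchor resolve, since the other link in this file used the `/cloudflare-one/` prefix, and confirm the target page actually lists the four attack types removed here (attached payload, password-protected payload with the password in the body, malicious URLs, payload behind a URL) before deleting them, otherwise this is content loss rather than deduplication. The sidebar change from `order: 4` to `order: 5` also needs a check that no sibling page already uses 5.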