Fighting Phishing with Heuristics

The Challenge: “Benign” Emails can Destroy Your Network

Spear phishing is a security threat that is extremely challenging for most existing countermeasures. While phishing generally involves trying to trick email recipients into disclosing personal information or clicking on links that contain malware, spear phishing is far more insidious. The spear phishing attacker sends a single email posing as a person known to the recipient.

What’s worse from a technical security point of view, spear phishing emails usually appear to be completely benign, such as a personalized request for information that’s related to a specific project. In fact, from the perspective of most tools, the spear phishing email is benign. It contains no malware. It doesn’t link to anything. It just looks like any other email, except that it’s not. How do you defend against that?

Phishing accounts for an estimated 91% of information security attacks… and few existing solutions provide adequate protection.

Heuristics Explained

This article looks at how advanced heuristics can be employed in the battle against spear phishing. Heuristics, a term derived from the Greek word for “discover,” applies rules learned by experience to subjective decisions. For example, if there’s a fire, we’re told to feel a door before we open it. If the door is hot, don’t open it, because the heat suggests that the fire is raging right outside. We don’t know that the fire is raging, but we are protected by the heuristic rule “if the door is hot, there’s a high probability of fire, so don’t open the door.”

The best thing about heuristics is that a well-designed heuristic system can continually “learn” how to apply its rules better and better, modifying the rules slightly as it gets more information. So, “If the door is hot” becomes “If the door is over 100 degrees Celsius, don’t open it.” The more rules in place, the more sophisticated and nuanced the system’s response to a wide variety of inputs.

Heuristics loom large in virus and malware detection technology. Most anti-virus software is not able to identify every single virus in circulation. The old approach, known as static filtering, tried to match suspected viruses against an existing list of known threats, but there are simply too many viruses being developed every day for anyone to keep track of. Modern anti-virus software, however, can compare the behavior of suspected software with that of a known virus and determine whether the suspected software should be quarantined. For instance, if suspected software is decompiled and reveals sequences of code found in known viruses, it’s probably dangerous. Most email filtering systems, by contrast, do not have sophisticated heuristic engines and depend on variations of static filtering that look at domain-based blacklists or standard verbiage. They cannot evolve to catch one-off spear phishing emails or zero-hour attacks.

Heuristics and Email Security

So how can heuristics be used to assess whether an email is a spear phishing attack or just another harmless work-related email? The stakes are pretty high. Spear phishing is deadly, from a security perspective. Some of the most egregious data breaches of the last few years are thought to have started with spear phishing. These include the hack on Anthem Blue Cross, the alleged theft of the F-35 fighter jet’s blueprints by the Chinese military and the breach of the US Government’s Office of Personnel Management.

In a spear phishing attack, an employee might get an email from someone he thinks is a colleague, sent from a familiar-looking address. For example, if the real colleague’s address is, the attacker might send a message from If the recipient is busy, he won’t notice that the address is different from what he’s seen before. The attacker might reference mutual friends and knowledge gleaned from Facebook, building trust in the lead-up to asking for login credentials for sensitive systems. Last but not least, a fired employee can decide to sell sensitive email addresses and some contextual elements to help hackers.

A heuristic approach to detecting that is a fake would involve a rule that compares the senders of inbound emails with those who have communicated historically with the recipient. Heuristically trained phishing detection software could look for anomalies in sender addresses. Even if the software doesn’t know for a fact that john-doe@gmail is a hacker, it can be taught to flag the suspicious message.
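As an added illustration of the history-based sender rule described above (example code written for this article, not Vade Retro’s engine), the Python below scores an inbound sender against the recipient’s past correspondents and explains which anomalies it found. The free-mail domain list, weights, threshold and sample history are assumed, constructed values.

```python
import difflib
from dataclasses import dataclass, field

# Assumed tuning values for this example, not Vade Retro's.
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
THRESHOLD = 0.5
NEW = "sender never seen in recipient history"

@dataclass
class Verdict:
    score: float
    reasons: list = field(default_factory=list)
    def suspicious(self):
        return self.score >= THRESHOLD

def _parts(addr):
    local, _, domain = addr.lower().rpartition("@")
    return local, domain

def _ratio(a, b):
    return difflib.SequenceMatcher(None, a, b).ratio()

def score_sender(sender, display_name, history):
    """history maps each address that has mailed this recipient before to its display name."""
    sender = sender.lower()
    if sender in history:
        return Verdict(0.0, ["sender already in recipient history"])
    local, domain = _parts(sender)
    best = Verdict(0.2, [NEW])  # unknown sender: mildly suspicious on its own
    for known, known_name in history.items():
        k_local, k_domain = _parts(known)
        score, reasons = 0.2, [NEW]
        if display_name and display_name.lower() == known_name.lower():
            score += 0.4   # same name as a known contact, different address
            reasons.append(f"display name matches known contact {known}")
        if _ratio(local, k_local) >= 0.8:  # john-doe vs john.doe
            score += 0.3
            reasons.append(f"local part resembles {known}")
        if domain != k_domain and _ratio(domain, k_domain) >= 0.85:  # examp1e.com vs example.com
            score += 0.4
            reasons.append(f"domain looks like {k_domain}")
        if score > 0.2 and domain != k_domain and domain in FREEMAIL:
            score += 0.2   # a corporate contact suddenly writing from free-mail
            reasons.append(f"known contact now writing from free-mail {domain}")
        if score > best.score:
            best = Verdict(min(score, 1.0), reasons)
    return best

# Constructed sample history (not real addresses).
HISTORY = {"john.doe@example.com": "John Doe", "alice@example.com": "Alice Smith"}
```

Calling `score_sender("john-doe@gmail.com", "John Doe", HISTORY)` returns a verdict that is flagged, with the reasons listing the display-name match, the near-identical local part and the switch to a free-mail domain.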

Vade Retro uses this kind of heuristic approach to spot spear phishing email. The solution has been “trained” to detect suspicious emails based on an analysis of hundreds of millions of emails from all over the world and over a ten-year period. It has created a huge database of rules using this kind of artificial intelligence to screen inbound messages. As a result, Vade Retro represents a uniquely effective countermeasure to phishing and spear phishing scams that otherwise wouldn’t trigger alarms. Using these rules, Vade Retro is able to effectively catch one-off spear phishing attacks as well as previously never-seen mass attacks—and can stop these attacks starting with the very first email. That’s the kind of security that heuristics can provide and it’s the kind of security that you want to provide your users.

What’s more, Vade Retro is easy to deploy: you can greatly improve overall email protection simply by layering Vade Retro on top of existing anti-spam solutions. Ten minutes and you’re done.

Give us a call at 415-745-3630 or contact us if you want to discuss how you can quickly add anti-phishing measures to your current email setup.