Egress prevent business email compromise with Spamhaus’ Data Query Service

About Egress

Cybersecurity software company, Egress was founded with aim of keeping email users safe, as simply as possible. Their product, Egress Intelligent Email Security, gives users context-driven and genuinely user-friendly analysis of both inbound and outbound email threats, in addition to end-to-end encryption.

When a threat is detected, Egress’ solution provides a real time notification in the user’s email highlighting the risk, such as a phishing attack from a spoofed domain, so the user, or their email administrator, can take immediate action.

Email threats no longer go undetected and the risk of falling victim to cybercriminals is reduced. Both users and their organizations are protected against BEC and other phishing attempts.

Egress’ initial solution

Egress identifies outbound email as the biggest security risk any organization faces, making outbound protection critical to their solution. Much of this efficacy relies on domain data to determine whether the would-be recipient is legitimate or not. This element of the solution was originally managed in-house by Egress, who collated and curated their own domain data.

The challenge of creating a dataset in house

A critical part of any threat-detection dataset is having the breadth of data to assess. The bigger the pool of data, the bigger the chance of finding malicious behavior. This means securing the raw data from a varied and trustworthy network, which takes time to develop and manage.

Robust mechanisms are required too – not only to identify cybercriminals as they develop their approaches to go undetected, but also to deal with operational aspects, like false positives, efficiently.

Egress wanted to enhance their solution while creating more efficiency in-house. Outsourcing to a specialist provider became a necessary consideration.

Finding the right partner for domain data

For Egress, identifying a partner was relatively straightforward. “We knew of Spamhaus as the trusted authority for reputation data, so the domain datasets were a ‘must have’ to include during our trial phase” explained Darren Cooper, Chief Technology Officer, Egress.

For completeness, Egress tested numerous other providers, but Spamhaus proved to be the most effective in catch rates, false-positives, and overall quality,

Egress also required a solution that was genuinely real time. Any latency in confirming whether a domain has a bad reputation could result in an ill-informed user taking action that negatively impacts them and/or their business.

Using Spamhaus’ real time offering, DQS, Egress’ customers would be protected as soon as a threat is listed, 24/7. DQS also allowed the team to use their existing infrastructure, and once set up, no further maintenance would be required.

A solution with actionable data

By analyzing 3 million domains every day, Spamhaus ensures Egress’ customers are protected with broad and consistent threat-detection coverage.

Data from the Domain List (DBL) provides customers with insight on domains owned by spammers or used for malicious purposes, including otherwise legitimate domains that have been compromised. This is essential for Egress customers. Why?

It’s extremely difficult for Joe Bloggs, your average email user, to identify if a previously legitimate sender, say [email protected], has had their domain and mailbox hijacked. With a well-crafted spear phishing attack, there’s very little to prevent Mr Bloggs from sharing valuable information or clicking through to a compromised link, such as example.com/1ogin_and_pay_here.

Alternatively, using the DBL, Egress would flag a notification directly in Joe’s draft email highlighting the concern, allowing Joe, or Joe’s email administrators, to act and significantly reduce the risk of BEC.

Egress also utilizes the Zero Reputation Domain list (ZRD) to provide intelligence on domains registered in the last 24 hours. This is an effective screening tool as domains are rarely used by legitimate owners as soon as they are registered.

How it works operationally

When a user composes an email and populates the ‘To’ field, Egress’ solution makes a query via DQS to the Domain Lists to identify if there’s a listing. If the would-be recipient’s domain is listed, the user is notified and can make an informed decision on whether they pursue the communication or not. Equally, their action can be blocked by administrators. This not only impacts immediate action, but provides real time teachable moments to empower users to identify future threats too.

Benefits for Egress

Egress has been using the domain data via DQS since April 2021 and highlighted four key benefits:

1. Reliability of data – data quality has remained consistent, without need for enhancement or ongoing management. The team can divert attention elsewhere with this ‘set and forget’ solution.
2. Handling of false positives – with Spamhaus’ robust mechanisms, false positives are dealt with efficiently and consistently with minimum impact to the customer.
3. Resource capacity – by identifying an external data partner, Egress’ internal researchers and developers can focus on other challenges to improve the end solution for their customers.
4. Cost reduction and value increase – the pricing of DQS was compelling alone, teamed with the decrease in data management time, the added overall value was significant.

“We have a truly reliable, consistent source of domain intelligence. With great coverage and low false positives, our customers continue to have confidence in our product”, Darren Cooper, Chief Technology Officer, Egress.

The importance of partnership

The more we can work with likeminded organizations aiming to achieve a common goal – in this case making the internet a safer place – the more focus each organization has on tackling a different piece of the puzzle.

In this case, Spamhaus focuses on providing threat intelligence data that can be easily made operational. Egress focuses on creating user-friendly solutions and preventing email users becoming victims. A symbiotic relationship to tackle the bigger problem.

To make the online world safer, we must all work to build stronger relationships and continue working as a community.

[1] https://www.tripwire.com/state-of-security/featured/fbi-statistics-underline-orrific-cost-of-business-email-compromise/