Email Protection

Although it is important for all organizations to protect users from email-borne security threats, email protection in the healthcare industry has an added significance due to the value of Protected Health Information on the black market and the number of hackers trying to access it illegally.

The healthcare industry has long been a target for hackers and cybercriminals; but, since the start of the COVID-19 pandemic, ransomware attacks on healthcare facilities have increased by more than 50%. Most ransomware attacks start with a phishing email which delivers self-propagating malware that allows hackers to access the network, extract data, and deploy the ransomware payload.

Security software vendors attempt to keep pace with the increase in email-borne security threats; but it is often the case that hackers quickly find ways to circumvent the latest email protection measures. For example, within a year of Microsoft announcing DMARC support across all Office 365 email platforms, hackers had found eighteen ways to bypass the sender authentication mechanism.

How to Better Protect Inboxes

One option to better protect inboxes from email-borne security threats is to implement an email filter with greylisting capabilities. Greylisting is a process that automatically returns emails from external sources to the mail server from which they originated – unless the email originates from a trusted source and has been previously whitelisted by a system administrator.

Mail servers are equipped with mail retry capabilities to resubmit emails that are not delivered straightaway; and, when a greylisted email is returned to the mail server, it is put into a mail retry queue and usually resent within minutes. When the greylisted email is resubmitted, the email filter recognizes it has already been greylisted and allows it through to the other filtering processes.

Spammers' servers often have the mail retry capability disabled because multiple emails are returned to them (i.e., for failing recipient verification tests); and, if the returned emails were added to the mail retry queue, the servers would get backlogged trying to resubmit mails that will never be delivered. Consequently, greylisted spam emails are rarely resubmitted.
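
The greylisting flow described above can be expressed as a small decision function. This is an added example, not code from the original article or from any particular email filter. It assumes the common implementation choices of tracking each (client IP, sender, recipient) combination, answering the first attempt with SMTP temporary-failure code 451, and requiring a minimum delay before a retry is accepted; the class name, parameter names, and sample addresses are hypothetical.

```python
import time

class Greylist:
    """In-memory greylisting decision logic (illustrative, not a production filter)."""

    def __init__(self, min_delay=60, retry_window=4 * 3600, whitelist=()):
        self.min_delay = min_delay        # seconds that must pass before a retry counts
        self.retry_window = retry_window  # entry expires this long after the first attempt
        self.whitelist = set(whitelist)   # trusted client IPs that skip greylisting
        self.first_seen = {}              # (client_ip, mail_from, rcpt_to) -> first attempt time

    def check(self, client_ip, mail_from, rcpt_to, now=None):
        """Return (smtp_code, reason) for a single delivery attempt."""
        now = time.time() if now is None else now
        if client_ip in self.whitelist:
            return 250, "whitelisted source"
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        seen = self.first_seen.get(key)
        if seen is None or now - seen > self.retry_window:
            # First attempt (or stale entry): record it and defer the message.
            self.first_seen[key] = now
            return 451, "greylisted, try again later"
        if now - seen < self.min_delay:
            # Immediate re-send without queueing is typical of bulk mailers.
            return 451, "retry too soon"
        return 250, "retry accepted, pass to remaining filters"

def replay(greylist, attempts):
    """Feed (time, client_ip, mail_from, rcpt_to) tuples through the filter."""
    return [greylist.check(ip, s, r, now=t)[0] for t, ip, s, r in attempts]

# Constructed sample traffic (documentation IP ranges and example domains).
RCPT = "records@clinic.example"
SAMPLE = [
    (0,   "192.0.2.10",   "billing@supplier.example", RCPT),  # first attempt
    (5,   "198.51.100.7", "promo@bulk.example",       RCPT),  # spam, never retried
    (30,  "192.0.2.10",   "billing@supplier.example", RCPT),  # retry before min_delay
    (300, "192.0.2.10",   "billing@supplier.example", RCPT),  # retry from queue
    (310, "203.0.113.5",  "lab@partner.example",      RCPT),  # whitelisted source
]

if __name__ == "__main__":
    gl = Greylist(whitelist={"203.0.113.5"})
    for attempt, code in zip(SAMPLE, replay(gl, SAMPLE)):
        print(attempt[0], attempt[1], attempt[2], "->", code)
```

The spam sender in the sample receives a single 451 and never reappears, which is why such messages do not show up in quarantine or spam-folder counts.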

The Effectiveness of Greylisting for Email Protection

Because greylisted spam emails are rarely resubmitted – and therefore never quarantined or sent to a spam folder – it is difficult to quantify the real-world effectiveness of greylisting. However, in tests, greylisting has improved spam detection rates from 99% to 99.9% and, as many spam emails harbor malware, it is fair to suggest that greylisting has the same impact on email-borne security threats.

Furthermore, with fewer spam emails being accepted by the email filter, the subsequent filtering processes work more efficiently. For healthcare organizations that receive a large volume of email, this means that genuine emails are tested, checked, scanned, and delivered quicker – mitigating delays due to the greylisting process initially returning the emails to their originating server.

Thereafter, because the email filter is working more efficiently, it is not necessary to whitelist multiple trusted sources. This not only reduces the management overhead for system administrators, but also mitigates the risk that a trusted source might be compromised by a hacker and the compromised account exploited to send phishing emails with apparently genuine links.

Equipping Existing Email Filters with Greylisting Capabilities

Not all email filters support greylisting email protection. Some vendors claim that existing sender authentication processes are sufficient to block phishing emails, while others are reluctant to delay the delivery of emails by initially returning them to their originating servers. Furthermore, greylisting email protection is not guaranteed to block all email-borne security threats.

Nonetheless, greylisting can help reduce the number of threats evading detection; and, at a time when the number of ransomware attacks on healthcare facilities is increasing, any mechanism that can better protect email inboxes should be adopted. But what if the organization is already committed to an email filtering service that does not support greylisting email protection?

Email filters with greylisting capabilities do not have to be deployed as standalone solutions. They can be deployed in front of existing email filtering services to greylist inbound emails before allowing them through to the existing filtering service. Although this increases the cost of email filtering, the cost of adding a second email filter is easily justified if it prevents a single ransomware attack.
