When it comes to protecting mailboxes against unwanted, unsolicited or even malicious emails, spam filtering is the first line of defence. And spam filtering, while a permanent fight against windmills à la Don Quixote or against boulders and gravity à la Sisyphus, is reasonably easy: you just need the right patterns of bad emails to filter them out. The real challenge comes afterwards: identifying emails with malicious content hidden behind links and URLs or within attachments, i.e. the malware detection and detonation part. Let’s enter the Boss Level (like in any great movie or video game).
Actually, it’s easy to complain about spam filtering when receiving emails which are obviously spam, full of typos, of no relevance or simply and plainly dumb and stupid. On the other hand, training the spam filter is complicated and complex, in particular in an Organization like CERN where emails come from all corners of the planet, are written and read in all languages of the world, and are answered day and night. It’s even more complicated given that CERN allows personal use of the @cern.ch email address, meaning that it receives not only professional and work-related emails but also personal exchanges, private invoices, advertising and newsletters, some directly, some forwarded from external mail hosting services like Gmail or from your institute’s mail system. Finding the right balance between true spam emails to be rejected and those where some doubt remains is difficult, and as the CERN mail service prefers to be transparent, in case of doubt, emails are delivered either to your junk folder or withheld in the spam system’s quarantine. But before delivery, there’s one more step. Here comes the Superboss.
Evil attackers are permanently out to trick you. To convince you to click on that one malicious link, to open that one malicious attachment. One click and your password might be at risk, your computer infected, or your work or private life in peril. Ideally, such emails won’t ever make it into your mailbox thanks to our sophisticated “email detonation” appliances. For each suspicious email, these appliances spin up virtual machines with different operating system flavours (Windows 10, Windows 11, etc.), open the suspicious email and simulate user interactions: clicking, opening attachments, mouse movements. You get it. They wait to see whether the email, the clicked link or the attachment does something unexpected, i.e. whether it “detonates”. This includes contacting external IP addresses, downloading external files or manipulating operating system settings or the file system: actions you wouldn’t expect when just reading an email or an attached PDF. If it detonates, quarantining that email is advised. Master the Boss Rush, defeat the Bosses. Over and over again. Like Don Quixote or Sisyphus.
CERN’s mail service and Computer Security team are currently deploying a new Boss fighter, Xorlab’s “ActiveGuard”. ActiveGuard complements Microsoft’s spam filter (Microsoft Exchange Online Protection, “EOP”) and is intended to replace Microsoft’s native solution, Microsoft Defender for Office (MDO), which showed deficiencies in detection quality when compared with our previous solution from FireEye*. ActiveGuard is an in-line cloud solution for email protection, malware identification and containment, and malicious attachment detonation. It also comes with security enhancements based on commonly used industry standards, namely DMARC validation. While this might break certain functionalities (like external mailing lists spoofing cern.ch email addresses), these standards significantly improve the security of any email exchange by preventing email sender spoofing. And fighting the Boss requires the right weapons…
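A minimal DMARC alignment evaluation, added here as an illustration and not part of this article or of ActiveGuard: it shows why a mailing list that re-sends a message with a cern.ch-style From: address fails validation once the domain publishes an enforcing policy. All domain names and the DMARC record are constructed, and the organisational-domain lookup is simplified to the last two labels (no public suffix list).

```python
# Added example, not the article's or Xorlab's code. Domains and records are constructed.

def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s; aspf=r' into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    if tags.get("v") != "dmarc1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")  # relaxed alignment is the RFC default
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    """Organisational domain, simplified to the last two labels (assumption: no public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_verdict(from_domain, record, spf_domain=None, spf_pass=False,
                  dkim_domain=None, dkim_pass=False):
    """Return ('pass'|'fail', policy). DMARC passes only if SPF or DKIM passes AND the
    authenticated identifier aligns with the RFC5322.From domain; otherwise p= applies."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and spf_domain is not None and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and dkim_domain is not None and aligned(from_domain, dkim_domain, tags["adkim"])
    return ("pass" if (spf_ok or dkim_ok) else "fail"), tags["p"]

# Constructed record for an example domain (NOT cern.ch's real record).
EXAMPLE_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r"

if __name__ == "__main__":
    # Direct mail from the domain's own servers: SPF passes and is aligned -> pass.
    print(dmarc_verdict("example.org", EXAMPLE_RECORD, spf_domain="example.org", spf_pass=True))
    # External mailing list re-sends with an example.org From: header. SPF passes for the
    # list's own domain but does not align, and the list broke the original DKIM signature
    # (footer added), so DMARC fails and the p=reject policy applies.
    print(dmarc_verdict("example.org", EXAMPLE_RECORD, spf_domain="lists.example-list.net",
                        spf_pass=True, dkim_domain="example.org", dkim_pass=False))
```

The second call is the mailing-list case the article warns about: the receiver sees a failing DMARC result and, with p=reject or p=quarantine, the message never reaches the inbox unless the list rewrites the From: header.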
All email users will benefit from the additional email protection provided by this Boss fighter. However, especially at the beginning while we’re still fine-tuning the filtering of EOP and ActiveGuard, you might see a bit more unwanted mail either quarantined or delivered to your junk folder. In addition, another slight drawback we’re still working on is that both solutions, EOP and ActiveGuard, independently provide you with information about the emails they have quarantined, so that you can review them and decide whether or not to release them yourself. During the roll-out phase we hope to tune this in such a way that the number of false positives to be reviewed by you (and those to be reviewed by us!) reaches an acceptable minimum. Have patience with us if we don’t get it quite right at first, and be comforted by the fact that these new spam and malware appliances effectively and efficiently fight the Bosses for you!
* MDO detected only about 5–50% of the quarantined messages forwarded to it from FireEye, which have a very high true positive rate. Six months of discussion with Microsoft support have not resolved this discrepancy. With the new solution, we will repeat this exercise. However, what the (security) world might need is a “Virustotal” for email security products.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.