Nearly a Third of Malicious Emails Are Spotted by Users, Not Investigative IT Teams

On average, it takes three and a half days (83 hours) from the moment a malicious email lands in an employee's inbox to the point where it is discovered by a security team or reported by end users and remediated, says new insight from Barracuda Networks, the trusted partner and leading provider for cloud-enabled security solutions.

Barracuda researchers analysed threat patterns and response practices across 3,500 organisations in their most recent Threat Spotlight, which this month examines what happens after a malicious email bypasses an organisation’s security measures and lands in a user’s inbox. They found that an average organisation with 1,100 users will experience around 15 email security incidents per month, and that, on average, 10 employees will be impacted by each phishing attack that manages to get through.

Most worryingly, Barracuda observed that 3% of employees will click on a link in a malicious email, exposing the entire organisation to attackers. Whilst this figure sounds small, Barracuda experts reminded businesses that an average organisation of 1,100 users will have around five users who click on a link within a malicious email every month, and it only takes one click or reply for an attack to be successful. Considering that it takes an average of only 16 minutes for users to click on a malicious link, improved investigation and remediation are key, the Threat Spotlight concluded.

Interestingly, two-thirds of the malicious emails that had landed in employees' primary inboxes were discovered through internal threat hunting investigations launched by the IT team. These investigations can be initiated in a variety of ways. Common practices include searching through message logs or running keyword or sender searches of already delivered mail. Another 24% of incidents were created from user-reported emails, 8.1% were discovered using community-sourced threat intelligence, and the remaining 0.4% through other sources such as automated or previously remediated incidents.

Michael Flouton, VP Product, Barracuda Networks, comments:

“There is no such thing as cybersecurity software which is 100% effective against inbound email attacks, and organisations must prioritise security awareness training sessions for their employees – our research even revealed that organisations that train their users will see a 73% improvement in the accuracy of user-reported email after only two training campaigns.

“Organisations should also consider automating incident response systems, adopting threat hunting tools, and sharing and receiving threat intelligence from other companies, all for the purpose of significantly improving incident response times to post-delivery email threats, and catching these malicious attacks before they develop into something more severe.”

  • Francis is a junior journalist with a BA in Classical Civilization; he has a specialist interest in North and South America.