Why is Email the Main Gateway for Ransomware?
90% of ransomware attacks start with a malicious email. Phishing remains the most effective method for delivering ransomware to organizations because:
- Email reaches employees with access to critical data directly
- Users are accustomed to opening attachments and clicking links
- Even aware employees make mistakes under time pressure
- Attacks are increasingly sophisticated (spear phishing, BEC)
| Ransomware Attack Vector | Share (2025) |
|---|---|
| Email (phishing, attachments) | 90% |
| Vulnerability exploitation (RDP, VPN) | 6% |
| Malvertising, drive-by download | 2% |
| USB, insider threat | 2% |
📚 Read the complete guide: Ransomware: what it is, how to protect yourself, what to do after an attack (Ransomware - czym jest, jak się chronić, co robić po ataku)
Anatomy of an Email-Based Ransomware Attack
Typical attack scenario:
┌─────────────────────────────────────────────────────────────────┐
│ 1. RECON: Attacker gathers company info (LinkedIn, web) │
└─────────────────────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────────────┐
│ 2. WEAPONIZATION: Prepares email with attachment/link │
│ - Fake invoice (invoice_2026.xlsm) │
│ - Document with macro │
│ - Link to fake login page │
└─────────────────────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────────────┐
│ 3. DELIVERY: Sends email impersonating trusted sender │
│ - Vendor domain spoofing │
│ - Compromised trusted partner account │
└─────────────────────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────────────┐
│ 4. EXPLOITATION: User opens attachment/clicks link │
│ - Macro downloads dropper │
│ - Credential harvesting │
└─────────────────────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────────────┐
│ 5. INSTALLATION: Ransomware installs in system │
│ - Persistence (autostart, scheduled tasks) │
│ - Lateral movement (PsExec, WMI, SMB) │
└─────────────────────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────────────┐
│ 6. ENCRYPTION: File encryption, ransom demand │
└─────────────────────────────────────────────────────────────────┘
Layered Email Protection (Defense in Depth)
Effective protection requires multiple layers:
┌────────────────────────────────────────────────────────────┐
│ EMAIL PROTECTION LAYERS │
├────────────────────────────────────────────────────────────┤
│ 1. SENDER AUTHENTICATION │
│ • SPF - who can send on behalf of domain │
│ • DKIM - cryptographic signature │
│ • DMARC - policy and reporting │
├────────────────────────────────────────────────────────────┤
│ 2. SECURE EMAIL GATEWAY (SEG) │
│ • Anti-spam, anti-malware │
│ • Sender/IP reputation │
│ • Heuristic analysis │
├────────────────────────────────────────────────────────────┤
│ 3. ATTACHMENT SANDBOXING │
│ • Detonation in isolated environment │
│ • Behavioral analysis │
│ • Zero-day protection │
├────────────────────────────────────────────────────────────┤
│ 4. URL PROTECTION │
│ • Time-of-click analysis │
│ • URL rewriting │
│ • Malicious site blocking │
├────────────────────────────────────────────────────────────┤
│ 5. USER AWARENESS │
│ • Phishing training │
│ • Attack simulations │
│ • Suspicious email reporting │
└────────────────────────────────────────────────────────────┘
SPF, DKIM, DMARC - Security Foundation
SPF (Sender Policy Framework)
SPF defines which servers can send email on behalf of your domain.
How it works:
- You publish a DNS TXT record with list of authorized servers
- Receiving server checks if sender is on the list
- If not - email may be rejected or marked as spam
Example SPF record:
yourcompany.com TXT "v=spf1 include:_spf.google.com include:sendgrid.net ip4:1.2.3.4 -all"
Explanation:
- v=spf1 - SPF version
- include:_spf.google.com - authorize Google Workspace servers
- include:sendgrid.net - authorize SendGrid
- ip4:1.2.3.4 - authorize a specific IP address
- -all - reject everything else (hard fail)
SPF policies:
| Policy | Meaning | Recommendation |
|---|---|---|
| +all | Accept everything | NEVER use |
| ~all | Soft fail (mark as suspicious) | Testing phase |
| -all | Hard fail (reject) | Production |
| ?all | Neutral | Doesn’t protect |
Two caveats practitioners run into:
- SPF is checked against the envelope sender (MAIL FROM / Return-Path), not the From: address the user sees. On its own it does not stop From: header or display-name spoofing; that protection comes from DMARC alignment.
- A record may trigger at most 10 DNS lookups (include, a, mx, ptr, exists and redirect count, including the lookups inside nested includes). Exceeding the limit produces a permerror and receivers treat the record as invalid; this is the most common way SPF silently stops working after a few SaaS senders are added.
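An offline check for records like the one above, added here as an example (it is not code from the page): it splits an SPF record into terms, counts the DNS-querying mechanisms against the limit of 10 in RFC 7208 and flags the `all` qualifiers the table marks as weak. The records in the block are constructed; because no DNS is queried, the lookups hidden inside `include:` records are not expanded, so the real count can only be higher.

```python
"""Offline SPF record lint (added example). Parses a record into terms, counts
DNS-querying terms against the RFC 7208 limit of ten, and flags weak or
misplaced 'all' qualifiers. Only the top-level record is inspected: the
records behind include:/redirect= would add to the count in a live check."""
import re

# Mechanisms and modifiers that cost a DNS query (RFC 7208 section 4.6.4)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM_RE = re.compile(r"([+\-~?]?)([A-Za-z0-9]+)(?:[:=](.*))?")


def parse_spf(record: str) -> list[tuple[str, str, str]]:
    """Split an SPF record into (qualifier, name, value) triples.
    A missing qualifier defaults to '+' as the RFC specifies."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record (must start with v=spf1)")
    parsed = []
    for term in terms[1:]:
        m = TERM_RE.fullmatch(term)
        if m is None:
            raise ValueError(f"malformed term: {term!r}")
        parsed.append((m.group(1) or "+", m.group(2).lower(), m.group(3) or ""))
    return parsed


def lint_spf(record: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    terms = parse_spf(record)
    names = [name for _, name, _ in terms]
    findings = []

    lookups = sum(1 for name in names if name in LOOKUP_TERMS)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS-querying terms; more than {MAX_LOOKUPS} "
                        "yields permerror and receivers treat the record as broken")

    # 'all' must be last: anything after it is never evaluated
    if "all" in names and names.index("all") != len(names) - 1:
        findings.append("terms after 'all' are ignored")
    if "all" not in names and "redirect" not in names:
        findings.append("no 'all' term: unlisted senders get a neutral result")

    for qual, name, _ in terms:
        if name != "all":
            continue
        if qual == "+":
            findings.append("+all authorizes every host on the internet")
        elif qual == "?":
            findings.append("?all is neutral and protects nothing")
        elif qual == "~":
            findings.append("~all is a soft fail; switch to -all once every sender is listed")

    if "ptr" in names:
        findings.append("ptr is deprecated (RFC 7208) and slow to evaluate; use ip4/ip6")
    return findings


if __name__ == "__main__":
    # Constructed records for illustration
    for rec in ("v=spf1 include:_spf.google.com include:sendgrid.net ip4:1.2.3.4 -all",
                "v=spf1 +all",
                "v=spf1 " + " ".join(f"include:svc{i}.example" for i in range(11)) + " ~all"):
        print(rec, "->", lint_spf(rec) or "OK")
```

Run it against the TXT record pulled with `dig TXT yourcompany.com`; the third constructed record shows the failure mode that matters most in practice, a domain that has accumulated eleven SaaS includes and no longer authenticates anything.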
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to every outbound email.
How it works:
- The sending server signs selected headers (From, Subject, Date, ...) and a hash of the body with the domain’s private key; the DKIM-Signature header carries the signing domain (d=) and a selector (s=)
- The public key is published in DNS under <selector>._domainkey.<domain>
- The receiving server fetches the key named by the selector and verifies the signature
Example DKIM record:
selector1._domainkey.yourcompany.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqh..."
Benefits:
- Verification that the signed headers and body were not modified in transit
- Cryptographic proof that the d= domain took responsibility for the message
- Survives forwarding and mailing lists, where SPF breaks because the envelope sender changes; this is why DMARC needs DKIM in practice
Caveats: a DKIM pass only says who signed, so DMARC additionally requires d= to align with the From: domain. Use 2048-bit RSA keys (RFC 8301 recommends 2048, 1024 is the minimum) and rotate selectors periodically.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC combines SPF and DKIM into coherent policy with reporting.
Example DMARC record:
_dmarc.yourcompany.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com; pct=100"
Explanation:
- v=DMARC1 - version
- p=reject - policy for mail that fails both aligned SPF and aligned DKIM
- rua=mailto:... - address for aggregate (daily XML) reports
- pct=100 - percentage of failing mail the policy is applied to
Useful optional tags: sp= (policy for subdomains, defaults to p), adkim= and aspf= (alignment mode: r = relaxed, organizational domain match, the default; s = strict, exact match), ruf= (forensic reports, which most large receivers do not send).
DMARC policies:
| Policy | Action | When to use |
|---|---|---|
| p=none | Reporting only | Initial phase (monitoring) |
| p=quarantine | Mark as spam | Transition phase |
| p=reject | Reject | Full protection |
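What a receiving server actually does with the three records, shown as an added example rather than code from the page: it takes the SPF result on the envelope (Return-Path) domain and the DKIM results on each signature’s d= domain, checks whether those domains align with the From: header under the adkim/aspf mode, and only then applies p= (or sp= for a subdomain). The public-suffix set is a tiny stand-in for the real Public Suffix List, and the message results and the attacker.example / forwarding scenarios are constructed.

```python
"""How a receiver combines SPF and DKIM into a DMARC verdict (added example).
The decisive step is alignment: the domain that passed SPF (the envelope
MAIL FROM / Return-Path domain) or DKIM (the d= tag of a signature) must match
the domain in the visible From: header, exactly (strict) or by organizational
domain (relaxed). A raw SPF or DKIM pass on some other domain counts for nothing."""
from dataclasses import dataclass, field

# Tiny stand-in for the Public Suffix List that real receivers consult
PUBLIC_SUFFIXES = {"com", "net", "org", "pl", "co.uk"}


def organizational_domain(domain: str) -> str:
    """'bounce.mail.example.com' -> 'example.com' (one label above the public suffix)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return domain.lower()


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into tags, filling in RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("invalid DMARC record")
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")       # relaxed SPF alignment unless aspf=s
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    tags.setdefault("pct", "100")
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str                 # domain of the RFC 5322 From: header
    spf_domain: str                  # MAIL FROM (Return-Path) domain SPF was checked on
    spf_result: str                  # 'pass', 'fail', 'softfail', 'none', ...
    dkim: list = field(default_factory=list)   # [(d= domain, result), ...]


def evaluate_dmarc(record: str, auth: AuthResults) -> dict:
    """Return the DMARC result and the disposition the policy asks for."""
    policy = parse_dmarc(record)
    spf_aligned = (auth.spf_result == "pass"
                   and aligned(auth.spf_domain, auth.from_domain, policy["aspf"]))
    dkim_aligned = any(result == "pass" and aligned(d, auth.from_domain, policy["adkim"])
                       for d, result in auth.dkim)
    passed = spf_aligned or dkim_aligned
    # sp= applies when From: is a subdomain of the domain that published the record
    is_subdomain = auth.from_domain.lower() != organizational_domain(auth.from_domain)
    requested = policy["sp"] if is_subdomain else policy["p"]
    # pct<100 would apply `requested` to only that share of failing mail; the
    # sampling is random on the receiver side and is not modelled here
    return {"result": "pass" if passed else "fail",
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "disposition": "none" if passed else requested}


RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com; pct=100"

# Constructed scenarios
SCENARIOS = {
    # normal outbound mail: bounces go to a subdomain, relaxed SPF alignment still passes
    "normal": AuthResults("yourcompany.com", "bounce.yourcompany.com", "pass",
                          [("yourcompany.com", "pass")]),
    # mailing-list forward: SPF now fails (forwarder's envelope), DKIM survives
    "forwarded": AuthResults("yourcompany.com", "lists.example.org", "fail",
                             [("yourcompany.com", "pass")]),
    # spoof: the attacker's own SPF and DKIM pass, but on attacker.example, not on From:
    "spoof": AuthResults("yourcompany.com", "attacker.example", "pass",
                         [("attacker.example", "pass")]),
}

if __name__ == "__main__":
    for name, auth in SCENARIOS.items():
        print(name, evaluate_dmarc(RECORD, auth))
```

The "spoof" scenario is the point of the whole section: an attacker can always get SPF and DKIM to pass for a domain they control, and only the alignment requirement ties those passes to the address the user sees.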
DMARC implementation timeline:
| Week | Action |
|---|---|
| 1-2 | Implement SPF for all email sources |
| 3-4 | Implement DKIM |
| 5-6 | DMARC p=none + report analysis |
| 7-8 | Fix sources failing SPF/DKIM |
| 9-10 | DMARC p=quarantine |
| 11-12 | DMARC p=reject |
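The "report analysis" and "fix sources" steps in weeks 5-8 mean reading the XML aggregate reports that arrive at the rua= address. The block below is an added example (not the page’s code) that parses a report in the RFC 7489 Appendix C format, separates the aligned results in policy_evaluated from the raw results in auth_results, and lists failing sources by volume. The report, its IP addresses and the helpdesk-saas.example sender are constructed, and the triage rule in classify() is a heuristic of this example, not part of the standard.

```python
"""Parse a DMARC aggregate (RUA) report and list the sending sources that need
fixing before moving from p=none to p=quarantine/reject (added example).
The XML below is constructed in the RFC 7489 Appendix C shape; real reports
arrive as gzip/zip attachments, one per receiving organization per day."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>2026-01-15-1</report_id>
    <date_range><begin>1768435200</begin><end>1768521600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourcompany.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>1.2.3.4</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourcompany.com</domain><result>pass</result></dkim>
      <spf><domain>yourcompany.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>helpdesk-saas.example</domain><result>pass</result></dkim>
      <spf><domain>helpdesk-saas.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.9</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results>
      <spf><domain>yourcompany.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text: str) -> dict:
    """Flatten one aggregate report into per-source rows."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        evaluated = rec.find("row/policy_evaluated")
        # auth_results holds the raw SPF/DKIM outcome on whatever domain was checked
        raw_pass = [r.findtext("domain")
                    for r in rec.findall("auth_results/dkim") + rec.findall("auth_results/spf")
                    if r.findtext("result") == "pass"]
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            # policy_evaluated holds the aligned results, which decide DMARC
            "dmarc_pass": evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass",
            "disposition": evaluated.findtext("disposition"),
            "raw_pass_domains": sorted(set(raw_pass)),
        })
    return {"org": root.findtext("report_metadata/org_name"),
            "domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"),
            "rows": rows}


def classify(row: dict) -> str:
    """Heuristic triage of a failing source (an assumption of this example, not RFC text)."""
    if row["dmarc_pass"]:
        return "ok"
    if row["raw_pass_domains"]:
        # authenticates, but for the wrong domain: a third-party service to onboard
        return (f"unaligned sender, authenticates as {', '.join(row['raw_pass_domains'])}: "
                "add it to SPF/DKIM for the From: domain or stop sending as that domain")
    return "no valid authentication at all: likely spoofing, safe to reject"


def failing_sources(report: dict) -> list[dict]:
    """Failing rows, largest volume first: the list to work through before tightening p=."""
    return sorted((r for r in report["rows"] if not r["dmarc_pass"]), key=lambda r: -r["count"])


def pass_rate(report: dict) -> float:
    total = sum(r["count"] for r in report["rows"])
    return sum(r["count"] for r in report["rows"] if r["dmarc_pass"]) / total if total else 0.0


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(f"{report['domain']} via {report['org']}: pass rate {pass_rate(report):.1%}")
    for row in failing_sources(report):
        print(row["source_ip"], row["count"], classify(row))
```

In the constructed report the helpdesk SaaS is the kind of source that breaks when p=reject is switched on too early: its mail authenticates, but as its own domain, so it needs a DKIM key for yourcompany.com or an SPF include before the policy tightens. The 203.0.113.9 traffic has no passing authentication of any kind and is exactly what the reject policy is for.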
Secure Email Gateway (SEG)
An SEG is a dedicated solution that filters email before it reaches users. For inbound mail it is typically deployed by pointing the domain’s MX records at the gateway, which relays the mail it accepts on to Microsoft 365, Google Workspace or an on-prem server.
Key SEG Features
| Feature | Description | Effectiveness |
|---|---|---|
| Anti-spam | Filtering unwanted mail | 99%+ |
| Anti-malware | Known threat signatures | 95%+ |
| Sandboxing | Attachment analysis in isolation | Detects zero-day |
| URL filtering | Malicious link blocking | Real-time |
| Impersonation protection | Spoofing detection | Protects against BEC |
| Data Loss Prevention | Data leak blocking | Compliance |
Popular SEG Solutions
| Solution | Deployment | Key Features |
|---|---|---|
| Microsoft Defender for Office 365 | Cloud | M365 integration, ATP |
| Proofpoint | Cloud/On-prem | Sandbox leader |
| Mimecast | Cloud | Strong BEC protection |
| Fortinet FortiMail | On-prem/Cloud | FortiGate integration |
| Check Point Harmony Email | Cloud | Unified security |
Configuration Best Practices
1. Block dangerous file types:
Block: .exe, .scr, .bat, .cmd, .ps1, .vbs, .js, .jar, .msi (also consider .hta, .wsf, .lnk and disk images .iso/.img/.vhd, which have been used to sidestep Mark-of-the-Web warnings)
Archives (.zip, .rar, .7z): inspect the contents and apply the same rules; quarantine password-protected archives the gateway cannot open
Match on file signature, not only on name: invoice.pdf.exe is still an executable
2. Block macros in Office documents:
Block: .xlsm, .docm, .pptm (or route through the sandbox); also inspect .docx/.xlsx for an embedded vbaProject.bin, since a renamed macro file still contains it
Alternatively: convert to PDF
Note: current Office builds block VBA macros in files from the internet by default, but gateway filtering still matters for older builds, relaxed policies and files that arrive without the internet-zone mark
3. Enable sandboxing for attachments:
Sandbox: all files except an explicit allowlist
Detonation time: 60-120 seconds by default, extended to several minutes for samples that sleep or stall
Action on detection: quarantine + alert
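The following is an added example of these rules as code (not the page’s or any vendor’s configuration). It blocks by final extension, catches the double-extension trick, expands zip archives recursively with a depth and size limit, reports password-protected entries it cannot open, and detects a VBA project inside an Office file regardless of its extension. The extensions beyond the page’s list (.hta, .wsf, .lnk, .iso, .img, .vhd) are an assumption about what a gateway should block; all sample files are built in memory, and the "encrypted" archive is simulated by setting the encryption flag, because the standard library cannot write real password protection.

```python
"""Gateway-side attachment policy (added example). Applies extension rules,
expands zip archives (stdlib only; .rar/.7z need extra libraries but the logic
is the same), refuses to trust entries it cannot open, and looks inside Office
files for a VBA project. All sample files below are constructed in memory."""
import io
import zipfile

BLOCKED_EXT = {".exe", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jar", ".msi",
               # assumption: script/container types that commonly carry droppers
               ".hta", ".wsf", ".lnk", ".iso", ".img", ".vhd"}
MACRO_EXT = {".xlsm", ".docm", ".pptm", ".xlam", ".dotm"}
MAX_DEPTH = 3               # nested-archive limit; deeper gets a finding instead of expansion
MAX_ENTRY_BYTES = 50 << 20  # refuse to expand single entries over 50 MB (zip bombs)


def extensions(name: str) -> list[str]:
    """All suffixes of a file name: 'invoice.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.lower().rsplit("/", 1)[-1]
    return ["." + part for part in base.split(".")[1:]]


def check_attachment(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Return findings for one attachment; an empty list means deliver."""
    findings = []
    exts = extensions(name)
    ext = exts[-1] if exts else ""
    if ext in BLOCKED_EXT:
        findings.append(f"{name}: blocked file type {ext}")
        if len(exts) > 1:
            findings.append(f"{name}: double extension disguises the real type")
    if ext in MACRO_EXT:
        findings.append(f"{name}: macro-enabled Office document")

    if data[:2] != b"PK":           # not a zip container (Office OOXML files are zips too)
        return findings
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings + [f"{name}: zip signature but unreadable archive"]
    with archive:
        names = archive.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            if ext not in MACRO_EXT:
                findings.append(f"{name}: contains a VBA project although extension is {ext or 'none'}")
            return findings
        if "[Content_Types].xml" in names:   # macro-free OOXML document: nothing to expand
            return findings
        if depth >= MAX_DEPTH:
            return findings + [f"{name}: archives nested more than {MAX_DEPTH} deep"]
        for info in archive.infolist():
            inner = f"{name}/{info.filename}"
            if info.flag_bits & 0x1:          # general-purpose bit 0 = encrypted entry
                findings.append(f"{inner}: password-protected, cannot inspect")
            elif info.file_size > MAX_ENTRY_BYTES:
                findings.append(f"{inner}: entry too large to expand ({info.file_size} bytes)")
            elif not info.is_dir():
                findings.extend(check_attachment(inner, archive.read(info), depth + 1))
    return findings


def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for entry_name, content in entries.items():
            z.writestr(entry_name, content)
    return buf.getvalue()


def fake_encrypted_zip(entries: dict) -> bytes:
    """Set the 'encrypted' bit in every local (offset 6) and central (offset 8)
    header. The data is not really encrypted, but to a scanner the archive looks
    password-protected, which is the case we want to exercise."""
    data = bytearray(make_zip(entries))
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(signature)
        while pos != -1:
            data[pos + flag_offset] |= 0x01
            pos = data.find(signature, pos + 4)
    return bytes(data)


# Constructed samples
MACRO_DOC = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>",
                      "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"})
NESTED = make_zip({"invoice_2026.zip": make_zip({"invoice_2026.pdf.exe": b"MZ\x90"})})
LOCKED = fake_encrypted_zip({"payload.exe": b"MZ\x90"})

if __name__ == "__main__":
    for sample in (("report.pdf", b"%PDF-1.7"), ("invoice.docx", MACRO_DOC),
                   ("docs.zip", NESTED), ("secret.zip", LOCKED)):
        print(sample[0], "->", check_attachment(*sample) or "deliver")
```

A real gateway would add content-type sniffing for non-zip formats and would hand anything it cannot open to the sandbox or quarantine; the structure stays the same.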
Attachment Sandboxing
Sandboxing is a technique of running attachments in an isolated environment to detect malicious behavior.
How Sandbox Works
┌─────────────────────────────────────────────────────────────┐
│ SANDBOX WORKFLOW │
├─────────────────────────────────────────────────────────────┤
│ 1. Email with attachment arrives at gateway │
│ 2. Attachment sent to sandbox │
│ 3. Detonation in isolated virtual machine │
│ - File execution │
│ - Monitoring: processes, network, registry, filesystem │
│ 4. Behavioral analysis (does it try to download malware, │
│ encrypt files, connect to C2) │
│ 5. Verdict: clean / malicious │
│ 6. If malicious → quarantine + alert │
│ 7. If clean → deliver to user │
└─────────────────────────────────────────────────────────────┘
Evasion Techniques and Countermeasures
Attackers try to bypass the sandbox:
| Evasion Technique | Description | Countermeasure |
|---|---|---|
| Time delay | Malware sleeps or stalls before activating | Extended detonation (several minutes), sleep patching / clock acceleration |
| VM detection | Checks for hypervisor artifacts (drivers, MAC prefixes, CPUID) | Bare-metal sandbox, or a hardened VM with artifacts removed |
| User interaction | Waits for a click, scroll or document close | Click/mouse simulation, scripted interaction |
| Environment check | Checks computer name, domain, installed software, locale | Realistic environment matching the target organization |
| Encrypted payload | Archive password placed in the email body or in an image | Extract the password from the body (text, OCR) and open the archive; quarantine what cannot be inspected |
URL Protection
Links in emails are the second main attack vector.
URL Attack Techniques
- Phishing page - fake login page
- Drive-by download - automatic malware download
- Redirect chains - chain of redirects hiding destination
- URL shorteners - bit.ly, tinyurl hiding real URL
- Homoglyph attacks - microśoft.com instead of microsoft.com
URL Rewriting (Safe Links)
Original URL: https://malicious.com/invoice
↓
Rewritten URL: https://urldefense.proofpoint.com/v2/url?u=https%3A%2F%2Fmalicious.com...
↓
On click: real-time scan → if malicious → block
URL Protection Configuration
✓ Enable URL rewriting for all emails
✓ Enable time-of-click analysis
✓ Block known-bad domains
✓ Display warning on redirect to external sites
✓ Block URL shorteners or expand before analysis
✓ Enable typosquatting detection
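The rewriting flow and the configuration items above (shortener blocking, typosquatting detection, time-of-click analysis) fit in one small model, given here as an added example rather than code from the page or from any Safe Links product. The gateway signs each original URL with an HMAC so the redirector can refuse tampered links; the redirector evaluates at click time against a blocklist, a shortener list, and two offline checks for IDN/homoglyph hosts and brand lookalikes. The https://safelinks.example/v1 redirector, the secret, the blocklist and the brand list are assumptions, and the message body is constructed.

```python
"""Safe-links style URL rewriting and time-of-click evaluation (added example).
The gateway replaces every link with a signed redirector URL; the redirector
verifies the signature on click and only then decides, so a site that turned
malicious after delivery is still caught. The redirector host, secret,
blocklist and brand list are stand-ins for real infrastructure and feeds."""
import hashlib
import hmac
import re
import unicodedata
from urllib.parse import parse_qs, quote, urlsplit

REDIRECTOR = "https://safelinks.example/v1"
SECRET = b"shared-gateway-redirector-key"   # in production: per-tenant, rotated
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed stand-ins for reputation data
BLOCKLIST = {"malicious.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
PROTECTED_BRANDS = {"microsoft", "yourcompany"}


def sign(url: str) -> str:
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()


def rewrite_body(body: str) -> str:
    """Gateway side: wrap each http(s) URL in a signed redirector link."""
    def wrap(match: re.Match) -> str:
        url = match.group(0)
        return f"{REDIRECTOR}?u={quote(url, safe='')}&sig={sign(url)}"
    return URL_RE.sub(wrap, body)


def host_findings(host: str) -> list[str]:
    """Static checks that need no network: IDN/homoglyph hosts and brand lookalikes."""
    findings = []
    # Strip accents and other marks so microśoft.com becomes microsoft.com
    folded = "".join(c for c in unicodedata.normalize("NFKD", host) if ord(c) < 128)
    if folded != host or any(label.startswith("xn--") for label in host.split(".")):
        findings.append(f"IDN/homoglyph host {host!r} renders like {folded!r}")
    registrable = ".".join(folded.split(".")[-2:])   # crude: no public-suffix list
    for brand in PROTECTED_BRANDS:
        if brand in folded and registrable != f"{brand}.com":
            findings.append(f"lookalike of {brand}: {registrable}")
    return findings


def evaluate_click(rewritten_url: str) -> dict:
    """Redirector side, run at click time rather than at delivery time."""
    query = parse_qs(urlsplit(rewritten_url).query)
    url = query.get("u", [""])[0]
    sig = query.get("sig", [""])[0]
    if not url or not hmac.compare_digest(sig.encode(), sign(url).encode()):
        return {"action": "block", "reason": "signature mismatch (tampered or forged link)"}
    host = (urlsplit(url).hostname or "").lower()
    if host in BLOCKLIST:
        return {"action": "block", "reason": f"{host} is on the blocklist", "url": url}
    if host in SHORTENERS:
        return {"action": "block", "reason": f"{host} is a URL shortener; expand before analysis", "url": url}
    findings = host_findings(host)
    if findings:
        return {"action": "warn", "reason": "; ".join(findings), "url": url}
    return {"action": "allow", "url": url}


# Constructed message body
BODY = ("Invoice attached, see https://malicious.com/invoice or the portal at "
        "https://microśoft.com/login and https://login.microsoft.com/ today.")

if __name__ == "__main__":
    rewritten = rewrite_body(BODY)
    for link in URL_RE.findall(rewritten):
        print(evaluate_click(link))
```

The signature is what makes rewriting safe to deploy: without it, a redirector that accepts any `u=` parameter becomes an open redirect hosted on your own security domain, which phishers then use to lend credibility to their links.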
Security Awareness Training
Technology isn’t enough - employees must be aware of threats.
Training Program
| Frequency | Format | Content |
|---|---|---|
| Onboarding | Training | Phishing basics, email security |
| Monthly | Micro-learning | 5-min modules, quizzes |
| Quarterly | Phishing simulation | Test + feedback |
| Annually | Full training | Review + new threats |
Awareness Metrics
| Metric | Target | How to Measure |
|---|---|---|
| Click rate (simulation) | < 5% | Phishing campaigns |
| Reporting rate | > 20% | Reports to SOC |
| Training completion | > 95% | LMS tracking |
| Time to report | < 5 min | From opening to reporting |
Phishing Button
Implement a “Report Phishing” button in the email client:
Benefits:
- Easy reporting of suspicious emails
- Automatic analysis in SOC
- Building security culture
- Crowd-sourced threat intel
Email Security Implementation Checklist
Phase 1: Fundamentals (Week 1-4)
□ Audit current email configuration
□ Implement SPF for all sources
□ Implement DKIM
□ Implement DMARC p=none + monitoring
□ Inventory all applications sending email
Phase 2: SEG and Sandboxing (Week 5-8)
□ Select and deploy SEG
□ Configure dangerous file type blocking
□ Enable attachment sandboxing
□ Configure URL protection
□ Integrate with SIEM
Phase 3: Hardening (Week 9-12)
□ DMARC p=quarantine → p=reject
□ Fine-tune SEG rules (reduce false positives)
□ Implement impersonation protection
□ Configure DLP
□ Email security penetration testing
Phase 4: Awareness (Ongoing)
□ Implement training program
□ First phishing simulation campaign
□ Implement phishing button
□ Analyze and iterate based on results
Effectiveness Metrics
| Metric | How to Measure | Target |
|---|---|---|
| DMARC compliance | DMARC reports | > 99% |
| Malware blocked | SEG logs | Track trend |
| Phishing blocked | SEG logs | Track trend |
| User click rate | Simulations | < 5% |
| Time to block | SOC metrics | < 15 min |
| False positive rate | User reports | < 0.1% |
FAQ
Isn’t Microsoft 365 / Google Workspace enough?
Built-in protections are a solid baseline but not the strongest option. Consider an additional SEG if:
- You’re a spear phishing / APT target
- You need advanced sandboxing
- You have compliance requirements (e.g., DORA)
How much does email security implementation cost?
| Component | Cost (estimated) |
|---|---|
| SPF/DKIM/DMARC | Free (configuration) |
| Microsoft Defender for O365 P2 | ~$5/user/month |
| Enterprise SEG | $3-15/user/month |
| Awareness platform | $1-5/user/month |
How quickly do you see results?
- SPF/DKIM/DMARC: immediately (spoofing reduction)
- SEG: immediately (known threat blocking)
- Sandboxing: immediately (zero-day protection)
- Awareness: 3-6 months (behavior change)
Summary
- 90% of ransomware starts with email - it’s the main attack vector
- SPF + DKIM + DMARC is the foundation - implement with p=reject policy
- SEG with sandboxing detects zero-day - essential for every company
- URL protection blocks phishing - enable time-of-click analysis
- Awareness changes behaviors - quarterly phishing simulations
- Layered protection (Defense in Depth) - one layer isn’t enough
Want to check your email security? Order email security audit or phishing simulation. Contact us.
Related Terms
Learn key terms related to this article in our cybersecurity glossary:
- Phishing — Phishing is a type of social engineering attack that aims to deceive the victim…
- Ransomware — Ransomware is a type of malicious software (malware) that blocks access to a…
- Spear Phishing — Spear phishing is an advanced form of phishing in which attackers target…
- Cybersecurity — Cybersecurity is a collection of techniques, processes, and practices used to…
- Email Spoofing — Email spoofing is a cyberattack technique involving falsifying the sender’s…
Learn More
Explore related articles in our knowledge base:
- Conducting Simulated Phishing Campaigns: A Complete Guide
- COVID-19 and the Change in Organizational Security Perception
- KSC NIS2 and the human firewall: How must a CISO build an ongoing security culture program?
- How to Train Officials to Become a Human Firewall: Building a Security Culture with Grant Funding
- What is a Scam and How to Protect Yourself?
Explore Our Services
Need cybersecurity support? Check out:
- Security Audits - comprehensive security assessment
- Penetration Testing - identify vulnerabilities in your infrastructure
- SOC as a Service - 24/7 security monitoring
