New Machine Learning Behind Early Phishing Detection in Gmail

Google announced today new security features in Gmail, including the news that it will enhance early phishing detection in Gmail through dedicated machine learning.

Cybercrime and state-sponsored advanced attacks continue to cling to email as a primary distribution vehicle for first-stage malware. Phishing campaigns thrive in targeted attacks, and criminals have even resuscitated old-school macro malware in attachments to gain that initial foothold on a victim’s computer.

Google, still stinging from a massive Google Docs-centered phishing campaign during the first week of May, counterpunched today with a host of new security features in Gmail.

Andy Wen of Google’s Counter Abuse Technology group said that the new updates focus primarily on early detection of phishing and spam messages that will benefit from a dedicated machine-learning model.

The model, Wen said, will delay messages (fewer than 0.05 percent of messages) in order to apply the model and analyze emails.

“Machine learning helps Gmail block sneaky spam and phishing messages from showing up in your inbox with over 99.9 percent accuracy,” Wen said. “This is huge, given that 50-70 percent of messages that Gmail receives are spam.”

Google said its detection models integrate with the machine learning supporting Safe Browsing, which is used to warn users of potentially malicious URLs in Chrome.

“These new models combine a variety of techniques such as reputation and similarity analysis on URLs, allowing us to generate new URL click-time warnings for phishing and malware links,” Wen said. “As we find new patterns, our models adapt more quickly than manual systems ever could, and get better with time.”

Enterprise Gmail users can also expect to see warnings when replying to messages outside the company domain as a preventative measure against potential data loss. Gmail will be selective with such warnings, for example, it will understand in context whether the reply is going to a regular contact even if outside the company domain.

Google is also introducing enhancements that scan attachments for signs of ransomware or polymorphic malware.

“We classify new threats by combining thousands of spam, malware and ransomware signals with attachment heuristics (emails that could be threats based on signals) and sender signatures (already marked malware),” Wen said.

Earlier this month, attackers took advantage of Google’s OAUTH2 service implementation to scam 1 million Gmail users via the Google Docs phishing scam. Google said it shut down the attacks within an hour, and that only 0.1 percent of its one billion Gmail users were affected.

The attackers were able to phish users via victims’ stored Gmail contacts. The messages claimed the sender wanted to share a Google Doc and the “Open in Docs” button in the email redirected the victim to the legitimate Google OAUTH consent screen which asked the victim to grant permission to access Gmail and Contacts.

While this was primarily a ruse that abused OAUTH’s open nature and ease with which it shares permissions with third parties, millions of emails were sent in a relatively short amount of time related to the scam.

Today’s Gmail enhancements are only the latest in a series of upgrades already this year. In February, Google added Security Key enforcement to its G Suite apps and added S/MIME to Gmail allowing for the encryption of messages in transit.

At RSA Conference in San Francisco, Google also said it would introduce SMTP Strict Transport Security to Gmail this year, bringing certificate pinning to the service. SMTP STS will be a major impediment to man-in-the-middle attacks that rely on rogue certificates that are likely forged, stolen or otherwise untrusted, Google said.

Suggested articles