Understanding Email Security Technologies and the Power of Hornetsecurity’s Hybrid Approach

Understanding Email Security Technologies and the Power of Hornetsecurity’s Hybrid Approach

Email delivered threats such as phishing, malware attachments and Business Email Compromise (BEC) are still the number one favorite attack vector for cyber criminals. And they’re not letting up, with new flavors of attacks being tested every day. It just takes one legitimate looking email to sneak through into a user’s mailbox, and an unsuspecting user to click a link or open an attachment to open a door into your business for the bad guys.

In this article we’ll explain and provide a comparative analysis of the two main approaches to email security. We’ll then look at a few fictitious companies that suit one approach over the other and finally demonstrate how a hybrid approach, such as the one deployed by Hornetsecurity 365 Total Protection, offers the best of both worlds.

What are the Most Common Approaches to Email Security?

Email security isn’t a new problem. Even a decade ago when most businesses were still running their own email servers, they either had to install software on their edge servers to filter out the dross or subscribe to a hosted service to filter the incoming email feed before it reached said servers.

Today most organizations rely on hosted email, with Microsoft 365 and Google Workspaces being the most popular options. This provides the foundation for the two different approaches: Secure Email Gateway is the single point cloud service where all the incoming emails to your organization are filtered, and clean emails are delivered to your mailboxes.

The other approach is using Application Programming Interfaces (APIs) in the email cloud service to detect and respond to email threats, often called Integrated Cloud Email Security (a term coined by Gartner in 2021). This isn’t an either / or proposition either, you can combine both techniques, something called Hybrid Cloud Email Security.

Secure Email Gateway

This is the older of these two methods, having its roots in the appliances or hosted services that businesses used a decade or two ago. They filter incoming and (often) outgoing emails, removing spam, malware, and other threats, sometimes also providing data loss prevention by identifying sensitive data in outgoing emails. They can also encrypt outgoing emails with standard TLS (formerly SSL) encryption, as well as other approaches such as DNS-based Authentication of Named Entities (DANE), Mail Transfer Agent-Strict Transport Security (MTA-STS) and venerable encryption protocols such as S/MIME and PGP.

email filtering

Secure Email Gateway

An in-depth exploration of DANE and MTA-STS are beyond the scope of this article but suffice to say that they make sure that traffic between mail servers on the internet are always protected with TLS encryption, and not susceptible to attackers changing IP addresses in the DNS infrastructure.

Not all Secure Email Gateway servers are created equally, and their defense mechanisms vary. Often, they apply advanced threat protection features such as opening attachments in sandbox environments to identify signs of malicious activity or use Machine Learning (ML) to identify potentially misleading or dangerous language in the text of a phishing email.

Once an email has been deemed safe and delivered to user’s inboxes, these gateways have no way to remediate threats if it’s later discovered that the message was malicious.

A big benefit of Secure Email Gateways is that all external email pass through them (if used for outgoing filtering as well), enabling easy archiving and journaling opportunities, to fulfil compliance regulatory requirements, as well as enabling e-discovery. These gateways also employ current technologies for identifying spam, phishing and spoofing and protecting organizations email reputation such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC).

They can also apply corporate template signatures to all outgoing emails, and because they’re a separate service they can provide continuity if Exchange Online or Google Workspaces is having an outage, providing webmail access, and queuing of emails until service is resumed. Depending on the service, there may limited integration with other security tools and services – if for example a user’s workstation becomes infected with malware, it’d be nice to easily know if they received any suspicious emails in the last few hours.

Finally, as a central service, they can provide excellent reporting and statistics on traffic volumes, threats detected, and actions taken.

They require some setup, and they’re not easy to “try out” in a proof of concept, because you must redirect your organization’s email domains (company.com) to the Secure Email Gateway service by changing the Mail eXchanger (MX) DNS entry. This will tell every email server on the planet where to send any emails for your domain, so you can’t do a test setup with just a few users for example.

Integrated Cloud Email Security via an API

The rise of large scale, cloud hosted email services such as Microsoft 365 and Google Workspaces have also spawned new integration points that weren’t available in the old on-premises world. The lifeblood of cloud services are APIs and the ease with which they facilitate integration between different services, and email is no exception.

These cloud services can easily integrate AI and ML for threat detection into user’s mailboxes (temporarily blocking access to delivered emails until scanning is complete), and unlike a gateway, they have continuous access to the entire platform, so that if an email is later identified as malicious, they can reach into mailboxes and delete or quarantine them “after the fact”.

Their ability to provide archiving is controlled by the APIs that the cloud provider offers, in fact, all their flexibility is entirely dependent on what the provider chooses to expose. They generally offer email authentication standards configuration (SPF, DKIM, DMARC) but this again depends on the underlying APIs.

Because they’re dependent on the cloud platform, they can only offer limited support for continuity in the case of an outage, and they don’t manage email encryption with PGP or S/MIME. Integrated Cloud Email Security services also don’t manage routing of emails, instead relying on the cloud platform for handling this. Reporting is likewise dependent on the APIs offered, but integration with other security tools is often excellent (as long as those tools are also cloud services). Being integrated “into the mailbox itself” means they can provide excellent data loss prevention services. If you have a large tenant, your provider must take into account API throttling limits as you can’t overwhelm the capacity of the platform with too many simultaneous requests.

Their real strength shines when it comes to setup – because no infrastructure or MX records need to change, they often only take a few minutes to deploy, and they can be scoped to a set of test users easily.

API - Approach default - (most common)

API – Approach default – (most common)

API - Approach - (safe mode)

API – Approach – (safe mode)

Hybrid Cloud Email Security – The best of both

In many scenarios, a combination of these technologies, like the hybrid model developed by Hornetsecurity, provides the best protection against email borne threats. The Secure Email Gateway will block most low-level threats, whereas the Integrated Cloud Email Security can deeply analyze the text of emails and attachments, using advanced AI and ML models to identify risks. Deployment is seamless, with easy integration into Microsoft 365 and Google Workspaces.

And the strength of each gives a better experience overall, if an email isn’t identified as malicious initially, but then received by other users later and this time blocked / quarantined (perhaps due to updated signatures), the gateway can tell the integrated service to delete the already delivered emails straight away.

During outages you get the benefits of continuing email access, reporting is even more comprehensive as not only incoming and outgoing emails are included, but also internal emails between employees which do not pass through the Secure Email Gateway. Data loss prevention is more comprehensive, with deep analysis of emails by the Integrated Cloud Email Security service, and the option to instruct the gateway to encrypt particularly sensitive emails based on the results.

Finally, because of the API driven nature of the Integrated Cloud Email Security they can extend beyond emails and mailboxes, such as managing permissions for attachments saved to OneDrive for Business from Outlook for example.

Hybrid (MX+API) - Approach - (safe mode)

Hybrid (MX+API) – Approach – (safe mode)

Hornetsecurity’s hybrid technology enables it to leverage gateway technology to provide solutions such as its Spam & Malware Protection, Signature & Disclaimers, Email Encryption, Archiving, and Continuity Service in addition to featured powered by integrated cloud technology such as Advanced Threat Protection, AI Recipient Validation, and 365 Extended Email Protection.

Use Cases

As always in IT, the right solution depends on the specific needs and existing environment of an organization. We’ll look at four different fictitious companies, and their situation and recommend an email hygiene solution to suit.

GlobalTech Inc. is a large multinational corporation that has diverse email services across different countries, including on-premises, Google Workspace and Microsoft 365. In this mixed, complex environment, a single, cloud based Secure Email Gateway service, integrating the different email domains will provide comprehensive control and reporting.

They’ll need to meet varying regulatory requirements in different regions, so enabling data loss prevention and email encryption through the gateway will be crucial. If there are email system outages, they’ll rely on the gateway’s continuance services to minimize business impact. Depending on IT needs, they may also add Integrated Cloud Email Security to their Microsoft 365 and / or Google Workspace tenants.

GlobalTech email system

GlobalTech email system

FinSecure Corp on the other hand relies on secure email communications with their clients. They’ve used S/MIME for many years to ensure end to end protection and non-repudiation of emails (proving that the sender of an email hasn’t been spoofed) and rely on DANE to mitigate the risk of criminals performing attacker-in-the-middle attacks against their email infrastructure. They will rely on a Secure Email Gateway service to enforce email encryption policies, and to demonstrate compliance with stringent regulations that are common for financial services firms.

FinSecure Corp

FinSecure Corp

Our third example is CloudInnovate, a tech startup in Silicon Valley, relying exclusively on SaaS cloud services for collaboration and email. They’re growing rapidly and require an easy to integrate service for their cloud-first strategy. They’ll use an Integrated Cloud Email Security service for Microsoft 365 for easy scaling and providing advanced AI and ML protection against emerging threats.

TechGen Robotics


Finally, TechGen Robotics, a leading robotics research and development company, operates at the forefront of innovation in autonomous systems and AI technologies. They have a lot of sensitive intellectual property, and are financially successful, making them targets for BEC attacks as well as industrial espionage. They’ll use both technologies together to ensure encryption of all sensitive emails (and attached documents), along with deep data loss prevention inspection to protect their IP.

They’ll need the advanced protection in their Integrated Cloud Email Security to identify and stop sophisticated attacks, and use the encryption provided by the gateway to protect communications end-to-end. They need the email continuity provided by the gateway in case of a service provider outage, whilst relying on the advanced protection of the API solution to inspect emails and attachments, including when those are saved in cloud storage.


TechGen Robotics


Hornetsecurity’s cutting edge email security solutions relies on providing both a Secure Email Gateway and Integrated Cloud Email Security for complete protection. As you have seen, both approaches have their strengths and weaknesses and by combining them, you truly get the best of both worlds, and the cleanest possible email feed.



What is the difference between Secure Email Gateway and Integrated Cloud Email Security?

Secure Email Gateway filters incoming/outgoing emails via a cloud service, while Integrated Cloud Email Security uses APIs in email platforms like Microsoft 365 to detect/respond to threats within the platform itself.

Why should I consider a hybrid approach for email security?

A hybrid approach to email security is necessary for certain businesses because relying on just one solution leaves gaps in protection. Secure Email Gateway (SEG) offers robust threat detection and compliance features but lacks continuous scanning and advanced threat protection capabilities. Conversely, Integrated Cloud Email Security (ICES) provides real-time scanning and post-delivery threat remediation but may not offer the same control and compliance as SEG. Additionally, businesses can reduce dependency on a single technology, mitigating the risk of vulnerabilities. A hybrid model also offers scalability and flexibility, allowing businesses to adapt their security measures as they grow and their needs evolve.

How does Hornetsecurity’s hybrid model improve email security?

Hornetsecurity’s hybrid model enhances email security by blocking most threats with a Secure Email Gateway and using Integrated Cloud Email Security for advanced threat detection and response, providing seamless integration and robust protection.

AI in Cybersecurity: How Large Language Models Are Changing the Threat Landscape

AI in Cybersecurity: How Large Language Models Are Changing the Threat Landscape

Since late 2022, we’ve seen a dramatic rise of Large Language Models (LLMs) based AI in the form of ChatGPT (Generative Pre-trained Transformer) and its cousins. There’s been quite a lot written about how these tools will impact cyber security.

In Hornetsecurity’s 2024 survey, a staggering 45% of business leaders voiced concerns about AI exacerbating the threat landscape. This alarming trend mirrors the global rise of AI-driven malicious activities, with threat actors leveraging automation and sophistication to orchestrate attacks.

The UK’s National Cyber Security Centre (NCSC) has also noted a troubling consequence: AI is democratizing cybercrime, enabling even novice criminals to engage in sophisticated attacks previously reserved for seasoned adversaries.

It is difficult to ascertain with a high degree of certainty if malicious emails were created or enhanced by LLMs, primarily because if they’re good, they’ll look indistinguishable from a well (hand) crafted phishing email.

However, these are the areas where we know that LLMs are having an impact on cyber security:

Code quality: GitHub Copilot (and other similar tools) is showing some quite astonishing improvements in productivity for developers, both beginners and seasoned hands. While there are safeguards in place to stop these tools developing obvious malware they can be circumvented, so it’s very likely that malware developers are using these tools to crank out more malicious code faster.

Sophisticated phishing: Drafting and enhancing phishing and especially spear phishing emails. We have an example of one of these below, but it’s probable that criminals are using these tools to fine tune their wording to achieve maximum results. Again, various LLMs have safeguards in place to stop these sorts of malicious uses, but they can often be bypassed. There are also GPT tools that lack these safeguards, such as WormGPT and others. Hornetsecurity’s 2024 survey revealed that 3 in 5 businesses describe AI-enhanced phishing attacks as their top concern.

Translating attacks into other languages: Many Phishing and Business Email Compromise (BEC) defenses are tuned for English, having less success stopping attacks in other languages. There are also geographies around the world where phishing and BEC attacks have been uncommon up until now, making the average finance department worker less suspicious (Japan, other countries in East Asia, and Latin America comes to mind). Here, we’re likely to see a surge in attacks based on the ability to translate emails into near perfect prose, by attackers who aren’t fluent in the language, expanding their potential target pool manyfold.

Targeted research: To pull off a successful spear-phishing attack, or social engineering phone call attack on helpdesk staff, requires detailed understanding of a company, individuals that they’re impersonating and their relationship to others in the hierarchy. Traditionally this is often done through LinkedIn, company websites research and the like, but with the advent of LLM based search engines, this is changing. As you’ll see in our example below, AIs can help immensely with this task, and shorten the time investment required.

To demonstrate how easy it is to generate a phishing email through an LLM we decided to create our own. The following is an attack on Andy Syrewicze, a Technical Evangelist here at Hornetsecurity. Here is the initial research prompt and output:

The following is an attack on Andy Syrewicze, a Technical Evangelist here at Hornetsecurity

As you can see, a simple prompt provides a detailed breakdown of a social engineering strategy to target Andy drawing on his professional and personal online footprint. Something that would take far longer to achieve manually.

This is then followed up with a very convincing draft of a spear-phishing email for Andy.

This is then followed up with a very convincing draft of a spear-phishing email for Andy

The email generated here is of a much higher quality than the average phishing email and far more likely to succeed. The personalization of the references and context demonstrates how effective AI tools such as LLMs can be in crafting targeted spear-phishing attacks.

Why We Fall for Scams

A thorough investigation of social engineering and hacking human psychology is a topic for an entire book on its own, here we’ll just focus on the highlights to bring an understanding of the basic characteristics that make us so susceptible.

A well-crafted phishing email has the following characteristics:

  • It’ll blend in and be part of the normal communication flow. We’re used to receiving emails about a parcel delivery, or a notification from our bank, or a reminder from our boss, so a fake email with the same characteristics is less likely to raise our suspicions. It has the right logos, structure, format, and it looks like the expected sender so we’re more likely to take the requested action.
  • It’ll appeal to our emotions. The most important part of any social engineering endeavor is to bypass the cold, logical thinking part of our mind (Cerebrum), and activate the emotions and the “fight or flight” center (Amygdala) so that we take actions we wouldn’t normally contemplate. Some approaches will appeal to greed / reward (“click here for free tickets”), some to shame / embarrassment (“I’ve got video recordings of what you did last night”), or fear / dread (“I need you to transfer this amount now or you’ll be fired”). The most common appeal is urgency; when something needs to be done “right now”, we tend to skip past our normal, suspicious questions and just get it done, often to avoid feeling the uncomfortable emotions mentioned any longer.
  • It’ll have a requested action that’s not too unusual. Examples include providing personal details to your “bank”, something we remember having to do when opening an account in a new bank or resetting our network password by clicking a link and being presented with a normal looking sign-in page.

The whole effect of an effective phishing lure is short-circuiting our questioning rational mind by invoking emotions and urgency and providing an easy way to “fix the issue” quickly.

This leads us neatly to the next step – the importance of security awareness training for all your users.

User Training is Crucial

This cannot be understated; you cannot build a cyber-resilient organization without involving every single person who works there. This starts with the basic awareness of asking someone unknown who isn’t wearing a badge in the office to identify themselves, and if the answer doesn’t stack up, calling security.

When someone calls you claiming to be from the IT helpdesk and asks you to approve the MFA prompt you’re about to receive on your phone, don’t assume they’re telling the truth. Always double-check their credentials first to ensure that it’s a legitimate request.

What you’re trying to foster is “polite paranoia”, making it normal to question unusual requests, and understanding the risk landscape and sharpening instincts. Most people who work in businesses aren’t cyber or IT savvy and weren’t hired for those skills. However, everyone needs to have a basic understanding of how identity theft works in our modern digital world, both in their personal and professional lives.

They also need to have a grasp of the business risks introduced by digital processes, including emails.

By having this context they’ll be able to understand when things are out of context or unusual and have enough suspicion to ask a question or two before clicking the link, wiring the funds, or approving the MFA prompt.

And this isn’t a once-off tick on a form to achieve compliance with a regulation.

Often, the long, tedious, and mandatory presentations that organizations conduct once a year or quarterly, followed by multiple-choice quizzes, are perceived as time-wasters by the staff. They want to rush through them quickly and typically forget any insights gained.

Instead, the training program should be designed to be ongoing, consisting of bite-sized, interesting, immediately applicable, and fun training modules combined with simulated phishing attacks to test users. If any user clicks on a phishing email, they should be given additional training.

Over time, the system should automatically identify users who rarely fall for such attacks and interrupt them with infrequent training, while the persistent offenders are given additional training and simulations on a regular basis.

The other reason for ongoing training is that the risk landscape is continuously changing. Some months ago, malicious emails with QR (Quick Response) codes to scan were the exception, now they’re a very familiar sight, requiring ongoing awareness of staff not to scan them on their phones (outside of established business processes).

Security experts often lament the priorities of staff, saying, “if they only took a second to read the email properly, they’d spot the signs that it’s phishing”, or “they just don’t take security seriously”.

This is a fundamental misunderstanding of the priorities and psychology of the average office worker, clicking a link in an email will at most get you a slap on the wrist, not fulfilling an urgent request by the boss can get you in serious trouble or even fired.

And this is why the entire leadership, from middle managers all the way to the C-suite must lead by example. If they do and communicate their understanding of the basics and secure processes, staff will follow suit.

But if the CFO requests an exemption from MFA or bypasses security controls regularly because “it’s more efficient”, there’s no chance that his underlings will take cyber security seriously.

A Day in the Life at Cyber Resilient Inc.

What does it look like at an organization that has embraced this approach? First of all, no one fears speaking up or asking “silly questions” about weird emails or strange phone calls. If there is an incident and someone clicks something they shouldn’t have, there’s no blaming and accusations, it’s not personal, there was a failure of a process.

This brings a strong sense of psychological safety, an important foundation for cyber resiliency.

Transparency is promoted from the leadership all the way throughout the organization. Understanding that we’re all human, we’re “all in this together” and being upfront about making mistakes, without fear of retribution, will improve the cyber resiliency culture.

Talking about new cyber risks and exploring not just business risks but also the risks in people’s personal lives is another strong result of a good security culture.

Our working and personal lives are blended like never before, with people sending and receiving emails from their personal devices, sometimes even working from their personal laptops (BYOD), which means that the risks to the business aren’t confined to corporate assets and networks. 

Compromises of users’ personal identities can be used by criminals to then pivot to compromise business identities and systems.

Looking at it in the mirror – in an organization where cyber resiliency isn’t valued, staff will be fearful of making mistakes and be unsure what processes to follow if they think they might have made one. Individuals are blamed when incidents do occur, ensuring that any future issues are swept under the rug to avoid the same fate.

And staff don’t understand IT, they don’t understand the risk landscape and they routinely put the organization at risk because of this lack of understanding.

Implementing Security Awareness Service

As mentioned, it’s important that security awareness training is incorporated into the work life of your users, it can’t be something that’s done once every six or twelve months. Hornetsecurity’s Security Awareness Service was designed with exactly this in mind, providing short video trainings, coupled with spear phishing simulations.

But overworked IT teams also don’t want to spend a lot of time on scheduling training and simulations, so it incorporates the Employee Security Index (ESI) which measures each user’s (and group, department) likelihood to fall for targeted, simulated, attacks.

This is mostly hands-off for the administrators, so the users who need extra training and tests receive it, whereas staff with already sharp instincts are tested less frequently. You can also track ESI over time and see the forecast for it.

Employee Security Index dashboard

Employee Security Index dashboard

There’s also a gamification aspect where users can compare themselves to others, which creates a strong incentive to be more cautious and sharpen instincts. The training material is available in multiple languages.

Another benefit of the Security Awareness Service is the statistics, it gives the security teams and business leaders data to understand the current risk profile of their staff, and where boosts of extra training might need to be deployed.

Enhance employee awareness and safeguard critical data by leveraging Hornetsecurity’s Security Awareness Service for comprehensive cyber threat education and protection.

We work hard perpetually to give our customers confidence in their Spam & Malware Protection and Advanced Threat Protection strategies.

Discover the latest in cybersecurity: How to Spot a Phishing Email in The Age of AI. Learn how AI fuels sophisticated phishing attacks and gain actionable insights to protect your business.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.


Everyone in business today is somewhat aware of the risks of cyber-attacks, phishing messages, and identity theft. It’s essential for businesses to recognize that cybersecurity threats are constantly evolving, especially in the age of AI.

Threat actors are leveraging AI tools to create sophisticated phishing attacks that can lead employees to click on malicious links or disclose sensitive information. The phishing samples we’ve shared should serve as a good source for communicating the signs of scam emails to your staff.


How are Large Language Models (LLMs) impacting cybersecurity?

LLMs, such as ChatGPT, have significantly altered the threat landscape by enabling automation and sophistication in malicious activities. They’ve democratized cybercrime, allowing even novice criminals to conduct sophisticated attacks. Specifically, LLMs are enhancing code quality, refining phishing emails, translating attacks into multiple languages, and facilitating targeted research for social engineering attacks.

What characteristics make phishing emails successful?

Successful phishing emails blend seamlessly into normal communication flows, evoke emotions such as greed, shame, or fear, and prompt urgent actions. They mimic the appearance of legitimate messages, utilize familiar logos and formats, and contain requests that seem plausible, like providing personal details or clicking on links.

How can organizations improve their cyber resilience?

Organizations can enhance cyber resilience through comprehensive user training, which fosters a culture of “polite paranoia” and encourages questioning unusual requests. Continuous, engaging, and practical training modules combined with simulated phishing attacks help users recognize and respond to threats effectively. Leadership plays a crucial role in setting the tone for security awareness and adherence to secure processes throughout the organization.

What Your Employees Need to Know About Phishing + Real-Life Examples

What Your Employees Need to Know About Phishing + Real-Life Examples

In this article, we’ll present a series of real-world phishing emails, with personal details altered or obfuscated to protect the innocent.

These are useful for training users to spot the clues that something is trying to trick them, so feel free to use these in your training materials.

Real-Life Phishing Examples

Let’s start with a classic, the Nigerian prince scam, also known as an advance-fee scam. These try to make victims believe that they are the recipients of a large amount of money (emotion trigger: greed), but to receive it, they must pay a fee (“transfer fee” or “handling fee”). Here’s a simple example:

“transfer fee” or “handling fee”

Note the use of gift cards – criminals can’t use the standard international bank transfer system (Swift) as their funds would be blocked very quickly, and asking normal users to transfer crypto currency is also a dead giveaway – thus, the gift card request, a very common tactic.

A second clue in this email is the poor use of grammar and English, which is always a sign of something fishy but will likely be less prevalent in the coming months as generative AI tools become commonplace. Does this email really sound like it would have been sent by someone at JP Morgan Chase bank with the last name Angel?

Next is the phishing category, starting with a spoofing email. Spoofing is using various techniques to make it appear as if the email is coming from one sender when, in fact, it’s sent from an attacker’s email address. In this example that’s American Express, amex.com. This email also employs the tactic of making the entire email into an image, to make it harder for anti-spam engines which analyze text. Having SPF and DMARC records in place will block this particular spoofing technique.

spoofing email

The link shown in the image isn’t the one that an unwary user will open if they click it, which is why it’s important to train users to hover over suspicious links before clicking them (which is easier on computers than on smartphones).

Humans, including security experts, are poor at identifying malicious URLs (because they were never designed to be an indication of trustworthiness), but the fact that the link text you’re seeing on the screen doesn’t match the actual link target is enough to know that it’s a scam.

If you do click, you’re taken to a phishing page with a sign-in prompt, which looks like it’s an American express site.

Note the scroll bars however, it’s a webpage, made to look like a browser (within the real browser), which you can tell from the scroll bars on the right and at the bottom. Again, the actual domain that the victim is entering their credentials into isn’t the one shown on the page.

real life phishing sample

Another flavor is impersonation, the email below again purports to be from American Express, but the sender is secureAmex@wsfax.com, whilst the display name of the sender is “American Express”. This email isn’t about triggering greed, but rather concern about the “important information” relating to your account.

American Express - real life phishing

Here’s another one from Canada Revenue Agency / Agence du revenu du Canada, again with the actual sending email address being different. This one appeals to greed, with the promise of a refund, clicking the link leads to a credential harvesting page.

Canada Revenue Agency Agence du revenu du Canada - phishing

We have all become accustomed to receiving a lot of packages, and after the Covid-19 pandemic, it has become ubiquitous. In our data, DHL has been the leading company impersonated for a long time, but they were recently replaced by Fedex.

Here are two examples of DHL impersonation emails where the display name doesn’t match the sending email address, with links to click to “update your address”. Note the misspelt word “Packagging” as well as using “Hello Dear” as an introduction, unlikely from a shipping company.

DHL impersonation - phishing
DHL impersonation - phishing 1

Phishing emails frequently use attachments to spring their trap; here’s one purporting to be from DocuSign.

The PDF attachment, obviously not a scanned fax page, looks like a DocuSign document – clicking the link for View Pending Document will lead to a phishing page. The use of a DocuSign-looking page is appealing to the familiarity of the process. many of us are asked to electronically sign documents using DocuSign, so we’re less likely to be suspicious of this request.

DocuSign phishing
DocuSign phishing 1

As mentioned, QR codes have become very popular in phishing emails. There are two reasons for this: firstly, email hygiene solutions were slow to incorporate technology to spot these in emails, scanning the code, following the link, and inspecting the target web page for signs of maliciousness. Hornetsecurity has had QR code scanning in place since early 2023.

Secondly, and possibly the reason why we’re still seeing large volumes of malicious emails with QR codes, is that they move the attack from an often managed, locked down, secured computer endpoint, where most business users read their emails, to a personal smartphone with minimal protection.

Scanning a QR code with your smartphone is second nature for most of us, especially as their use in society is so common, and people don’t expect a bad result from doing it.

Here are three examples of phishing emails with QR codes as the link instead of the traditional weblink or button to lure a victim.

Scanning a QR code - phishing

This QR code leads to a phishing site where the victim enters their credentials to “update their password” but instead, they hand over their username and password for criminals to use in further attacks.

This second example is similar but focuses on the victim updating the Multi-Factor Authentication (MFA) which is about to expire. Note the misspelling of “mult-factor”.

Multi-Factor Authentication (MFA) - phishing

The urgency of this email, with the 24-hour deadline, is again creating a sense that the user must do something about this now or risk losing access and not being able to do their job.

Both of these are particularly insidious because the legitimate set-up process for MFA with Microsoft Entra ID, either with Microsoft’s Authenticator app or a third-party app, involves scanning a QR code. It’ll seem quite normal for end-users to scan a QR code again as part of MFA.

Key here is education of the business staff by the IT / security teams. If there are no legitimate business processes that involve scanning QR codes sent through emails, it is essential to inform everyone to avoid scanning any QR code that they receive in an email.

Additionally, it is recommended to follow up with Security Awareness training, including simulated phishing emails, to test staff and help them sharpen their instincts.

If you do have legitimate business processes that involve QR codes, look to see if they can be sent in some other way than via email, and if they can’t, clarify to everyone that this process does use QR codes, and here’s how that flow works, but don’t scan any outside of this procedure.

This last example introduces a wrinkle with the QR code being blue on a red background, no doubt to bypass email hygiene solutions (Hornetsecurity ATP isn’t fooled and caught these). Note the clumsy grammar “failure to secure your update Mailbox will lead to deactivation”.

failure to secure your update Mailbox will lead to deactivation

If you scan the QR code you’re taken to a credential harvesting page, gathering Microsoft login credentials.

Microsoft login credentials

The key in all these examples to convey to your staff is to be aware of triggering emotions, unusual requests, unusual processes (this isn’t how I normally reset my password), bad spelling and grammar and for QR codes, don’t scan them unless it’s part of a known business process.

Enhance employee awareness and safeguard critical data by leveraging Hornetsecurity’s Security Awareness Service for comprehensive cyber threat education and protection.

We work hard perpetually to give our customers confidence in their Spam & Malware Protection and Advanced Threat Protection strategies.

Discover the latest in cybersecurity: How to Spot a Phishing Email in The Age of AI. Learn how AI fuels sophisticated phishing attacks and gain actionable insights to protect your business.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.


In conclusion, understanding the tactics used in real-world phishing emails is crucial for individuals and organizations to protect against cyber threats.

By recognizing common red flags, practicing vigilance, and implementing robust security measures, individuals can defend themselves against phishing attacks, while organizations can fortify their defenses and mitigate the risk of data breaches and financial losses.

Stay informed, stay vigilant, and stay safe in the ever-evolving landscape of cybercrime.


What are common characteristics of phishing emails?

Phishing emails often exploit emotions like greed or urgency, feature poor grammar, and employ spoofing techniques to appear legitimate. They may contain suspicious links or attachments and often mimic trusted organizations to deceive recipients.

How can individuals identify and protect against phishing attacks?

Individuals can protect themselves by being vigilant for red flags such as unusual requests, spelling and grammar errors, and unexpected links or attachments. They should verify the sender’s email address, hover over links to check their destination, and refrain from providing personal information unless absolutely certain of the sender’s legitimacy.

What measures can organizations take to mitigate the risk of phishing attacks?

Organizations should implement comprehensive security awareness training to educate employees about phishing tactics and best practices for identifying and reporting suspicious emails. Additionally, they should deploy advanced email filtering and anti-phishing technologies, enforce email authentication protocols like SPF and DMARC, and regularly update security policies and procedures to adapt to evolving threats.

Unmasking Phishing: Understanding the Insidious Threat to Your Organization

Unmasking Phishing: Understanding the Insidious Threat to Your Organization

In this article, we delve into the pervasive threat of phishing and its profound implications for organizational security. Phishing, an ever-evolving tactic employed by cybercriminals, continues to pose a significant risk to businesses worldwide.

From impersonating trusted entities to crafting sophisticated lures tailored to specific targets, the techniques employed by malicious actors are as diverse as they are insidious. Join me as we delve into the intricacies of this perilous cyber threat landscape and explore strategies to fortify organizational defenses against it.

Phishing – An Insidious Risk to Your Organization

Phishing remains the number one attack vector for criminals to establish a foothold in your organization. Even in this day and age of Teams, Slack and their cousins being used for collaboration and communication, email remains the most common way to exchange information with people outside an organization.

And it’s got inertia because it’s been there for so many decades, and everyone knows how to use email, both in their personal and work lives.

This also makes it the perfect channel for the bad guys to “show up in front of” your users, masquerading as someone trustworthy.

At the lowest level this involves impersonating a trusted company – DHL / Fedex (“we’re delivering a parcel and need you to click here to validate the address”), or your bank / credit card company (“click here to validate this anomalous transaction we’ve flagged”).

And of course, there’s the OG phishing scam – “I’m a Nigerian prince with money to give away and I just need you to help me out with the transfer”. These are sent in bulk because even if only 1 in 1,000 makes it through to a user’s inbox and only 1 in 1,000 clicks it, for each million I send, I get one hit.

Stepping it up a bit are more customized campaigns, targeting specific countries or regions, with specific lures related to current affairs and impersonating companies more likely to be trusted by the recipients in that geography.

Finally, we have spear phishing with highly customized lures, sent in much smaller volumes but where criminals have done their homework and use people and companies that your users are already collaborating with, ensuring a much higher success rate.

In all cases – if a user falls for the lure and clicks the link, or downloads the attachment, or enters their login details on the fake sign-in page, the consequences can be dire.

A single click starts the dominos falling

That single click or download can be the start of a major incident. In cybersecurity we talk about the kill chain, the steps an attacker must take to achieve their end goal, which could be theft of your intellectual property, or encryption of all files in a ransomware attack.

There are many variants, and depending on the attacker and the target, not all steps are required but generally they start with Reconnaissance to understand your business and what lures are most likely to generate a click (and your revenue to know how much they can demand in ransom for your files / systems).

This is followed by Compromise, gaining that first foothold, Moving Laterally to compromise other user accounts and systems, achieving control over the environment (“Domain dominance”), Exfiltration of data so that you can be further incentivized to pay the attacker to not have your data leaked. And if it’s a ransomware attack, this is followed by the actual encryption of your files.

And all from that single click by a user – which is why phishing is such an important attack vector to understand and defend against.

The Need for Security Awareness Training

The risk in numbers

Out of the 45 billion emails analyzed  in Hornetsecurity’s Cybersecurity Report 2024, 36.4% were labelled unwanted. Out of this third, 96.4% were spam, with 3.6% classified as malicious.

In this slice of malicious emails, phishing took the top spot at 43.3% (a 4% increase over the previous year) followed by 30.5% emails with malicious URLs (an 18% increase over the previous 12 months). Where there were malicious attachments, the most common was HTML files (37.1%), followed by PDFs (23.3%) and then archives such as ZIP files at 20.8%.

Getting as close as possible to a “clean feed”

All email hygiene systems follow the same basic architecture. Start by filtering out emails coming from known bad email servers and known bad domains by just refusing the connection.

Then, look at the DNS records (SPF – Sender Policy Framework, DMARC – Domain-based Message Authentication, Reporting and Conformance, and DKIM – DomainKeys Identified Mail) to filter out suspicious senders. Emails that make it through these first gates are then scanned by multiple anti-malware engines to spot any known viruses and filter those out.

In Hornetsecurity’s case, this is followed by Advanced Threat Protection, which inspects each email and its attachments in a sandbox, opening the files to look for any suspicious actions they perform, and using Machine Learning (ML) and over 500 signals to provide a verdict if the file / email is legitimate or not.

And if we later identify an email as malicious after delivery we can reach into any mailboxes where it has already been delivered and delete it.

This is an ongoing arms race, with attackers adjusting their tactics, types of attachment, obfuscating the malicious code and so forth, all to avoid detection. Our Security Lab experts, together with the ever-learning ML model tweak our detections to stop as close to 100% of all malicious emails as possible.

However, no system will catch every single bad message, and this is where the cybersecurity concept of defense in depth comes in.

In any complex IT system, you want to have multiple layers of protection, so that if the attackers penetrate one, they still have others to get through before they get to their prize. In this case, that’s your “human firewalls”, trained staff who know what signs to look for with their sharpened instincts.

Enhance employee awareness and safeguard critical data by leveraging Hornetsecurity’s Security Awareness Service for comprehensive cyber threat education and protection.

We work hard perpetually to give our customers confidence in their Spam & Malware Protection and Advanced Threat Protection strategies.

Discover the latest in cybersecurity: How to Spot a Phishing Email in The Age of AI. Learn how AI fuels sophisticated phishing attacks and gain actionable insights to protect your business.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.


In conclusion, phishing poses a grave threat to organizational security, requiring a multifaceted defense strategy. Through awareness, advanced email hygiene, and a commitment to defense in depth, organizations can mitigate the risk and safeguard their valuable assets against this insidious cyber threat.


What makes phishing such a significant threat to organizations?

Phishing remains a top concern for organizations due to its deceptive nature and widespread prevalence. Cybercriminals employ various tactics, from impersonating trusted entities to crafting sophisticated lures tailored to specific targets. These attacks often start with a simple email, leveraging users’ familiarity with email communication to trick them into clicking malicious links or downloading harmful attachments. The consequences of falling for phishing attempts can be dire, ranging from data breaches to financial losses and even ransomware attacks.

How can organizations mitigate the risk of phishing attacks?

Organizations can mitigate the risk of phishing attacks through a multi-faceted approach. Implementing robust security awareness training programs is essential to educate employees about the tactics used by cybercriminals and empower them to recognize and report suspicious emails. Additionally, employing advanced email hygiene systems, such as those that utilize SPF, DMARC, and DKIM, can help filter out malicious emails before they reach users’ inboxes. Investing in advanced threat protection solutions, including sandboxing and machine learning, can further enhance detection capabilities and mitigate the impact of phishing attacks.

Why is defense in depth crucial in combating phishing threats?

Defense in depth is critical in combating phishing threats because no single security measure can provide complete protection against sophisticated attacks. By implementing multiple layers of defense, organizations can create overlapping security barriers that increase the complexity for attackers and reduce the likelihood of successful breaches. This approach includes not only technical solutions such as email filtering and malware detection but also emphasizes the importance of human vigilance. Trained staff serve as the final line of defense, equipped with the knowledge and skills to identify and respond to phishing attempts effectively.

How Difficult Is It to Remove Ransomware

How Difficult Is It to Remove Ransomware

Ransomware has been a part of the cybercrime ecosystem since the late 1980s and remains a major threat in the cyber landscape today.

Understanding Ransomware Mechanics and Its Short Evolution

The AIDS Trojan was the first known Ransomware attack that encrypted your files and demanded ransom through the postal services over the years, the functionality has been evolving, and it has become more sophisticated.

First, it employed symmetric key encryption, which encrypts data with a single key, however, now most threat actors started implementing asymmetric cryptography, which encrypts files with two keys for added security.

The delivery techniques have also evolved, moving on from the regular phishing email attachments, attackers now take advantage of software flaws and incorporate AI and Machine learning to enhance their evasion capabilities.

Cryptocurrencies like Bitcoin, Monero, and others are now the go-to payment option since they allow hackers to remain anonymous.

Ransomware as a service (RaaS) has made ransomware more accessible to novice attackers, or “Script-kiddies”. Larger organizations are now the target audience, or so we thought.

But attackers increasingly threaten to leak critical material as part of a double-extortion strategy and combine Distributed Denial of Service (DDoS) attacks with ransomware to overwhelm their targets.

Exploring Different Ransomware Types and Their Variances in Approach

As the world evolves, so do the ransomware types and their usage, mostly depending on the goal of the malicious threat actors. In the technology era, the gold standard is information, where the attackers keep their focus and entrapment.

At its core, ransomware is malicious software designed to deny access to a computer system or files until a sum of money (“ransom payment”) is paid. As the end goal varies, so does the approach. Here are some examples of how malicious attackers can infect your systems with ransomware:

  1. Crypto Ransomware (Encryption): The most notable and vicious variant where the attackers encrypt the data on the host or entire organization, demanding payments to be delivered with cryptocurrencies in exchange for the decryption key. 
  2. Locker Ransomware: Another type of ransomware that locks your computer screen, rendering it unusable and restricting access to basic computer functions, accompanied by a popup and message demanding a ransom payment before access is restored.
  3. Scareware: A manipulative type of ransomware intended to trick or frighten the victims into going to particular websites or downloading malicious software. Popup advertisements and social engineering techniques are frequently utilized with the intention of fooling people into downloading or buying dangerous software. An example would be a flash message displayed that your workstation is infected and the attacker suggesting they are here to save the day with their free Antivirus, a classic strategy that unfortunately still works.
  4. Doxware: It involves a process called Doxing, a gathering of personal information about the target and using the scare tactic designed to make the victim feel shameful and disgusted by releasing their personal data. Threat actors breach people’s privacy by getting their hands on private documents and images, which they threaten to make public if a ransom is not paid. This is a more targeted approach, but it could have a wider ‘clientele’ as the target private information includes other potential victims.

Decoding the Mystery Behind Ransomware Removal and Recovery

Ransomware recovery demands a strategic approach, beginning with isolating infected systems to prevent spreading across the network. Simultaneously, it is crucial to discern the specific ransomware variant in play, a critical step as this information guides further steps and the search for customized decryption tools or focused solutions.

After identifying the malware, the eradication process may start, however, before complete removal, it is very wise to back up any essential data to protect against any unforeseen complications.

The employment of reputable antivirus or anti-malware ransomware software, updated to the latest definitions and signatures, becomes pivotal at this juncture, serving as a frontline defense mechanism.

Should circumstances permit, restoring the system from a meticulously maintained and uncontaminated backup stands out as a robust remedial measure.

Sustaining a proactive stance, keeping software and security patches current, educating users on Security Awareness Training, the ins and outs of phishing threats, and, where necessary, seeking professional cybersecurity assistance, complete the comprehensive ransomware removal strategy.

The dynamic nature of cybersecurity activities is highlighted by a post-removal phase marked by persistent monitoring for residual risks that could still bring the organization to its knees. Prioritizing prevention through regular backups and raising cybersecurity awareness is crucial for defending against the constantly changing ransomware threat scenario.

How to Select the Right Approach for Ransomware Removal and Preventative Measures

Ransomware removal is never guaranteed, and the best defense is, being able to focus on your preventative measures. Timing is of the essence when this type of malware gets into your system, and it is crucial to have continuous monitoring properly deployed.

  • Do not pay the ransom – Paying does not guarantee that threat actors will return your files, and even if they do, there is no certainty that they haven’t made a copy and use it for further agenda 
  • Isolate the infected systemsThe first step when there are indicators of ransomware compromise is disconnecting the affected hosts from the network to minimize and control the spread further to other devices and systems 
  • Identify the ransomwareRecognizing the variant helps combat the ransomware, what common locations it resides in, and any remaining infection it may occupy. Using shared intel within the security community could also lead you to a decryption tool (that may or may not exist) 
  • Knock, knock. Whos there? Identify the attack sourcesThis sounds counterintuitive, but if you can identify the attack source, it could be a piece of very useful information to defend yourself from a repetitive infection by taking proper measures, as backups are useless if you close the door again, unlocked.

Steps to Take If Your Email Security Has Been Compromised

MGM Resorts

The notorious ALPHV (BlackCat) crew has unleashed a ransomware attack on MGM Resorts, causing significant havoc that disrupted the website, casino functions, and essential systems such as email, reservations, and digital room keys, plunging MGM’s operations into disarray.

This breach, initiated by social engineering, underscores the escalating risks faced by major enterprises. It’s particularly alarming as it follows a previous security breach at BetMGM, a branch of MGM Resorts, where hackers absconded with data from 1.5 million clients.

In a parallel episode, Caesars Entertainment faced a similar hacker incursion but swiftly recovered by ponying up a substantial ransom.

LockBIT 3.0

Among the prominent players in today’s ransomware arena is the feared LockBit 3.0. This group creates and distributes LockBit ransomware, operating under the ransomware-as-a-service (RaaS) model.

This setup implies that LockBit 3.0 collaborates with affiliates who deploy the ransomware in attacks, with both parties sharing the financial gains.

Affiliates of LockBit employ spearphishing and phishing techniques to penetrate victims’ networks. LockBit group ‘Customers’ acquire and misuse login passwords of active accounts in order to obtain first access, and while LockBit 3.0 is running, the malware executes commands like batch scripts to run malicious commands.

LockBit 3.0 has a global reach, orchestrating impactful cyber attacks on businesses spanning public and commercial sectors. Renowned for their cunning tactics, the gang employs diverse channels to distribute malware, including phishing emails and exploit kits.

What sets them apart is their triple-extortion approach, where they encrypt victim data, threaten public exposure, and engage with partners or customers. Balancing sophisticated techniques with human-centric exploits, LockBit 3.0 remains a formidable force in the cybersecurity arena.

To properly protect your cyber environment, use Hornetsecurity Security Awareness Service and Advanced Threat Protection to secure your critical data.

To keep up with the latest articles and practices, visit our Hornetsecurity blog now.


To wrap it all up, ransomware is a category of computer infection. It is employed to trick people into making payments. This typically indicates that the ransomware has encrypted your data and requests payment to unlock them. The best course of action is to prevent getting infected and make strong backups of your files in case you do get infected. Depending on how sophisticated the virus is, there might not be a method to get around this.


Can ransomware be deleted?

Removing ransomware from a system is more complex than deleting a regular file. Caution is essential, and paying the ransom is strongly discouraged as it doesn’t guarantee file recovery and may support criminal activities. Prevention, regular backups, and updated security software are vital for protection against ransomware attacks.

What tool removes ransomware?

Keep in mind that no tool can ensure that every ransomware variant has been completely removed and that the effectiveness of a tool can vary based on the particular ransomware strain. Furthermore, proactive defense, timely security software updates, and a solid backup plan are essential to exhaustive ransomware protection.

Is ransomware difficult to remove?

To remove ransomware, think about performing a factory reset on affected systems once you’ve located and isolated them. Paying the ransom is discouraged as removal is never guaranteed, and you only look weak in the eyes of the attackers, making you a recurring target. Rather, prioritize creating a thorough incident response strategy that includes instructions for security partners, how to isolate assaults, and how to record important attack logs for forensic analysis. To guarantee a backup of crucial data, keep up a robust backup management program and evaluate risks regularly. Your organization’s defenses against prospective cyber threats are strengthened by advance planning and abstaining from ransom payments.

Can ransomware be solved?

Ransomware can be solved depending on the variant, your organization’s preparation, and your incident response plan. It is very important to have proper security awareness training and exercises to prepare you for this event, as time is valuable once you become a victim. Tabletop exercises, communication with other security professionals, and intelligence sharing will only boost your chances of fighting this attack. Preparation is key, as it is not an ‘if’ issue but a ‘when’. Ransomware can be solved depending on the variant, your organization’s preparation, and your incident response plan. It is very important to have proper security awareness training and exercises to prepare you for this event, as time is valuable once you become a victim. Tabletop exercises, communication with other security professionals, and intelligence sharing will only boost your chances of fighting this attack. Preparation is key, as it is not an ‘if’ issue but a ‘when’.

How to Avoid an Email Security Breach

How to Avoid an Email Security Breach

Email is still the most important communication channel. More than 300 billion e-mails are sent and received every day. According to forecasts, this figure will increase to almost 400 billion a day by 2026.

Hackers know this and are constantly targeting companies, infecting them via email with various types of malware or phishing attacks. But this only happens when companies have poor security hygiene and fail to provide ongoing employee training.

As an example, in 2019, healthcare organization NHS Highland inadvertently disclosed the health records of 40 HIV-positive people by sending an email via CC rather than BCC. This was considered an email security breach.

This article is about email security breaches and how to avoid them using best practices and Hornetsecurity’s email security services.

We all want to stay ahead of a malicious email leading to a compromised business. Don’t we!?

Understanding Email Data Breaches and the Importance of Email Security

A data breach is data loss or data compromise due to inadequate security measures or human error.

Malicious actors are targeting our infrastructure using various techniques such as malware, phishing, and social engineering. In most cases, these attacks are carried out via email. The hackers try to trick us into opening links or attachments that give them access to our infrastructure and data.

Even if we have the most advanced security measures and systems in place, this is of no use if our employees are not trained in the correct handling of devices, emails, and data.

The first target of most cyber attacks is people. Attackers use our human psychology against us, our willingness to help others or our lack of understanding of the risks involved in email attacks.

The introduction of strong email security measures and employee training reduces the risk of being hacked.

Notable Examples of Massive Email Data Breaches

There have been several data breaches in the last decade. We will not go into all of them, but we will mention a few major data breaches.

In August 2013, Yahoo was attacked by a hacker group. Over 3 billion email accounts were compromised.

In 2018, hackers gained unauthorized access to Aadhar, the largest ID database in India. Over 1.1 billion Indian citizens were affected by this data breach, including their data such as names, addresses, photos, phone numbers, emails, and biometric data.

In July 2019, hackers gained access to over 100 million accounts hosted by Capital One. The hackers stole credit information affecting around 100 million people in the US and around 6 million accounts in Canada.

In June 2021, LinkedIn discovered that 700 million of its user accounts had been exposed to the dark web. This was the largest data breach the company had experienced.

There are dozens of other data breaches that can be traced back to inadequate security measures. 

Exploring Vulnerabilities Stemming from Weak Email Security

Weak email security can expose company data and vulnerabilities. Weak email security is related to weak passwords, lack of multi-factor authentication, lack of security measures against phishing and spam, lack of email encryption, lack of email security policies, lack of ongoing training, and others.

Even failing one of these can damage the integrity and reputation of a company and put it in financial difficulties.

Where there is weak email security, there is plenty of scope for attacks and email security breaches. Attackers can easily penetrate our network and exploit vulnerabilities from the physical to the application layer to attack our unpatched systems, unencrypted storage, unpatched systems, and others.

To minimize the risk, companies should invest in robust email security measures.

Recognizing Signs of a Hacked Email Account

If you suspect that your email account has been hacked, there are several signs you should look out for. Please note that these signs, especially if they are suspicious activity (they could be you), are not always proof that your account has been hacked, but they should trigger an alert to check it out.

There are two possible scenarios. Your account has been hacked and you can no longer use it, or your account has been hacked and you can still use it.

In the first case, hackers have compromised your email account and data and changed the password.

You have tried several times to re-enter your web or email client password, but it does not work. If you have been authenticated in the Outlook client application, you are prompted to re-enter your password. You have probably been hacked.

In the second case, the hackers have compromised your email account but have not changed your password. If you have configured this, you should receive a notification about unusual or suspicious activity in your email account.

Email accounts have a security service that sends emails directly to you or your alternate email address when suspicious activity is detected.

These activities may include notifications of unauthorized access from unusual IP locations or devices, password change notifications, unexpected password reset emails, changes to account information, and unknown devices connected to your email account.

You should always pay attention to these notifications, even if you think it’s not a sign of malicious activity. For example, if you were logged into your email in Germany, then traveled to the US and continue to use your email, your email service will trigger a notification of a new sign-in activity from a different country.

In this example, we see that someone tried to log into my email account from the US and an unknown location, and it wasn’t me.

Email Sign-in activity

Email Sign-in activity

Additionally, if your internal or external colleagues are receiving spam or phishing emails from your account that you did not send, your account is likely compromised.

Note that sometimes an email may appear to be from you, when in fact it was sent from a different email address and merely uses your email addresses as “cover” to make it more likely to slip through defenses.

Check if there are any suspicious emails in the “Sent” folder or if there are any forwarding rules in place to forward emails from your account to a third party’s email address.

Steps to Take If Your Email Security Has Been Compromised

If you are an IT Administrator and you notice in the breach list that some of the emails within your organization are breached, you need to take immediate security measures and inform affected parties.

First and foremost, change the email password and implement (MFA) multi-factor authentication. If you are an end-user and find that you can no longer log in, report the incident to your IT team immediately.

Different security measures to secure your email account

Different security measures to secure your email account

Check your account settings to see if they have been changed. Since many apps are registered to a specific device or you, check the apps and devices associated with your email account. If you notice any unknown devices, block them immediately.

Also, check account activity and see where you have logged in or tried to log in without authorization.

Malicious people could be sending emails to your contact list. You should check your folders for sent, received, and deleted emails. Also make sure that your contact list is informed, as they may have received emails from you that originate from malicious people.

Scan your computer and network for malware and viruses.

Once you have found the root cause and taken the measures mentioned, you should find out what caused it, document it, and strengthen your security measures to prevent it from happening again.

How can you do this? Read the section below on Hornetsecurity.

Strategies for Organizations to Mitigate Simple Email Mistakes

One of the most common email errors is incorrect delivery. That is, when you accidentally send a confidential email with or without attachment to the wrong external email contact.

One of the ways to alert employees when the company sends email notifications is through external email notifications. Microsoft 365, for example, offers you the option of activating external email alerts. If you send an email to an address outside your company, you can see the warning as a precautionary measure.

External Email Warning Message Microsoft 365

External Email Warning Message Microsoft 365

Another example of incorrect delivery is the improper use of CC and BCC email fields. In 2019, representatives from the healthcare organization NHS Highland sent emails to nearly 40 HIV-positive people, publicly exposing them and breaching confidentiality.

What did they do to publicly expose them? They sent an invitation to a support group run by a health clinic, using the CC and not the BCC (Blind Carbon Copy) email field. For the sake of sharing, with CC all recipients are visible to everyone, whereas those who are BCC’ed are not visible to anyone.

Another mistake is not recognizing spam. Spam is an unsolicited advertising message that. Phishing emails on the other hand are malicious emails, either with links to malware or some other dangerous site, or malicious attachments. Users should be trained to recognize these and report them immediately to the IT department.

How can you mitigate these simple email mistakes? By providing continuous security awareness training and challenging users’ actions.

Additionally, use email filtering and security detection to block malware, spam, and phishing attacks before they land in your user’s inboxes.

Reducing the Risk of Email Data Breaches: Best Practices

Security is a shared responsibility. It is the organization’s responsibility to implement security measures and training on security, and it is the end users’ responsibility to follow them.

First and foremost, make sure you have a strong password culture. That means enforcing various password policies within your organization. These policies include password complexity, password length, minimum and maximum password age, password history, password lockout, and others.

For example, the password’s complexity determines which characters should be included in it, while the length determines how long it should be. If you apply these two policies to your email accounts, you can get a password with at least 12 characters, including upper and lower case letters, numbers, and symbols.

As far as password guidelines are concerned, you should never use the same password for multiple accounts. If one is hacked, so can all the others. Also, never use personal information in your password.

Using a strong password is not enough. You should implement MFA (Multi-Factor Authentication). With MFA, you must confirm your identity via SMS, app, or biometric data. If a hacker were to hack your password, they would be unable to successfully log in if they do not have access to your phone. MFA is a must. Not an option.

Hackers use social engineering and phishing to trick you and gain access to your computers. How can you fight them? With solutions like the Hornetsecurity Security Awareness Service, you can also simulate phishing attacks and create sophisticated phishing emails that train users to spot suspicious emails. With this service, you can target everyone from entry-level to C-level.

Phishing attacks will still come after the training. You should implement email security measures that recognize and block phishing attacks in time.

You can find out more about preventive phishing measures in the section Protect your brand with Hornetsecurity: The role of email security.

There are other practices that are a variation of what we mentioned above.

Protect Your Brand with Hornetsecurity: The Role of Email Security

Hornetsecurity offers you a range of tools to strengthen your email security and mitigate email data breaches. These include advanced threat protection, spam and malware protection, and email encryption.

Advanced Threat Protection

Advanced Threat Protection protects your organization from advanced cyber security attacks and threats such as ransomware, phishing, and more. This is very important protection as malicious individuals and groups target organizations with malware such as Emotet, Tribot, GandCrab, and others. The easiest way to send them is via email.

We are trying to make our lives easier by providing everyone with a QR code to download or access a specific website. It’s easier to scan it than to type it in. Isn’t it? Very often hackers put links that direct you to a malicious website to download or simply access a link.

Advanced Threat Protection offers a QR Code Analyzer that analyzes QR codes and checks if they are malicious, in which case the email is blocked accordingly.

QR Analyzer

QR Analyzer

Advanced Threat Protection protects you against blended attacks that are combined into a single email attack. Blended attacks include different types of malware such as viruses, spyware, spam, and phishing.

Hornetsecurity uses various technologies to protect you from email attacks, including sandboxing, freezing, safe links, URL scanning, real-time alerting, and ex-post alerting.

A strong alliance against all methods of attack

A strong alliance against all methods of attack

The sandbox engine scans the attachment in an isolated environment and checks for malicious activity. If the document is malicious, the file is quarantined, and the IT Security team is notified. If a file cannot be classified as malicious, but seems suspicious, Hornetsecurity freezes it for a short period.

Advanced Threat Detection also helps you to scan links before you open them. If you receive attacks such as PDF or Word documents and they contain links, the URL scanning engine can scan them without compromising the integrity of the document.

When an attack occurs, Advanced Threat Protection sends a real-time alert and informs you accordingly. It also supports ex-post alerts to inform you about emails that have already been delivered and are subsequently classified as malicious. It’ll even reach into user’s mailboxes and delete malicious emails that have already been delivered.

Email Security

Hornetsecurity email security offers you a powerful spam filter and protection against malware. According to our research, 50% of the world’s email traffic is spam. Email Security offers the highest detection rate on the market, with 99.9% guaranteed spam and virus detection.

It protects you from DDoS attacks and phishing emails.

It also supports informal filtering, data traffic encryption, link tracking, phishing filters, automatic virus signature updates, outbound filtering, bounce management, dynamic virus outbreak detection, and multi-level spam detection.

In 2023, Hornetsecurity processed in excess of 45 billion emails which provides a unique opportunity to identify emerging threats and critical vulnerabilities, reveal important trends and can make informed projections for the future of Microsoft 365 security threats, enabling businesses to act accordingly. Read more in our Cyber Security Report.

Hornetsecurity spam filtering and malware protection can be integrated into the email management system. Ask about Spam Filtering and Malware Protection now.

Email Encryption

Email encryption enables the encrypted exchange of emails. This is extremely helpful when exchanging sensitive data and attachments. If a hacker intercepts them, they can read them.

It supports all standard encryption technologies including S/MIME, PGP and TLS. It takes minimal effort to manage encryption, user certificates and encryption policies.

Email encryption includes the following features: Testing option for encryption suitability, automatic digital signing & encryption of outgoing emails via S/MIME and PGP, automatic certificate management & key storage, individual setup and definition of encryption policies, personal email certificates, confidential communication via Websafe, and others.

You can read more here Encrypted email – secure email with PGP, S/MIME, TLS Email Encryption.

You can also opt for email compliance and productivity tools for email archiving, signatures and disclaimers, and continuity services.

Security Awareness Service

According to the World Economic Forum, 95% of all cyber security incidents are caused by human error. One of the types of human error is clicking on suspicious links and attachments in phishing emails. Hornetsecurity has developed a solution that simulates realistic phishing emails and is aimed at everyone from entry-level to C-level.

The solution is called Security Awareness Service. It is a fully automated awareness benchmarking, spear phishing simulation, and e-training to raise awareness and protect employees from cyber threats.

It offers an ESI (Employee Security Index) that continuously measures and compares the security behavior of employees throughout the company. Based on the target group in your company and their ESI index, you can develop a customized training course that is tailored to their needs.

Weekly, monthly, or however you like, you can trigger phishing emails and test your employees’ phishing detection skills.

This way your network stays safe.

To properly protect your cyber environment, use Hornetsecurity Advanced Threat Protection to secure your critical data.

We work hard perpetually to give our customers confidence in their Spam & Malware Protection, Email Encryption, and Email Archiving strategies.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.


Email security breaches let malicious individuals or groups access your company data. This happens due to inadequate security measures and a lack of security awareness.

Hackers attack companies through emails by using social engineering and phishing attacks. The idea behind these two attacks is to trick people into opening malicious links and attachments in email in order to gain access to their data. It is one of the most common malicious methods.

Another way for hackers to gain access to emails is if organizations or companies use weak email security. This indicates weak passwords, lack of multi-factor authentication and inadequate email security software.

Security is a shared responsibility between IT teams and employees. IT teams should implement strong email security measures and enforce policies, and employees should follow them.

This article covered email security breaches, how they occur, and what users and organizations can do to prevent them. It also demonstrates the power of Hornetsecurity’s email security solution.


What is an email security breach?

An email security breach occurs when hackers gain unauthorized access to our data and make it publicly available or use it to attack us. This hurts the integrity of our data and the availability of email communication. This happens due to cybersecurity attacks, phishing, and inadequate security measures in companies.

What happens if your email is breached?

If your email is breached, your organization can get into serious problems. Malicious people get access to your data, they can expose them publicly, inject malware and disrupt business operations.

Can I check if my email has been hacked?

If your email has been hacked, the hacker will probably change a password and you will no longer be able to log in. The second scenario is that your email has been compromised, but you can still use it. Email security services can trigger a notification of unauthorized access from a third-party IP or location in this case.

Can I check if my data has been breached?

You can check whether your email, and therefore your data, has been hacked. There are various services that you can find online to check whether your email is in the hacked database.