Security Bite: Why your inbox is still so bad at blocking malware and spam

Arin Waichulis | Jun 2 2024 - 8:24 am PT

Many people are not aware that there’s a clever buffer that exists before emails land in an inbox. It’s here that each piece of mail is scanned, ideally blocking anything malicious before it arrives. However, over the years, email providers (mainly Gmail) have instead put more focus on adding “warning labels” to mail containing links or attachments they suspect are up to no good. Akin to putting lipstick on a pig. Despite these efforts, a stagering 91% of all cyberattacks still originate from an inbox.

If you think Google, Apple, and Microsoft could be doing more, you’re right. So, why haven’t they?

9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.

First, let’s look at how bad things currently are.

In a previous edition of 9to5Mac Security Bite, I discussed a recent study by web browser security startup SquareX that revealed just how little companies are doing to block malicious attachments and protect users.

The team of researchers took several different types of malware samples, attached them to emails, and sent them through Proton Mail to addresses on iCloud Mail, Gmail, Outlook, Yahoo! Mail, and AOL, part of the Yahoo! group. Notably, if the emails were delivered successfully to the users, they might be vulnerable to any potential threat contained within those attachments.

The table below summarizes the results of sending 7 of the 100 malicious samples to the various email providers, indicating whether the malicious attachment was delivered. “If an email was undelivered, it is a sign that malware was detected when the email was being processed by the server,” according to the study from SquareX.

Table showing what malware samples passed which email provider’s scanners and were delivered successfully.
Image: SquareX

The dilemma

Investing in robust email security features may seem like the obvious critical part of protecting users. However, Ian Thornton-Trump, CISO with threat intelligence solutions firm Cyjax, told Forbes, “this is akin to asking the free Wi-Fi at a Starbucks why are they not blocking more or all cyber attacks.” He further explained that it’s tough to balance free and secure in the same sentence.

Thornton-Trump argues that adding advanced email security features “can be deeply problematic with false positives, which may involve the use of technical support resources to help or fix—that expense across millions of users on a free platform may be commercially untenable.”

Moreover, others argue that email providers are dragging their feet on something that could cost substantial resources and impact their bottom line. With the upcoming release of iOS 18, macOS 15, and others next week, I’m interested to see if Apple will integrate any AI security features into the Mail app that could analyze attachments and URLs in emails in real time, among other various things.

I’m curious to hear your thoughts. Please tell me you are not still using that AOL email account from grade school…

About Security Bite: Security Bite is a weekly security-focused column on 9to5Mac. Every week, Arin Waichulis delivers insights on data privacy, uncovers vulnerabilities, or sheds light on emerging threats within Apple’s vast ecosystem of over 2 billion active devices to help you still safe.