Advanced Threat Defense Expands Threat Vector Coverage to Email Attachments

By on Jul 25, 2017

This blog was written by Anne Aarness.

Email remains the most heavily exploited attack vector. Two email-borne threats, business email compromise (BEC) and ransomware, have gained ground rapidly of late and deserve everyone's attention.

BEC is a sophisticated newer form of phishing that combines social engineering with theft of email account credentials.

Ransomware is another insidious email-borne threat that has ramped up in a big way. According to Verizon, it is now the fifth most common type of malware. A ransomware attack typically begins with an email and buries the malware in an attachment, or in a file nested inside an attachment such as an archive (often a Microsoft Word document carrying macros, or a JavaScript file), that may appear clean to antivirus solutions.

If malicious attachments used in ransomware and BEC campaigns can escape detection by traditional security tools, what is the answer? In-depth analysis with McAfee Advanced Threat Defense.

McAfee Advanced Threat Defense now extends its detection and analysis capabilities to email attachments. With minimal configuration and single-click activation, the McAfee Advanced Threat Defense Email Connector works with third-party secure email gateway solutions via an embedded message transfer agent (MTA). McAfee Advanced Threat Defense receives a message, analyzes the attached file, records its verdict in an X-header on the message, and then sends the email back to the secure email gateway, which applies policy-based actions.

Here’s how McAfee Advanced Threat Defense enhances detection and conviction of attachments in BEC and ransomware emails:

  • The secure email gateway receives an email with a suspicious attachment that its own inspection engine cannot fully convict, so it forwards the message to McAfee Advanced Threat Defense for further analysis.
  • McAfee Advanced Threat Defense communicates directly with the secure email gateway via SMTP to accept the message and begins scanning the email attachments.
  • Through dynamic analysis, the attached file is executed within the McAfee Advanced Threat Defense sandbox environment, and its actions are recorded and evaluated.
  • In parallel, McAfee Advanced Threat Defense uses static code analysis to unpack the file, examine its instruction sequences to determine intended behavior, and compare them against those of known malware families. Because malicious code is often reused with slight modifications to create new variants, this analysis engine is especially effective.
  • In a final analysis step, McAfee Advanced Threat Defense checks specifically for malicious indicators identified through machine learning or a deep neural network.
  • The file's reputation score is determined at this stage, and the severity level of the message is written into an X-header for relay back to the originating secure email gateway IP.
  • McAfee Advanced Threat Defense then sends the message back to the secure email gateway via SMTP, where the X-header is read for the "verdict" that now accompanies the message. The secure email gateway acts on this information by delivering the message to the intended recipient (if the attachment is judged clean) or by enforcing user-defined policies to handle the message according to the organization's requirements.

Interested in learning more about McAfee Advanced Threat Defense 4.0? Visit:

Categories: McAfee Enterprise