How AI-powered Secure Email Gateways Fight Back vs. AI-armed Bad Actors

As bad actors use artificial intelligence to step up their phishing game, mounting an effective defense means using a secure email gateway that likewise employs AI to detect even the most cleverly crafted phishing emails and the fraudulent websites to which the emails attempt to direct recipients.
The concern is not just with generative AI (GenAI) tools like ChatGPT, which has some (rather limited) guardrails to prevent nefarious use. Other large language models (LLMs) have emerged with no such constraints, including two currently advertised on underground hacker forums: WormGPT and FraudGPT.
As detailed in the recent Trustwave Threat Landscape Report covering the technology industry, attackers can use these tools to create phishing and business email compromise (BEC) emails that no longer have tell-tale language and grammatical errors, making the emails significantly more effective. In some cases, entire messages appear likely to be AI-generated.
So, to be effective, a secure email gateway must be able to detect other signs of potential threats, including in the URLs and HTML content of the web pages to which phishing emails often seek to direct users. That's where AI can come into play.
Trustwave MailMarshal, for example, uses PageML, a Trustwave-developed URL scanning system that combines machine learning (ML), deep learning, and human-made heuristic rule elements.
When a user receives an email that references a URL, MailMarshal rewrites the URL. If the user clicks on it, then before the corresponding web page is allowed to load, the URL is fed into PageML, part of the MailMarshal Blended Threat Module, which examines it to determine whether the URL is legitimate. PageML is an ML system trained to recognize hundreds of attributes that indicate a suspicious URL, such as excessive length, an out-of-place backslash, distinctive HTML content, and many more.
The result is a number that indicates a level of confidence as to whether the URL is legitimate – and whether to warn the user not to proceed.
Because PageML is a machine learning system, its performance improves over time as it sees more legitimate and suspicious URLs.
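The click-time flow described above (rewrite the link, then score the original URL before the page loads) can be sketched as follows. This is an added example, not PageML or any Trustwave code: the gateway host, the hand-set weights, the threshold, and the features other than length and backslash are assumptions chosen for illustration.

```python
import math
import re
from urllib.parse import urlsplit, quote, parse_qs

GATEWAY = "https://gateway.example/check"  # hypothetical click-time endpoint
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed, hand-set weights; a real system learns these from labelled URLs.
WEIGHTS = {"long": 1.5, "backslash": 2.5, "userinfo": 2.0,
           "ip_host": 2.0, "deep_host": 1.0}
BIAS = -3.0

def rewrite_links(body: str) -> str:
    """Replace each URL in a message body with a gateway link wrapping the original."""
    return URL_RE.sub(lambda m: f"{GATEWAY}?u={quote(m.group(0), safe='')}", body)

def extract_features(url: str) -> dict:
    """Lexical attributes of the URL string; no network access is needed."""
    parts = urlsplit(url.replace("\\", "/"))  # browsers treat "\" like "/"
    host = parts.hostname or ""
    return {
        "long": len(url) > 100,                 # excessive length
        "backslash": "\\" in url,               # out-of-place backslash
        "userinfo": "@" in parts.netloc,        # assumption: user@host form
        "ip_host": bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host)),  # assumption
        "deep_host": host.count(".") >= 4,      # assumption: many subdomain labels
    }

def score(url: str) -> float:
    """Logistic score in (0, 1); higher means more suspicious."""
    feats = extract_features(url)
    z = BIAS + sum(WEIGHTS[name] for name, on in feats.items() if on)
    return 1 / (1 + math.exp(-z))

def click_time_verdict(rewritten: str, threshold: float = 0.5) -> str:
    """Run when the user clicks: recover the original URL and decide before loading."""
    original = parse_qs(urlsplit(rewritten).query)["u"][0]
    return "warn" if score(original) >= threshold else "allow"

if __name__ == "__main__":
    # Constructed sample message; 192.0.2.7 is a documentation-range address.
    mail = "Please review http://192.0.2.7/secure\\login/update today"
    link = URL_RE.search(rewrite_links(mail)).group(0)
    print(link, "->", click_time_verdict(link))
```

Because the verdict is computed at click time rather than at delivery, the same rewritten link can be re-scored if the model or its weights change after the message has reached the inbox.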
Trustwave runs PageML at VirusTotal, an online URL and file scanner. Examining threats tracked by VirusTotal shows the AI-powered approach to email security delivers where it matters most: detecting threats.
As the chart below details, PageML has identified some 14.5 million unique, previously unidentified URL-based threats over the last six months of 2024. By unique, we mean URLs that only Trustwave and no other vendor identified as a threat. That number is 4X more than our closest competitor—setting a new standard for identifying and neutralizing sophisticated attacks before they reach your users.
During this time, PageML has detected over 100 million URL-based threats, one of the highest daily detection counts in VirusTotal. All of these findings are identified, neutralized, and fed back into MailMarshal to continuously improve the protection of our clients' environments.
Over the last six months of 2024, PageML identified some 14.5 million threats in VirusTotal that no other vendor found. Overall, about 12% of threat detections were unique to Trustwave and PageML.
PageML is helping MailMarshal build on its 25-year track record of success, including its 99.99% malware and exploit capture rate and, most importantly, the fact that no clients have reported ransomware infections or major incidents. None.
Learn more about what goes into an effective email security gateway and how MailMarshal can help protect your organization from email-borne threats, even those powered by AI.
Copyright © 2025 Trustwave Holdings, Inc. All rights reserved.