We are excited to announce that we will be presenting our research, “Harnessing Language Models for the Detection of Evasive Malicious Email Attachments,” at the prestigious peer reviewed AVAR 2024 and Black Hat MEA 2024 conferences.
In our presentation, “Harnessing Language Models for the Detection of Evasive Malicious Email Attachments,” we’ll dive into the technical aspects of Neural Analysis and Correlation Engine (NACE). By using generative and predictive AI, NACE detects malicious attachments and URLs before they can deliver a malicious payload—without needing to analyze every stage of the attack.
NACE employs a layered approach, leveraging multiple advanced generative AI models such as Meta’s Llamar3 (utilizing transformer-based architecture), CLIP (Contrastive Language-Image Pre-Training), etc.. to derive deeper semantic and thematic structures embedded within an email’s body, attachment text, images, and headers. This understanding of semantics and thematic elements forms the core feature set for detecting malicious attachments, URLs, and identity-based attacks which includes phishing, ransomware, password stealer, downloaders, droppers, etc… at the initial access stage.
In addition to sharing the technical details of NACE, we will also provide insights into the AI framework used to derive these semantics.
We will conclude with the detailed results of our technology, benchmarked against the detection of evasive threats from VirusTotal. A quick overview of the benchmark: We utilized all email samples from 2024 available on VirusTotal for our benchmarking analysis. These emails contained evasive threats such as HTML smuggling, phishing, archive downloaders, PDF downloaders in their attachments. HTML smuggling [1] and downloaders are extensively used as the first stage of multi-stage attacks to deliver ransomware, password stealers, phishing pages etc…
Approximately 51.8% of HTML smuggling samples detected by NACE were flagged by fewer than 5 AV vendors in VirusTotal, highlighting a significant false negatives by existing technologies.
Similarly, 53% of PDF downloaders and 26% of phishing samples detected by NACE were also flagged by fewer than 5 AV vendors, underscoring a critical shortfall in detection coverage.
These results highlight NACE’s ability to detect evasive threats more effectively than existing technologies. By leveraging advanced language models and AI-driven detection methods, NACE offers a powerful approach to stopping malicious email attachments and URLs at the initial access stage.
Join us at the AVAR 2024 and BlackHat MEA 2024 where we look forward to sharing our research.
References
[1] HTML Smuggling Leads to domain wide ransomware,
https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/