Live: Auto Remediation with Computer Vision in Vade for M365
Natalie Petitto
September 16, 2021
Computer Vision is now plugged into Auto-Remediate in Vade for M365. Auto-Remediate with Computer Vision is live for all Vade for M365 users and requires no action or configuration updates on the part of admins.
Background on Computer Vision in Vade solutions
Vade first introduced Computer Vision to our filter engine in 2019 to identify emails that use images to bypass traditional text parsing and analysis. The Computer Vision engine continually scans images in email to identify malicious emails that leverage the following techniques:
- Image manipulation: Images are slightly altered, making them unrecognizable to security solutions that use fingerprints, but still identifiable by the targeted victim. Examples of alteration techniques include noise, pixelization, translation, cropping, or changes in image properties (contrast, brightness, hue).
- Text-based images: To bypass traditional text parsing and analysis, images contain text that needs to be extracted with OCR (Optical Character Recognition).
- Remotely hosted images: Images are often hosted remotely to evade real-time detection. Because fetching an image hosted online takes some time, remote hosting adds difficulty for security solutions. Images are frequently hosted on high-reputation domains such as googleapis.com and github.com to avoid domain blocking and takedown.
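The image manipulation item above can be illustrated from the defender's side. This is an added example, not Vade's code: it compares a byte-exact fingerprint with a simple average hash, a stand-in that is not the Deep Learning approach described on this page. The images, function names and the `max_distance` threshold are constructed assumptions.

```python
import hashlib
import random

SIZE, GRID = 32, 8  # constructed 32x32 grayscale images, hashed on an 8x8 grid

def rect_image(rects, background=40):
    """Build a constructed sample image from (x0, x1, y0, y1, value) rectangles."""
    img = [[background] * SIZE for _ in range(SIZE)]
    for x0, x1, y0, y1, value in rects:
        for y in range(y0, y1):
            for x in range(x0, x1):
                img[y][x] = value
    return img

LOGO = rect_image([(4, 28, 6, 20, 200), (8, 24, 24, 28, 120)])  # stand-in "brand logo"
OTHER = rect_image([(0, 16, 0, 32, 200)])                       # unrelated image

def alter(img, brightness=12, noise=6, seed=1):
    """Apply two alterations from the list above: brightness shift plus noise."""
    rng = random.Random(seed)
    return [[max(0, min(255, p + brightness + rng.randint(-noise, noise)))
             for p in row] for row in img]

def exact_fingerprint(img):
    """Byte-exact fingerprint: any pixel change produces a different digest."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()

def average_hash(img):
    """Perceptual hash: one bit per block, set when the block is brighter than average."""
    step = SIZE // GRID
    means = [sum(img[y][x] for y in range(by, by + step) for x in range(bx, bx + step)) / step**2
             for by in range(0, SIZE, step) for bx in range(0, SIZE, step)]
    avg = sum(means) / len(means)
    return [int(m > avg) for m in means]

def compare(known, candidate, max_distance=5):
    """Return (exact match?, Hamming distance, perceptual match?)."""
    dist = sum(a != b for a, b in zip(average_hash(known), average_hash(candidate)))
    exact = exact_fingerprint(known) == exact_fingerprint(candidate)
    return exact, dist, dist <= max_distance

if __name__ == "__main__":
    print("altered logo :", compare(LOGO, alter(LOGO)))
    print("unrelated    :", compare(LOGO, OTHER))
```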
Auto-Remediate meets Computer Vision
Auto-Remediate is an automated incident response feature of Vade for M365 that automatically removes malicious emails post-delivery. Auto-Remediate continually learns from threat intelligence collected from the 1 billion mailboxes protected by the Vade Filter Engine. Emails that are classified as Legitimate upon delivery and later discovered to be malicious are automatically removed from Microsoft 365 mailboxes by Auto-Remediate, with no action on the part of IT admins.
Auto-Remediate now takes into consideration images blocked by the Computer Vision engine and will remove any email featuring a malicious image from user inboxes. Below is an example of image-based phishing detected by the Computer Vision engine. Using OCR, the engine extracts the textual content from the image to perform the analysis, recognizing flag words, including the brand name, as highlighted on the image:
Below is another example of image-based phishing. Like the example above, Computer Vision extracts the relevant textual elements from the image.
Behind the Computer Vision engine
The Computer Vision Engine features a number of technologies that work together to detect malicious emails. Logo Detection features Deep Learning algorithms designed to detect brand logos. As Logo Detection is based on Deep Learning models, it is resilient to image manipulation—down to the slightest change in color or geometry. Vade’s Logo Detection detects 60 brand logos, including PayPal, Facebook, Microsoft, and Bank of America.
RIANA (Remote Image ANAlysis) was developed by Vade to analyze remote images. RIANA extracts textual content from images with OCR and then analyzes the text with many NLP models available in multiple languages.
ELSA (EmaiL Screenshot Analysis) extracts emails with suspicious characteristics, renders those emails into screenshots, and compares the screenshots with graphical renderings of known suspicious emails.
Auto-Remediate now taps into the intelligence of the Computer Vision engine and actively monitors inboxes for emails containing images identified as malicious. To learn more about how Vade combines Computer Vision and incident response to protect Microsoft 365 users, request a demo of Vade for M365.