Video not loading? Watch on the original ThreeShield page →

How This Attack Evolved

Attackers continuously adapt to security controls:

  1. Encrypted ZIP with password in same email - bypassed antivirus; now widely recognized
  2. Compromised SharePoint/Dropbox/Google Drive - exploited trusted cloud platforms; about 75% of managers fell for it in ThreeShield simulations
  3. Encrypted email services (current) - links to phishing sites or ransomware sent through ProtonMail, Virtru, and similar services. Content is encrypted and cannot be inspected by gateway security tools

Why Regulatory Requirements Made This Worse

Privacy laws (PIPA in Alberta and BC, PIPEDA federally, GDPR in Europe, health information standards) have driven legitimate adoption of encrypted email services. This created large volumes of legitimate encrypted email traffic - making attacker emails blend in. Users have been told to expect and trust encrypted emails from their healthcare providers, financial institutions, and employers. Attackers exploit exactly this trained trust.

How to Protect Your Organization

  • Treat all encrypted email links with heightened suspicion, especially unexpected ones
  • Verify with the sender via phone, SMS, or chat before clicking any link in an encrypted message - even from known contacts
  • Hover over links to check the actual destination URL before clicking
  • Enable Microsoft Defender for Office 365 Safe Links to scan link destinations at click-time
  • Train staff specifically on this technique - most have never heard of it

ThreeShield's managed clients had controls preventing this attack entirely: location-based access restrictions, trusted device requirements, MFA, and active monitoring that would detect an account compromise before it could be used to send malicious encrypted email.