Definition of Malicious Email and Associated Cyber Security Issues
Malicious email is one of the most common and dangerous attack vectors used by cybercriminals to target individuals and organisations. At CATS, the use of email across staff and student networks presents ongoing risks such as phishing, spoofing, malware delivery, credential theft, and data breaches.
Attackers may disguise emails to look like trusted sources, prompting recipients to click malicious links, download infected attachments, or provide sensitive information. Common threats include invoice scams, credential harvesting portals, ransomware payloads, and impersonation of internal users or executives (CEO fraud).
If a user interacts with a malicious email, it can result in compromised accounts, unauthorised access to CATS systems, data leakage, or widespread malware infections. Because email is widely used across all CATS campuses and roles, it must be treated as a high-priority threat surface.
Incident Response Plan
The CATS incident response process for malicious emails begins with detection. Suspicious emails may be reported by users or flagged by the email security system. Once identified, all copies are quarantined, and threat indicators (e.g. domains, hashes) are extracted for further blocking.
If a user has interacted with a malicious message, their account is immediately investigated. Credentials may be revoked, and access to services like Microsoft 365 is temporarily suspended. Device scans are initiated via endpoint protection tools, and email logs are reviewed for spread.
High-risk incidents are escalated to the CISO and Privacy Officer. If personal data has been compromised, a Notifiable Data Breach (NDB) assessment is triggered. Lessons learned are recorded, and policies or filters may be updated.
Responsibility and Escalation Roles
- ICT Service Centre: First point of contact for email reports; responsible for triage and quarantine coordination.
- Cybersecurity Technician: Leads investigation of affected accounts and scans impacted systems.
- CISO: Assesses severity, authorises containment, and oversees communication or escalation.
- Privacy & Legal Officer: Evaluates privacy impact, determines NDB notification requirements, and liaises with OAIC if necessary.
Recommended Security Technologies
- Email Security Gateway: Filters spam, malware, and phishing emails before delivery.
- Attachment & URL Scanning: Analyses links and documents in real time to detect threats.
- Multi-Factor Authentication (MFA): Mitigates account compromise even if credentials are leaked.
- DMARC/DKIM/SPF: Helps prevent spoofed emails from reaching staff or students.
- Threat Intelligence Integration: Automatically blocks known malicious IPs, URLs, and file hashes.
Cyber Security Training Program
CATS delivers targeted training on email safety through onboarding, annual refreshers, and simulation campaigns. Phishing simulation results are tracked, and users who click are enrolled in follow-up training automatically.
Training focuses on recognising fake sender addresses, avoiding unsafe attachments, and reporting suspicious messages using the built-in “Report Phish” button. Posters, quick-tip cards, and newsletters reinforce safe habits.
Risk Register / Feedback / Threat Categorisation
CATS maintains a dynamic email threat register as part of its overall cyber risk management framework. This register includes categories such as phishing, spoofing, malware distribution, unauthorised email access, and credential harvesting. Each category is mapped to known controls including email gateway filters, MFA policies, and targeted user education.
Threats are classified by source (external actor, compromised internal account), vector (malicious link, attachment, spoofed domain), and impact domain (user accounts, sensitive data, financial fraud). Each incident entry is assigned a risk severity and likelihood rating, which is re-evaluated after incident closure.
Feedback from users is encouraged and integrated into the response pipeline. A “Report Email Threat” function is embedded into all staff email clients. Reports are triaged by the ICT Service Centre and correlated with gateway logs and threat intelligence feeds. Recurrent or unblocked threats are escalated for policy tuning and control adjustment.
To enhance precision, user feedback is categorised into common themes: false positives (ham marked as spam), misidentification of internal sources, and undetected phishing. This input supports adaptive threat modelling and improves training materials and filtering rule accuracy over time.
Strategy Evaluation and Benchmarking
- Simulation Metrics: Regular phishing simulation campaigns measure susceptibility across campuses. Metrics include click rates, report rates, and delayed response times. Users with repeated failures are flagged for tailored retraining.
- Gateway Effectiveness: Weekly reporting tracks gateway performance — including blocked emails, quarantined content, and delivered threats. Any “misses” are manually reviewed and used to generate new detection rules.
- Credential Breach Monitoring: Compromised credentials detected through dark web monitoring or MFA failures are logged and linked to past email threats for impact analysis.
- External Benchmarking: CATS compares its email defence maturity to peer educational organisations using ACSC benchmarks and Essential Eight indicators — particularly around MFA enforcement, patching, and awareness maturity.
- Audits and Reviews: Internal email threat response processes are audited annually. In addition, third-party audits are conducted bi-annually to ensure adherence to the Information Security Manual (ISM) and Notifiable Data Breach (NDB) obligations.
Key performance indicators (KPIs) tracked over time include the ratio of blocked vs delivered threats, average time to detect and quarantine phishing emails, and the percentage of users completing simulation remediation training. This data is visualised in internal dashboards used by the CISO team and ICT managers for ongoing benchmarking.
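The simulation and gateway metrics above, computed from constructed sample records (an added example, not CATS' own tooling or dashboard code; the record fields, verdict values, user names and campus labels are assumptions):

```python
# Added example, not CATS' own tooling: compute the KPIs named above from constructed records (field names assumed).
from collections import Counter, defaultdict
from datetime import datetime

def _minutes(start, end):
    """Elapsed minutes between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60

def gateway_kpis(threats):
    """For confirmed-malicious messages: stopped-vs-delivered ratio, number of
    delivered threats (the 'misses'), and mean minutes from receipt to quarantine."""
    stopped = sum(1 for t in threats if t["verdict"] in ("blocked", "quarantined"))
    delivered = sum(1 for t in threats if t["verdict"] == "delivered")
    times = [_minutes(t["received"], t["quarantined"]) for t in threats if t["quarantined"]]
    return {"stopped_vs_delivered": stopped / delivered if delivered else float("inf"),
            "delivered_threats": delivered,
            "mean_minutes_to_quarantine": sum(times) / len(times) if times else None}

def simulation_kpis(events, repeat_threshold=2):
    """Per-campus click/report rates, users flagged for tailored retraining (clicked
    in >= repeat_threshold campaigns) and % of clickers who completed remediation."""
    per_campus, clicks = defaultdict(Counter), Counter()
    for e in events:
        per_campus[e["campus"]][e["action"]] += 1
        if e["action"] == "clicked":
            clicks[e["user"]] += 1
    rates = {c: {"click_rate": n["clicked"] / sum(n.values()),
                 "report_rate": n["reported"] / sum(n.values())} for c, n in per_campus.items()}
    flagged = sorted(u for u, n in clicks.items() if n >= repeat_threshold)
    remediated = {e["user"] for e in events if e["action"] == "clicked" and e.get("remediated")}
    pct = 100 * len(remediated) / len(clicks) if clicks else 100.0
    return {"rates": rates, "retraining": flagged, "remediation_pct": pct}

# Constructed sample data: four confirmed threats (m3 reached a mailbox and was
# quarantined only after a user report) and two simulation campaigns.
THREATS = [
    {"id": "m1", "verdict": "blocked", "received": "2024-05-01T09:00:00", "quarantined": None},
    {"id": "m2", "verdict": "quarantined", "received": "2024-05-01T09:05:00", "quarantined": "2024-05-01T09:08:00"},
    {"id": "m3", "verdict": "delivered", "received": "2024-05-01T10:00:00", "quarantined": "2024-05-01T10:45:00"},
    {"id": "m4", "verdict": "blocked", "received": "2024-05-01T11:00:00", "quarantined": None},
]
SIM_EVENTS = [
    {"user": "alice", "campus": "campus-A", "campaign": "Q1", "action": "clicked", "remediated": True},
    {"user": "alice", "campus": "campus-A", "campaign": "Q2", "action": "clicked", "remediated": False},
    {"user": "bob", "campus": "campus-A", "campaign": "Q1", "action": "reported"},
    {"user": "bob", "campus": "campus-A", "campaign": "Q2", "action": "reported"},
    {"user": "carol", "campus": "campus-B", "campaign": "Q1", "action": "clicked", "remediated": False},
    {"user": "carol", "campus": "campus-B", "campaign": "Q2", "action": "ignored"},
]
```

Calling `gateway_kpis(THREATS)` and `simulation_kpis(SIM_EVENTS)` yields the dashboard figures; in the sample, alice is flagged for retraining because she clicked in both campaigns.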
Update Mechanism
The email strategy is reviewed quarterly by the CISO in consultation with cybersecurity, privacy, and ICT stakeholders. Updates may be triggered by internal events (e.g. simulation failures), external threat intelligence (e.g. ACSC alerts or CERT-AU advisories), or changes to compliance obligations such as APP 11 and the Notifiable Data Breach (NDB) scheme.
Update procedures include version-controlled policy documentation, documented rationale for changes, and automated push alerts to affected users. Major changes (e.g. a new link scanning policy or DMARC enforcement shift) are announced via internal email bulletins and highlighted in mandatory training recaps.
Changes to email filtering rules (e.g. new attachment types or spoof detection logic) are tested in a staging environment and pushed to production after validation. Logs from email gateways and user feedback are reviewed weekly for emerging false positive patterns or new bypass tactics. This ensures policy updates remain accurate and minimally disruptive.
Where necessary, updates are accompanied by updated documentation in the Cybersecurity Governance Repository and signed change control records. This ensures traceability, audit readiness, and alignment with CATS' overall ICT security lifecycle.