Gmail users have a surprising choice to make.<\/p>\n
NurPhoto via Getty Images<\/p>\n
Update: Republished on April 10 with a report into a new attack designed to defeat existing security techniques and to deliver high-value outcomes.<\/p>\n
Gmail needs a rethink, as do Outlook, Apple Mail, and other email platforms. The driver for this is AI \u2014 and not in a good way. Symantec<\/a>, Cofense<\/a> and most recently Hoxhunt<\/a> warn that unbeatable AI attacks<\/a> are now inevitable, as the best known large language models (LLMs) design, develop and even execute attacks. But Gmail users also face a more immediate decision, given a critical problem with its most recent updates.<\/p>\n Hoxhunt says \u201cAI agents can now out-phish elite human red teams, at scale,\u201d which means mass customization as spear phishing attacks tailored to a particular victim become the norm. Google, <\/a>Microsoft<\/a> and others say they catch \u201cmore than 99%\u201d of the spam, phishing and malware targeting inboxes. And yet millions of messages still get through before today\u2019s trickle of AI attacks becomes an unstoppable tidal wave.<\/p>\n And it isn\u2019t just AI making email threats more potent and hard to detect, such is the non-stop procession of security and captcha-style verifications, that attackers are now turning these against us, finding ways to exploit this for their own purposes.<\/p>\n ForbesNSA Warning\u2014Check These Settings On Your iPhone NowBy Zak Doffman<\/a><\/p>\n That\u2019s the latest warning from Cofense<\/a>, which has just reported on a novel and crafty new technique that \u201clevels up their credential phishing tactics using Precision-Validated Phishing, a technique that leverages real-time email validation to ensure only high-value targets receive the phishing attempt.\u201d<\/p>\n This is why I\u2019ve argued email needs a fundamental change, not evolutionary add-ons. A change to better replicate the immediacy and brevity of the messaging platforms pulling users away from email, both in and out of the workplace. A change to leverage private and secure on-device filtering and threat defense. And a change with security built in, not added on. Again, as we now expect from other comms platforms.<\/p>\n Email can\u2019t be adjusted to fit, it needs that rethink. And while many of Gmail\u2019s recent innovations are welcomed \u2014 enhanced sender authentication, cloud-based AI filtering, and (in development) shielded addresses, its two most recent updates show the challenge in building on what we have today.<\/p>\n Gmail’s AI relevancy search<\/p>\n Google<\/p>\n This month, Google confirmed it is \u201cmaking end-to-end encrypted emails<\/a> easy to use for all organizations\u201d which use Gmail. This delivers the table stakes security we rely on with voice and video comms and with messaging. But it\u2019s harder with email\u2019s wide open architecture. That\u2019s why this change is coming first to enterprises.<\/p>\n Ars Technica<\/a> and others have qualified the excitement that quickly followed Google\u2019s game-changiung announcement: \u201cGmail unveils end-to-end encrypted messages. Only thing is: It\u2019s not true E2EE.” The reason being that the keys protecting the secure email traffic sit within the client-side infrastructure, not within the actual \u201cend.\u201d<\/p>\n As Ars Technica warns, \u201cthe new feature is of potential value to organizations that must comply with onerous regulations mandating end-to-end encryption. It most definitely isn\u2019t suitable for consumers or anyone who wants sole control over the messages they send. Privacy advocates, take note.\u201d<\/p>\n True end-to-end encryption (E2EE) sits within the client itself, managing key exchange between sender and recipient. The only way to deliver E2EE email is a walled garden such as Proton<\/a>, which relies on manually password protecting emails sent outside.<\/p>\n With Meta\u2019s<\/a> third-party chats and GSMA\u2019s<\/a> RCS E2EE update, we will see (almost) full E2EE between different walled gardens. RCS<\/a> “will be the first large-scale messaging service to support interoperable E2EE between client implementations from different providers.\u201d There is no direct read across to email of course. But it moves the bar.<\/p>\n ForbesSamsung\u2019s Android Update\u2014Millions Of Galaxy Owners Miss DeadlineBy Zak Doffman<\/a><\/p>\n Gmail is secured with Workspace\u2019s Client Side Encryption<\/a> (CSE), which keeps an “organization\u2019s data private with end-to-end encryption that Google servers and third parties can\u2019t decrypt, giving [an] organization greater control over access to its data. CSE is especially beneficial for organizations that store sensitive or regulated data, like IP, healthcare records, or financial data,” not person-to-person comms.<\/p>\n And this brings us to the second innovation. AI-based relevancy search<\/a>. Ten days before Gmail\u2019s quasi E2EE, Google announced<\/a> \u201cGmail is rolling out a smarter search feature powered by AI to show you the most relevant results, faster\u2026 Search results now factor in elements like recency, most-clicked emails and frequent contacts. With this update, emails you\u2019re looking for are far more likely to be at the top of your search results.\u201d<\/p>\n Using this is in itself a decision for users, given it lets AI loose on your data. On which, Google told me “our priority is respecting our users\u2019 privacy while giving them choice and control over their data. To that end, this particular tool is one of the ‘smart features\u2019 that users can control in their personalization settings.\u201d<\/p>\n E2EE and AI search don\u2019t work together, because they\u2019re both wraps around a legacy comms architecture rather than one built for the world we live in today. Google confirmed to me that E2EE messages \u201care completely excluded” from AI search. “We do not have the key to decrypt, so we literally cannot read the message.\u201d<\/p>\n Gmail’s end-to-end encryption<\/p>\n Google<\/p>\n That\u2019s as it should be, but you can see the problem from a user perspective. Two new headline features don\u2019t work together. Email is a fundamentally insecure platform to which we\u2019re adding AI, and that AI comes with new privacy expectations that email can\u2019t deliver. This is why so much enterprise and personal comms has moved from email to messaging. Cue that rethink and the decision you need to make.<\/p>\n And as you make that decision, whether to opt for privacy and security or AI, you now need to keep in mind the changing threat landscape. Per Cofense\u2019s warning, new \u201cprecision-validated phishing\u201d is one such new tactic to watch for. This is designed to frustrate those charged with keeping our inboxes safe from attacks, which is done by studying new techniques, probing at the attack ecosystems themselves, watching how they work and looking for better ways to stop them.<\/p>\n \u201cThe real-time validation process introduces multiple challenges for defenders,\u201d Cofense says. \u201cCybersecurity teams traditionally rely on controlled phishing analysis by submitting fake credentials to observe attacker behavior and infrastructure. With precision-validated phishing, these tactics become ineffective since any unrecognized email is rejected before phishing content is delivered.”<\/p>\n