What is Email Filtering?
Email Filtering is the process of inspecting, analysing and filtering inbound and outbound email to block malware, phishing, spam or unwanted content before it reaches users or systems.
In OT environments, email filtering helps prevent attacks on supporting systems such as Engineering Stations, Historians, maintenance laptops and back-office interfaces.
Why is email filtering important in OT?
Although direct OT systems (such as PLCs and SCADA) typically do not use email, supporting systems are exposed:
| Email-based target | Impact in an OT context |
|---|---|
| Engineering laptops | Installation of malware, RATs, keyloggers |
| Management portals or web HMIs | Credential harvesting for Remote Access |
| Maintenance staff | Social engineering about firmware updates or system access |
| Suppliers or supply-chain partners | Supply-chain compromise via infected attachments |
Types of filtering
| Filtering type | What it does |
|---|---|
| Spam Filtering | Blocks bulk email or advertising without relevant content |
| Phishing Detection | Recognises emails attempting to steal credentials |
| Malware Filtering | Scans attachments and links for viruses, ransomware or trojans |
| URL Filtering | Blocks emails with links to suspicious or malicious websites |
| Attachment Control | Restricts attachments to permitted file types (blocking, for example, .exe, .js, .bat) |
| Content Filtering | Recognises suspicious words, scripts or behavioural patterns in email |
Protection measures & best practices
| Measure | Explanation |
|---|---|
| MFA for email accounts | Reduces the impact of stolen credentials |
| Allow only trusted attachments | Block .zip, .docm, .exe by default |
| Threat Intelligence integration | Recognises known attack patterns or IOCs |
| Attachment sandboxing | Analysis in an isolated environment before delivery |
| Outbound filtering | Prevents infected systems from spreading spam or malware |
| Security Awareness training | Operators learn to recognise phishing attempts |
| Quarantine & incident response process | Handle suspicious email safely via the Incident Response Plan |
Common email-based attack techniques
| Technique | Description |
|---|---|
| Spear phishing | Targeted email to an OT engineer about a SCADA patch |
| Supply chain impersonation | Fake email pretending to be from a supplier, with "firmware-update.zip" attached |
| Malicious macros | Office file triggers a script that scans OT maps |
| Drive-by download | Link leads to a tool download with a hidden RAT |
| Spoofed domains | Email appears to come from support@automation-vendor.com, but is fake |
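The attachment-control and trusted-attachment measures above, together with the spoofed-domain and supply-chain impersonation techniques, can be demonstrated as a single gateway policy check. The following Python is an added example, not code from this page or from any gateway product: it parses a raw message with the standard library, blocks the default-denied extensions named in the tables (.exe, .js, .bat, .zip, .docm), flags double extensions, and treats the sender domain with suspicion when it is a lookalike of a trusted supplier domain or when it claims a trusted domain without a DMARC pass in the upstream Authentication-Results header. The trusted domain list, the allowlist of extensions and the sample messages are constructed for illustration.

```python
"""Illustrative inbound email policy check for an OT mail gateway (added example)."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

# Extensions denied by default, taken from the page's tables.
BLOCKED_EXTENSIONS = {".exe", ".js", ".bat", ".zip", ".docm"}
# Assumed: the only attachment types the OT team explicitly allows through.
ALLOWED_EXTENSIONS = {".pdf", ".txt", ".csv"}
# Assumed: suppliers whose domain is trusted when the message authenticates.
TRUSTED_VENDOR_DOMAINS = {"automation-vendor.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (one or two edits away)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def attachment_verdicts(msg: EmailMessage) -> List[Tuple[str, str]]:
    """Return (filename, reason) for every attachment that violates the policy."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        suffixes = ["." + s for s in name.lower().split(".")[1:]]
        if not suffixes:
            findings.append((name, "no extension"))
            continue
        last = suffixes[-1]
        if last in BLOCKED_EXTENSIONS:
            findings.append((name, f"blocked extension {last}"))
        elif last not in ALLOWED_EXTENSIONS:
            findings.append((name, f"extension {last} not on allowlist"))
        # "report.exe.pdf": a denied type hidden behind an innocuous final suffix.
        if any(s in BLOCKED_EXTENSIONS for s in suffixes[:-1]):
            findings.append((name, "double extension hides a blocked type"))
    return findings


def sender_verdict(msg: EmailMessage) -> Optional[str]:
    """Flag spoofed or lookalike supplier domains; None means no sender finding."""
    _display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "missing sender domain"
    if domain in TRUSTED_VENDOR_DOMAINS:
        # The From header alone proves nothing: require the upstream MTA's
        # Authentication-Results (RFC 8601) to carry a DMARC pass.
        auth = str(msg.get("Authentication-Results", "")).lower()
        if "dmarc=pass" not in auth:
            return f"claims trusted domain {domain} but DMARC did not pass"
        return None
    for trusted in TRUSTED_VENDOR_DOMAINS:
        vendor_label = trusted.split(".")[0]
        if vendor_label in domain or edit_distance(domain, trusted) <= 2:
            return f"lookalike of trusted domain {trusted}: {domain}"
    return None


def evaluate(raw: bytes) -> Dict[str, object]:
    """Parse a raw RFC 5322 message and decide whether to deliver or quarantine it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = [f"attachment {n}: {r}" for n, r in attachment_verdicts(msg)]
    sender = sender_verdict(msg)
    if sender:
        findings.append(sender)
    return {"action": "quarantine" if findings else "deliver", "findings": findings}


def build_sample(from_hdr: str, filename: str, auth: Optional[str] = None) -> bytes:
    """Construct a sample message (constructed test data, not a captured email)."""
    msg = EmailMessage()
    msg["From"] = from_hdr
    msg["To"] = "engineer@plant.example"
    msg["Subject"] = "Firmware update"
    if auth:
        msg["Authentication-Results"] = auth
    msg.set_content("Please apply the attached update before the next shift.")
    msg.add_attachment(b"\x00placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # Lookalike supplier domain plus a .zip attachment: quarantined.
    print(evaluate(build_sample("Vendor Support <support@automation-vendor.co>",
                                "firmware-update.zip")))
    # Genuine supplier with DMARC pass and an allowed attachment: delivered.
    print(evaluate(build_sample("support@automation-vendor.com", "release-notes.pdf",
                                auth="mx.plant.example; dmarc=pass header.from=automation-vendor.com")))
```

The design point is that the exact-match trusted list is only safe when combined with the authentication result: a forged From header that copies support@automation-vendor.com character for character will never be caught by string comparison, which is why the trusted branch demands a DMARC pass and everything else falls through to the lookalike heuristic.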
In summary
Email Filtering is essential for protecting supporting OT interfaces such as engineering stations, supplier systems and Remote Access platforms. It is a critical first line of defence against APTs, supply chain risks and human error.
