In the following article, we will review the solution and the methods that we can use for dealing with the threat of – Phishing mail attacks and his derivative Spoof mail attack.
Article table of content | Click to expand
Dealing with Spoof and Phishing mail attacks | Article Series
- Dealing with a Spoof mail attack and Phishing mail attacks | a little story with a sad end | Part 1#9
- What are the possible damages of Phishing and spoofing mail attacks? | Part 2#9
- What is so special about Spoof mail attack? |Part 3#9
- What is the meaning of mail Phishing attack in simple words? | Part 4#9
- Why our mail system is exposed to Spoof and Phishing mail attacks |Part 5#9
- Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9
- The questions that we will need to answer before we start the project of – building a defense system that will protect us from Spoof mail attacks | Part 7#9
- Using sender verification for identifying Spoof mail | SPF, DKIM, DMARC, Exchange and Exchange Online |Part 8#9
- How does sender verification work? (How we identify Spoof mail) | The five hero’s SPF, DKIM DMARC, Exchange and Exchange Online protection | Part 9#9
What are the Ingredients that needed for successfully dealing with the threat of attacks and Phishing and spoofing mail attacks?
To be able to succeed in this task, we will need to acknowledge the simple truth about our enemies – they are professionals, that are familiar with every blind spot and weakness that we have, and they will use it because they are highly motivated.
Modern spoof mail attack and phishing mail attacks are very sophisticated attacks, that consist of a couple of “parts,” and exploit the weakness of our mail infrastructures and the weakness of our users (the human factor that exploited by that attacked that uses the social enginery method).
In a scenario where a political candidate declares that – he has the solutions to all the existing problems, and he can solve all the problems in a short time, do not believe him!
The same logic goes relating to the subject of protecting our organization from spoof mail attacks and Phishing mail attacks. There is no such thing as a “single solution” that will deal with this sophisticated attack or a solution that will identify and block 100% of these attacks.
The “solution” that we are looking for, realized as a combination of solutions or, a “logic fan of solutions” that will deal with each of the different parts of the Phishing mail attacks and its derivative Spoof mail attack.
The first and the most important step is – the need for “acknowledgment.”
- The acknowledgment of the fact that – Spoof mail attack and Phishing mail attacks are sophisticated and include many “moving parts.”
- The acknowledgment of the fact that – we must learn to think like the attacker, and understand the DNA and the characters of Spoof mail attack and Phishing mail attacks.
- The acknowledgment that – the “solution” will be a combination of technical solutions, guidelines, educations and so on.
Before we get into the specific details, and the different options that we can use for dealing with Spoof mail attacks and Phishing mail attacks, just a quick reference to the “structure” that we need to use:
The phishing mail attack is exploiting the weakness of human factor by:
- Using a spoofed identity of a trusted sender
- Using a social engineering method for convincing and seduce the victim (our users) to “do something.”
The first thing that we will need to deal with is – the phenomenon of “Spoof E-mail.”
Luckily, at the current time, there are a couple of mail standard that we can use for implementing and enforcing a process, in which we will be able to identify most of the Spoof E-mail scenarios.
The second thing that we will need to deal with is – our user’s education. Allow our users to be aware of the risks and characteristics of Phishing mail attack, so they will have the ability to recognize Phishing mail.
The third thing that we will need to deal with is – the “way” or the method in which the Phishing mail attack actualized.
The “channels” which are used by the attacked the executable Phishing mail attacks to attack his victims are
- Using a malware file – seduce the victim to open seemingly innocent file (malware).
- Using a Phishing website – lure the victim to download + open seemingly innocent file (malware), provide personal information (password, bank account, etc.) or deposit a sum of money to the bank account of the attacker.
To be able to mitigate these risks, we will need to find a protection mechanism; that could identify and block the specific malware and also, find a protection mechanism that could identify and block the “problematic URL’s” (links that lead our users to Phishing websites).
Dealing with a Spoof mail attack and Phishing mail attacks effectively
As we know, there is no “single solution” that could help us to deal with the challenge of Phishing mail attacks and his derivative Spoof mail attack.
Instead, the solution can be described as a “collection” or, a combination of different solutions and methods that will need to implemented.
A- Dealing with the part of “Spoof mail attack”
As we know, the Spoof mail attack is one of the main characters of Phishing mail attack.
For this reason, we need to implement a solution in which our mail infrastructure will use a mechanism of a sender verification process.
Each time that a sender addresses our mail infrastructure, our mail infrastructure will implement a verification check, so we will be able to be sure that the sender is really who he claims to be.
In other words, using a protection mechanism, that will identify (and block) E-mail message that has a spoofed sender identity. A scenario in which hostile element prettied to be one of our legitimate users or legitimate sender from another organization.
The good news is that at the current time, there are a couple of mail security standard that created for the purpose of verifying sender identity such as – SPF, DKIM, and DMARC.
Note – we will review the main characters of this sender verification solutions in the article – Using sender verification for identifying Spoof mail | SPF, DKIM, DMARC, Exchange and Exchange Online |Part 8#9
Note – if you want to read more information about the implementation of DKIM in Office 365 based environment you can read the article – Outbound DKIM signing and DNS infrastructure | Building the required DNS records for Office 365 | Part 4#5
In addition, in case that your mail infrastructure is based on Exchange architecture, we can use additional option for verify sender identity by, identify authenticated versus non- authenticated (anonymous) senders who use our organization domain name.
B- Dealing with the part of malware and Phishing websites
In this part, we are dealing with the “channels” which are used by the attacker to executing his specific attack.
Just a quick reminder, the Phishing mail attack “channels” are – malware file or a Phishing website.
Using a spam mail filter
For the sake of full disclosure, I don’t think that a spam mail filter is very usefully for identify Phishing mail because Phishing mail is not a spam mail.
Only in a scenario in which the Phishing mail also has characters of spam mail, the spam mail filter can identify such as E-mail message.
Another scenario in which spam filter can be useful is – in a scene that the particular Phishing mail attack recognized as a Phishing mail attack, and distinct characters of the E-mail message (the signature) appear in the signature database of a “well know problematic E-mail messages.”
It’s recommended to use a spam mail filter, but we should not relate to the spam filter as the “ultimate solution” for Phishing mail attacks.
Dealing with E-mail attachments
Many times, the Phishing mail attack is implemented by an E-mail message that includes malware attachment that appears as an Innocent file.
Let’s assume that the attacker (the part that relates to social engineering) convinces the victim (our user), to open the file that is attached to the E-mail message, what can we do in this scenario?
1. Implementing malware mail filters.
The purpose of the malware mail filters as the name implies is to detect malware that appears as an E-mail attachment.
Case 1 – Phishing mail attack that includes Zero-day attack malware
The major disadvantage of the “standard malware mail filters” is his inability to cope with
Zero-day attack. The term Zero-day attack, describe a “new attack” that wasn’t recognized, classified, and was registered on the well-known attack database (have no signature).
The standard malware mail filter can detect E-mail malware, based on a signature database that includes a “documentation” of malware signatures. For this reason, the standard malware mail filters cannot deal with a zero-day attack.
In simple words, cannot detect “new malware” that his particular signature doesn’t appear in the identified malware database.
Case 2 – Malware that doesn’t implement as E-mail attachment
In many Phishing mail attacks, the malware doesn’t appear as an E-mail attachment. Instead, the victim is seduced to click on a link that will lead him to the hostile website and then asked to download a particular file (the malware). In this scenario, the malware mail filter is not involved in the process and cannot detect the malware.
2. Implementing E-mail attachment policy.
The advice of “Implementing mail attachment policy,” in which block a particular type of E-mail attachment such as the executable file is a “good advice,” and not just for the scenario of dealing with a Phishing mail attack.
The main problem is that most of the time, Phishing mail attack that has an attachment, will use an Innocent type of file such as Microsoft Office files (Word, Excel, etc.).
The main problem that we are facing is – that most of the time, we cannot define mail attachment policy that will block “standard” E-mail attachment such as a word document.
This is the weak spot that is exploited by the hostile element that sends the “Innocent attachment.”
3. Implementing “sandbox” solutions.
One of the most frustrating and challenging security threats is the subject of zero-day attack.
The simple meaning of this term can be translated into a “new type of malware” that is distributed by hostile elements, that consider as “UN knows malware” meaning, the security, defense systems that should protect our infrastructure from this particular malware are not aware of the fact that this malware.
The problem of identifying scenarios of zero-day attack considers as “blind spot” or, a congenital weakness of antivirus products.
A conventional antivirus software detects malware is by examining the existing file and compare the file characters to a signature database, which include information about malware that was detected, classified as malware and registered in the malware signature database.
Because in the particular scenario of zero-day attack the malware is not “registered” in the malware signature database, itis difficult for the antivirus application to detect and mark the zero-day file as malware.
The solution for a zero-day attack is a technology (technology that is offered by a couple of manufacturers) that was built to deal with the problem by implementing a mechanism named – sandbox.
The concept of “Sandbox” is implemented in the following way:
When an E-mail that includes an attachment sent to a destination recipient who protected by security gateway that uses the mechanism of “Sandbox,” the E-mail will not be sent directly to the destination recipient but instead, will be “Intercepted” by the security gateway.
The security gateway will simulate the exact action that was supposed to perform by the end user, such as, open the E-mail message, and try to open the attachment (double-click on click on the file).
The “activation” of the attached file is executed in a dedicated and isolated memory space (the is the meaning of the term Sandbox).
The security gateway, will watch the “file behavior” and check if the attachment (the file) is trying to do something that is not standard such as – trying to access the hard disk, try to access a suspicious area in the RAM that a standard file will not access, seek to create a buffer overflow and so on.
In this way, we can locate malware that’s disguised them self as Innocent file.
- Zero-day (computing)
- Responding to Zero Day Threats
- The Best Defenses Against Zero-day Exploits for Various-sized Organizations
Advanced Threat Protection – Exchange Online
- Introducing Exchange Online Advanced Threat Protection
- Exchange Online Advanced Threat Protection
- Exchange Online Advanced Threat Protection is now available
- Exchange Online Advanced Threat Protection Service Description
- Advanced threat protection for safe attachments and safe links
Implementing a URL verification mechanism.
A very common method that is used in a Phishing mail attack is – to infect the victim’s desktop with a malware or hostile code, using a smart process” which includes a two or three steps.
The first step is to convince the victim to “do something” by clicking on a particular link that will lead him to a website which includes the malware.
The victim will need to download the file and open the file (the malware).
This method enables the attacker to bypass existing implementation of malware filter because the malware doesn’t appear as part of the E-mail message.
The only way to deal with this “bypass method” is, to implement a security mail filter that can verify URL addresses that appear in the E-mail message by deciding if the particular URL considers as a legitimate URL address or a hostile URL address such as Phishing website.
The security mail filter that needs to verify URL address can implement the verification process in two methods:
1. URL address database
Using a database that includes information about a “problematic website” or a dangerous website” such as a Phishing website or websites that compromised.
2. Simulate the access to the specific website instead of the “original user”
A process in which the “URL filter” tries to access to the URL address that includes in the E-mail message before the recipient read the E-mail and try to check if the website looks like a legitimate website or a website that attempts to manipulate the user desktop by trying to exploit existing vulnerability.
An example of such “URL verification filter” is the Microsoft technology, that implemented in the EOP (Exchange Online Protection) by using the feature named ATP (advanced threat protection) which includes a component called – safe links.
The purpose of this technology is to add an additional layer of security, in which the mail security gateway (the EOP infrastructure) will check and verify each URL address (link) that appears in E-mail message, and verifies the that the “destination website” is a legitimate website and not a website that is displayed as a problematic website.
Safe attachments and safe links | Office 365 and Exchange Online
C- Dealing with a Spoof mail attack and Phishing mail attacks effectively | Users Education & awareness program
Most of the time, when we use sentence such as fighting Spoof E-mail attacks and Phishing mail attacks, the first association that comes to mind is related to some kind of “high end sophisticated products” that will know how to deal with this terrible threat.
The simple truth is that we probably we will need to use this “high-end, sophisticated products” to be able to provide a complete and comprehensive for the problem that we are facing. Also, we must add the layer of – educating our users about the risk of the Spoof mail attack and Phishing mail attacks, the distinct characters of such attack, how to recognize these attacks and so on.
In other words, the technological solutions do not provide a complete solution!
Although there is a great importance to the subject of “user education,” most of us, tend to underestimate this solution because the common association that is related to the term “education” is – boring, not needed, useless.
The interesting thing that I would like to draw your attention is the fact that – one of the most efficient and significant ways, to deal with the phenomenon of Spoof and Phishing mail attacks is the subject of “education.”
At the same time, one of the most neglected areas is the “education.” Because most of us are sure that is just a non-useful nonsense.
Notice that I didn’t use the common term “user education” because the subject of “education” is related to different elements of the ecosystem:
1. Our education
Most of us (IT persons) have the misleading sense that we know everything about mail security, the different type of mail Threats such as Spoof mail attack and Phishing mail attacks and so on.
The simple truth is that we don’t.
Let’s make it simple – the purpose of the current “boring article series” is -to make you understand that the subject of Spoof mail attack and Phishing mail attacks is not so simple and that there is a lot of information that we should learn about this subject.
2. Management education
When I use the term “management education,” I relate to the concept of “management commitment.”
The concept of “management commitment” must be realized in two ways:
- The acknowledgment that Spoof mail attack and Phishing mail attacks could cause serious damage.
- The acknowledgment that there is no “magic solution” to this risk buy instead, a combination of a different solution.
- The acknowledgment that there is no “magic solution” that will block 100% of the Spoofing or Phishing attacks.
The management will need to commit to the simple fact in which she needs to allocate the required resources (time, money, education and so on).
3. User’s education
Because the Phishing mail attack is so sophisticated and hard to detect one of the most practical tools that we can use dealing with this risk is – to make our user aware of this threat.
Teach them about the specific characters of Spoof E-mail attacks and Phishing mail attacks, show an example of Spoof E-mail or Phishing mail and so on.
The outcome of the acknowledgment of the great importance to educate our user regarding the subject of Spoof E-mail attacks and Phishing mail attacks is – the user awareness program.
Security user awareness program.
- Information Supplement: Best Practices for Implementing a Security Awareness Program
- The 7 elements of a successful security awareness program
- Building an Information Technology Security Awareness and Training Program
- Creating an IT Security Awareness Program for Senior Management
D- Dealing with a Spoof mail attack and Phishing mail attacks effectively | Policy, standards and regulations
1. Define a policy and regulation that will restrict the level of damage that could be caused by a Phishing mail attack
One of the most neglected areas relating to the subject of dealing with a scenario of Spoof E-mail attacks and Phishing mail attacks is – an area which I describe as “Policy, standards, and regulations.”
And again, most of the time, the first association that comes to mind regarding these terms is – annoying or, not relay a useful solution that I can use.
I would like to give you an example of a regulation \ policy that seemingly doesn’t relate directly to the subject of Phishing mail attack.
A policy which restricts the specific amount if the money, that particular employee is authorized to transfer to another bank account by himself.
The primary purpose of such regulation \ policy is to reduce the level of damage in a scenario in which a company employee, maliciously execute a criminal activity in which he will steal money by transferring money from the company bank account to his bank account.
A particular type of Phishing mail attack, and especially Spear phishing attack, is directed to a very specific organization’s role such as the company CEO, CFO, etc.
In this Phishing attack, the hostile element used a false identity and lured his victim to – transfer a specific amount of money to a particular bank account (the hostile element bank account).
In this case, one of the most efficient operations that can be implemented is – define a very clear and straightforward company policy that deals with subject such as:
- What is the maximum amount of the money that can transfer?
- Who is the element that needs to authorize this money transfer?
- The possibility of implementing a mechanism in which two “entities” need to authorize the money transfer.
- What are the allowed “destination bank account” in which the company money can transferred?
2. Appointing a “dedicated authority” that will be responsible for managing the defense infrastructure.
Another subject that I would like to emphasize is – they need to decide about a “person” or “persons,” that will be responsible for managing the enforcement and the ongoing day to day tasks, which are related to the protection mechanism that deals with Spoof E-mail attacks and Phishing mail attacks.
For example, let’s assume that we configure a protection mechanism which monitors our incoming mail flow, and identifies an event, in which there is high chance that the sender spoofs his identity.
In our particular scenario, we don’t block such as E-mail message, but instead, generate an incident report, that sent to a dedicated mailbox which stores this incident reports that include a copy of the E-mail that identified as Spoof E-mail.
The major questions that I would like to ask are:
Q1: Who is the person\s that will have access to the mailbox that stores the information about the Spoof E-mail events?
Q2: How often this person needs to access the mailbox that stores the information about the Spoof E-mail events?
Q3: What is the procedure that needs to be implemented in a scenario in which we identify
a scenario of Spoof mail?
What is my point?
My point is – that the fact that we recognize and send a suspicious E-mail message (Spoof mail) to a dedicated mailbox that will store the information about this E-mail doesn’t solve the problem.
We need to define a very clear and precise procedure, which will determine what is the scope of the responsibility of this person.
What this person needs to do, who should he report about a Spoof E-mail event, what are the “actions” that implemented in a scenario of Spoof E-mail events and so on.
E- Dealing with a Spoof mail attack and Phishing mail attacks effectively | Client side security
In this section, I would like to review the “client side” of the formula.
In an event of Spoof E-mail attacks or Phishing mail attacks, we can use a “client side” mechanism; that will help us to deal with this problem.
1. Using antivirus
Most of the common antivirus clients, was not created for identifying an event of Spoof E-mail.
The main benefit of using antivirus client is in a scenario in which the Phishing mail seduces the user to download an open a malware file, and the malware manage to slip that “server side defense systems.”
For example – a scenario in which the Antivirus client can be useful is – a situation in which the user downloads a malware from a particular URL address that appears in the E-mail message (Phishing website).
In this scenario, the Antivirus client provides an additional layer of protection because, the mail security gateway is useful when the malware appears as part of the E-mail message, and not a scenario in which the user uses his browser for downloading the malware to his desktop.
2. Using additional desktop “smart defense mechanism”
As mentioned, the antivirus software is useful for detection of “well know malware.” The problem is with zero-day malware that their signature is not listed.
The solution for this “blind spot” is – using a “smart client,” that have the capabilities to identify programs that behave strangely and not in a proper way or a scenario of “anomaly” in which a particular process or service behaves strangely.
There is no specific name for this feature because each of the providers of “desktop security product” uses other names or terms.
An example of such a solution is a desktop security product that includes IDS\IPS (intrusion-detection detection system \ intrusion prevention system) that can identify and detect software component that doesn’t beehives on a legitimate way.
3. Harding the policy that related to Microsoft Office documents such as disabling macro
- Some of the malware will appear as E-mail attachment and some won’t.
- Some of the malware will look as E-mail attachment using an executable file and some won’t.
What is my point?
My point is that in a “perfect scenario,” the malware will be implemented as an executable file that will be recognized by the malware filter as a malware and will block.
Most of the time, the attacker who uses a Phishing mail attack is a professional, that will make the required effort to make our life difficult, by using attachments that appear as a legitimate file such as Microsoft Office file.
The malware will be “hidden” in the office document as a macro, and will execute when the user opens the file.
Besides of implementing a mechanism that can perform “Sandbox” verification test, one of the simplest solutions that, can we implement is – by configuring and enforcing the policy that will prevent from our users to use Microsoft Office document that includes macro.
In case that now your mind says something like – I cannot do it, some of my users must use the document with macros!
My answer is – it’s your decision; you will need to weigh the business need versus the security need and make the right decision.
Manage macro setting of office documents
- Enable or disable macros in Office documents
- Enable or disable macros in Office files
- Macro malware
- Plan security settings for VBA macros for Office 2013
- Plan security settings for VBA macros in Office 2016
Manage Protected View setting of office documents
In the following diagram, we can see a summary of the “client side elements” that we can use for dealing with Spoof E-mail attacks and Phishing mail attacks.
The next article in the current article series is
It is important for us to know your opinion on this article