In the current article, we will review the options that are available for analyzing the…
Let’s start with a statement about a strange phenomenon: Spoof mail attacks and Phishing mail attacks are well-known attacks, and are considered a popular attack among the “hostile elements.”
Most existing organizations do not have effective defense mechanisms against these attacks, and there is a high chance that, at some point, your organization will experience the bitter taste of a Spoofing or Phishing attack!
In other words – most organizations are exposed to Spoof and Phishing mail attacks, and it’s only a matter of “when”.
Dealing with Spoof and Phishing mail attacks | Article Series
- Dealing with a Spoof mail attack and Phishing mail attacks | a little story with a sad end | Part 1#9
- What are the possible damages of Phishing and spoofing mail attacks? | Part 2#9
- What is so special about Spoof mail attack? | Part 3#9
- What is the meaning of mail Phishing attack in simple words? | Part 4#9
- Why our mail system is exposed to Spoof and Phishing mail attacks | Part 5#9
- Dealing with the threat of Spoof and Phishing mail attacks | Part 6#9
- The questions that we will need to answer before we start the project of – building a defense system that will protect us from Spoof mail attacks | Part 7#9
- Using sender verification for identifying Spoof mail | SPF, DKIM, DMARC, Exchange and Exchange Online | Part 8#9
- How does sender verification work? (How we identify Spoof mail) | The five heroes: SPF, DKIM, DMARC, Exchange and Exchange Online Protection | Part 9#9
Why our mail system is exposed to Spoof and Phishing mail attacks
So the most obvious questions could be:
- Is this statement correct?
- And if this statement is correct, how could it be that no one pays attention to this problem and acts accordingly?
In the current article, I would like to give you some “food for thought” regarding this strange phenomenon, in which we prefer to ignore the danger of Spoof mail attacks and Phishing mail attacks, close our eyes, and continue to declare that “we are doing our best to protect our mail infrastructure!”
The common misconceptions that cause us to ignore the threat of Spoof mail attacks and Phishing mail attacks
1. It will not happen to me.
From time to time, we read a story about a company that was attacked by a Phishing mail, a sad story such as the one about the CEO who was lured into transferring a large amount of money to the attacker’s bank account, but we don’t really believe that it will happen to us.
My answer is that it’s not a matter of “if” but only a matter of “when.”
Most likely, your organization will experience Spoof E-mail attacks and Phishing mail attacks at some point.
2. Too much on my mind
Every average IT member or IT manager goes through the feeling of “too much on my mind.”
Every day “invites” new challenges and new crises.
“I know that the subject of Spoof mail attacks and Phishing mail attacks is important, but I have more critical issues that I need to take care of at the moment.”
The little secret is that you will probably never have the required time!
If you do not find the required time, the next Spoof mail attack or Phishing mail attack will find you unprepared, and the result can be very critical!
Only when you acknowledge the importance of this risk will you “make the time.”
3. My organization is well protected from Spoof mail and Phishing mail attacks.
All of us have a strong need to believe that someone is watching over us and will protect us when needed.
This is a very basic human need.
When it comes to the risk of Spoof E-mail attacks and Phishing mail attacks, most of the time, we prefer not to be realistic.
Instead, we prefer to cling to the general thought that “they” (my IT, my mail provider and so on) are doing what they know how to do, and that “they” are doing whatever it takes to protect our organization from Spoof E-mail attacks and Phishing mail attacks.
The reality is much more complicated!
Most of the time, the “IT” doesn’t include a professional authority who specializes in the subject of “mail security,” or doesn’t know what the unique threats that relate to a modern mail infrastructure are, what the specific characteristics of Spoof mail attacks and Phishing mail attacks are, what the available solutions are, and so on.
Hosted mail infrastructure such as Office 365 (Exchange Online) | My mail infrastructure is automatically protected!
In a scenario in which your mail infrastructure is hosted at an “external mail provider” such as Office 365 and Exchange Online, this incorrect assumption is manifested most strongly.
Most mail providers, such as Office 365, have all the required tools and infrastructure for dealing with and preventing Spoof E-mail attacks and Phishing mail attacks.
The “little thing” that we are not aware of is the simple fact that these “defense mechanisms” are not activated by default. Instead, they are just sitting there waiting for us to use them!
The main reason that these defense mechanisms are not activated automatically is that they can accidentally intercept legitimate E-mail.
The important thing that most of us are not aware of is that the responsibility to use the existing defense mechanisms is our responsibility!
For example, when relating to the subject of Spoof mail attack, Exchange Online supports three mail standards that implement sender verification, plus the option of creating an Exchange rule that will identify events of Spoof mail attack.
Knowing the specific characteristics of each of the sender verification mail standards, the required configuration settings for each of these standards, and how to configure the required adjustments that will suit our particular organization’s needs is our responsibility!
What is the weakness that the hostile element exploits when using Spoof mail attacks and Phishing mail attacks?
The basis for Spoof mail attacks and Phishing mail attacks relies on two major weaknesses:
- The SMTP protocol weakness
- The Human factor weakness
Spoof E-mail attack and SMTP as an innocent protocol
When we hear about or experience a Spoof E-mail attack, the first question that can appear in our mind could be:
Q1: Why don’t mail servers know how to protect themselves from Spoof E-mail attacks and Phishing mail attacks?
A1: The simple answer is that the “creators” of the SMTP protocol didn’t relate to the issue of “mail security” and instead concentrated on creating a mail protocol that would deliver an E-mail message from point A to point B efficiently and reliably.
The issue of “mail security” was neglected because at that time, the popularity of the SMTP protocol was not so great, and the use of the SMTP protocol was not so common.
In a standard mail communication that involves two parties, the SMTP protocol is based on the concept in which the destination mail server (side B) “believes” the identity (E-mail address) that the sender (side A) provides.
The sender (side A) doesn’t need to prove his identity!
Phishing mail attack and we as human beings
Regarding the Phishing mail attack, the basis for this attack is the ability to exploit the “thing” that makes us “human.”
Q1: Why is it so hard to deal with Phishing mail attacks? Or, why are there so many people who fall prey to Phishing mail attacks?
The standard Phishing mail attack is based on two “parts” that exploit the human character:
The Phishing mail attack starts with the “trust part,” in which the hostile element uses an E-mail address of someone we are confident in, or an E-mail address that looks like an E-mail that was sent from a respectable and trusted source.
The “sender trust part” relies on the “innocence” of the SMTP protocol, which doesn’t include a built-in mechanism for verifying the identity of the “other side.”
The second part of the Phishing mail attack is based on the “content” that appears in the E-mail message.
As in the famous Michael Jackson song “Human Nature,” the hostile element that executes the Phishing mail attack is aware of the different “human buttons” that can be pushed and manipulated.
The Phishing mail content is designed to address a common human trait such as pity, fear, greed, curiosity and so on.
The attacker addresses one of these “human failings” to manipulate the victim into “doing something” such as opening a particular file (malware) or clicking on a specific link in the Phishing mail that will lead the victim to a Phishing website.
The awakening of our awareness of the problem of Spoof mail attacks and Phishing mail attacks | Additional obstacles
Let’s assume that you agree that Spoof mail attacks and Phishing mail attacks constitute a great risk to your organization, and that you are willing to make the effort and take this threat seriously.
In this section, I would like to review additional obstacles that may appear on the way.
To be able to start handling the Spoof mail attack and Phishing mail attack threat, you will need to overcome these obstacles.
1. The fear of doing something that will harm the organization’s mail flow.
Let’s talk about the most prominent obstacle: the fear of a scenario in which the solution that we implement will damage the regular mail flow.
A scenario of false positive, in which a legitimate E-mail that was sent to our users is mistakenly identified as Spoof E-mail or Phishing mail and, for this reason, is “blocked” or deleted by the particular Spoof E-mail protection mechanism that we use.
When implementing a security mechanism that deals with Spoof E-mail, we are facing two problematic scenarios:
In a standard mail flow, we welcome every E-mail message that is sent to one of our users, as long as the destination recipient exists. In other words, we don’t care about the element that originates the E-mail message (the sender); instead, the mail server that represents our organization is only responsible for verifying the information about the destination recipient (that it hosts the mailbox of the target recipient).
When we implement a defense mechanism that should protect us from Spoof mail attacks, we can compare it to a scenario in which we place a “guard” at the entrance to our base (our mail infrastructure).
Versus a scenario in which every guest is welcome to enter our perimeter, when we force the use of sender verification, we implement a process in which we try to verify the identity of each entity that wants to “enter our base.”
When we use this additional layer of security, there is a reasonable chance that we will experience a scenario of false positive.
In this scenario, some of our “legitimate guests” will not be allowed to enter our base and will be rejected because they do not have the required proof of their identity, or because of a technical problem that relates to the evidence of their identity (their E-mail message will be rejected).
The other aspect of implementing a sender verification mechanism is the ability to “stamp” a legitimate E-mail message that is sent by our legitimate users, so the “other side” will be able to verify our identity and differentiate our legitimate senders from E-mail messages that are sent by hostile elements that spoof our organizational identity.
The problem of “false positive” can also be realized in the scenario of outgoing mail flow, meaning an E-mail message that is sent by our user to external destination recipients.
In a complex mail infrastructure, the ability to “stamp” all of the E-mail messages that are sent from our mail infrastructure, entirely and in a “proper” way, is quite a challenging task!
In case we didn’t manage to correctly “stamp” each E-mail message that uses our organizational identity (an E-mail message in which the sender uses our domain name), this could lead to a scenario in which a legitimate E-mail message that was sent by our users will be rejected by the “other” mail infrastructure.
2. Fear of hurting business activity
Every implementation of any security mechanism will probably cause some disruption to the business activity, at least in the first phase of adoption and assimilation.
The fear of this anticipated disruption leads us to the attitude of – don’t rock the boat!
Alternatively: if no one has complained until now, I guess everything is OK!
The false sense that if everything was fine until now, everything will be okay in the future, will eventually explode in our face.
In other words – If you can’t stand the heat, get out of the kitchen.
3. The resources issue
To be able to clearly understand the “enemy,” we will need to ask (and answer) many questions such as:
- How does the enemy think and function?
- What is the vulnerability of your mail infrastructure?
- What are the possible solutions for the existing mail infrastructure vulnerability?
- What is the difference between the different solutions such as SPF, DKIM, DMARC?
You will need to have patience and the willingness to devote the time required to read and internalize information.
4. The vanity syndrome
The fact that you are a veteran IT professional doesn’t mean that you are a security professional, and it is not to say that you are familiar with the present risk that threatens your mail environment and the possible solutions to this risk.
5. The fear of the unknown syndrome
Like any “unknown territory,” the mail security standards territory is an “unknown territory” for most of us.
In the process of implementing a particular solution to the problem of Spoof E-mail attacks and Phishing mail attacks, you will undoubtedly encounter many questions and problems.
It’s OK; this is expected as part of the process.
6. The need for simplicity syndrome
Most of the time, we look for a simple solution and try to avoid the need to understand and implement complex solutions.
The simple answer is – there is no simple solution for the task of dealing with Spoof E-mail attacks and Phishing mail attacks.
7. The military approach syndrome
This is one of the noticeable features of many managers.
The subtext of this approach is – I don’t care how, just make it work!
Well, we can make it work, but only if “management” is committed to the process and is willing to allocate the required resources for the implementation of the possible solutions.
Why is there no simple solution for the problem of Spoof E-mail attacks and Phishing mail attacks?
The simple answer is that the Phishing mail attack is not simple!
The Phishing mail attack is a sophisticated attack that combines a couple of attacks, and we will have to deal with each of them separately.
Also, dealing with the infrastructure for the Phishing mail attack – the Spoof mail attack – is not so simple!
The common confusion between Spoof mail attack versus Phishing mail attacks
An imperative observation that I would like to mention regarding the task of “dealing with a scenario of Spoof E-mail attacks and Phishing mail attacks” is that we should distinguish Spoof mail attacks from Phishing mail attacks.
Each type of attack has different characteristics, and for this reason, needs a different kind of solution.
Most Phishing mail attacks use the Spoof mail attack in the initial phase of the attack.
For this reason, it’s reasonable to assume that in case we identify and block Spoof E-mail, the derivative will be blocking the Phishing mail attack.
However, the important thing is that we cannot build our defense infrastructure based on this assumption, for a couple of reasons:
- Not all Phishing mail attacks use the option of spoofing the sender identity.
There is a reasonable chance that the Phishing mail attack will use just a standard E-mail address from well-known mail providers such as Gmail, Hotmail or Yahoo.
- It’s very reasonable to assume that even when we use some protection mechanism to identify Spoof mail attacks, we will not be able to identify and block 100% of the Spoof mail attacks.
Note – another aspect of Phishing attacks is that not all Phishing attacks are “Phishing mail attacks.” It’s true that most Phishing attacks are executed via the “mail channel.” At the same time, it’s important to know that some Phishing attacks can be performed using a phone call or an SMS, via a message sent to instant messaging users, via a message sent to social-network users, and so on.
What are the challenges that we need to face when we want to fight Spoof E-mail attacks?
Regarding our ability to protect our mail infrastructure from Spoof mail attacks, there are a couple of well-known mail standards that were created to complete the SMTP protocol’s “missing part,” meaning the ability to verify the sender identity.
Along the current article series, we will review in detail the different sender verification mail standards such as SPF, DKIM and DMARC, and other optional solutions such as solutions that we can implement in an Exchange-based environment.
If you think you can sit back, relax and drink a refreshing cocktail because you found the perfect solution to all the Spoof E-mail problems, you are wrong!
It’s true that there are standards and solutions that were created for dealing with the phenomenon of Spoof E-mail, but these solutions are very far from providing a perfect solution.
1. The implementation of the sender identification mechanism is not so simple.
Each of the different standards has advantages, disadvantages and “blind spots.”
The implementation of these standards is not so simple and requires preliminary assessment, planning, and constant accompaniment.
For example – at the current time, we can mention three mail standards that were created for dealing with the need to verify the sender identity.
Each of these standards uses a different method for verifying the sender identity, and each of these standards requires implementing different preparations and configuration settings.
The implementation of these standards (sender verification standards) becomes quite complicated and challenging in a complex mail environment that includes many mail servers, many sites, etc.
A standard such as SPF is considered an easy-to-adopt standard, but has a built-in “blind spot” that can be exploited by a hostile element that will bypass the existing “SPF wall.”
The DKIM standard can provide excellent protection, but because the solution is based on Public-Key Infrastructure (certificates, digital signatures and so on), it’s not so easy to implement this standard in a compound mail environment that includes many different entities that send mail on behalf of the organization.
2. Not all organizations use a sender identification mechanism.
Another major issue that we should not forget is that the implementation of a complete solution for the problem of “Spoof E-mail” depends on a “logical circuit” that includes two sides: the sending mail infrastructure and the receiving (destination) mail infrastructure.
In case “our side” implements all the necessary solutions for dealing with the Spoof E-mail phenomenon, but the “other side” doesn’t implement any Spoof E-mail protection solution, the outcome is that every hostile element can use our identity and attack the “other side” using our organizational identity.
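As an added example that is not part of the original article, the following Python shows the SPF blind spot from the receiving side and, with it, the earlier point that SMTP simply “believes” the identity the sender provides: the envelope sender (Return-Path) and the visible From: header may carry different domains, SPF vouches only for the envelope domain, so a DMARC-style alignment step compares the domain that SPF or DKIM actually authenticated with the From: domain before the message is trusted. The SPF and DKIM pass/fail verdicts are assumed to be supplied by the MTA (they need DNS lookups and signature verification that this snippet does not perform), the organizational-domain helper is a simplification of the Public Suffix List lookup a real implementation uses, and all addresses and the DKIM header are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

def domain_of(addr) -> str:
    """Lowercase domain part of an address header value ('' if none)."""
    return parseaddr(str(addr or ""))[1].rpartition("@")[2].lower()

def org_domain(domain: str) -> str:
    """Organizational domain for relaxed alignment. Assumption: last two
    labels; real DMARC code uses the Public Suffix List (wrong for *.co.uk)."""
    return ".".join(domain.split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str = "relaxed") -> bool:
    """DMARC identifier alignment of an authenticated domain with the
    domain of the visible RFC 5322 From: header."""
    if not auth_domain or not from_domain:
        return False
    if mode == "strict":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)

def dkim_signing_domain(msg) -> str:
    """The d= tag of the DKIM-Signature header ('' if the mail is unsigned)."""
    for tag in str(msg.get("DKIM-Signature", "")).split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip() == "d":
            return value.strip().lower()
    return ""

def dmarc_verdict(raw: bytes, spf_result: str, dkim_result: str,
                  mode: str = "relaxed") -> dict:
    """Alignment step only: spf_result/dkim_result ('pass'/'fail') are assumed
    to come from the MTA's DNS and signature checks, which are not done here.
    SPF vouches for the envelope (Return-Path) domain and DKIM for its d=
    domain; neither says anything about From: until aligned against it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    dkim_domain = dkim_signing_domain(msg)
    spf_ok = spf_result == "pass" and aligned(envelope_domain, from_domain, mode)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, mode)
    return {"from_domain": from_domain, "envelope_domain": envelope_domain,
            "dkim_domain": dkim_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed sample: the envelope domain (the one SPF checks) differs from
# the domain shown in From:, so an SPF "pass" proves nothing about the sender.
MISMATCHED = b"""Return-Path: <bounce@mailer.example.net>
From: Accounts <accounts@example.com>
To: bob@example.com
Subject: invoice

see attached
"""

# Constructed sample: envelope, DKIM d= and From: all belong to example.com.
# bh=/b= are placeholders, not a real signature.
LEGIT = b"""Return-Path: <alice@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@example.com>
To: bob@example.com
Subject: weekly report

numbers attached
"""
```

Run `dmarc_verdict(MISMATCHED, "pass", "fail")` and `dmarc_verdict(LEGIT, "pass", "pass")` to see the first message fail on alignment despite its SPF pass and the second pass on both identifiers.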
What are the challenges that we need to face when we want to fight Phishing E-mail attacks?
Regarding the subject of existing solutions for the problem of Phishing mail attacks, the situation is much poorer compared to the status of Spoof E-mail solutions.
The Phishing mail attack is considered a sophisticated attack. The ability to identify and block Phishing mail attacks is much more complicated than dealing with the Spoof mail attack.
The “exciting news” is that at the current time, there is no formal standard or well-known protection mechanism that can directly deal with and prevent all the types of Phishing mail attacks.
If you perform a simple search using a question such as “solution for Phishing email attacks,” most of the results that appear deal with tips and tricks, guidelines and best practices that instruct users how to avoid or recognize a scenario of Phishing mail.
The “missing part” is that the answers and the solutions relate to the “end point,” meaning the users, and not to the “server side,” meaning our mail infrastructure.
The information is not related to a particular technology or standard that can be implemented on the “server side.”
Some links will lead you to a company that provides services for testing your mail infrastructure (by simulating a Phishing mail attack) and the reaction of your users to a Phishing mail attack.
But the painful truth is that there is no “tangible” standard that promises to protect your mail infrastructure from all the Phishing mail attacks.
My answer to the question of “Why is there no formal solution to the threat of Phishing mail attack?” is that the Phishing mail attack is made of “different parts.”
We cannot relate to the Phishing mail attack as “one problem” but instead, as a “collection of problems.”
- One of the building blocks of the Phishing mail attack is a Spoof mail attack.
To be able to deal successfully with a Phishing mail attack, we will need to find a good solution for the problem of Spoof mail attack, such as the implementation of a sender verification standard – SPF, DKIM, DMARC and so on.
- One of the building blocks of the Phishing mail attack is infecting the user desktop with malware (most of the time, “smart malware” that is injected into legitimate files).
To be able to deal successfully with a Phishing mail attack, we will need to find a good solution for the problem of malware, such as “sandbox” solutions.
- One of the building blocks of the Phishing mail attack is social engineering.
To be able to deal successfully with a Phishing mail attack, we will need to find a good solution for the problem of social engineering, such as guiding and instructing our users about the characteristics of Phishing mail attacks.
Q1: Should I feel despair from the fact that there is no formal solution to the threat of Phishing mail attack?
A1: No! Although there is no “magic button” that we can use for dealing with a Phishing mail attack, there are a couple of solutions that we can use, and the combination of these “solutions” can provide good and effective protection for most Phishing mail attack scenarios.
In the article – Using sender verification for identifying Spoof mail | SPF, DKIM, DMARC, Exchange and Exchange Online | Part 8#9, we will review the list of the solutions that we can use.