Email Threats and Mitigation

Phishing – Human link is the weakest link
- Impersonate a trusted sender and ask for sensitive information
- Subtypes:
  - Spearphishing – targeting specific users
  - Whaling – Target high profile individuals
  - Pharming – emails with links to a spoofed website
- Email forwarding – Crafting an email to make it look like you were added later in an email conversation
- Business email compromise (BEC) – taking over an email account
Email headers
- Sender, recipient, transit servers
- Can be used to determine spoofed emails
  - Display from
  - Envelope from or return-path
  - Received from/by
  - Delivered-to
  - Date and time
  - Return-path authentication-result
- https://testconnectivity.microsoft.com/tests/OutboundSMTP/input
- https://mha.azurewebsites.net
- https://testconnectivity.microsoft.com/tests/o365
Malicious Payloads
- Attachments
- Embedded scripts in HTML code
- Preview functionality in email clients
- Malicious links
- Email signature block (text)
Sender Policy Framework (SPF)
- SPF entry published in DNS TXT record. List of servers allowed to send email for a domain.
- Clients use the return-path header field to validate SPF record.
- What to do with email received from servers not on the list
  - -all (rejecting)
  - ~all (flagging)
  - +all (accepting)
Domain Keys Identified Mail (DKIM)
- Replaces or improves SPF, uses PKI
- TXT record published in DNS
- TXT record contains public key
- Sent emails are digitally signed by the servers prive key (digital signature)
- Receiver checks the digital signature using the public key in the DNS TXT record of the companys domain
Domain-Based Message Authentication, Reporting and Conformance (DMARC)
- A policy for implementing SPF and DKIM
- Published as a DNS record
- The DMARC policy is an authentication procedure telling the receiver of the email:
  - Which technologies are in use
  - How to validate the sender
  - What to do if either checks fail
- Secure/Multipurpose Internet Mail Extensions (S/MIME)
  - SPF, DKIM, DMARC don’t ensure confidentiality
  - S/MIME can digitally sign and encrypt emails
  - If I want to send a secure email to you:
    I need a digital certificate
    Uses PKI
    My email content is hashed, the hash is encrypted with my private key
    My email content is encrypted with your public key
    I send my message to you in a blank email with an S/MIME attachment
  - What do you do?
    You decrypt my message with your private key
    You validate my digital signature with my public key
- Email Logs
  - Don’t forget to inspect email logs

PreviousMobile Threats NextData Loss Prevention (DLP)

Last updated 2 years ago