Email Threats and Mitigation

Last updated 2 years ago

  • Phishing – the human is the weakest link

    • Impersonate a trusted sender and ask for sensitive information

    • Subtypes:

      • Spearphishing – targeting specific users

      • Whaling – Target high profile individuals

      • Pharming – emails with links to a spoofed website

    • Email forwarding – Crafting an email to make it look like you were added later in an email conversation

    • Business email compromise (BEC) – taking over an email account

  • Email headers

    • Sender, recipient, transit servers

    • Can be used to determine spoofed emails

      • Display from

      • Envelope from or return-path

      • Received from/by

      • Delivered-to

      • Date and time

      • Return-path authentication-result
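
Added example (not from the original notes): a small Python header triage that applies the checks listed above to a constructed message. It parses a raw email with the standard library, compares the display From domain against the Return-Path and Reply-To domains, walks the Received chain oldest hop first, reads the Authentication-Results header, and checks that the Date header is not later than the final Received timestamp. The sample message, its hosts and addresses are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message (not from the original page). The display From
# claims the company's own domain, while the bounce address, Reply-To and the
# Received chain all point at a third-party mailer.
SAMPLE_RAW = """\
Return-Path: <bounce@mailer.example.net>
Delivered-To: analyst@corp.example.com
Received: from mx.corp.example.com (mx.corp.example.com [203.0.113.10])
 by inbox.corp.example.com with ESMTP; Tue, 01 Jan 2019 10:00:05 +0000
Received: from mailer.example.net (mailer.example.net [198.51.100.7])
 by mx.corp.example.com with ESMTP; Tue, 01 Jan 2019 10:00:03 +0000
Received: from [10.0.0.5] (unknown [10.0.0.5])
 by mailer.example.net with ESMTPA; Tue, 01 Jan 2019 10:00:01 +0000
Authentication-Results: mx.corp.example.com; spf=fail smtp.mailfrom=mailer.example.net
From: "CEO" <ceo@corp.example.com>
Reply-To: ceo-urgent@mailer.example.net
To: analyst@corp.example.com
Date: Tue, 01 Jan 2019 10:00:00 +0000
Subject: Urgent wire transfer

Please process the attached invoice today.
"""


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def received_hops(msg):
    """Return (from_host, by_host) pairs in delivery order, oldest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        words = str(value).split()
        src = words[words.index("from") + 1] if "from" in words else "?"
        dst = words[words.index("by") + 1] if "by" in words else "?"
        hops.append((src, dst))
    # Each relay prepends its own Received header, so reverse for chronological order.
    return list(reversed(hops))


def analyze_headers(raw):
    """Apply the spoofing checks from the notes and return the findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    reply_to_domain = domain_of(msg["Reply-To"])
    hops = received_hops(msg)
    findings = []

    # Display From vs envelope From (Return-Path) and Reply-To.
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"Return-Path domain '{return_path_domain}' differs from From domain '{from_domain}'")
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_to_domain}' differs from From domain '{from_domain}'")

    # Authentication-Results written by our own MX.
    auth = str(msg.get("Authentication-Results", ""))
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append(f"Authentication-Results reports a failure: {auth}")

    # First relay that accepted the message should normally belong to the claimed sender.
    if hops and from_domain and not hops[0][1].endswith(from_domain):
        findings.append(f"first relay '{hops[0][1]}' is outside the claimed sender domain '{from_domain}'")

    # Date header later than the final Received stamp indicates a forged or bad clock.
    received = msg.get_all("Received", [])
    if received and msg["Date"] is not None:
        last_stamp = str(received[0]).rsplit(";", 1)[-1].strip()
        if msg["Date"].datetime > parsedate_to_datetime(last_stamp):
            findings.append("Date header is later than the final Received timestamp")

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "hops": hops,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in analyze_headers(SAMPLE_RAW)["findings"]:
        print("-", line)
```

The hop walk is deliberately simple (first token after `from` and `by`); production tooling should parse the full Received clause, but the mismatch pattern it surfaces here (internal-looking From, external Return-Path and relay) is the one analysts look for first.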

  • Malicious Payloads

    • Attachments

    • Embedded scripts in HTML code

    • Preview functionality in email clients

    • Malicious links

    • Email signature block (text)

  • Sender Policy Framework (SPF)

    • SPF entry published in DNS TXT record. List of servers allowed to send email for a domain.

    • Receiving servers check the envelope sender (the Return-Path / MAIL FROM address) against the SPF record.

    • What to do with email received from servers not on the list

      • -all (rejecting)

      • ~all (flagging)

      • +all (accepting)
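
Added example (not from the original notes): a minimal SPF evaluator in Python that parses a `v=spf1` record, matches the connecting IP against `ip4:`/`ip6:` mechanisms, follows `include:` with the RFC 7208 lookup limit, and maps the `all` qualifier to the three outcomes listed above. The DNS records are a constructed in-memory table (assumed, so the example runs offline); `a`, `mx`, `exists` and `redirect=` need live DNS and are treated as non-matching here.

```python
import ipaddress

# Constructed DNS data (not from the original page). A real checker would
# fetch these TXT records live; keeping them inline lets the example run offline.
FAKE_TXT = {
    "corp.example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example.net -all",
    "_spf.mailer.example.net": "v=spf1 ip4:198.51.100.7 ip6:2001:db8::/32 ~all",
    "lax.example": "v=spf1 +all",
}

# Qualifier prefix -> SPF result, as in RFC 7208 section 4.6.2.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Result -> what the notes say to do with mail from unlisted servers.
ACTION = {
    "fail": "reject",
    "softfail": "flag",
    "permerror": "reject",
    "pass": "accept",
    "neutral": "accept",
    "none": "accept",
}


def lookup_spf(domain):
    """Return the domain's SPF TXT record, or None if it has none."""
    record = FAKE_TXT.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_spf(sender_ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for a message from `sender_ip`."""
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:     # skip the 'v=spf1' version tag
        qualifier = "+"                 # mechanisms default to '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":               # catch-all: -all reject, ~all flag, +all accept
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # 'in' is False when address and network families differ
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: matches only if the referenced record yields 'pass'
            if check_spf(sender_ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, exists, redirect= need live DNS and are ignored in this offline example

    return "neutral"                    # no mechanism matched and no 'all' term


def action_for(sender_ip, domain):
    """Combine the SPF result with the notes' reject/flag/accept handling."""
    result = check_spf(sender_ip, domain)
    return result, ACTION[result]


if __name__ == "__main__":
    for ip, dom in [("203.0.113.5", "corp.example.com"), ("198.51.100.7", "corp.example.com"),
                    ("192.0.2.1", "corp.example.com"), ("192.0.2.1", "_spf.mailer.example.net")]:
        print(ip, dom, action_for(ip, dom))
```

The `include:` rule is the one most often misread: a `-all` inside the included record does not cause a fail for the including domain, it only means the include did not match, and evaluation continues with the next term.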

  • Domain Keys Identified Mail (DKIM)

    • Replaces or improves SPF, uses PKI

    • TXT record published in DNS

    • TXT record contains public key

    • Sent emails are digitally signed with the server's private key (digital signature)

    • Receiver checks the digital signature using the public key in the DNS TXT record of the company's domain

  • Domain-Based Message Authentication, Reporting and Conformance (DMARC)

    • A policy for implementing SPF and DKIM

    • Published as a DNS record

    • The DMARC policy is an authentication procedure telling the receiver of the email:

      • Which technologies are in use

      • How to validate the sender

      • What to do if either check fails
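
Added example (not from the original notes): a Python DMARC policy evaluator showing how the record ties SPF and DKIM together. It takes the upstream SPF and DKIM results as inputs (the DKIM signature check itself is assumed to have already been done), parses the `p=`, `sp=`, `adkim=` and `aspf=` tags, tests identifier alignment between the From domain and the authenticated domains, and returns the disposition the record asks for. The `_dmarc.` record is a constructed in-memory lookup, and the organisational-domain logic is a deliberate simplification (last two labels) of the Public Suffix List that real receivers use.

```python
# Constructed DNS data (not from the original page): the DMARC TXT record a
# receiver would normally query at _dmarc.<domain>.
FAKE_DMARC = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                          "rua=mailto:dmarc-reports@example.com",
}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # Simplification: last two labels. Real receivers consult the Public
    # Suffix List so that names like example.co.uk are handled correctly.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' requires an exact match, 'r' the same org domain."""
    if not auth_domain:
        return False
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return the DMARC verdict for a message.

    from_domain  - domain of the visible From: header
    spf_result   - 'pass'/'fail'/'none'... from the SPF check; spf_domain is the
                   Return-Path (MAIL FROM) domain that was checked
    dkim_result  - 'pass'/'fail'/'none' from signature verification; dkim_domain
                   is the d= tag of the verified signature
    """
    from_domain = from_domain.lower()
    record = FAKE_DMARC.get(f"_dmarc.{from_domain}")
    is_subdomain = False
    if record is None:                          # fall back to the organisational domain
        org = org_domain(from_domain)
        record = FAKE_DMARC.get(f"_dmarc.{org}")
        is_subdomain = org != from_domain
    if record is None or not record.startswith("v=DMARC1"):
        return {"dmarc": "none", "disposition": "none",
                "spf_aligned": False, "dkim_aligned": False}

    tags = parse_dmarc(record)
    # A check only counts if it passed AND its domain aligns with the From domain.
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:                       # either aligned pass satisfies DMARC
        return {"dmarc": "pass", "disposition": "none",
                "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}

    # Both failed: apply p= (or sp= for a subdomain without its own record).
    if is_subdomain:
        disposition = tags.get("sp", tags.get("p", "none"))
    else:
        disposition = tags.get("p", "none")
    return {"dmarc": "fail", "disposition": disposition,
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}


if __name__ == "__main__":
    print(evaluate_dmarc("example.com", "pass", "example.com", "none", None))
    print(evaluate_dmarc("example.com", "fail", "mailer.example.net", "none", None))
    print(evaluate_dmarc("corp.example.com", "fail", "mailer.example.net", "fail", None))
```

Two points the code makes visible: an SPF or DKIM pass on a domain that does not align with the From domain does nothing for DMARC (this is exactly how a third-party mailer with its own valid SPF still fails), and `adkim=s` means a signature from `mail.example.com` does not cover a From of `example.com`.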

  • Secure/Multipurpose Internet Mail Extensions (S/MIME)

    • SPF, DKIM, DMARC don’t ensure confidentiality

    • S/MIME can digitally sign and encrypt emails

    • If I want to send a secure email to you:

      • I need a digital certificate

      • Uses PKI

      • My email content is hashed, the hash is encrypted with my private key (digital signature)

      • My email content is encrypted with your public key

      • I send my message to you in a blank email with an S/MIME attachment

    • What do you do?

      • You decrypt my message with your private key

      • You validate my digital signature with my public key

  • Email Logs

    • Don’t forget to inspect email logs

https://testconnectivity.microsoft.com/tests/OutboundSMTP/input
https://mha.azurewebsites.net
https://testconnectivity.microsoft.com/tests/o365