Email impersonation

One common form of cyber attack is email impersonation.

An attacker poses as you and sends emails on your behalf, misleading unsuspecting recipients, potentially causing them damage, and tarnishing your reputation.

It is important to understand how these attacks work and, more importantly, how they can be avoided using email authentication techniques.


When an email is sent, it has two sets of "From" fields.

The first is in the external "email envelope", which is communicated between mail servers and states the email server domain. This information is extracted by the recipient mail server and is not presented to the end user, but it can typically be traced in the email headers (most email clients allow you to inspect the headers).

Then, there is the internal message "From" field which is shown to you when you view the email in your email client (Outlook, Gmail, etc.) and provides the sender's name and email address.

There are plenty of tools that allow you to very easily spoof the internal (message) "From" field for your outgoing emails. Spoofing the envelope "From" field requires a bit more sophistication, but it can be done quite easily if the attacker owns or controls a mail server and uses it to send out spoofed messages.


Over the years, multiple email delivery protections have been developed, but the three most common in use today are the following:

SPF: Guarantees the authenticity of the external envelope's "From" field by publishing the only IPs and/or hosts allowed to send out emails with this domain name.

A typical SPF DNS record may look like this:

v=spf1 -all

DKIM: Guarantees the authenticity of the internal "From" field. The legitimate sender encrypts part of the message that includes the "From" field, signs it and attaches a public key. The recipient decrypts the ciphered part using the valid key, and compares the "alignment" between the signature domain and the "From" field domain.

DMARC: Complements the protection scope by providing an email security policy that tells the recipient email server (e.g. Office365 Exchange server) what to do if the SPF test or the DKIM test fails. The potential actions are "no action", "quarantine" (typically the email will be sent to the Junk folder), "reject" and/or "send a report".
Here is an example of a typical DMARC DNS record:
v=DMARC1; p=none; sp=none; adkim=r; aspf=r;;; ri=86400; fo=1; pct=100
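
The spoofing scenario described above (a forged visible "From" sent through a mail server the attacker controls) evaluated against the DMARC record shown, as an added Python example that is not Coro's code. The domains, the stricter `p=reject` record and the last-two-labels shortcut for the organizational domain are assumptions made for illustration; real receivers use the Public Suffix List.

```python
# Added example: simplified DMARC evaluation (not a full RFC 7489 implementation).

def parse_dmarc(record):
    """Parse 'tag=value; ...' pairs, skipping empty segments such as ';;;'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Assumption/simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 'r' (relaxed): same organizational domain; 's' (strict): exact match."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record, header_from, envelope_from, spf_pass, dkim_domain=None, dkim_pass=False):
    """Return (dmarc_result, disposition) for one message."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(envelope_from, header_from, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and dkim_domain is not None and aligned(
        dkim_domain, header_from, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    # Subdomains of the organizational domain use sp= when present, otherwise p=.
    is_sub = header_from.lower() != org_domain(header_from)
    policy = tags.get("sp", tags["p"]) if is_sub else tags["p"]
    return "fail", policy

PAGE_RECORD = "v=DMARC1; p=none; sp=none; adkim=r; aspf=r;;; ri=86400; fo=1; pct=100"
STRICTER = "v=DMARC1; p=reject; adkim=r; aspf=r"  # constructed variant of the page's record

# Constructed message: the visible From is victim.example, the envelope From is the
# sending server's own domain, so SPF passes there but does not align with the From.
spoof = dict(header_from="victim.example", envelope_from="mailer.attacker.example", spf_pass=True)

if __name__ == "__main__":
    print(evaluate(PAGE_RECORD, **spoof))   # ('fail', 'none')
    print(evaluate(STRICTER, **spoof))      # ('fail', 'reject')
    print(evaluate(STRICTER, "victim.example", "bounce.victim.example", True))
```

With `p=none` the failed message is still delivered and only reported on; the receiver is asked to act on the failure only once the policy is moved to `quarantine` or `reject`.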

To apply these protection tools you need to modify your domain's DNS records. 

You can easily check if a customer has these protections in place by using or similar sites.

Coro can help you monitor and protect your own mailbox against incoming phishing attacks, but there is no way to prevent malicious actors from impersonating your senders unless you properly configure your DNS records.

Please contact if you have questions.
