It is common knowledge that any system is only as strong as its weakest link. Unsurprisingly, threat actors constantly probe enterprise networks for such loopholes, which become shortcuts to an easy compromise. In many scenarios, the human factor is the biggest vulnerability, and for good reason.
Social Engineering, the Driving Force of Cybercrime
Manipulating users is easier than getting around automated security mechanisms every organization uses. Unsuspecting employees may load an eye-catching email attachment or click on a dodgy link, only to get on an attacker’s hook.
Such a seemingly minor slip-up is a recipe for disaster. It is a common launch pad for ransomware raids, RDP hacking, data theft, and sabotage perpetrated by business rivals. To top it off, it fuels business email compromise (BEC) and other forms of social engineering geared toward obtaining sensitive information or defrauding victims of money.
That said, cybersecurity awareness looks like the obvious remedy for the foul play described above. It is, with the caveat that it must be a continuous process: once users become adept at recognizing the "classic" phishing hoaxes, crooks change their tactics.
As an illustration, below are several examples of lesser-known recent tricks in phishers’ repertoire:
- Using ZIP attachments built from two concatenated archive structures, one of which contains a benign image file while the other (hidden one) holds a harmful executable. Which of the two an archiver or a scanner sees depends on how it locates the archive's central directory, so a scanner may inspect the benign half while the user's tool extracts the malicious one.
- Mishandling URL shortening services to disguise malicious links.
- Parasitizing trusted cloud sharing platforms such as SharePoint to deliver phishing links while instilling a false sense of legitimacy.
- Abusing the way web browsers and mail clients display links: unusually long URLs are clipped in the status bar or tooltip for the sake of user experience, so the malicious part of the link (a different host after a long, legitimate-looking path or a user-info segment) stays hidden in plain sight.
Ultimately, simulating trust is the core element of every phishing scam. Out of all email-borne social engineering stratagems, a technique called email spoofing is particularly effective in this regard.
Why Do Threat Actors Forge Email Domains?
The logic of email spoofing is to mimic a reputable domain so that the recipient falls for the attacker’s narrative. In this scenario, the crook’s train of thought is as follows: if you know the sender, you are more likely to follow the embedded instructions.
This mechanism is so potent because it combines social engineering with a weakness at the protocol level. SMTP as specified (RFC 5321) authenticates neither the envelope sender that the sending server announces in the MAIL FROM command nor the From: address that the recipient sees in the message header. A sending server can put any value in either field, and nothing in the base protocol checks that the domain named there has anything to do with the server that is talking.
As a result, anyone with evil intentions and a little bit of tech expertise may be able to forge an email domain and hide their real identity to spread trustworthy-looking spam or phishing messages on behalf of an organization.
If a well-known brand’s domain is fabricated this way, online riff-raff can orchestrate large-scale frauds to wheedle out sensitive information or deposit malware onto recipients’ devices.
Sure-Shot Methods to Harden Email Domain Security
As important as it is, security awareness alone is not enough to fend off such attacks. Companies need to add extra layers of protection to identify and block spoofed emails proactively.
Thankfully, there is no need to reinvent the wheel. A trio of readily available authentication tools can pull the plug on domain spoofing attempts. These are Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).
These three acronyms should be in every IT professional’s vocabulary. Let us go over each approach to get the big picture:
SPF Keeps Tabs on IP Addresses
First published as an experimental RFC in 2006 and standardized as RFC 7208 in 2014, SPF lets a domain owner publish, in a DNS TXT record, the IP addresses and networks that are allowed to send mail for that domain. The receiving server takes the domain of the SMTP envelope sender (MAIL FROM, or the HELO name when MAIL FROM is empty), fetches that domain's SPF record, and checks whether the connecting IP address matches one of the listed entries. SPF does not look at the From: header the user sees; an attacker can pass SPF for a domain they control in MAIL FROM while displaying a spoofed From: address. That gap is what DMARC alignment closes.
The record's terminating qualifier decides the verdict for IPs that match nothing: -all yields fail, ~all softfail, and ?all neutral. What the receiver does with each result (reject, quarantine, or accept) is its own decision, so enterprise security teams should make sure every legitimate sender (including third-party mailers) is listed before publishing -all, keep the record within the limit of 10 DNS-querying terms, and expect plain forwarding to break SPF because the forwarder's IP is not in the record.
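The evaluation described above, as an added example that is not part of the original article: a minimal SPF checker for the ip4, ip6, include and all terms, run against a constructed, in-memory stand-in for the DNS TXT lookups (the `FAKE_SPF_TXT` zone data and the domain names in it are assumptions; addresses come from the reserved documentation ranges). It shows that SPF is evaluated for the envelope sender's domain, which is why a forged MAIL FROM under the attacker's own domain can still pass.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: no network access here).
# Domains and addresses are made up; addresses are from the documentation ranges.
FAKE_SPF_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.bulkmailer.example -all",
    "_spf.bulkmailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "softfail.example": "v=spf1 ip4:203.0.113.5 ~all",
    "neutral.example": "v=spf1 ?all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, mail_from_domain, dns=FAKE_SPF_TXT, depth=0):
    """Evaluate the SPF record of the MAIL FROM domain against the connecting IP.

    Supports the ip4, ip6, include and all terms of RFC 7208; a, mx, ptr,
    exists and redirect= are reported as permerror rather than implemented.
    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                      # crude guard standing in for the 10-lookup limit
        return "permerror"
    record = dns.get(mail_from_domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # no SPF policy published for this domain
    addr = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:
        qualifier = "+"                 # a term without a qualifier means "+" (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"      # malformed address or prefix length
            if addr.version == net.version and addr in net:
                return QUALIFIER_RESULT[qualifier]
        elif name == "include":
            # include matches only if the referenced domain's record yields "pass"
            if check_spf(sender_ip, arg, dns, depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
        elif name == "all":
            return QUALIFIER_RESULT[qualifier]
        else:
            return "permerror"          # unsupported mechanism or modifier
    return "neutral"                    # nothing matched and no "all" term: RFC default


if __name__ == "__main__":
    # A legitimate relay, the bulk mailer pulled in via include, and a forging host.
    for ip in ("192.0.2.55", "198.51.100.10", "2001:db8:1::7", "203.0.113.77"):
        print(ip, "sending as example.com ->", check_spf(ip, "example.com"))
```

Note that `check_spf("203.0.113.77", "attacker.example")` returns `none` if the attacker publishes no record, and `pass` if they publish one that lists their server: SPF alone never asks whether the domain in MAIL FROM matches the From: header.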
DKIM Adds Cryptography to the Mix
DKIM attaches a cryptographic signature to each message sent from a protected domain. The sending server hashes the message body, signs that hash together with a chosen set of headers using a private key that only the domain's mail infrastructure holds, and places the result in a DKIM-Signature header (the d= tag names the signing domain, s= the key selector, bh= the body hash, and b= the signature). The private key itself never leaves the sender.
The receiving server fetches the public key from the DNS record at <selector>._domainkey.<domain>, recomputes the body hash, and verifies the signature. If either check fails, the signature is simply treated as invalid; DKIM by itself does not say what to do with the message, DMARC policy does. Because the signed parts cannot be altered without invalidating the signature, this also exposes emails modified in transit. Two caveats: the d= domain need not match the From: header, so an attacker can validly sign a spoofed message with their own domain's key (again, DMARC alignment closes this), and keys should be 2048-bit RSA and rotated by publishing a new selector.
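The body-hash part of the verification, as an added example that is not part of the original article: body canonicalization per RFC 6376 ("simple" and "relaxed"), computation of the bh= value, and a comparison against the value in a DKIM-Signature header. The message body and header are constructed for illustration; the bh= tag of the sample header is filled in with the same function a signer would use, and the b= signature is a placeholder because producing it needs the signing domain's private key, which the check below does not cover (that step needs the public key from DNS and an RSA library).

```python
import base64
import hashlib
import re

# Constructed sample body (assumption: not from a real mail). Note the trailing
# whitespace after "invoice." and the blank lines at the end.
SAMPLE_BODY = ("Hi Alice,\r\n\r\nPlease review the attached invoice.  \r\n\r\n"
               "Thanks,\r\nBob\r\n\r\n\r\n")


def canonicalize_body(body, mode="relaxed"):
    """RFC 6376 section 3.4 body canonicalization: 'simple' or 'relaxed'."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # strip trailing whitespace and collapse runs of whitespace to one space
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    elif mode != "simple":
        raise ValueError("unknown body canonicalization: " + mode)
    while lines and lines[-1] == "":     # drop empty lines at the end of the body
        lines.pop()
    canon = "".join(line + "\r\n" for line in lines)
    if mode == "simple" and not canon:   # simple: an empty body hashes as a lone CRLF
        canon = "\r\n"
    return canon


def body_hash(body, mode="relaxed", algorithm="sha256"):
    """Base64 digest of the canonicalized body, i.e. the value of the bh= tag."""
    digest = hashlib.new(algorithm, canonicalize_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value):
    """Split 'tag=value; tag=value' into a dict, tolerating folded whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(dkim_signature, body):
    """Recompute bh= from the received body and compare with the header's value.

    A mismatch means the body was changed after signing (or the header is bogus).
    The b= signature over the headers is not verified here.
    """
    tags = parse_dkim_tags(dkim_signature)
    if "l" in tags:
        raise NotImplementedError("l= (partial body length) signatures are not handled")
    algorithm = tags.get("a", "rsa-sha256").split("-", 1)[1]       # rsa-sha256 -> sha256
    canon = tags.get("c", "simple/simple")                          # header/body
    body_mode = canon.split("/")[1] if "/" in canon else "simple"   # body defaults to simple
    return body_hash(body, body_mode, algorithm) == tags.get("bh")


# Constructed DKIM-Signature header; bh= is computed with body_hash() above, b= is a
# placeholder (a real signer fills it with an RSA signature over the selected headers).
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail2024;\r\n"
    " h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + ";\r\n"
    " b=PLACEHOLDER_SIGNATURE_BYTES"
)

if __name__ == "__main__":
    print("intact body:  ", body_hash_matches(SAMPLE_DKIM_SIGNATURE, SAMPLE_BODY))
    tampered = SAMPLE_BODY.replace("attached invoice", "new wire instructions")
    print("tampered body:", body_hash_matches(SAMPLE_DKIM_SIGNATURE, tampered))
```

With relaxed canonicalization, a relay that strips trailing whitespace or adds blank lines at the end does not break the hash, while any change to the words does. This is why most signers use c=relaxed/relaxed: simple canonicalization fails on harmless rewrites that mailing lists and gateways routinely perform.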
DMARC Glues It All Together
The role of DMARC is to tie SPF and DKIM to the address the user actually sees and to add domain-level policy and reporting. Published as RFC 7489 in 2015, it requires that the domain in the From: header be aligned with the domain that passed SPF (the MAIL FROM domain) or the domain that signed with DKIM (the d= tag); in relaxed mode the two may be different subdomains of the same organizational domain, in strict mode they must match exactly. A message passes DMARC if at least one of the two is both authenticated and aligned. The domain owner publishes the policy in a TXT record at _dmarc.<domain>: p= sets the requested action when the check fails (none, quarantine, or reject), sp= covers subdomains, and pct= phases the policy in gradually. The same record names where receivers send reports: rua= for daily aggregate statistics of what passed and failed per source IP, ruf= for per-message failure reports. The usual rollout is p=none with rua= enabled to inventory every legitimate sender, then quarantine, then reject once the reports show no legitimate mail failing.
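The alignment and policy logic described above, as an added example that is not part of the original article. It takes the SPF and DKIM outcomes as inputs (so the earlier checks are not repeated here), looks up a constructed stand-in for the _dmarc TXT records (`FAKE_DMARC_TXT` and the domain names in it are assumptions), and returns the DMARC result together with the disposition the domain owner asked for. The organizational domain is approximated as the last two labels; a real implementation uses the Public Suffix List, and pct= sampling is not applied.

```python
# Constructed stand-in for _dmarc.<domain> TXT lookups (assumption: no network access).
FAKE_DMARC_TXT = {
    "_dmarc.example.com": ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                           "pct=100; rua=mailto:dmarc@example.com"),
    "_dmarc.lenient.example": "v=DMARC1; p=none; rua=mailto:reports@lenient.example",
}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a dict; None if it is not a valid policy."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (real code: Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain, spf_result, mail_from_domain, dkim_results,
                      dns=FAKE_DMARC_TXT):
    """Apply DMARC to one message.

    from_domain      domain of the From: header the user sees
    spf_result       result of the SPF check ('pass', 'fail', ...)
    mail_from_domain domain of the SMTP envelope sender that SPF was evaluated for
    dkim_results     list of (result, d= domain) pairs, one per DKIM-Signature
    Returns (dmarc_result, disposition) with disposition in none/quarantine/reject.
    """
    record = dns.get("_dmarc." + from_domain.lower())
    policy_tag = "p"
    if record is None:
        # a subdomain without its own record inherits the organizational domain's sp=
        record = dns.get("_dmarc." + org_domain(from_domain))
        policy_tag = "sp"
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return ("none", "none")         # no DMARC policy published: nothing to enforce

    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from_domain, tags.get("aspf", "r"))
    dkim_ok = any(result == "pass" and aligned(from_domain, d, tags.get("adkim", "r"))
                  for result, d in dkim_results)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    policy = tags.get(policy_tag) or tags["p"]   # sp= falls back to p= when absent
    return ("fail", policy)


if __name__ == "__main__":
    # Legitimate mail: envelope and From: both example.com, signed by example.com.
    print(dmarc_disposition("example.com", "pass", "example.com", [("pass", "example.com")]))
    # Spoof: From: example.com, but SPF and DKIM both authenticate the attacker's domain.
    print(dmarc_disposition("example.com", "pass", "attacker.example", [("pass", "attacker.example")]))
```

The second call is the case that SPF and DKIM each pass on their own: the attacker's envelope sender and signing domain are fully authenticated, yet neither aligns with the displayed example.com, so the message fails DMARC and the domain's p=reject applies.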
Summing It Up
When it comes to phishing prevention, security awareness training for employees is half the battle. Every team member should refrain from clicking links or downloading files that arrive in messages from strangers.
Wire transfer requests and changes to payment details that appear to come from colleagues should be confirmed in person or over a known phone number, never by replying to the message. Also, since many scammers and malware distributors do not proofread their emails, typos and other inaccuracies are worth noticing, though a polished message is no proof of legitimacy.
However, vigilance may not do the trick if an attacker spoofs the sender's exact domain. In this case, the From: address is identical to the real one, and no giveaways of fraud are visible to the naked eye. That is when email domain security best practices should step in: SPF, DKIM, and DMARC with a reject policy and alignment checks let receiving servers discard such messages before a user ever sees them.
These mechanisms do not cover lookalike domains (a registered typo or homoglyph variant of the brand's name), because the attacker owns that domain and can pass all three checks for it; catching those still depends on user attention and on monitoring for domains registered to impersonate the brand. If configured properly, though, the three standards stop exact-domain spoofing in its tracks and complement users' prudence to form solid protection against social engineering artifice.
Written by: David Balaban
David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.