Why our mail system is exposed to spoof and phishing mail attacks part 5#9

Page 1 of 22 | Why our mail system is exposed to Spoof and Phishing mail attacks |Part

5#9

Written by Eyal Doron | o365info.com | Copyright © 2012-2016

Why our mail system is exposed to Spoof and

Phishing mail attacks |Part 5#9

Let’s start with a declaration about a strange phenomenon: Spoof mail attacks and Phishing mail

attacks, are well-known attacks, and consider as a popular attack among the “hostile elements.”

Most of the existing organizations, do not have effective defense mechanisms against the above

attacks, and there is a high chance, at some point, that your organization will experience the

bitter taste of Spoofing or Phishing attacks!

In other words – most of the organizations are exposed to Spoof and Phishing mail attacks, and

it’s only a matter of “when”.

Dealing with Spoof and Phishing mail attacks | Article Series -Table of content

So the most obvious questions could be:

http://o365info.com/why-our-mail-system-is-exposed-spoof-phishing-mail-attacks-part-5-of-9/


https://il.linkedin.com/in/eyaldoron1

http://o365info.com/


5#9


1. Is this statement correct?

2. And if this Is this statement is correct is correct, how could it be that no one pays

attention to this problem, and doing something accordance?

In the current article, I would like to give you some “food for thought” regarding this strange

phenomenon, which we prefer to ignore the danger of Spoof mail attack and Phishing mail

attacks, close our eyes, and continue to declare that “we are doing our best for protecting our

mail infrastructure!”

The Common Misconception That Causes Us To Ignore The Threat Of Spoof

Mail Attack And Phishing Mail Attacks

1. It will not happen to me.

From time to time, we read some story about a company that was attacked by a Phishing mail

and a sad story such as – a story about the CEO who was lured to transfer a large amount of

money to the attacker’s bank account, but we don’t really believe that it will happen to us.

My answer is that it’s not a matter of “if” but only a matter of “when.”

Most of the chances are that your organization will experience Spoof E-mail attacks and

Phishing mail attacks at some point.






5#9


2. Too much on my mind

Every average IT member or IT manager is experiencing the feeling of – “too much on my mind.”

Every day “invites” new challenges and new crises.

“I know that the subject of Spoof mail attack and Phishing mail attacks is important, but I have

more critical issues that I need to take care of them at the moment”

The little secret is that probably; you will never have the required time!

If you do not find the required time, the next Spoof mail attacks and Phishing mail attacks will

find you unprepared, and the result can become very critical!

Only when you are able to acknowledge the importance of this risk, you will “make the time.”

3. My organization is well protected from Spoof mail and Phishing mail attacks.

All of us, have the strong need to believe that someone watches us and will protect us when it’s

needed.






5#9


This is a very basic human need.

When relating to the risk of – Spoof E-mail attacks and Phishing mail attacks, most of the time,

we prefer not to be realistic.

Instead, we prefer to cling to the general thought that “they” (my IT, my mail provider and so

on), are doing what they know to do, and that “they,” are doing whatever it takes for protecting

our organization from Spoof E-mail attacks and Phishing mail attacks.

The reality is much more complicated!

Most of the time, the “IT” doesn’t include a professional authority who is specialized in the

subject of “mail security” or doesn’t know what are the unique threats that relate to a modern

mail infrastructure, what are the specific characters of Spoof mail attack and Phishing mail

attacks, what is the available solution? and so on.

Hosted mail infrastructure such as Office 365 (Exchange Online) | My mail infrastructure is

automatically protected!

In a scenario in which your mail infrastructure is hosted at “external mail provider” such as Office

365 and Exchange Online, this Incorrect assumption is manifested most strongly.

Most of the mail provider such as Office 365, have all the required tools and infrastructures for

dealing and preventing Spoof E-mail attacks and Phishing mail attacks.

The “little thing” that we are not aware of the simple fact that these “defense mechanisms,” are

not activated by default. Instead, they are just sitting there waiting for us to use them!






5#9


The main reason that this defense mechanism is not activated automatically is – because this

defense mechanism can intercept accidentally legitimate E-mail.

The important thing that most of us are not aware of being – that the responsibility to use the

existing defense mechanism is our responsibility!

For example, when relating to the subject of Spoof mail attack, Exchange Online support three

mail standards, that implements sender verification + support the option of creating an

Exchange rule that will identify events of the Spoof mail attack.

The responsibility of knowing the specific characters of each of the sender verification mail

standards, the required configuration settings for each of this standard, how to configure the

required adjustment that will suit our specific organization needs is our responsibility!

What Is The Weakness That The Hostile Element Exploits When Using Spoof

Mail Attack And Phishing Mail Attacks?

The base for Spoof mail attack and Phishing mail attacks, relies on two major weaknesses:

1. The SMTP protocol weakness

2. The Human factor weakness






5#9


Spoof E-mail attack and SMTP as Innocent protocol

When we hear or experience a Spoof E-mail attack, the first question that can appear in our

mind could be:

Q1: Why mail servers don’t know how to protect themselves from Spoof E-mail attacks and

Phishing mail attacks?

A1: The simple answer is that the “creator” of the SMTP protocol, didn’t relate to the issue of

“mail security” and instead, concentrated on creating mail protocol, that will deliver an email

message from point A to point B effectively and reliably.

The issue of “mail security” was neglected because at that time, the popularity of the SMTP

protocol was not so great, and the use of the SMTP protocol was not so common.

In a standard mail communication that involves two parties, the SMTP protocol is based on the

concept in which the destination mail servers (side B) “believe” in the identity

(E-mail address) that the sender (side A) provides.

The sender (side A), doesn’t need to prove his identity!

Phishing mail attack and we as a human being






5#9


Regarding Phishing mail attack, the base for this attack is – the ability to exploit the “thing” that

makes us “human”.

Q1: Why is it so hard to deal with Phishing mail attacks? Or, why there are so many people that

fall prey to Phishing mail attack?

A1:

The standard Phishing mail attack is based on two “parts” that exploit the human character:

The Phishing mail attack starts with the “trust part”, in which the hostile element uses an E-mail

address of someone we trust or E-mail address that looks like an E-mail message that was sent

from respectable and trusted source.

The “sender trusts part,” relies on the “innocence” of the SMTP protocol, that doesn’t include a

built-in mechanism for verifying the identity of the “other side.”

The second part of the Phishing mail attack is based on the “content” that appears in the E-mail

message.

As the famous song of Michael Jackson – the “human nature” – the hostile element that

executes the Phishing mail attack, is aware of different “human button” that can be pushed and

manipulated.

The Phishing mail content is designed to address a common human character such as pity, fear,

greed, curiosity and so on.

The attacker address one of this “human failing” for manipulating the victim to “do something”

such as – open a specific file (malware) or click on a specific link in the Phishing mail that will

lead the victim to a Phishing website.






5#9


The Awakening Of Our Awareness Of The Problem Of Spoof Mail Attack

And Phishing Mail Attacks | Additional Obstacles

Let’s assume that you decide that you agree that Spoof mail attack and Phishing mail attacks

constitute a great risk to your organization and that you are willing to make the effort and take

this threat seriously.

In this section, I would like to review additional obstacles that may appear on the way.

To be able to start handling the Spoof mail attack and Phishing mail attack threat, you will need

to overcome these obstacles.






5#9


1. The fair from doing something that will harm the organization mail flow.

Let’s talk about the most prominent obstacle: the fear of a scenario, in which the solution that

will be implemented will damage the normal mail flow.

A scenario of false positive, in which a legitimate E-mail that sent to our users will be mistakenly

identified as Spoof E-mail or Phishing mail and for this reason, will be “blocked” or deleted by

the specific Spoof E-mail protection mechanism that we use.






5#9


When implementing a security mechanism that deals with Spoof E-mail, we are facing two

problematic scenarios:

Incoming mail

In a standard mail flow, we welcome every E-mail message that sent to one of our users, as long

as the destination recipient exists. In other words, we don’t care about the element that

originates the E-mail message (the sender) but instead, the mail server that represents our

organization is only responsible for verifying the information about the destination recipient

(that he hosts the mailbox of the destination recipient).

When we implement a defense mechanism that is should protect us from Spoof mail attack, we

can compare it to a scenario in which we place a “guard” at the entrance to our base (our mail

infrastructure).

Versus a scenario in which every guest is welcomed to enter our perimeter when we force the

use of sender verification, we implemented a process in which we try to verify the identity of

each entity that wants to “enter our base.”

When we use this additional layer of security, there is a reasonable chance that we will

experience a scenario of false positive.






5#9


In this scenario, some of our “legitimate guests,” will not be allowed to enter our base and will

be rejected because they do not have the required proof of their identity or from any technical

problem that relates to the proof of their identity (their E-mail message will be rejected).

Outgoing mail

The other aspect of implementing sender verification mechanism is the ability to “stamp”

a legitimate E-mail message that sent by our legitimate users, so, the “other side” will be able to

verify our identity, and will be able to differentiate our legitimate sender from E-mail messages

that send by hostile elements that spoof our organizational identity.

The problem of “false positive” can be realized also when relating to the scenario of outgoing

mail flow, meaning, an E-mail message that is sent by our user to external destination recipients.

In a complex mail infrastructure, the ability to “stamp” all of the E-mail messages that is sent

from our mail infrastructure fully and in a “proper,” way is a quite a challenging task!






5#9


In case that we didn’t manage to correctly “stamp” each E-mail message that uses our

organizational identity (E-mail message in which the sender uses our domain name), this could

lead to a scenario, and which a legitimate E-mail message that is sent from our users, will be

rejected by the “other” mail infrastructure.

2. Fear of hurting business activity

Every implementation of any security solution mechanism will probably cause some disruption

to the business activity, at least in the first phase of the adoption and assimilation.

The fear of this anticipated disruption leads us to the attitude of – don’t rock the boat!

Alternatively, if no one complained, until now, I guess everything is OK!

The false sense that if, until now, everything was fine, in the future everything will be fine will

eventually explode in our face.

In other words – If you can’t stand the heat, get out of the kitchen.

3. The resources issue

To be able to clearly understand the “enemy” we will need to ask (and answer) many questions

such as:

How the enemy thinks and functions?

What is the vulnerability of your mail infrastructure?

What are the possible solutions for the existing mail infrastructure vulnerability?

What is the difference between the different solution such as SPF, DKIM, DMARC?






5#9


You will need to have a patience and the willingness to devote the time required to read and

internalize information.

4. The vanity syndrome

The fact that you are veteran IT professional doesn’t mean that you are a security professional

and doesn’t mean that you are familiar with the existing risk that threatens your mail

environment, and the possible solution to this risk.

5. The fear of the unknown syndrome

Like any “un-know territory”, the mail security standard territory, is an un-know territory” for

most of us.

In the process of implementing a specific solution to the problem of Spoof E-mail attacks and

Phishing mail attacks, you will certainly encounter many questions and problems.

It’s OK; this is expected as part of the process.

6. The need for simplicity syndrome

Most of the time, we are looking for a simple solution and try to avoid the need to understand

and implement complex solutions.

The simple answer is – there is no simple solution for the task of dealing with Spoof E-mail

attacks and Phishing mail attacks.






5#9


7. The military approach syndrome

This is one of the noticeable features of many managers.

The subtext of this approach is – I don’t care how, just make it work!

Well, we can make it work but, only of the “management” is obligated to the process, and is

willing to allocate the require resource for the implementation of the possible solutions.

Why Is There No Simple Solution For The Problem Of Spoof E-Mail Attacks

And Phishing Mail Attacks?

The simple answer is that Phishing mail attack is not simple!

The phishing mail attack is a sophisticated attack that combines a couple of attacks, which we

will have to deal with each of them separately.

In addition, the ability to deal with the infrastructure for the Phishing mail attack – spoof mail

attack is not so simple!






5#9


The common confusion between Spoof mail attack versus Phishing mail attacks

A very important observation that I like to mention regarding the task of – “dealing with a

scenario of Spoof E-mail attacks and Phishing mail attacks” is – that we should distinguish Spoof

mail attack from Phishing mail attacks.

Each type of attack has different characters, and for this reason, need a different type of

solutions.

Most of the Phishing mail attacks, use the Spoof mail attack in the initial phase of the attack.

For this reason, it’s reasonable to assume that in case that we identify and block

Spoof E-mail; the derivative will be blocking the Phishing mail attack.






5#9


However, the important thing is, that we cannot build our defense infrastructure based on this

assumption for a couple of reasons:

Not all the Phishing mail attack uses the option of spoofing the sender identity.

There is a reasonable option, in which the Phishing mail attacks will use just a standard E-mail

address from well-known mail providers such as Gmail, Hotmail or Yahoo.

It’s very reasonable to assume that even when we use some protection mechanism that will

use to identify Spoof mail attack, we will not be able to identify and block 100% of the Spoof

mail attacks.

Note – another aspect of Phishing attacks is that not all the Phishing attacks are “Phishing mail

attacks”. It’s true that most of the Phishing attacks are executed via the “mail channel” but some

of the Phishing attacks can be executed by using a phone call or a phone SMS, via a message

that sent to instant messaging users, via a message that sent to social-network users and so on.

What are the challenges that we need to face when we want to fight Spoof E -mail

attacks?

Regarding our ability to protect our mail infrastructure from Spoof mail attack, there are a

couple of well-known mail standards, that was created by completing the SMTP protocol

“missing part” meaning, the ability to verify sender identity.

Along the current article series, we will review in details the different sender verification mail

standard such as – SPF, DKIM and DMARC, and other optional solutions such as – solutions that

we can implement in Exchange based environment.






5#9


If you think, you can sit back, relax and drink a refreshing cocktail because you found the perfect

solution to all the Spoof E-mail problems, you are wrong!

It’s true that there are standards and solutions that were created for dealing with the

phenomena of Spoof E-mail but this solution is very far from providing a perfect solution.

1. The implementation of the sender identification mechanism is not so simple.

Each of the different standards has advantages, disadvantages and “blind spots.” spots”.

The implementation of this standard is not so simple and required preliminary assessment,

planning and constant accompaniment.

For example – at the current time, we can mention three mail standard that was created for

dealing with the need to verify the sender identity.

Each one of this standard uses a different method for verifying the sender identity and each one

of this standard, required to implement different preparations and configuration settings.

The implementation of this standard (sender verification standard) becomes quite complicated

and challenging, in a complex mail environment that includes many mail servers many sites, etc.






5#9


A standard such as SPF, considered as an easy to adapt standard, but have built-in “blind spot,”

spot”, that can be exploited by a hostile element that will bypass the existing “SPF wall.”

The DKIM standard can provide a good protection, but because the solution is based on Public-

Key infrastructure (certificate, digital signature and so on), it’s not so easy to implement this

standard in a compound mail environment that includes many different entities that send mail

on behalf of the organization.

2. Not all the organizations use sender identification mechanism.

Another major issue is that we should not forget is – that the implementation of a complete

solution for the problem of “Spoof E-mail,” is depended on a “logical circuit” that will include

two sides: the sending mail infrastructure and the receiving (the destination) mail infrastructure.






5#9


In case that “our side” is implementing all the required solutions for dealing with Spoof E-mail

phenomenon, but the “other side” doesn’t implement any Spoof E-mail protection solution, the

outcome is that every hostile element can use our identity and attack the “other side” using our

organizational identity.






5#9


What Are The Challenges That We Need To Face When We Want To Fight

Phishing E-Mail Attacks?

Regarding the subject of existing solutions for the problem of Phishing mail attacks, the

situation is much poorer compared to the status of Spoof E-mail solutions.

The Phishing mail attack considers as sophisticated attacks. The ability to identify and block

Phishing mail attacks is much more complicated than dealing with the Spoof mail attack.






5#9


The “interesting news” is that at the current time, there is no formal standard or a well know

protection mechanism, that can directly deal and prevent all the types of Phishing mail attacks.

If you perform a simple search using a question such as – “solution for Phishing email

attacks,” most of the results that appear are dealing with tips and tricks, guideline and best

practices that instruct users how to avoid or to recognize a scenario of Phishing mail.

The “missing part” is that the answers and the solution are related to the “end point” meaning,

the users and not to the “server side” meaning our mail infrastructure.

The information is not related to a specific technology or a standard, that can be implemented

on the “server side”.

Some links, will lead you to a company that provides services for testing your mail infrastructure

(by simulating a Phishing mail attack), and the reaction of your users to Phishing mail attack, but






5#9


the painful truth is – that there is no “tangible” standard, that promises to protect your mail

infrastructure from all the Phishing mail attacks.

My answer to the question of – “Why is there no formal solution to the threat of Phishing mail

attack?” is, that the Phishing mail attack made of “different parts.”

We cannot relate to Phishing mail attack as “one problem” but instead, as a “collection of

problems.”

For example-

One of the building blocks of Phishing mail attack is a Spoof mail attack.

To be able to successfully deal with a Phishing mail attack, we will need to find a good

solution for the problem of Spoof mail attack such as – implementation of sender

verification standard – SPF, DKIM, DMARC and so on.

One of the building blocks of Phishing mail attack is infecting the user desktop with a

malware (most of the time, “smart malware” that are injected into legitimate files).


solution for the problem of malware such as – “send box” solutions.

One of the building blocks of Phishing mail attack is social engineering.


solution for the problem of social engineering such as – guide and instruct our users

about the characters of Phishing mail attack.

Q1: Should I feel despaired from the fact that there is no formal solution to the threat of

Phishing mail attack?

A1: No! although there is no “magic button”, that we can use for dealing with a Phishing mail

attack, there are a couple of solutions that we can use, and the combination of these “solutions”

can provide good and effective protection for most of the Phishing mail attack scenarios.

In the article – Using sender verification for identifying Spoof mail | SPF, DKIM, DMARC,

Exchange and Exchange Online |Part 8#9 , we will review the list of the solutions that we can use.





http://o365info.com/using-sender-verification-for-identifying-spoof-mail-spf-dkim-dmarc-exchange-and-exchange-online-part-8-of-9/

http://o365info.com/using-sender-verification-for-identifying-spoof-mail-spf-dkim-dmarc-exchange-and-exchange-online-part-8-of-9/


5#9


The next article in the current article series is

Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9





http://o365info.com/dealing-with-the-threat-spoof-phishing-mail-attacks-part-6-of-9/

Date post:	27-Jul-2016
Category:	Documents
Upload:	o365infocom
View:	220 times
Download:	1 times

Why our mail system is exposed to spoof and phishing mail attacks part 5#9

Documents