Protecting Email Accounts Before They Are Phished

Email is consistently the number one entry point for information security threats, with 90% of breaches beginning with an email attack, such as phishing. This is especially prevalent in higher education where high value email addresses of top campus executives, as well as all contact details for staff and professors, are often publicly available online via employee directories allowing attackers to easily target them.


Last year, attackers were able to compromise and hijack legitimate email accounts from several large universities and use those accounts in targeted phishing attacks. Not only does the use of legitimate accounts more easily trick the email recipients into providing sensitive information or taking action, it also allows the attackers to bypass email security controls.

In addition to continuing your ongoing employee awareness training and internal phishing simulations to build up your human-level defenses, below are some of the best methods and technology tools your teams can use to protect organizational email accounts before they are phished or used to send phishing emails to others.

1. Secure Email Gateways

A strong email gateway can act as a firewall for email communications and block email-based threats before they reach your email server by scanning incoming, outbound, and internal communications for signs of malicious content, viruses, dangerous links, and attachments. Gateways are designed to block bulk spam or phishing campaigns from reaching employee inboxes, or to place questionable emails into quarantine for closer review.

Email gateways can check the domain of incoming emails to verify they are from trusted senders. Administrators can blacklist (deny/block) domains to make sure known attackers are unable to contact staff and students. Gateways also scan outbound email for malicious activity, so that if one of your accounts is compromised, the gateway can stop that account from sending out spam or phishing emails. Administrators can also configure the gateway to prevent sensitive documents from accidentally being sent outside of your organization, or to automatically encrypt messages that appear to contain sensitive information.

2. Post-Delivery Protection Solutions

Post-delivery solutions protect users from threats that have made it to the email inbox. Like gateways, they can filter incoming email, looking for signs of threats (like ransomware) by identifying malicious links or attachments. But the key threat defense they provide is digital stylometry, or the ability to use algorithms to identify and track models for each email sender. This technology monitors things like the sender’s geographic location, headers, common greetings, content (language and tone), etc. and then over time can calculate what a sender’s normal email should look like. If an alert is triggered for suspicious or abnormal content, the system can insert a warning banner to inform the user that this email could potentially be harmful.

3. SPF, DKIM, and DMARC Authentication

The use of SPF, DKIM, and DMARC authentication methods allows Internet Service Providers (ISPs) and mail services to detect forged email messages, thereby protecting their users from possible spam or phishing attacks and improving email security and deliverability.

a. Sender Policy Framework (SPF)

SPF is used by email servers to detect fraudulent sender email addresses prior to delivering the email to the intended recipient. Specifically, SPF allows the receiving server to compare the IP address the email came from against the published list of IP addresses authorized to send for that domain. SPF is limited, though, to validating the "return-path" address (the one used for bounce backs) and not the FROM domain. To address this shortcoming, most organizations also use DMARC. When used together, the email server is better able to detect (and quarantine) a spoofed email.

b. DomainKeys Identified Mail (DKIM)

DKIM attaches a digital signature to an email, created with a key belonging to the sending domain, which verifies that the message genuinely came from that sender. DKIM helps to ensure that the sender of the message has not been spoofed and that the email has not been tampered with in transit.

c. Domain-based Message Authentication, Reporting and Conformance (DMARC)

DMARC builds upon and ties together SPF and DKIM into a common framework, adds a reporting component, and was designed to allow domain owners to control who can send emails from their domain. By publishing a DMARC record in their DNS, domain owners can see who is sending emails on behalf of their domain (email spoofing) and work to shut that channel down. DMARC also allows domain owners to specify how they would like their email to be handled if it fails an authentication check (e.g., quarantine the message, reject it, etc.).

When used in conjunction, SPF, DKIM and DMARC can be a helpful defense against some attacks. However, because the main focus of these services is to authenticate the identity of the party sending the email in order to prevent spoofing, they are not designed to protect against attacks that don't rely on spoofing. Additionally, because the configurations are complex and implementation flaws are common, these services can be difficult to deploy, and attackers may still be able to successfully spoof legitimate sender domains.

The "Valimail's Email Fraud Landscape 2020" report revealed that 40% of the top 20 universities in the United States lack proper DMARC protections. Without DMARC policies configured to the strictest settings, hackers can still impersonate the university's email domain and convince recipients that they are opening a legitimate email from another student, professor, or staff member. With the impact of COVID-19 and remote/distance learning, campaigns have increasingly targeted students using spoofed domains, impersonating university libraries, student loan offices, online learning platforms, etc., and we have seen an uptick in successful attacks.
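As an added illustration (not code from the original post), the following Python checks SPF and DMARC TXT records for the weak settings this section describes: a DMARC policy short of p=reject, a partial pct, missing reporting, and an SPF record that ends in a soft fail rather than a hard fail. The sample records, domain names and addresses are constructed, not real.

```python
import re

# Constructed sample DNS TXT records (example domains only, not real lookups).
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc-reports@example.edu"


def parse_tags(record):
    """Parse a DMARC record ('tag=value; ...') into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return findings explaining why a DMARC record is weaker than the strictest setting."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: spoofed mail is not rejected (strictest is p=reject)")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("rua missing: no aggregate reports, so spoofing sources stay invisible")
    subpolicy = tags.get("sp", "").lower()  # sp inherits p when absent, so only flag an explicit weaker value
    if subpolicy and subpolicy != "reject":
        findings.append(f"sp={subpolicy}: subdomains can still be spoofed")
    return findings


def assess_spf(record):
    """Return findings for an SPF record whose 'all' mechanism does not hard-fail unlisted senders."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    match = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", record)
    if match is None:
        return ["no 'all' mechanism: unlisted senders get a neutral result instead of a fail"]
    qualifier = match.group(1)
    if qualifier in ("", "+"):
        return ["+all: any host on the Internet passes SPF for this domain"]
    if qualifier in ("~", "?"):
        return [f"{qualifier}all: unlisted senders only soft-fail or neutral; use -all with DMARC enforcement"]
    return []
```

Run over a domain's real records, the findings list maps directly to the "strictest settings" the report above refers to: an empty list means p=reject with full coverage and hard-fail SPF.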

4. Passwords and/or Multi-Factor Authentication

Always require strong, unique passwords for email accounts. Provide your employees with an approved password management tool to help them create and easily recall strong passwords across multiple accounts. You may also want to consider adding password cracking to your next penetration test to help identify accounts using weak passwords.

Whenever possible (and this may just be the most important tool in your toolbox!), you should also consider the implementation of multi-factor authentication, which requires users to have a secondary token (such as a mobile device or a physical key) in addition to their password when signing into the account. Most organizations have implemented MFA for remote access and for critical systems, but may not have pushed out MFA for email accounts yet. With the continued increase in phishing, this is highly recommended.

Hackers are clever and they are persistent, always shifting their methods to regain access to email accounts. In order to protect your organization’s end users from the escalating risks of phishing and email hijacking, you must continue to evolve your security strategies and continue to push for the use of technologies, like multi-factor authentication, across your entire environment.

Some additional guidance from CampusGuard’s Offensive Security Team:

[Sullivan]: When thinking of phishing attacks, many users automatically think of the money laundering scams that involve sending money to a prince in a foreign land. While this scam has evolved to prey on people who are looking for companionship or have financial worries, one of the most common themes we see in attacks targeting organizations is to pressure users into opening financial documents or clicking on links that are fraudulent which lead to the installation of malicious software or attempt to compromise the user's credentials.

In CampusGuard’s phishing simulations, we often find that users are more likely to identify and report phishing emails when they have been trained to be suspicious of emails that play on their emotions rather than what is logical from a business perspective. Additionally, we find that organizations that implement layers of automated technical defenses are much harder to phish at scale and are more likely to disable attachments and links sent in phishing emails.

When combined with good end-user training and organizational support, well-implemented technical controls can help to provide a strong defense against even some of the most sophisticated phishing attacks.