As with many other forms of cybercrime, Tolar Systems has been seeing an uptick in email spoofing attempts against the businesses we serve. In this post we’ll discuss email spoofing: what it is, why you should be concerned, and how to prevent spoofed emails from putting your business at risk with Microsoft Office365 Advanced Threat Protection.
As with many other forms of cybercrime, Tolar Systems has been seeing an uptick in email spoofing attempts against the businesses we serve. In this post we’ll discuss email spoofing: what it is, why you should be concerned, and how to prevent spoofed emails from putting your business at risk with Microsoft Office365 Advanced Threat Protection.
What is Email Spoofing?
Email spoofing is when a cybercriminal sends an email that appears to be from someone else. Typically, a spoofed email will appear to be from someone you know and trust, such as a friend, a coworker, a person with whom you have a business relationship, or someone you’d be more likely to trust than “[email protected]”.
Cyber criminals do this for several reasons, typically in an attempt to gain your trust and get you to do something you otherwise wouldn’t, such as opening an email, clicking a link, or downloading a document. Sometimes, the intent might be somewhat less malicious – they might just want to send you spam – but the person’s email has been blacklisted and they’re forced to send emails under a fake identity.
Worst case scenario These criminals are looking to steal your identity, unleash ransomware to hold your business data hostage, or ruin the reputation of the individual whose email identity they’ve hijacked.
They might even attempt to blackmail you. One of the most insidious types of email spoofing attacks we’ve seen recently involves criminals impersonating individuals known to their victims, claiming to have damaging information that they’ll publish unless they’re paid a hefty ransom. In this case, it’s not precisely a ransomware attack, but if you fall for it, it can still be costly to your business.
Microsoft Office365 ATP: Putting a Stop to Email Spoofing
These disturbing trends are one more reason why we’ve been excited to roll out Microsoft Office365 ATP. It provides tools to help identify and respond more effectively to email spoofing.
How does it work? To answer that question, it’s helpful to understand the various ways that a sender can be identified in an email. These are:
- Display Name – The name of the person the email appears to come from. Usually this will be shown as “Bob Jones”, or “Amazon customer service” or some other easily identifiable name. This may be how an individual human user identifies who has sent them an email, but on the back end, the email is identified by one of the following:
- From Address – This is the email address that the email appears to come from, such as [email protected]
- MailFrom Address – This is the “return address” for the email, i.e., if there is a problem and the email bounces, the email will send bounce notices to this address.
- Server IP Address – This is a numerical address that identifies the server that is sending the email. This is tied to a physical location.
In an email spoofing attempt, typically one or more of these will not align. That’s why authentication efforts are focused on analyzing and responding when, for instance, an email address doesn’t come from the right server or IP address.
Microsoft ATP Takes Aim Against Spoofing
Microsoft ATP uses several authentication protocols to prevent email spoofing. These include:
- SPF or Sender Policy Framework, which creates a record that matches the MailFrom Address with an IP address, thus identifying which servers are allowed to send email from a custom domain.
- DomainKeys Identified Mail, or DKIM, which uses cryptographic authentication to create a digital signature for emails coming from your domain. DKIM matches the From address with the IP address.
- Domain-based Message Authentication, Reporting, and Conformance, or DMARC, which checks against SPF and DKIM together to ensure that an email is authentic.
Microsoft ATP uses an algorithm called Composite Authentication that applies results from the above three checks to determine if an email is authentic. If it is, it is passed through to the recipient. If not, the email may be rejected or given a “soft pass,” in which case it might be quarantined.
What You Can Do
To help prevent the spread of email spoofing, one of the best things you can do is make sure your Office365 administrator has set up your authentication tools and policies properly. You can also help maintain your organization’s list of whitelisted senders and keep in mind that these authentication tools are not 100 percent effective at preventing the spread of email spoofing.
As a user, we also urge you to be vigilant, even if you’re using ATP. Email spoofing can be carried out in a number of ways, some of which are undetectable by authentication technology, such as when a hacker gains access to a user’s business email. Be careful when opening any unsolicited email, and be on the lookout for some of the other signs that an email could be a spoof or phishing attempt, as illustrated in the graphic below.
Contact Tolar Systems
If your organization needs help to reduce your vulnerability to email spoofing and other email-based cyberattacks, contact Tolar today.
