Imagine this scenario: You’re a teacher who gets an urgent email from a principal asking you to buy five $20 gift cards for a special project and to send the activation codes back in an email. Being a great employee who goes above and beyond, you happily go to the nearest grocery store, grab the gift cards and send back the activation codes as requested. Later in the day, you see the principal in the hallway and ask about the gift cards, only to be met with the surprise that the principal never sent an email about gift cards. In fact, he hasn’t used a gift card in the last 20 years! Hook, line, and sinker. You have been phished.
Believe it or not, that exact scenario actually happened to a school district probably not all that different from yours. But we do have some technical control advice to help mitigate successful phishing and other malicious social engineering attempts. The controls we will be looking at in this article are SPF and DKIM, used in conjunction with DMARC records, to help verify email senders and set up rules for what kinds of emails can enter your domain. We will also touch on email sandboxing and how it can help prevent malicious email attachments and suspicious URLs from reaching your domain.
DMARC, SPF, and DKIM
The main technical controls that we can use to prevent successful phishing attempts are SPF, DKIM, and DMARC records. These are text (TXT) records in the domain’s DNS that help receiving mail servers identify unwanted or suspicious mail claiming to come from our domain. Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses during the delivery of the email. An SPF record is a DNS record that has to be added to the DNS zone of your domain. In this SPF record you specify which IP addresses and/or hostnames are authorized to send email for that domain. The mail receiver uses the “envelope from” address of the mail (typically the Return-Path header) to confirm that the connecting IP address is authorized to send for that domain. This check happens during the SMTP transaction, before the body of the message is received. When the sending email server isn’t included in the SPF record for the domain, email from that server is marked as suspicious and can be rejected by the email receiver.
Using SPF records helps limit the email spoofing that can be done against your domain by listing the mail servers that are allowed to send mail on your behalf. When set up correctly, if an outside entity tries to send a phishing email using email spoofing and it does not come from a mail server listed in the SPF record, that email can be rejected by the receiving mail server and never delivered to the recipient’s inbox.
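To make the SPF check above concrete, here is an added example (not code from the original article, and not a production SPF library) of how a receiving server evaluates an SPF record against the connecting IP address. It walks the mechanisms of the record in order, follows include: references, and returns the standard SPF verdict. The DNS zone data, the domain schooldistrict.org, the vendor domain _spf.mailvendor.example and all IP ranges are constructed for illustration; only ip4, ip6, include and all mechanisms are modelled.

```python
import ipaddress

# Constructed, hypothetical DNS zone data (not real records): domain -> SPF TXT.
# 203.0.113.0/24, 198.51.100.0/24 and 2001:db8::/32 are documentation ranges.
FAKE_DNS = {
    "schooldistrict.org": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

MAX_DNS_LOOKUPS = 10  # RFC 7208 limits include/a/mx/ptr/exists lookups to 10


def check_spf(domain, sender_ip, dns=FAKE_DNS, _lookups=None):
    """Evaluate the SPF record of `domain` for a connection from `sender_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are modelled; a/mx/ptr/exists would need
    further DNS lookups and are treated as permerror in this toy resolver.
    """
    if _lookups is None:
        _lookups = [0]
    record = dns.get(domain.lower())
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if "=" in term:
            continue  # modifiers such as redirect= or exp= are ignored in this toy
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            sub = check_spf(value, sender_ip, dns, _lookups)
            if sub == "pass":
                return QUALIFIER_RESULT[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"  # an included domain must publish a valid record
        else:
            return "permerror"
    return "neutral"  # record ended without a matching mechanism


def mail_from_domain(return_path):
    """Extract the domain from a Return-Path / envelope-from address."""
    return return_path.strip("<>").rpartition("@")[2].lower()


def evaluate_message(return_path, sender_ip, dns=FAKE_DNS):
    """Check the envelope sender of one message the way a receiver would."""
    return check_spf(mail_from_domain(return_path), sender_ip, dns)


if __name__ == "__main__":
    # Legitimate district mail server vs. a spoofed message from an unlisted host.
    print(evaluate_message("<principal@schooldistrict.org>", "203.0.113.25"))  # pass
    print(evaluate_message("<principal@schooldistrict.org>", "192.0.2.44"))    # fail
```

Note that the spoofed message fails only because the record ends in -all; a record ending in ~all or ?all would let the receiver deliver it with a softfail or neutral verdict, which is why the DMARC policy discussed later matters.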
SPF alone will not be enough to prevent successful phishing attempts. DKIM records should also be used to verify the sending domain names. DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in email (email spoofing), a technique often used in phishing and email spam. DKIM uses a pair of keys, one private and one public, to verify messages. The private domain key is used to add a cryptographic signature header (DKIM-Signature) to all outgoing messages sent from your domain (for example, a Gmail-hosted domain). The matching public key is published in a DNS record for your domain, under a selector name. Email servers that receive messages from your domain use that public key to verify the signature and confirm that the signed headers and body were not altered in transit.
If a malicious actor sent a spoofed email carrying a DKIM signature that does not verify against the public key published under the selector, then the spoofed email would either be marked as spam or not delivered at all. DKIM helps reduce spoofed emails; however, it alone cannot fully protect against spoofing and phishing attacks, because a valid signature only proves that the signing domain signed the message, not that the signing domain matches the visible From: address.
So if neither SPF nor DKIM records can fully help prevent successful phishing attempts, then what can? DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol designed to give email domain owners the ability to protect their domain from spam or phishing attempts by aligning what the receiver knows about the sender. It does this by tying the SPF result and the DKIM result to the From: header domain and checking whether they align.
For example, let’s say you have SPF, DKIM, and DMARC set up on the schooldistrict.org domain and want to send an email. The receiver’s DMARC check will look at the Return-Path header for an @schooldistrict.org address (the domain SPF was evaluated against), it will also look for a DKIM signature with d=schooldistrict.org in the DKIM-Signature header, and it will then compare both against the @schooldistrict.org domain in the From: header. If at least one of these authenticates and aligns with the From: domain, then the email passes DMARC as valid. One of the benefits of setting up DMARC is that you can set a specific DMARC policy (the p= tag) telling receivers what to do when the message does not align. These options are: do nothing (p=none), quarantine the message (p=quarantine), or reject the message (p=reject), which allows for some granularity in controls.
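The following is an added example (not code from the original article, and not a production DMARC implementation) that ties together the DKIM selector lookup described above and the schooldistrict.org alignment walk-through: it parses a DMARC record, pulls the d= and s= tags out of a DKIM-Signature header, applies strict or relaxed identifier alignment, and returns the disposition the domain owner asked for. The DMARC record, the DKIM selector sel2023, the relay domain bulk-sender.example and the message headers are all constructed for illustration; the actual SPF and DKIM verdicts are passed in as inputs, since signature verification is done by the receiving mail server before this step.

```python
from email.utils import parseaddr

# Constructed, hypothetical DNS data (not real records): the DMARC TXT record
# a receiver would fetch from _dmarc.schooldistrict.org.
FAKE_DNS = {
    "_dmarc.schooldistrict.org":
        "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@schooldistrict.org",
}


def _parse_tags(value):
    """Parse a 'k=v; k=v' tag list (used by both DMARC records and DKIM headers)."""
    tags = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = val.strip()
    return tags


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; None if it is not a valid record."""
    tags = _parse_tags(record)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    tags.setdefault("adkim", "r")  # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    return tags


def parse_dkim_signature(header_value):
    """Return (signing domain, selector) from a DKIM-Signature header's d= and s= tags."""
    tags = _parse_tags(header_value)
    return tags.get("d", "").lower(), tags.get("s", "")


def dkim_key_name(selector, domain):
    """DNS name the receiver queries for the DKIM public key."""
    return f"{selector}._domainkey.{domain}"


def org_domain(domain):
    """Organizational domain, approximated here as the last two labels.

    A real implementation consults the Public Suffix List so that, e.g.,
    a name under k12.ca.us is not reduced to 'ca.us'.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(headers, spf_result, spf_domain, dkim_result, dns=FAKE_DNS):
    """Combine SPF/DKIM verdicts with alignment and return the DMARC disposition.

    headers: dict with at least 'From' and optionally 'DKIM-Signature'.
    spf_result, spf_domain: SPF verdict and the envelope-from domain it applied to.
    dkim_result: verdict of verifying the DKIM-Signature header's signature.
    Returns one of: pass, none, quarantine, reject.
    """
    from_domain = parseaddr(headers["From"])[1].rpartition("@")[2].lower()
    record = dns.get(f"_dmarc.{from_domain}")
    policy = parse_dmarc(record) if record else None
    if policy is None:
        return "none"  # no DMARC policy published: receiver applies its own rules
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_domain, _selector = parse_dkim_signature(headers.get("DKIM-Signature", ""))
    dkim_ok = (dkim_result == "pass" and bool(dkim_domain)
               and aligned(dkim_domain, from_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        return "pass"  # at least one authenticated identifier aligns with From:
    return policy["p"]  # nothing aligned: apply the domain owner's policy


if __name__ == "__main__":
    # Constructed messages: genuine district mail, then a spoof relayed through a
    # third party whose own SPF and DKIM pass but do not align with the From: domain.
    genuine = {"From": "Principal <principal@schooldistrict.org>",
               "DKIM-Signature": "v=1; a=rsa-sha256; d=schooldistrict.org; s=sel2023; "
                                 "h=from:to:subject; bh=<digest>; b=<signature>"}
    spoof = {"From": "Principal <principal@schooldistrict.org>",
             "DKIM-Signature": "v=1; a=rsa-sha256; d=bulk-sender.example; s=k1; "
                               "h=from:to; bh=<digest>; b=<signature>"}
    print(evaluate_dmarc(genuine, "pass", "mail.schooldistrict.org", "pass"))  # pass
    print(evaluate_dmarc(spoof, "pass", "bulk-sender.example", "pass"))        # reject
```

The spoof case is the one SPF and DKIM each miss on their own: both checks pass for bulk-sender.example, but neither identifier aligns with schooldistrict.org in the From: header, so the p=reject policy applies. The adkim=s tag in the constructed record also shows the difference between strict and relaxed alignment: a signature with d=mail.schooldistrict.org would align under aspf=r for SPF but not under adkim=s for DKIM.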
SPF, DKIM, and DMARC are good ways to help prevent successful phishing attempts, but if they’re so good, why isn’t everyone using them? For one, they can be a bit tricky to set up, as you do need access to and knowledge of DNS and how to create or modify DNS records. Moreover, in a blog post from Sophos’ NakedSecurity, researchers found that even most Fortune 500 companies were not implementing DMARC because, “The biggest flaw of all is simply that DMARC only solves part of the problem. Even if universally adopted, criminals can find ways around it using a toolbox of tricks including hijacking or using legitimate domains (which pass authentication) to send emails mocked up to look genuine. Domain abuse isn’t the only game in town.” The trend has barely changed in recent years. According to Armen Najarian, CIO of Agari, studies in 2020 have shown that 80% of Fortune 500 companies still haven’t adopted standard email authentication protocols. But many researchers have found that most criminals are “lazy” and try to find the easiest way possible to exploit a network. If one more thing is blocking their attack, it might be just enough to make it not worth their time. So implementing just a few of these methods will make a significant difference.
Email sandboxing is either a third-party program or a built-in feature of popular email providers, such as Google or Microsoft, that can scan attachments, URLs or both for known malicious payloads or even unknown malicious payloads, otherwise known as “zero days.” A sandbox in cybersecurity terms is essentially a safe place to click, open, or use something potentially malicious, or to simply view and evaluate code without affecting the underlying network. By taking advantage of sandboxing techniques, we can limit the number of malicious links and files entering the domain. Sandboxes do have some limitations, though. One is that sandboxing can be resource intensive if the domain is very large or if the file being sandboxed is very large. The other drawback is that if an attacker knows the domain uses email sandboxing, they have ways to evade the sandbox and still land in the domain untouched. However, if there is another step in the way of the attacker, it may be just enough to deter a possible attack.
Unfortunately, there is no one silver bullet when it comes to completely preventing successful phishing attempts, but that alone should not be the reason that our defenses are down and domains are insecure. With the help of SPF, DKIM, DMARC, and email sandboxing, these technical controls can help prevent successful phishing attempts from penetrating your district’s network, but alone they are not enough to fully stop phishing attempts from ever reaching your domain. When these technical controls are coupled with proper user training on how to identify phishing attempts, you will see a dramatic decrease in successful phishing attempts, making your district more secure over time.
We advise taking a look at the controls above and implementing them to better protect your domain. If you are a customer, please reach out to us if you need assistance or guidance in implementing these methods. For more information or help protecting your district from social engineering attacks, please contact email@example.com!