Posts

Do you know how secure your domain is? Most organizations operate with the assumption that their domains are highly secure and in a short while, they learn it isn’t the case. One of the tell-tale signs of a low security score is if your domain name is being spoofed – this means that someone is using your domain in order to impersonate you (or create confusion) and fool email recipients. But why should you care? Because these spoofing activities can potentially endanger your reputation. 

In a world full of domain impersonators, email domain spoofing shouldn’t be something that companies take lightly. Those who do could be putting themselves, as well as their clients at risk. A domain’s security rating can have a huge effect on whether or not you get targeted by phishers looking to make a quick buck or to use your domain and brand to spread ransomware without you being aware!

Check your domain’s security rating with our Free DMARC Lookup tool. You may be surprised by what you learn!

How Do Attackers Spoof Your Domain?

Email spoofing can occur when an attacker uses a forged identity of a legitimate source, usually with the intent of impersonating another person or masquerading as an organization. It can be carried out by:

Manipulating the domain name: Attackers can use your domain name to send emails to your unsuspecting recipients who can fall prey to their malicious intentions. Popularly known as direct-domain spoofing attacks, these attacks are especially harmful to a brand’s reputation and how your customers perceive your emails.

Forging the email domain or address: wherein attackers exploit loopholes in existing email security protocols to send emails on behalf of a legitimate domain. The success rate of such attacks is higher as attackers use third-party email exchange services to carry out their malicious activities that do not verify the origin of email sending sources.

Since domain verification wasn’t built into the Simple Mail Transfer Protocol (SMTP), the protocol that email is built on,email authentication protocols that were developed more recently, such as DMARC, provide greater verification.

How Can a Low Domain Security Impact Your Organization?

Since most organizations transmit and receive data through emails, there must be a secure connection to protect the company’s brand image. However, in case of low email security, it can lead to disaster for both enterprises and individuals. Email remains one of the most widely used communication platforms. Email sent out from a data breach or hack can be devastating for your organization’s reputation. Using email can also result in the spread of malicious attacks, malware, and spam. Therefore, there is a huge need for revising how security controls are deployed within email platforms.

In 2020 alone, brand impersonation accounted for 81% of all phishing attacks, while a single spear-phishing attack resulted in an average loss of $1.6 million. Security researchers are predicting the numbers to potentially double by the end of 2021. This adds more pressure on organizations to improve their email security at the earliest.

While multinational enterprises are more open to the idea of adopting email security protocols, small businesses and SMEs are still reluctant. This is because it’s a common myth that SMEs do not fall in the potential target radar of cyber attackers. That, however, is untrue. Attackers target organizations based on the vulnerabilities and loopholes in their email security posture, rather than the size of the organization, making any organization with poor domain security a potential target.

Learn how you can get a higher domain security rating with our email security rating guide.

Leverage Authentication Protocols to Gain Maximum Domain Security

While checking your domain’s email security rating, a low score can be due to the following factors:

  • You don’t have email authentication protocols like SPF, DMARC, and DKIM deployed within your organization
  • You have deployed the protocols but have not enforced them for your domain
  • You have errors in your authentication records
  • You have not enabled DMARC reporting to gain visibility on your email channels
  • Your emails in transit and server communication are not secured over TLS encryption with MTA-STS
  • You have not implemented SMTP TLS reporting to get notified on issues in email delivery
  • You have not configured BIMI for your domain to improve your brand recollection
  • You have not resolved SPF permerror with dynamic SPF flattening

All of these contribute to making your domain more and more vulnerable to email fraud, impersonation, and domain abuse.

PowerDMARC is your one-stop email authentication SaaS platform that brings all the authentication protocols (DMARC, SPF, DKIM, MTA-STS, TLS-RPT, BIMI) across a single pane of glass to make your emails safe again and improve your domain’s email security posture. Our DMARC analyzer simplifies protocol implementation by handling all the complexities in the background and automating the process for domain users. This helps you leverage your authentication protocols to unleash their maximum potential and get the best out of your security solutions.

Sign up for your free DMARC report analyzer today to get a high domain security rating and protection against spoofing attacks.

Marketers are the designers of brand image, hence they need to be aware of these 5 famous Phishing terms, that can wreak havoc on a company’s reputation.  Phishing is a type of attack vector that involves a website or email that looks as if it is from a reputable organization but is actually created with the intent of gathering sensitive information such as usernames, passwords, and credit card details (also known as Card Data). Phishing attacks are common in the online world.

When your company falls victim to a phishing attack, it can cause brand name harm and interfere with your search engine ranking or conversion rate. It should be a priority for marketers to protect against phishing attacks because they are a direct reflection of your company’s consistencies. Hence, as marketers, we need to proceed with extreme caution when it comes to phishing scams.

Phishing scams have been around for many years. Don’t worry if you didn’t hear about it before, it isn’t your fault. Some say that the cyber scam was born 10 years ago but phishing officially became a crime in 2004. As Phishing techniques continue to evolve, encountering a new phishing email can quickly become confusing, and sometimes it’s hard to tell if the message is legitimate or not. You can better protect yourself and your organization by being alert to these five common phishing techniques.

5 Common Phishing Terms You Need to Know

1) Email Phishing 

Phishing emails are usually sent out in bulk from a domain that mimics a legitimate one. A company might have the email address [email protected], but a phishing company might use [email protected] The goal is to fool you into clicking on a malicious link or sharing sensitive information by pretending to be a real company you do business with.  A fake domain often involves character substitution, like using ‘r’ and ‘n’ next to each other to create ‘rn’ instead of ‘m’.

Phishing attacks are constantly evolving and getting more and more undetectable with time. Threat actors are using social engineering tactics to spoof domains and send fraudulent emails from a legitimate domain, for malicious ends.

2) Spear Phishing 

A spear phishing attack is a new form of cyberattack that uses false information to gain access to accounts that have a higher level of security. Professional attackers have a goal of compromising a single victim, and in order to carry out this idea, they research the company’s social profile and the names and roles of employees within that company. Unlike phishing, Spear phishing is a targeted campaign against one organization or individual. These campaigns are carefully constructed by threat actors with the sole purpose of targeting a specific person(s) to gain access into an organization.

3) Whaling

Whaling is a highly targeted technique that can compromise the emails of higher-level associates. The objective, which is similar to other phishing methods, is to trick employees into clicking on a malicious link. One of the most devastating email attacks to pass through corporate networks is the whaling scam. These attempts at personal gain using powers of persuasion to lower victims’ resistance, tricking them into handing over company funds. Whaling is also known as CEO fraud, as attackers often impersonate people in authoritarian positions such as the CEO of a company.

4) Business Email Compromise 

Business Email Compromise (BEC) is a form of cyber crime which can be extremely costly to businesses. This type of cyber attack uses email fraud to influence organizational domains into partaking in fraudulent activity resulting in the compromise and theft of sensitive data. Examples of BEC can include invoice scams, domain spoofing, and other forms of impersonation attacks. Each year an average organization can lose up to $70 million dollars to BEC scams, learn more about 2020 BEC attack statistics. In a typical attack, fraudsters target specific employee roles within an organization by sending a series of fraudulent emails that claim to be from a senior colleague, customer, or business partner. They may instruct recipients to make payments or release confidential data.

5) Angler Phishing 

Many corporations have thousands of customers and receive hundreds of complaints daily. Through social media, companies are able to escape the confines of their limitations and reach out to their customers. This enables a corporation to be flexible and adjust to the demands of its customers. Angler phishing is the act of reaching out to disgruntled customers over social media and pretending to be part of a company. The angler phishing scam is a simple ploy used to trick casual social media users into thinking that a company is trying to remedy their problems when in reality, the person on the other end is taking advantage of them.

How to Protect Your Organization from Phishing and Email Fraud

Your email service provider may come with integrated security packages as a part of their service. These however act as spam filters that offer protection against inbound phishing attempts. However, when an email is being sent by scammers using your domain name to recipient inboxes, like in the case of BEC, whaling, and other forms of impersonation attacks listed above, they won’t serve the purpose. This is why you need to avail of email authentication solutions like DMARC, immediately and shift to a policy of enforcement.

  • DMARC authenticates your emails by aligning them against SPF and DKIM authentication standards.
  • It specifies to receiving servers how they should respond to emails failing authentication checks.
  • DMARC aggregate (RUA) reports provide you with enhanced visibility into your email ecosystem and authentication results and helps you monitor your domains easily.
  • DMARC forensic (RUF) reports give you an in-depth analysis of your DMARC failure results, helping you respond to impersonation attacks faster.

How Can PowerDMARC Help Your Brand?

PowerDMARC is more than just your DMARC service provider, it is a multi-tenant SaaS platform that provides a wide range of authentication solutions and DMARC MSSP programs. We make email authentication easy and accessible for every organization, from small businesses to multinational enterprises.

  • We help you move from p=none to p=reject in no time, so as to protect your brand from impersonation attacks, domain spoofing, and phishing.
  • We help you easily configure DMARC reporting for your with comprehensive charts and tables and RUA report views in 6 different formats for ease of use and amplified visibility
  • We cared about your privacy, so you can encrypt your DMARC RUF reports with your private key
  • We help you generate scheduled PDF reports on your authentication results
  • We provide dynamic SPF flattening solution like PowerSPF so that you never exceed the 10 DNS lookup limit
  • We help you make TLS encryption mandatory in SMTP, with MTA-STS to protect your domain from pervasive monitoring attacks
  • We help you make your brand visually identifiable in your recipient inboxes with BIMI

Sign up with PowerDMARC today to get your free DMARC analyzer tool trial, and shift from a policy of monitoring to enforcement to provide your domain maximum protection against BEC, phishing, and spoofing attacks.

Email serves as a critical channel for B2B lead generation and customer communications, but it is also one of the most widely targeted channels for cyberattacks and email fraud scams. Cybercriminals are always innovating their attacks in order to steal more information and financial assets. As organizations continue to fight back with stronger security measures, cybercriminals must constantly evolve their tactics and improve their phishing and spoofing techniques.

In 2021, a drastic increase in the use of machine learning (ML) and artificial intelligence (AI) based phishing attacks that are going undetected by traditional email security solutions have been detected by security researchers from around the world. The main aim of these attacks are to manipulate human behaviour and trick people into performing unauthorized actions – like transferring money to fraudsters’ accounts.

While the threat of email-based attacks and email fraud are always evolving, don’t stay behind. Know the email fraud trends that will take place in the following years in terms of fraudster tactics, tools, and malware. Through this blog post I’ll show you how cybercriminals are developing their tactics, and explain how your business can prevent this kind of email attack from taking place.

Types Of Email Fraud Scams to Beware of in 2021

1. Business Email Compromise (BEC)

COVID-19 has compelled organizations to implement remote-working environments and shift to virtual communication between employees, partners, and customers. While this has a few benefits to list down, the most apparent downside is the alarming rise in BEC over the past year. BEC is a broader term used for referring to email fraud attacks like email spoofing and phishing.

The common idea is that a cyber attacker uses your domain name to send emails to your partners, customers, or employees trying to steal corporate credentials to gain access to confidential assets or initiate wire transfers. BEC has affected more than 70% of organizations over the past year and has led to the loss of billions of dollars worth of company assets.

2. Evolved Email Phishing Attacks

Email phishing attacks have drastically evolved in the past few years although the motive has remained the same, it is the medium to manipulate your trusted partners, employees and clients into clicking on malicious links encapsulated within an email that appears to be sent from you, in order to initiate the installation of malware or credential theft. Evolved email scammers are sending phishing emails that are hard to detect. From writing impeccable subject lines and error-free content to creating fake landing pages with a high level of accuracy, manually tracing their activities have become increasingly difficult in 2021.

3. Man-In-The-Middle

Gone are the days when attackers sent out poorly-written emails that even a layman could identify as fraudulent. Threat actors these days are taking advantage of SMTP security problems like the use of opportunistic encryption in email transactions between two communicating email servers, by eavesdropping on the conversation after successfully rolling back the secured connection to an unencrypted one. MITM attacks like SMTP downgrade and DNS spoofing have been increasingly gaining popularity in 2021.

4. CEO Fraud

CEO fraud refers to the schemes that are being conducted that target high-level executives in order to gain access to confidential information. Attackers do this by taking the identities of actual people such as CEOs or CFOs and sending a message to people at lower levels within the organization, partners and clients, tricking them into giving away sensitive information. This type of attack is also called Business Email Compromise or whaling. In a business setting, some criminals are venturing to create a more believable email, by impersonating the decision-makers of an organization. This allows them to ask for easy money transfers or sensitive information about the company.

5. COVID-19 Vaccine Lures

Security researchers have unveiled that hackers are still trying to capitalize on the fears tied to the COVID-19 pandemic. Recent studies shed light on the cybercriminal mindset, revealing a continued interest in the state of panic surrounding the COVID-19 pandemic and a measurable uptick in phishing and business email compromise (BEC) attacks targeting company leaders. The medium for perpetrating these attacks is a fake COVID-19 vaccine lure that instantly raises interest among email receivers.

How Can You Enhance Email Security?

  • Configure your domain with email authentication standards like SPF, DKIM and DMARC
  • Shift from DMARC monitoring to DMARC enforcement to gain maximum protection against BEC, CEO fraud and evolved phishing attacks
  • Consistently monitor email flow and authentication results from time to time
  • Make encryption mandatory in SMTP with MTA-STS to mitigate MITM attacks
  • Get regular notifications on email delivery issues with details on their root causes with SMTP TLS reporting (TLS-RPT)
  • Mitigate SPF permerror by staying under the 10 DNS lookup limit at all times
  • Help your recipients visually identify your brand in their inboxes with BIMI

PowerDMARC is your single email authentication SaaS platform that assembles all email authentication protocols like SPF, DKIM, MTA-STS, TLS-RPT and BIMI on a single pane of glass. Sign up today to get your free DMARC analyzer! 

Encryption is optional in SMTP which implies that emails can be sent in plaintext. Mail Transfer Agent-Strict Transport Security (MTA-STS) is a relatively new standard that enables mail service providers to enforce Transport Layer Security (TLS)  to secure SMTP connections, and to specify whether the sending SMTP servers should refuse to deliver emails to MX hosts that do not support TLS. It has been proven to successfully mitigate TLS downgrade attacks and Man-In-The-Middle (MITM) attacks.

Enabling MTA-STS is simply not enough as you require an effective reporting mechanism to detect failures in establishing an encrypted channel. SMTP TLS Reporting (TLS-RPT) is a standard that enables the reporting of issues in TLS connectivity that is experienced by applications that send emails and detect misconfigurations. It enables the reporting of email delivery issues that take place when an email isn’t encrypted with TLS.

Easy MTA-STS Implementation with PowerMTA-STS

Implementing MTA-STS is an arduous task that involves a lot of complexities during adoption. From generating policy files and records to maintaining the web server and hosting certificates, it is a long drawn process. PowerDMARC has got you covered! Our hosted MTA-STS services provide the following benefits:

  • Publish your DNS CNAME records with just a few clicks
  • We take the responsibility of maintaining the policy web server and hosting the certificates
  • You can make MTA-STS policy changes instantly and with ease, through the PowerDMARC dashboard, without having to manually make changes to the DNS
  • PowerDMARC’s hosted MTA-STS services are RFC compliant and support the latest TLS standards
  • From generating certificates and MTA-STS policy files to policy enforcement, we help you evade the tremendous complexities involved in adopting the protocol

Why Do Emails Require Encryption in Transit?

Since security had to be retrofitted in SMTP to make sure it was backward compatible by adding the STARTTLS command to initiate TLS encryption, in case the client doesn’t support TLS the communication falls back to cleartext. This way emails in transit can fall prey to pervasive monitoring attacks like MITM, wherein cybercriminals can eavesdrop on your messages, and alter and tamper with information by replacing or deleting the encryption command (STARTTLS), making the communication roll back to plaintext.

This is where MTA-STS comes to the rescue, making TLS encryption mandatory in SMTP. This helps in reducing the threats of MITM, DNS Spoofing and Downgrade attacks.

After successfully configuring MTA-STS for your domain, what you need is an efficient reporting mechanism that would help you detect and respond to issues in email delivery due to problems in TLS encryption at a faster pace. PowerTLS-RPT does exactly that for you!

Receive Reports on Email Delivery Issues with PowerTLS-RPT

TLS-RPT is fully integrated into the PowerDMARC security suite so that as soon as you sign up with PowerDMARC and enable SMTP TLS Reporting for your domain, we take the pain of converting the complicated JSON files containing your reports of email delivery issues, into simple, readable documents that you can go through and understand with ease!

On the PowerDMARC platform, TLS-RPT aggregate reports are generated in two formats for ease of use, better insight, and enhanced user-experience:
  • Aggregate Reports Per Result
  • Aggregate Reports Per Sending Source

Moreover, PowerDMARC’s platform automatically detects and subsequently conveys the issues you are facing, so that you can promptly address and resolve them in no time.

Why Do You Need SMTP TLS Reporting?

In case of failures in email delivery due to issues in TLS encryption, with TLS-RPT you will get notified. TLS-RPT provides enhanced visibility on all your email channels so that you gain better insight on all that is going on in your domain, including messages that are failing to be delivered. Furthermore, it provides in-depth diagnostic reports that enable you to identify and get to the root of the email delivery issue and fix it without any delay.

For getting hands-on knowledge on MTA-STS and TLS-RPT implementation and adoption, view our detailed guide today!

Configure DMARC for your domain with PowerDMARC, and deploy email authentication best practices like SPF, DKIM, BIMI, MTA-STS and TLS-RPT, all under one roof. Sign up for a free DMARC Trial today!

In 1982, when SMTP was first specified, it did not contain any mechanism for providing security at the transport level to secure communications between the mail transfer agents. However, in 1999, the STARTTLS command was added to SMTP that in turn supported the encryption of emails in between the servers, providing the ability to convert a non-secure connection into a secure one that is encrypted using TLS protocol.

However, encryption is optional in SMTP which implies that emails can be sent even in plaintext. Mail Transfer Agent-Strict Transport Security (MTA-STS) is a relatively new standard that enables mail service providers the ability to enforce Transport Layer Security (TLS)  to secure SMTP connections, and to specify whether the sending SMTP servers should refuse to deliver emails to MX hosts that that does not offer TLS with a reliable server certificate. It has been proven to successfully mitigate TLS downgrade attacks and Man-In-The-Middle (MITM) attacks. SMTP TLS Reporting (TLS-RPT) is a standard that enables the reporting of issues in TLS connectivity that is experienced by applications that send emails and detect misconfigurations. It enables the reporting of email delivery issues that take place when an email isn’t encrypted with TLS. In September 2018 the standard was first documented in RFC 8460.

Why Do Your Emails Require Encryption in Transit?

The primary goal is to improve transport-level security during SMTP communication and ensuring the privacy of email traffic. Moreover, encryption of inbound and outbound messages enhances information security, using cryptography to safeguard electronic information.  Furthermore, cryptographic attacks such as Man-In-The-Middle (MITM)  and TLS Downgrade have been gaining popularity in recent times and have become a common practice among cybercriminals, which can be evaded by enforcing TLS encryption and extending support to secure protocols.

How Is a MITM Attack Launched?

Since encryption had to be retrofitted into SMTP protocol, the upgrade for encrypted delivery has to rely on a STARTTLS command that is sent in cleartext. A MITM attacker can easily exploit this feature by performing a downgrade attack on the SMTP connection by tampering with the upgrade command, forcing the client to fall back to sending the email in plaintext.

After intercepting the communication a MITM attacker can easily steal the decrypted information and access the content of the email. This is because SMTP being the industry standard for mail transfer uses opportunistic encryption, which implies that encryption is optional and emails can still be delivered in cleartext.

How Is a TLS Downgrade Attack Launched?

Since encryption had to be retrofitted into SMTP protocol, the upgrade for encrypted delivery has to rely on a STARTTLS command that is sent in cleartext. A MITM attacker can exploit this feature by performing a downgrade attack on the SMTP connection by tampering with the upgrade command. The attacker can simply replace the STARTTLS with a string that the client fails to identify. Therefore, the client readily falls back to sending the email in plaintext.

In short, a downgrade attack is often launched as a part of a MITM attack, so as to create a pathway for enabling an attack that would not be possible in case of a connection that is encrypted over the latest version of TLS protocol, by replacing or deleting the STARTTLS command and rolling back the communication to cleartext.

Apart from enhancing information security and mitigating pervasive monitoring attacks, encrypting messages in transit also solves multiple SMTP security problems.

Achieving Enforced TLS Encryption of Emails with MTA-STS

If you fail to transport your emails over a secure connection, your data could be compromised or even modified and tampered with by a cyber attacker. Here is where MTA-STS steps in and fixes this issue, enabling safe transit for your emails as well as successfully mitigating cryptographic attacks and enhancing information security by enforcing TLS encryption. Simply put, MTA-STS enforces the emails to be transferred over a TLS encrypted pathway, and in case an encrypted connection cannot be established the email is not delivered at all, instead of being delivered in cleartext. Furthermore, MTAs store MTA-STS policy files, making it more difficult for attackers to launch a DNS spoofing attack.

 

MTA-STS offers protection against :

  • Downgrade attacks
  • Man-In-The-Middle (MITM) attacks
  • It solves multiple SMTP security problems, including expired TLS certificates and lack of support for secure protocols.

Major mail service providers such as Microsoft, Oath, and Google support MTA-STS. Google being the largest industry player, attains centre-stage while adopting any protocol, and the adoption of MTA-STS by google indicates the extension of support towards secure protocols and highlights the importance of email encryption in transit.

Troubleshooting Issues in Email Delivery with TLS-RPT

SMTP TLS Reporting provides domain owners with diagnostic reports (in JSON file format) with elaborate details on emails that have been sent to your domain and are facing delivery issues, or couldn’t be delivered due to a downgrade attack or other issues, so that you can fix the problem proactively. As soon as you enable TLS-RPT, acquiescent Mail Transfer Agents will begin sending diagnostic reports regarding email delivery issues between communicating servers to the designated email domain. The reports are typically sent once a day, covering and conveying the MTA-STS policies observed by senders, traffic statistics as well as information on failure or issues in email delivery.

The need for deploying TLS-RPT :

  • In case an email fails to be sent to your recipient due to any issue in delivery, you will get notified.
  • TLS-RPT provides enhanced visibility on all your email channels so that you gain better insight on all that is going on in your domain, including messages that are failing to be delivered.
  • TLS-RPT provides in-depth diagnostic reports that enable you to identify and get to the root of the email delivery issue and fix it without any delay.

Adopting MTA-STS and TLS-RPT Made Easy and Speedy by PowerDMARC

MTA-STS requires an HTTPS-enabled web server with a valid certificate, DNS records, and constant maintenance. PowerDMARC makes your life a whole lot easier by handling all of that for you, completely in the background- from generating certificates and MTA-STS policy file to policy enforcement, we help you evade the tremendous complexities involved in adopting the protocol. Once we help you set it up with just a few clicks, you never even have to think about it again.

With the help of PowerDMARC’s Email Authentication Services, you can deploy Hosted MTA-STS at your organization without the hassle and at a very speedy pace, with the help of which you can enforce emails to be sent to your domain over a TLS encrypted connection, thereby making your connection secure and keeping MITM attacks at bay.

PowerDMARC makes your life easier by making the process of implementation of SMTP TLS Reporting (TLS-RPT) easy and speedy, at your fingertips! As soon as you sign up with PowerDMARC and enable SMTP TLS Reporting for your domain, we take the pain of converting the complicated JSON files containing your reports of email delivery issues, into simple, readable documents (per result and per sending source), that you can go through and understand with ease! PowerDMARC’s platform automatically detects and subsequently conveys the issues you are facing in email delivery, so that you can promptly address and resolve them in no time!

Sign up to get your free DMARC today!

Mail Transfer Agent-Strict Transport Security (MTA-STS) is a new standard that enables mail service providers with the ability to enforce Transport Layer Security (TLS)  to secure SMTP connections, and to specify whether the sending SMTP servers should refuse to deliver emails to MX hosts that that does not offer TLS with a reliable server certificate. It has been proven to successfully mitigate TLS downgrade attacks and Man-In-The-Middle (MITM) attacks. 

In simpler terms, MTA-STS is an internet standard that secures connections between SMTP mail servers. The most prominent problem with SMTP is that encryption is completely optional and isn’t enforced during mail transfer. This is why SMTP adopted the STARTTLS command to upgrade from plaintext to encryption. This was a valuable step towards mitigating passive attacks, however, tackling attacks via active networks and MITM attacks still remained unaddressed.

Hence, the issue MTA-STS is solving is that SMTP utilizes opportunistic encryption, i.e if an encrypted communication channel cannot be established, the connection falls back to plaintext, thereby keeping MITM and downgrade attacks at bay.

What is a TLS Downgrade Attack?

As we already know, SMTP did not come with an encryption protocol and encryption had to be retrofitted later on to enhance the security of the existing protocol by adding the STARTTLS command. If the client supports encryption (TLS), it will understand the STARTTLS verb and will initiate a TLS exchange before sending the email to ensure it is encrypted. If the client doesn’t know TLS, it will simply ignore the STARTTLS command and send the email in plaintext.

Therefore, since encryption had to be retrofitted into SMTP protocol, the upgrade for encrypted delivery has to rely on a STARTTLS command that is sent in cleartext. A MITM attacker can easily exploit this feature by performing a downgrade attack on the SMTP connection by tampering with the upgrade command. The attacker simply replaced the STARTTLS with a garbage string which the client fails to identify. Therefore, the client readily falls back to sending the email in plaintext.

The attacker usually replaces the command with the garbage string containing the same number of characters, rather than chucking it out, because this preserves the packet size and therefore, makes it easier. The eight letters in the garbage string in the option command allow us to detect and identify that a TLS downgrade attack has been executed by a cybercriminal, and we can measure its prevalence.

In short, A downgrade attack is often launched as a part of a MITM attack, so as to create a pathway for enabling a cryptographic attack that would not be possible in case of a connection that is encrypted over the latest version of TLS protocol, by replacing or deleting the STARTTLS command and rolling back the communication to cleartext.

While it is possible to enforce TLS for client-to-server communications, as for those connections we know that the apps and the server support it. However,  for server-to-server communications, we must fail open to allow legacy servers to send emails. The crux of the problem is that we have no idea if the server on the other side supports TLS or not. MTA-STS allows servers to indicate that they support TLS, which will allow them to fail close (i.e. not sending the email) if the upgrade negotiation doesn’t take place, thereby making it impossible for a TLS downgrade attack to take place.

tls reporting

How Does MTA-STS Come to the Rescue?

MTA-STS functions by increasing the EXO or Exchange Online email security and is the ultimate solution to a wide range of SMTP security drawbacks and problems. It solves issues in SMTP security such as lack of support for secure protocols, expired TLS certificates, and certificates that are not issued by reliable third parties. 

As mail servers proceed to send out emails, the SMTP connection is vulnerable to cryptographic attacks such as downgrade attacks and MITM. Downgrade attacks can be launched by deleting the STARTTLS response, thereby delivering the message in clear text. Similarly, MITM attacks can also be launched by redirecting the message to a server intruder over an insecure connection. MTA-STS allows your domain to publish a policy that makes sending an email with encrypted TLS compulsory. If for some reason the receiving server is found to not support STARTTLS, the email will not be sent at all. This makes it impossible to instigate a TLS downgrade attack.

In recent times, the majority of mail service providers have adopted MTA-STS thereby making connections between servers more secure and encrypted over TLS protocol of an updated version, thereby successfully mitigating TLS downgrade attacks and nullifying the loopholes in server communication.

PowerDMARC brings to you, speedy and easy hosted MTA-STS services which make your life a whole lot easier as we take care of all the specifications required by MTA-STS during and after implementation, such as an HTTPS-enabled web server with a valid certificate, DNS records, and constant maintenance. PowerDMARC manages all of that completely in the background so that after we help you set it up, you never even have to think about it again!

With the help of PowerDMARC, you can deploy Hosted MTA-STS at your organization without the hassle and at a very speedy pace, with the help of which you can enforce emails to be sent to your domain over a TLS encrypted connection, thereby making your connection secure and keeping TLS downgrade attacks at bay.