Posts

Impersonation attacks such as phishing and spoofing damage your domain's reputation and can lead to your own legitimate mail failing authentication, to compromised accounts, and worse. Improving your defenses against them should start today. Several methods exist to make sure mail sent under your domain cannot easily be forged. Let’s discuss what they are!

Email Authentication Protocols to prevent impersonation attacks

  1. Sender Policy Framework (SPF)
    A good place to start is SPF. The Sender Policy Framework lets the owner of a domain publish, in a DNS TXT record, the list of mail servers (IP addresses, or other domains whose records are included) that are authorized to send mail on its behalf. A receiving mail server looks up the SPF record for the domain in the envelope sender (the SMTP MAIL FROM, also shown as the Return-Path) and checks whether the connecting IP is listed. If it is not, the result is fail or softfail, depending on the qualifier on the record’s `all` mechanism, and the receiver can reject or quarantine the message. SPF therefore stops third parties from sending mail under your domain’s envelope address from servers you never authorized, which removes the cheapest form of spoofing. On its own it says nothing about the visible From header, which is why it is paired with DKIM and DMARC below.

  2. DomainKeys Identified Mail (DKIM)
    DomainKeys Identified Mail, or DKIM, adds a digital signature to outgoing messages so that a receiver can verify which domain took responsibility for a message and whether it was altered in transit. The sending server signs selected headers and a hash of the body with a private key that only the signing domain holds; the matching public key is published in DNS under a selector (`selector._domainkey.example.com`), and the `DKIM-Signature` header names the domain (`d=`) and selector (`s=`) that were used. A receiver fetches that public key and checks the signature. If the body or a signed header was changed after signing, the hash no longer matches, the signature fails, and the receiver can treat the message as unauthenticated. Note that DKIM proves who signed the message, not that the signing domain matches the From address; tying the two together is DMARC’s job.

  3. Domain-based Message Authentication, Reporting, and Conformance (DMARC)
    DMARC exists for several reasons. First, it lets you tell receiving mail servers, through a policy published in DNS, what to do with mail from your domain that fails authentication (p=none, p=quarantine or p=reject). Second, it gives you reports from those receivers showing how much mail using your domain passed or failed, and from which sources. Third, it keeps your brand from being attached to messages that would harm your reputation. DMARC adds the protection that SPF and DKIM alone cannot give: it requires the domain that passed SPF or DKIM to match (align with) the domain in the visible From header, so a message really has to come from the domain it claims. The reports it produces cover mail that other receivers saw claiming to come from your domain, so they help you find misconfigured legitimate senders as well as phishing campaigns abusing your name.
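The DKIM item above says a receiver can detect a body altered after signing. The following is an added example, not PowerDMARC’s code, showing the part of DKIM that makes that possible: relaxed canonicalization and the `bh=` body hash from RFC 6376 section 3.4. The RSA signature over the canonicalized headers is left to a DKIM library; the message bodies used below are constructed for this example.

```python
"""Relaxed DKIM canonicalization and the bh= body hash (RFC 6376 section 3.4).

Added example, not PowerDMARC's code. The signer publishes
base64(sha256(canonicalized body)) in the bh= tag of DKIM-Signature and the
verifier recomputes it; any change to the body after signing changes the hash.
"""
import base64
import hashlib
import hmac
import re

CRLF = "\r\n"
WSP_RUN = re.compile(r"[ \t]+")


def canonicalize_body_relaxed(body: str) -> str:
    """RFC 6376 3.4.4: trailing WSP stripped from each line, runs of WSP
    collapsed to one SP, empty lines at the end dropped, CRLF at the end."""
    lines = [WSP_RUN.sub(" ", line).rstrip(" \t") for line in body.split(CRLF)]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return ""          # an empty body canonicalizes to the empty string
    return CRLF.join(lines) + CRLF


def canonicalize_header_relaxed(name: str, value: str) -> str:
    """RFC 6376 3.4.2: header name lowercased, continuation lines unfolded,
    WSP collapsed, no WSP around the colon or at the end of the value."""
    unfolded = value.replace(CRLF, "")
    return f"{name.strip().lower()}:{WSP_RUN.sub(' ', unfolded).strip(' ')}{CRLF}"


def body_hash(body: str) -> str:
    """Value a signer places in the bh= tag (a=rsa-sha256, c=*/relaxed)."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def body_unchanged(body: str, bh_tag: str) -> bool:
    """Verifier side: recompute bh= over the received body and compare."""
    return hmac.compare_digest(body_hash(body), bh_tag)


if __name__ == "__main__":
    # Constructed sample body, standing in for a signed message.
    original = "Please approve the attached wire transfer today.\r\n\r\n"
    bh = body_hash(original)
    print("bh=" + bh)
    tampered = original.replace("approve", "approve and expedite")
    print("original verifies:", body_unchanged(original, bh))       # True
    print("tampered verifies:", body_unchanged(tampered, bh))       # False
    # Relaxed canonicalization tolerates what MTAs and forwarders commonly
    # change: extra trailing blank lines and whitespace runs still verify.
    print("extra trailing CRLF verifies:", body_unchanged(original + CRLF, bh))  # True
```

The relaxed forms are what most signers use (`c=relaxed/relaxed`) precisely because intermediate servers rewrap whitespace; a signature made with `simple` canonicalization breaks on such changes even when nothing meaningful was touched.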

How can PowerDMARC help you protect your domain against phishing and spoofing attacks?

PowerDMARC’s email security authentication suite not only helps you with the seamless onboarding of your SPF, DKIM, and DMARC protocols but provides many more additional benefits including:

  • SPF flattening to keep your SPF record valid and under the limit of 10 DNS-querying terms that receivers enforce
  • BIMI for visual identification of your business emails. BIMI, which requires DMARC at enforcement, ensures that the emails reaching your clients carry your brand logo, which they can spot even before they open the message
  • MTA-STS so that servers sending mail to your domain must deliver it over authenticated TLS rather than falling back to plaintext

To enjoy free DMARC, you need only sign up and create a PowerDMARC account without any additional costs. Start your email authentication journey with us for a safer email experience!

Spoofing is one of the most universal kinds of attacks today. Fraudsters just love to take over names and email addresses on an email network (for example, Hotmail, Gmail) to send out thousands of fake emails that appear as if they were sent from someone you know – like the CEO or an executive at another company in your industry.

Don’t let identity thieves spoof your email address. Learn how to protect yourself from email spoofing and why you should care about this serious information security threat. Let’s get into it!

Spoofing emails: What are they?

Spoofed email is not new, but it does not seem to be going away either; in some cases, advances in technology actually help the fraudsters. The underlying reason is that SMTP itself does not verify the sender: the From header of a message is just text, and any server or script can put whatever address it likes there. Attackers send spoofed mail from their own infrastructure, from compromised accounts or servers, or through misconfigured relays that accept mail from anyone. Exploiting a vulnerable SMTP server is one route, not the only one; whichever path they use, the recipient sees your name and address unless authentication is in place to expose the mismatch.

Spoofing is a serious problem and one that’s only getting worse. Its implications can be far-reaching and damaging to big brands, and the recent flood of phishing has already caused panic among users. By providing a guide on how to avoid email spoofing, you help your users (and yourself) deal with this menace and set best practices for those on your tech support list.

How can spoofed emails harm you?

Do you remember the last time you clicked a link in an email that said it was from a company you trusted? You probably found yourself on a website you had never visited before because the sender instructed you to click on a link. How did you know that this new address wasn’t a nefarious attempt to spy on your personal data? The answer is simple: Legitimate businesses will never ask for private information like usernames, passwords, and credit card numbers via email.

However, if a fraudulent source forges your address to send such malicious messages to your customers, rest assured that it will harm your business. The credibility and reputation that you have worked so hard to build will suffer the blows of such attacks, and your clients would hesitate before opening your legitimate marketing emails.

How to stop continuous spoofing emails from being sent from my email address?

Make email authentication protocols a part of your email suite!

  1. SPF: One of the basics of email authentication that will help you avoid spoofed emails is SPF. While configuring it is straightforward, maintaining it is a challenge. There is often a risk of exceeding the limit of 10 DNS lookups, after which receivers return permerror and even mail from your genuine servers fails SPF. We offer a quick solution to this issue with our dynamic SPF flattening tool. Create an SPF record today for free, with our SPF record generator.
  2. DKIM: DKIM signs all outgoing messages to help prevent email spoofing. Spoofing is such a common abuse of email that some receiving servers now expect DKIM on inbound mail. With it, every outbound message carries a digital signature tied to your domain that lets mail servers verify it was sent by you and not altered on the way.
  3. DMARC: DMARC is an email authentication standard for organizations to help protect them from spoofing and phishing attacks that use email to trick the recipient into taking some action. DMARC works as a layer on top of SPF and DKIM to help email receivers recognize when an email isn’t coming from a company’s approved domains, and tells them what to do with unauthorized email (monitor, quarantine or reject).

If you want to start building up your defenses against spoofing, we recommend you take a trial for our DMARC report analyzer. It will help you in onboarding the protocols at the fastest market speed, staying abreast of errors, and monitoring your domains easily on a multi-purpose DMARC dashboard.

As a DMARC services provider, we get asked this question a lot: “If DMARC just uses SPF and DKIM authentication, why should we bother with DMARC? Isn’t that just unnecessary?”

On the surface it might seem to make little difference, but the reality is very different. DMARC isn’t just a combination of SPF and DKIM technologies, it’s an entirely new protocol by itself. It has several features that make it one of the most advanced email authentication standards in the world, and an absolute necessity for businesses.

But wait a minute. We’ve not answered exactly why you need DMARC. What does it offer that SPF and DKIM don’t? Well, that’s a rather long answer; too long for just one blog post. So let’s split it up and talk about SPF first. In case you’re not familiar with it, here’s a quick intro.

What is SPF?

SPF, or Sender Policy Framework, is an email authentication protocol that protects the email receiver from spoofed emails. It’s essentially a list, published in your domain’s DNS, of all IP addresses authorized to send email on your (the domain owner’s) behalf. When a receiving server gets a message whose envelope sender is in your domain, it fetches your SPF record and checks whether the connecting IP is in this ‘list’. If it is, SPF passes. If not, the result is fail (or softfail, when the record ends in ~all rather than -all), and the receiver may reject the message, quarantine it, or merely note the result, depending on its own rules.

As you can see, SPF does a pretty good job keeping out a lot of unsavoury emails that could harm your device or compromise your organisation’s security systems. But SPF isn’t nearly as good as some people might think. That’s because it has some very major drawbacks. Let’s talk about some of these problems.

Limitations of SPF

SPF records don’t apply to the From address

Emails have multiple addresses identifying their sender: the From address that you normally see, and the Return-Path address (the SMTP envelope sender, or MAIL FROM) that’s hidden and requires a click or two to view. With SPF enabled, the receiving email server looks at the Return-Path and checks the SPF record of the domain in that address, not the From domain.

The problem here is that attackers can exploit this by using a fake domain in their Return Path address and a legitimate (or legitimate-looking) email address in the From section. Even if the receiver were to check the sender’s email ID, they’d see the From address first, and typically don’t bother to check the Return Path. In fact, most people aren’t even aware there is such a thing as Return Path address.

SPF alone can be circumvented by this simple trick, and it leaves even domains secured with SPF largely vulnerable unless something also checks that the domain SPF validated matches the domain in the From header.

SPF records have a DNS lookup limit

SPF records list everything the domain owner authorizes to send email. However, they have a crucial drawback. The receiving server has to resolve the record, and to bound the work (and the abuse potential) of that resolution, RFC 7208 allows at most 10 terms that trigger a DNS lookup per check: include, a, mx, ptr, exists, and the redirect modifier. Plain ip4 and ip6 entries don’t count.

This means that if your organization uses several third-party vendors that send email through your domain, each pulled in with an include, the SPF record can easily overshoot that limit. Unless properly optimized (which isn’t easy to do by hand), SPF records run into this very restrictive ceiling. When you exceed it, the receiver returns permerror rather than pass, so even mail from your genuine servers fails SPF, and DMARC treats that as an SPF failure. This can harm your email delivery rates.
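To make the lookup limit and the flattening fix concrete, here is an added example, not PowerDMARC’s tool, that counts the DNS-querying terms in an SPF record by following its includes and then rewrites the record with the includes replaced by the ip4/ip6 entries beneath them. The DNS zone is a constructed in-memory stand-in so the example runs offline; a real tool would resolve TXT records (and A/MX records for `a`/`mx` terms) with a resolver library.

```python
"""Count SPF DNS lookups and flatten includes (RFC 7208 section 4.6.4).

Added example, not PowerDMARC's SPF tool. include, a, mx, ptr, exists and the
redirect modifier each cost a DNS lookup; a receiver stops after ten per
evaluation and returns permerror. ip4, ip6, all and exp cost nothing.
"""

LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed zone: our domain plus two vendors, one of which nests includes,
# and a record that has grown past the limit.
ZONE = {
    "example.com": "v=spf1 include:vendor1.example include:vendor2.example ip4:203.0.113.10 -all",
    "vendor1.example": "v=spf1 include:_spf.vendor1.example ip4:198.51.100.0/24 ~all",
    "_spf.vendor1.example": "v=spf1 include:a.vendor1.example include:b.vendor1.example -all",
    "a.vendor1.example": "v=spf1 ip4:192.0.2.0/26 -all",
    "b.vendor1.example": "v=spf1 ip4:192.0.2.64/26 -all",
    "vendor2.example": "v=spf1 ip6:2001:db8::/32 -all",
    "bloated.example": "v=spf1 include:example.com include:vendor1.example mx a ptr -all",
}


def lookup_txt(domain, zone):
    """Stand-in for a DNS TXT query for the domain's SPF record."""
    try:
        return zone[domain]
    except KeyError:
        raise ValueError(f"no SPF record for {domain}") from None


def parse_term(term):
    """Split one SPF term into (qualifier, name, argument)."""
    qual = term[0] if term[0] in "+-~?" else "+"
    body = term.lstrip("+-~?")
    if "=" in body:                 # modifier: redirect=..., exp=...
        name, arg = body.split("=", 1)
    elif ":" in body:               # mechanism with argument: include:, ip4:, a:, mx:
        name, arg = body.split(":", 1)
    else:                           # bare mechanism: a, mx, ptr, all
        name, arg = body, ""
    name = name.partition("/")[0]   # drop a CIDR suffix such as a/24
    return qual, name.lower(), arg


def count_lookups(domain, zone, chain=frozenset()):
    """Number of DNS-querying terms evaluated for domain, following includes."""
    if domain in chain:
        raise ValueError(f"include/redirect loop at {domain}")
    chain = chain | {domain}
    total = 0
    for term in lookup_txt(domain, zone).split()[1:]:
        _, name, arg = parse_term(term)
        if name in ("include", "redirect"):
            total += 1 + count_lookups(arg, zone, chain)
        elif name in LOOKUP_MECHS:
            total += 1
    return total


def check_limit(domain, zone):
    """Return (lookups, verdict); more than ten lookups means permerror."""
    n = count_lookups(domain, zone)
    return n, "ok" if n <= MAX_LOOKUPS else "permerror"


def flatten(domain, zone, chain=frozenset()):
    """Terms of domain's record with include/redirect replaced by the ip4/ip6
    terms beneath them; nested all terms are dropped, the top-level one kept.
    a/mx/ptr/exists terms still need a resolver and are kept verbatim."""
    if domain in chain:
        raise ValueError(f"include/redirect loop at {domain}")
    chain = chain | {domain}
    out = []
    for term in lookup_txt(domain, zone).split()[1:]:
        _, name, arg = parse_term(term)
        if name in ("include", "redirect"):
            out.extend(t for t in flatten(arg, zone, chain) if parse_term(t)[1] != "all")
        else:
            out.append(term)
    return out


def flatten_record(domain, zone):
    return "v=spf1 " + " ".join(flatten(domain, zone))


if __name__ == "__main__":
    for d in ("example.com", "bloated.example"):
        print(d, check_limit(d, ZONE))
    flat = flatten_record("example.com", ZONE)
    print(flat)
    print("lookups after flattening:", count_lookups("example.com", {**ZONE, "example.com": flat}))
```

The caveat a flattened record carries is that it is a snapshot: when a vendor changes its address ranges, the flattened record silently goes stale and that vendor’s mail starts failing SPF, which is why flattening has to be re-run on a schedule rather than done once.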


SPF doesn’t always work when the email is forwarded

SPF has another critical failure point that can harm your email deliverability. When you’ve implemented SPF on your domain and someone forwards your email, the forwarded email can get rejected due to your SPF policy.

That’s because forwarding changes the email’s recipient while the envelope sender stays the same. The receiving server sees the original sender’s domain in the Return-Path but the forwarding server’s IP, and that IP isn’t in the SPF record of the original sender’s domain. The result is an SPF fail and possibly a rejected message. (A DKIM signature survives an unmodified forward, which is one reason DMARC accepts either check.)

How does DMARC solve these issues?

DMARC uses a combination of SPF and DKIM to authenticate email. A message passes DMARC if either SPF or DKIM passes and the domain that passed aligns with the domain in the visible From header (exactly, or by sharing the same organizational domain, depending on the aspf and adkim settings in your record). That alignment requirement closes the Return-Path trick described above. DMARC also adds one key feature that makes it far more effective than SPF or DKIM alone: reporting.

With DMARC reporting, receivers send you aggregate reports (rua), typically daily, listing every source IP that sent mail using your domain, how many messages it sent, and whether they passed or failed SPF, DKIM and alignment; some receivers also send per-message failure reports (ruf). This shows you your own misconfigured senders alongside outright spoofing attempts.
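The alignment rule is the whole difference between a raw SPF or DKIM pass and a DMARC pass, so here is an added example, not PowerDMARC’s code, that evaluates DMARC for a single message from its authentication results and a policy record (RFC 7489 sections 3.1, 6.3 and 6.6.2). The record and the four message cases are constructed; the first case is the Return-Path trick from the section above. The organizational-domain function is a stand-in for a Public Suffix List lookup (it keeps the last two labels), which is enough for the sample domains here.

```python
"""DMARC evaluation for one message (RFC 7489 sections 3.1, 6.3 and 6.6.2).

Added example, not PowerDMARC's code. SPF or DKIM must pass *and* the domain
that passed must align with the RFC5322.From domain.
"""
from dataclasses import dataclass


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=...; ...' into a dict, filling RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Stand-in for a Public Suffix List lookup: keep the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str     # domain of the RFC5322.From header the user sees
    spf_result: str      # pass, fail, softfail, neutral, none, temperror, permerror
    spf_domain: str      # MAIL FROM (Return-Path) domain the SPF check was run on
    dkim_result: str     # pass, fail, none
    dkim_domain: str     # d= of the signature that verified, "" if none


def evaluate_dmarc(res, record):
    """Return the DMARC verdict and the disposition the record asks for."""
    spf_aligned = res.spf_result == "pass" and aligned(res.from_domain, res.spf_domain, record["aspf"])
    dkim_aligned = res.dkim_result == "pass" and aligned(res.from_domain, res.dkim_domain, record["adkim"])
    passed = spf_aligned or dkim_aligned
    if passed:
        disposition = "none"
    elif res.from_domain.lower() != org_domain(res.from_domain):
        disposition = record["sp"]   # From is a subdomain: subdomain policy applies
    else:
        disposition = record["p"]
    # pct<100 would sample quarantine/reject down to the next weaker action; omitted here.
    return {"dmarc": "pass" if passed else "fail",
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "disposition": disposition}


RECORD = parse_dmarc_record("v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com")

# Constructed cases. The first is the Return-Path trick: SPF and DKIM both
# pass, but for the attacker's own domain, so nothing aligns with From.
CASES = {
    "spoof_with_own_return_path": AuthResults("example.com", "pass", "attacker.example", "pass", "attacker.example"),
    "legit_bounce_subdomain":     AuthResults("example.com", "pass", "bounce.example.com", "none", ""),
    "forwarded_dkim_survives":    AuthResults("example.com", "fail", "example.com", "pass", "example.com"),
    "spoofed_subdomain":          AuthResults("hr.example.com", "fail", "attacker.example", "none", ""),
}

if __name__ == "__main__":
    for label, res in CASES.items():
        print(f"{label:28} {evaluate_dmarc(res, RECORD)}")
    strict = parse_dmarc_record("v=DMARC1; p=reject; aspf=s")
    print("strict aspf, bounce subdomain:", evaluate_dmarc(CASES["legit_bounce_subdomain"], strict)["dmarc"])
```

Two of the cases are worth noticing when you move to enforcement: the forwarded message passes only because its DKIM signature survived, and the legitimate bounce subdomain passes under relaxed alignment but fails as soon as `aspf=s` is set, so tightening alignment modes has to be checked against your own report data first.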

If you’re wondering about what you can do to not get spoofed, check out our handy guide on the top 5 ways to avoid email spoofing.

Breaking Down DMARC Myths

For a lot of people, it’s not immediately clear what DMARC does or how it prevents domain spoofing, impersonation and fraud. This can lead to serious misconceptions about DMARC, how email authentication works, and why it’s good for you. But how do you know what’s right and what’s wrong? And how can you be sure you’re implementing it correctly? 

PowerDMARC is here to the rescue! To help you understand DMARC better, we’ve compiled this list of the top 6 most common misconceptions about DMARC.

Misconceptions about DMARC

1. DMARC is the same as a spam filter

This is one of the most common things people get wrong about DMARC. A spam filter inspects incoming mail delivered to your own users, from anyone’s domain, and decides what reaches the inbox. DMARC works in the other direction: it is a policy you publish for your domain that tells other organizations’ receiving servers how to handle mail that claims to come from you but fails authentication. A spam filter, whether a built-in one or an add-on such as Microsoft Office 365 ATP, protects only the mailboxes behind it; it does nothing to stop someone sending mail in your domain’s name to third parties. If your domain is at DMARC enforcement and such a message fails authentication, the receiving server quarantines or rejects it according to your policy.

2. Once you set up DMARC, your email is safe forever

DMARC is one of the most advanced email authentication protocols out there, but that doesn’t mean it’s completely self-sufficient. You need to regularly monitor your DMARC reports to make sure emails from authorized sources are not being rejected. Even more importantly, you need to check for unauthorized senders abusing your domain. When you see an IP address making repeated attempts to spoof your email, you need to take action immediately and have them blacklisted or taken down.

3. DMARC will reduce my email deliverability

When you set up DMARC, it’s important to first set your policy to p=none. This means that all your emails still get delivered, but you’ll receive DMARC reports on whether they passed or failed authentication. If during this monitoring period you see your own emails failing DMARC, you can take action to solve the issues. Once all your authorized emails are getting validated correctly, you can enforce DMARC with a policy of p=quarantine or p=reject.

4. I don’t need to enforce DMARC (p=none is enough)

When you set up DMARC without enforcing it (policy of p=none), all emails from your domain—including those that fail DMARC—get delivered. You’ll be receiving DMARC reports but not protecting your domain from any spoofing attempts. After the initial monitoring period (explained above), it’s absolutely necessary to set your policy to p=quarantine or p=reject and enforce DMARC.

5. Only big brands need DMARC

Many smaller organizations believe that it’s only the biggest, most recognizable brands that need DMARC protection. In reality, cybercriminals will use any business domain to launch a spoofing attack. Many smaller businesses typically don’t have dedicated cybersecurity teams, which makes it even easier for attackers to target small and medium-sized organizations. Remember, every organization that has a domain name needs DMARC protection!

6. DMARC Reports are easy to read

We see many organizations implementing DMARC and having the reports sent to their own email inboxes. The problem with this is that DMARC reports come in an XML file format, which can be very difficult to read if you’re not familiar with it. Using a dedicated DMARC platform can not only make your setup process much easier, but PowerDMARC can convert your complex XML files into easy-to-read reports with graphs, charts, and in-depth stats.

Email is often a cybercriminal’s first choice when launching an attack, because it’s so easy to exploit. Unlike brute-force attacks, which are heavy on processing power, or more sophisticated methods that require a high level of skill, domain spoofing can be as easy as writing an email pretending to be someone else. In a lot of cases, that ‘someone else’ is a major software service platform that people rely on to do their jobs.

Which is what happened between 15th and 30th April, 2020, when our security analysts at PowerDMARC discovered a new wave of phishing emails targeting leading insurance firms in the Middle East. This attack has been just one among many others in the recent increase of phishing and spoofing cases during the Covid-19 crisis. As early as February 2020, another major phishing scam went so far as to impersonate the World Health Organization, sending emails to thousands of people asking for donations for coronavirus relief.

In this recent series of incidents, users of Microsoft’s Office 365 service received what appeared to be routine update emails regarding the status of their user accounts. These emails came from their organizations’ own domains, requesting users to reset their passwords or click on links to view pending notifications.

We’ve compiled a list of some of the email titles we observed were being used:

  • account details changed for users’ privacy

You can also view a sample of a mail header used in a spoofed email sent to an insurance firm:

Received: from [malicious_ip] (helo=malicious_domain)
        id 1jK7RC-000uju-6x
        for [email protected]; Thu, 02 Apr 2020 23:31:46 +0200
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
Received: from [xxxx] (port=58502 helo=xxxxx)
        by malicious_domain with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
From: "Microsoft account team"
To: [email protected]
Subject: Microsoft Office Notification for [email protected] on 4/1/2020 23:46
Date: 2 Apr 2020 22:31:45 +0100
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/html;
        charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - malicious_domain
X-AntiAbuse: Original Domain - domain.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - domain.com
X-Get-Message-Sender-Via: malicious_domain: authenticated_id: [email protected]_domain
X-Authenticated-Sender: malicious_domain: [email protected]_domain
X-Source:
X-Source-Args:
X-Source-Dir:
Received-SPF: fail (domain of domain.com does not designate malicious_ip_address as permitted sender) client-ip=malicious_ip_address; envelope-from=[email protected]; helo=malicious_domain;
X-SPF-Result: domain of domain.com does not designate malicious_ip_address as permitted sender
X-Sender-Warning: Reverse DNS lookup failed for malicious_ip_address (failed)
X-DKIM-Status: none / / domain.com / / /
X-DKIM-Status: pass / / malicious_domain / malicious_domain / / default


Our Security Operation Center traced the email links to phishing URLs that targeted Microsoft Office 365 users. The URLs redirected to compromised sites at different locations around the world.

By simply looking at those email titles, it would be impossible to tell they were sent by someone spoofing your organization’s domain. We’re accustomed to a steady stream of work or account-related emails prompting us to sign into various online services just like Office 365. Domain spoofing takes advantage of that, making fake, malicious emails indistinguishable from genuine ones. There’s virtually no way to know, without a thorough analysis of the email, whether it’s coming from a trusted source. And with dozens of emails coming in every day, no one has the time to scrutinize each one. The headers above already tell the story for anyone who does look: Received-SPF is a fail for domain.com, and the only DKIM signature that passes belongs to malicious_domain, not to the domain in the From address. A receiver enforcing a DMARC policy for domain.com would have seen that neither check aligned and rejected the message. The only workable solution is an authentication mechanism that checks every email claiming to come from your domain and blocks just those sent without authorization.

That authentication mechanism is called DMARC. And as one of the leading providers of email security solutions in the world, we at PowerDMARC have made it our mission to get you to understand the importance of protecting your organization’s domain. Not just for yourself, but for everyone who trusts and depends on you to deliver safe, reliable emails in their inbox, every single time.

You can read about the risks of spoofing here: https://powerdmarc.com/stop-email-spoofing/

Find out how you can protect your domain from spoofing and boost your brand here: https://powerdmarc.com/what-is-dmarc/