By: Will Young, Director of Technical Testing, MAD Security | January 10, 2019

Protecting users from phishing attacks requires a defense-in-depth strategy. Users are the last line of defense against phishing attacks and, unfortunately, also the weakest. Ideally, your other protections ensure that phishing emails never reach your users in the first place. To understand how to protect against phishing emails, let's walk through a few examples of an attacker sending a malicious email to one of your users and discuss the different steps in the delivery process where we could stop it.

Impersonation Protections

SPF, DKIM, and DMARC records all help weed out phishing emails that attempt to impersonate another organization. When configured by an organization, these records essentially dictate who is allowed to send emails on behalf of that organization. Anyone sending an email attempting to impersonate an organization with these records will likely have their email rejected by most modern mail servers.

SPF Records

At a basic level, SPF (Sender Policy Framework) records establish a method for receiving mail servers to verify that incoming email from a domain was sent from a host authorized by that domain’s administrators. SPF records are TXT records that are configured on an authoritative DNS server for the sending domain.

Let's suppose that your company's domain name is "globalcorp.com" and suppose also that an attacker attempts to send an email from "[email protected]" to one of your employees using an SMTP server that is owned by the attacker. When your company's mail server receives the email from the attacker's mail server, if it is correctly configured, it should compare the IP address of the sending server with the authorized IP addresses defined in the SPF record for "globalcorp.com". If the attacker's SMTP server is not listed as an authorized sender, then this email can be safely rejected or flagged for review. This one simple DNS record has essentially thwarted the attacker's attempt to impersonate your organization.

DKIM Records

DomainKeys Identified Mail (DKIM) is a technical standard that helps protect email senders and recipients from spam, spoofing, and phishing. DKIM works by adding a digital signature to the headers of an email message. This signature can be validated against a public cryptographic key published in the organization's DNS records, much like SPF. When an email is sent by an outbound mail server, the server generates and attaches a unique DKIM signature header to the message. This header includes two cryptographic hashes. When an inbound mail server receives the email, it looks up the sender's public DKIM key in DNS, uses that key to verify the signature, and compares the signed hashes with ones it computes itself from the received message. If the values match, the message can be verified as authentic.

If we consider the same example above, where an attacker attempts to send an email from "[email protected]" to one of your employees, your receiving mail server would check the DKIM signature in the email's headers against your company's public DKIM key. Because the attacker does not hold your private signing key, the signature will be missing or will fail to verify, so the email should be rejected or flagged by your company's mail server and should never reach the intended victim.

DMARC Records

DMARC combines SPF and DKIM authentication. DKIM, SPF, and DMARC are all standards that enable different aspects of email authentication, and they address complementary issues. The key differences between them are:

  • SPF allows a domain to define which IP addresses are allowed to send mail for that domain.
  • DKIM provides a signing key and digital signature that verify that an email message was not forged or altered in transit.
  • DMARC unifies the SPF and DKIM authentication mechanisms into a common framework that allows domain owners to declare how an email from their domain should be handled if it fails authentication.
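To make the SPF check from the globalcorp.com example and the DMARC policy decision concrete, here is an added Python example (not code from the original article) that evaluates a sender IP against an SPF record and then applies a DMARC policy with SPF/DKIM alignment. The TXT records and IP addresses are constructed placeholders, and the relaxed-alignment rule is simplified to a parent/subdomain match.

```python
import ipaddress

# Constructed TXT records for the article's example domain (placeholder IPs
# from the RFC 5737 documentation ranges; not globalcorp.com's real records).
DNS_TXT = {
    "globalcorp.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all",
    "_spf.mail.example": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.globalcorp.com": "v=DMARC1; p=reject; adkim=r; aspf=s",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, dns=DNS_TXT, depth=0):
    """Evaluate domain's SPF record against the connecting IP (ip4/ip6/include/all only)."""
    terms = dns.get(domain, "").split()
    if terms[:1] != ["v=spf1"] or depth > 10:  # no record, or RFC 7208 lookup limit hit
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        if name == "include" and check_spf(arg, sender_ip, dns, depth + 1) == "pass":
            return QUALIFIERS[qual]
        if name == "all":
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no 'all' term

def parse_tags(record):
    """'v=DMARC1; p=reject; aspf=s' -> {'v': 'DMARC1', 'p': 'reject', 'aspf': 's'}"""
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)

def aligned(auth_domain, from_domain, mode):
    """'s' requires an exact match; 'r' is simplified here to a parent/subdomain match."""
    if mode == "s":
        return auth_domain == from_domain
    return (auth_domain == from_domain or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))

def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dns=DNS_TXT):
    """Pass if SPF or DKIM passed AND aligns with the From domain; else apply the p= policy."""
    tags = parse_tags(dns.get("_dmarc." + from_domain, ""))
    if tags.get("v") != "DMARC1":
        return "none"  # no DMARC policy published for this domain
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return "accept" if spf_ok or dkim_ok else tags.get("p", "none")
```

For the article's attacker (an unlisted SMTP server and no valid DKIM signature), `check_spf` returns "fail" and `dmarc_disposition` returns "reject" from the published `p=reject` policy.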

Reputation-Based Protections

DNS and IP Blacklisting

Many Domain Name System-based Blackhole Lists (DNSBL) and Real-time Blackhole Lists (RBL) exist; they are an effort to create a "blacklist" of locations on the Internet reputed to send email spam. These blacklists have different criteria for listing and delisting addresses. They may include the addresses of zombie computers used to send spam, of ISPs that knowingly host spammers, or of hosts that have sent spam to a honeypot (a system set up to attract and catalogue attackers). The lists are maintained by various organizations; some are free to use while others require payment. Spamhaus is a reputable organization that maintains constantly updated IP- and domain-based lists and is free for general use. Many solutions, including AlienVault, combine a number of these lists for maximum threat coverage and protection.

Configuring your mail protections to use these blacklists is an extremely powerful way to stop unwanted emails in their tracks. In addition to using a blacklist of known spam addresses, you can also blacklist certain geolocations. For instance, if there is no business requirement for your organization to receive email from a source in China, you could blacklist the IP ranges designated for that geolocation. While there are obviously ways an attacker can get around these lists, this is an additional layer of defense that should be easy to implement on any modern mail server.
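The mechanics of a DNSBL lookup, as an added Python example that is not part of the original article: the sender's address is reversed into a DNS name under the list's zone, a 127.0.0.x answer means "listed", and several lists can be combined into one delivery decision. The `zen.spamhaus.org` zone name is real, but the resolver and its answers here are constructed stand-ins so the code runs offline.

```python
import ipaddress

def dnsbl_query_name(ip, zone):
    """Build the reversed-address lookup name used by DNS blacklists:
    192.0.2.77 checked against zen.spamhaus.org becomes 77.2.0.192.zen.spamhaus.org."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:  # IPv6 lists use one label per hex nibble of the fully expanded address
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def check_dnsbls(ip, zones, resolve):
    """Query every list; return {zone: answer} for the lists that contain the IP.
    Per RFC 5782 a listing is an A answer inside 127.0.0.0/8; None means not listed."""
    hits = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer and ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
            hits[zone] = answer
    return hits

def delivery_decision(ip, zones, resolve, block_threshold=2):
    """Combine lists the way multi-feed filters do: reject when at least
    block_threshold lists agree, quarantine on a single hit, otherwise accept."""
    hits = check_dnsbls(ip, zones, resolve)
    if len(hits) >= block_threshold:
        return "reject", hits
    if hits:
        return "quarantine", hits
    return "accept", hits

# Constructed stand-in for a real resolver: canned answers for one listed address
# (RFC 5737 documentation range). A real deployment would issue DNS A queries here.
FAKE_ANSWERS = {
    "77.2.0.192.zen.spamhaus.org": "127.0.0.4",
    "77.2.0.192.bl.example": "127.0.0.2",
}

def fake_resolve(name):
    return FAKE_ANSWERS.get(name)
```

The meaning of each 127.0.0.x value is specific to the list operator, so a production filter should map the answers using that operator's documentation rather than treating every listing alike.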

Attachment Protections

Attachment Restrictions and Sandboxing

All modern email systems have a way of restricting the types of attachments they accept. Attackers often send victims malicious email attachments in the hope of tricking the user into downloading and opening them. The most notorious of these are executable files (.exe) and macro-enabled Microsoft Office documents (.docm, .dotm, .xlm, .xlsm, .xltm, .pptm, .potm, .ppsm). If there is no legitimate business requirement for them, emails containing these types of attachments should be filtered out in order to protect users. This can be accomplished by blacklisting certain file extensions or by whitelisting only the extensions you need.
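An added Python example (not code from the original article) of an attachment filter built on the extension list above, extended with two content checks a practitioner would want because a filename alone is easy to get wrong: the PE header that marks a renamed executable, and the members of a zip archive. The sample message is constructed inline; the blocked-extension set is the article's list.

```python
import io, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the article lists as high risk (executables and macro-enabled Office files)
BLOCKED_EXT = {".exe", ".docm", ".dotm", ".xlm", ".xlsm", ".xltm", ".pptm", ".potm", ".ppsm"}

def risky_name(filename):
    """True if a blocked extension appears anywhere after the first dot ('invoice.pdf.exe')."""
    return any("." + p in BLOCKED_EXT for p in filename.lower().split(".")[1:])

def risky_content(data):
    """Checks that do not trust the filename: a PE header, or blocked types inside a zip."""
    reasons = []
    if data[:2] == b"MZ":
        reasons.append("PE executable header")
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return reasons + ["corrupt zip"]
        reasons += ["archived " + n for n in names if risky_name(n)]
    return reasons

def scan_message(raw):
    """Return {filename: [reasons]} for the attachments that should be held back."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        reasons = ["blocked extension"] if risky_name(name) else []
        reasons += risky_content(part.get_payload(decode=True) or b"")
        if reasons:
            findings[name] = reasons
    return findings

def build_sample():
    """Constructed message: an executable renamed to .pdf and a .docm inside a zip."""
    m = EmailMessage()
    m.set_content("Please see attached.")
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("quarterly.docm", b"not a real document")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="reports.zip")
    return m.as_bytes()
```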

If your organization does have a business requirement for allowing potentially dangerous file types as email attachments, then email sandboxing technology is a potential solution for protecting users. Sandboxing technology examines attachments and attempts to inspect them for malicious content. For example, in one type of sandboxing, if a file is flagged by the system, the attachment is sent to a virtual "sandbox" that mimics the user's computer. In that "sandbox", it is safe to statically and dynamically analyze the attachment for malicious activity. If the attachment is harmless, it is sent along to the original recipient. If it contains questionable code, harmful links, or malicious signatures, the attachment is kept out of the inbox entirely, so there is no chance that users could be tricked or tempted into opening it.

End User Protections

User Security Awareness Training

Users are the last and weakest line of defense in a phishing attack. Despite your best efforts, it is difficult or nearly impossible to keep all phishing emails from reaching your users. At a minimum, users should receive security awareness training annually in order to learn about new attacks and threats. The focus of this training should be educating users on how to identify the common tactics used in phishing campaigns. Attackers have a very wide variety of techniques for tricking users, such as deceptive domain names (e.g., linkedin.com vs. linked-in.com), subdomains (e.g., facebook.evil.com), impersonation of internal entities, deceptive hyperlinks in emails, or even just exploiting people's natural tendency to want to help others.

In order to gauge the effectiveness of this security awareness training, organizations should also conduct social engineering testing against their own employees at least annually. In these types of engagements, a third party acts as a real-world attacker and attempts to trick the organization's users into divulging sensitive information, running malicious files, or visiting dangerous websites. This testing gathers important statistics and insight into where an organization's anti-phishing mechanisms are failing and also gauges the effectiveness of the current security awareness training program. Many effective security programs also feed this information back into monitoring solutions and more closely watch "click happy" employees who fail these exercises.

So what’s the best strategy for preventing phishing attacks?

Of all the defenses discussed, SPF, DKIM and DMARC, domain- and IP-based blacklists, and attachment restrictions have the largest impact and are also extremely cost-effective. Most of these protections are included in modern mail server configurations and only need to be enabled and configured. Implementing them will protect your users from a significant share of phishing attacks.

After implementing the above, the next cost-effective defense against phishing attacks is user security awareness training. This training is vital to ensuring your employees are able to identify and avoid the phishing emails that make it past your initial defenses. The cost to implement it will vary with the number of employees and the frequency of training.

Phishing attacks cost attackers very few resources and are extremely effective. Users are generally the weakest link in the security of an organization and the path of least resistance for most attackers. Reducing the number of phishing emails that reach your users is critical for decreasing the likelihood of a breach. Users who have been properly educated on how to identify, avoid, and report phishing attacks reduce this risk even further. Remember that it only takes one successful phishing attack to cause an organization catastrophic financial and reputational damage.

Scott Busby
Scott Busby is a Security Engineer at MAD Security with over 5 years of relevant industry experience and more than 11 years as an InfoSec hobbyist. Scott has worked with both former Navy SEAL and CIA operatives performing full red-team engagements, and has consulted on and worked cyber security projects for the Department of Defense as well as multiple other government and commercial entities. Daily, Scott performs security testing and vulnerability research on a wide array of technologies and solutions including networks, web applications, mobile applications, industrial control networks, voting and polling systems, IoT devices and applications, cloud services, and virtual environments.