This article is part of a series on the Identity & Security pillar covering the use cases outlined here.
Email is nowadays considered as a commodity way of communicating when compared to real-time collaboration technologies such as Microsoft Teams or SharePoint Online, but even if the email is something that we are used to working with every day, it does not mean that we should care less about its security.
As part of a multilayered security strategy, email is one of the first assets that must be protected for your company, but also for the network of partners you work with so that they maintain confidence and trust in your company’s brand.
According to independent researches by the Ponemon Institute and Varonis, malware, phishing, spear-phishing, and social engineering attacks are still among the most common attacks delivered by email.
Cybersecurity statistics 2020
Considering that phishing and spear-phishing attacks account for 90% of data breaches and that the global average cost of a data breach in 2019 amounted to 3.5M (IBM), we have to understand why do we need to invest in optimizing our email security as a priority. Below I’ve outlined the three steps that can help to achieve an optimized security posture against these types of attacks.
Step 1: Implement DMARC
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication framework that is designed to protect your domain from being exploited for phishing, spoofing and other types of cybercrime. DMARC relies on existing email authentication standards: SPF (Sender Policy Framework) and DKIM (Domain Keys Identified Mail). SPF is an email authentication protocol that allows domain owners to specify which mail servers are authorized to send mail from their domain, while DKIM adds a digital signature to the headers of an email message so that the recipient can verify that an email message was sent from an authorized mail server. I will cover these two standards in future articles, but for now, let’s just remember these two concepts and focus on DMARC.
DMARC itself is not an authentication protocol but rather a framework that unifies SPF and DKIM authentications standards to provide control and reporting features for the domain(s) global mail flow, as it allows to instruct email receivers on how to handle unauthenticated mail via a policy, thus removing any ambiguity on how receivers should handle messages that fail DMARC authentication.
The two key concepts of DMARC are domain alignment and reporting. The alignment feature prevents spoofing of the header from email header by:
Matching the [header from] (the name the user sees in its mail client application) with the [envelope from] domain name that is used during an SPF check;
Matching the [header from] domain name with the [d=domain name] specified in the DKIM signature;
A message passes DMARC authentication if it passes SPF authentication and alignment, and/or passes DKIM authentication and alignment;
A message fails DMARC authentication if it fails SPF authentication or SPF alignment and DKIM authentication or DKIM alignment.
As mentioned before, domain owners can specify via a policy how receivers should handle messages that do not pass DMARC authentication. The policy can have the following settings:
Monitor all email, to analyze legitimate and unauthorized sources (spoofers of your domain) without interfering with the delivery of messages that fail DMARC authentication;
Quarantine messages that fail DMARC authentication (move the message to the junk/spam folder);
Reject messages that fail DMARC authentication (discard and delete the message)
Here is a visual that helps to understand how DMARC works.
Reporting is another critical feature of DMARC: email receivers send regular DMARC aggregate and forensic reports back to senders (according to the URI(s) specified in the sending domain DMARC policy), giving visibility into messages that authenticate, messages that fail authentication, and the reason why the authentication failed.
At Stellium we implement a reject policy and we constantly monitor our mail flow thanks to DMARC reporting. Here are two report samples.
DMARC aggregate report
DMARC email source report
Properly configuring DMARC helps receivers’ email servers determine how to evaluate messages that claim to be from your domain and it is the only widely deployed technology that can prevent the spoofing of the [header from] address (what users see in their email clients). This helps protect both your customers and the brand, and it also discourages cybercriminals who are less likely to go after a domain with a DMARC enforcement policy in place.
We can summarize the benefits of implementing DMARC as follows:
Aggregated reports give you visibility into the usage of your email domain(s) across the internet;
The use of reject or quarantine mode reduces the effectiveness of spoofing and will discourage malicious senders;
A reduced number of spoofed emails coming from your domain will increase the overall confidence score in your email domain amongst recipients, increasing your successful deliverability rate.
DMARC usefulness seems straightforward. right?
DMARC’s ability to prevent direct domain spoofing by validating the sender’s identity seems a no-brainer, but according to the 2019 Global DMARC Adoption report (250ok), most of the organizations aren’t taking advantage of DMARC to stop phishing attacks and looking at the statistics below, DMARC’s adoption is far from being optimal.
Global DMARC adoption 2019, image copyright: 250ok
If we aggregate figures for the domains without policy and domains with monitoring only policies, we can conclude that 90% of companies are susceptible to spoofing, used as part of phishing attacks
Let’s look at the situation in Switzerland.
I’ve analyzed 33 company domains (email domains with a valid MX record) across a mix of industry sectors (tobacco, public sector, pharmaceutical, healthcare, manufacturing, luxury, banking, non-profit, food processing) in the Romandy region, and, adoption is equally low, with only 5 out of 33 domains implementing a reject or quarantine policy.
Without a DMARC policy implemented in quarantine or reject mode, you and your partners are susceptible to phishing and domain spoofing, hence potentially leaving the choice to the end-users to determine if an email is legitimate or counterfeit.
DMARC should be the first go-to technology in a multilayered security strategy that covers information and messaging areas as it is the first foundational pillar that can secure your email domains across global mail flow on the internet. However, there are other types of threats where DMARC cannot help:
Look-alike domains: domains that mimic legitimate ones by using different combinations of characters or alphabet types (e.g. Cyrillic) to make recognition difficult to the naked eye.
Display name spoofing: attackers using a legitimate user display name or anything that looks realistic (like a variation of a brand name)
For these types of threats, we must implement additional layers in our security strategy.
Step 2: Implement AI-based spoofing protection
I assume, nowadays, that standard messaging protection has been adopted by most companies for their email domain(s), with messaging protection solutions. If we consider Exchange Online Protection (EOP), which is the service offered for any Exchange Online subscription, we can see what a standard solution should offer as baseline protection:
Connection filtering: IP and domain filtering based on publicly available blacklists.
Transport rules administration and policy filtering: user-based rules for IP and domain blocking and how to handle messages with malware or spam detection confirmation (e.g. forward to a mailbox, quarantine or delete). This is the place where whitelist rules must be carefully checked to ensure that the organization is not vulnerable to external attacks.
Anti-malware filtering: multi-engine virus and malware detection engine.
Content filtering: multiple checks are performed to ensure that the sender and receiver are secure, the message text is machine-checked, the SPF and Sender ID filters are checked, as well as other controls such as mass email filters, international spam and whether the message is advanced spam (e.g. a phishing message).
User-based reporting: once a message is delivered to a user’s mailbox, he has still the possibility to report the message back as spam so that next time it will be properly classified by EOP.
Here is a high-level schema of the EOP architecture (Exchange on-premise organization is optional for a cloud-only deployment).
EOP architecture, image copyright: Microsoft
Additional capabilities can be enabled by adding Office 365 Advanced Threat Protection (ATP) licenses to your users (either as an ATP license add-on or part of a license bundle, such as Microsoft 365 E5):
ATP Safe Links: a warning page will be displayed when a user clicks on a link in an email and the URL has been blocked by your organization’s custom blocked URL list or if the URL is determined to be malicious.
ATP Safe Attachments: protects against unknown malware and viruses, and provides zero-day protection to safeguard your messaging system. All messages and attachments that don’t have a known virus/malware signature are routed to a special environment where ATP uses a variety of machine learning and analysis techniques to detect malicious intent. If no suspicious activity is detected, the message is released for delivery to the mailbox.
ATP for SharePoint Online, Teams and OneDrive: helps detect and block files that are identified as malicious in team sites and document libraries.
ATP advanced anti-phishing policies: enabled advanced evaluations by multiple machine learning models that analyze messages and take appropriate action based on the configured policies.
Advanced reporting: reports of security attacks or increased suspicious activity. In addition to highlighting areas of problems, smart reports and insights include recommendations and links to view and explore data and also take quick actions.
We can see the number of additional controls ATP enables on the inbound mail flow by looking at the threat intelligence reports below (EOP-only vs ATP).
Threat intelligence controls with EOP-only
Threat intelligence controls with ATP enabled
ATP can be enabled on selected mailboxes and my recommendation is to enable it at least for high-level executives, business owners, external board members and in general any zero-day attack targeted mailbox/user (disregarding the mail volume as a protection driver) so that these mailboxes can benefit from the additional protection controls.
Ideally, the entire organization must be protected by ATP in addition to EOP, but if a choice has to be made due to cost constraints, then, don’t leave out the most information-sensitive accounts.
ATP threat classification engine for unknown threats, image copyright: Microsoft
Is this enough to protect you?
Office 365 is a very popular service and attackers focus their efforts on this platform so they develop specific attacks for both EOP and ATP. Highly-targeted organizations are more than likely to be attacked using ATP-specific methodologies, and non-Microsoft technologies are less likely to be subject to the same vulnerabilities.
Our partner Avanan has a specific solution that covers Office 365 security and in the context of our multilayered protection strategy, it provides the following capabilities on top of EOP/ATP using an agentless deployment approach.
Avanan security dashboard
Agentless and proxy less deployment: deployment does not require an agent to be installed nor any modification of your email DNS records. Unlike a traditional secure email gateway (SEG), which sits in the middle between the Internet and your email system. Avanan takes a modern approach to email security by protecting each individual mailbox from internal and external threats, moving beyond the perimeter-based philosophy of security that was established in the 1990s. This renders also the platform invisible to hacker detection as the technology behind is not exposed directly (e.g. cannot be detected by inspecting the MX DNS records).
Zero-day malware and anti-phishing detection: dynamically detect malicious behaviour and quarantine dangerous files using machine learning to analyze emails for over 300 indicators of phishing. Self-training AI learns from attacks missed by both EOP and ATP platforms. The protection is extended also beyond messaging over Teams, OneDrive and SharePoint files.
File sanitization: every file is scanned for malware, and, malware-identified files are replaced with a sanitized version that includes the file content but is malware-free.
Advanced reporting: real-time reporting to analyze every aspect of a threat with granular details on network, process, and registry events.
The platform provides also account takeover detection capabilities and DLP/compliance management for Office 365. I will cover these capabilities in a future article along with Azure Identity and Information Protection.
We can check for you the efficacy of the solution with a 30 days trial and compare it against the EOP/ATP stack to analyze how the solution performs and work for you in a monitor-only mode, without changing your DNS records nor affecting the existing email flow. The deployment procedure takes as little as 5 minutes and you can review and consent the Avanan application requirements in your Office 365 tenant.
Once all these automated controls are in place, there is only one last point to address: the human factor.
Step 3: educate your users
Even if less than 1% of phishing emails (out of all the blocked mail flow that impacts your company every day) reach one of your users, it may have a huge impact on your business, and therefore, it is important to continuously train and educate your users:
Design and launch simulated phishing campaigns to assess and monitor how your users react to phishing emails.
Deliver on-demand security awareness training to prepare and teach your users how to recognize and avoid phishing attempts.
How can we help you?
At Stellium, we have supported many companies in the implementation of a multilayered security strategy, and we use the following high-level methodology to ensure customer success.
Assessment of your security posture and discovery of security use cases;
Analyze your security requirements and IT landscape;
Identify potential solutions to strengthen your multilayered security strategy.
Design your security architecture considering all components
Simulate architecture behavior and expected outcomes in a controlled environment;
Forecast the solution performance and costs in production.
Helping you negotiate contract terms with the vendor(s);
Implement the security architecture into your production environment;
Rollout to your users with a proper communication campaign and training.
Would you like some advice to help you with the implementation of a security strategy for your organization? Go ahead and set up an appointment for a free consultation call when it works best for you.