Skip to main content

With modern email phishing attacks, you can’t stop what you can’t…fingerprint?

(Image credit: Image Credit: ar130405 / Pixabay)

The FBI recently reported that the rising problem of business email compromise (BEC) has cost businesses nearly $26 billion globally since June 2016. However, this data should come as no surprise to enterprises, as payload-less cyberattacks driven by social engineering, such as BEC and account takeover (ATO), are growing in sophistication and frequency for a variety of reasons.

For one, traditional human and technical email security controls, such as security awareness training and secure email gateways (SEGs), are all but blind to such modern phishing attack techniques. SEGs were originally designed to stop high-volume spam at the gateway level, so it is not effective against advanced and more targeted phishing attacks at the mailbox level. Likewise, no matter how hyper-phishing-aware employees are trained to be, it only takes one carefully crafted message sent to a distracted worker to jumpstart a chain of events that leads to financial, operational or reputational harm.

Experts have also long promoted the adoption of authentication and encryption protocols, such as Domain-based Message Authentication, Reporting and Conformance (DMARC), Domain Keys Identified Mail (DKIM) and Sender Policy Framework (SPF) as means to improve email security. However, even though the combination of these protocols can reduce some risk, they are just merely one small piece to a much larger email protection puzzle.

Revisiting the limitations of email security protocols & standards

For DMARC to work as intended, both the sender and the receiver need to implement it correctly. But even if they have done so, exact domain spoofing attacks can still exploit vulnerabilities in email clients to mislead end users on the validity of a message. In fact, in a direct spoofing attack, an adversary can exploit a vulnerability in a web browser or in a code to change the return path details. For example, Mailsploit, a dangerous phishing technique, can easily render DMARC obsolete by exploiting how mail servers handle text data differently than operating systems.

Additionally, protocols like DMARC do not protect against phishing attacks when attackers purchase a domain. While these protocols can be effective at reducing risk from exact domain spoofing, they are not built to stop exact sender name and similar sender name impersonations as well as look-alike (aka cousin domain spoofing) attacks, which impersonate not just an email but the actual domain itself. 

One such situation could have an attacker purchase the domain www.paypaI.io (using a capital I instead of an L), and build out various email addresses to launch a series of attacks, but no signatures, standards or protocols would immediately identify messages coming from this domain as malicious - as it is yet to be associated with a negative reputation. And without suspicious DNS activity or malicious signatures, such as links and attachments, the phishing attack would easily bypass most traditional email security solutions and all protocols, ultimately landing in the inbox and luring clicks.

Identifying senders with fingerprinting technology

Understandably, complying with email security standards and protocols is beneficial to organisations. However, it’s important for businesses to realise that adoption is only one risk mitigation factor within the complex email protection puzzle. On the plus side, email security protocols such as DMARC serve to protect companies and brand domains from being used in phishing attacks. On the downside, DMARC is traditionally an outbound protection protocol and does not serve as comprehensive inbound protection against other impersonation and spoofing tactics.

To supplement DMARC and legacy email security tools in order to further protect the inbox, organisations must look to pseudo-authentication, also known as “sender fingerprinting,” which uses advanced machine learning to more accurately identify senders. Specifically, sender fingerprinting can help businesses:

  • Protect against all types of BEC including domain spoofing, display spoofing, and impersonation attempts by analysing data the mailbox-level.
  • Scan every message for the implementation level, sending IP addresses, normal communication context, and email data/metadata. The sum of this information can then be used to create a baseline and fingerprint of what “normal” communications should look like between every email address and sender.
  • Detect any deviation from the norm and notify recipients through inline messaging of any potential threat.
  • Enable anomalies in communications to be more easily spotted and flagged as suspicious to help people make smarter and faster decisions for the SOC to investigate, analyse and respond accordingly.

While DMARC, DKIM, and SPF are practical in theory, they can, in fact, be difficult to use and maintain. Most importantly, they are only effective at stopping exact domain spoofing which actually accounts for only a small subset of advanced email phishing threats in today’s cyber-landscape. As a result, organisations need to take steps to further secure the inbox. And by adding sender fingerprinting to their capabilities, organisations will thus be able to discover the true identity of any sender, no matter the technique or sophistication of the phishing attack.

Eyal Benishti, founder and CEO, IRONSCALES