TitanHQ

TitanHQ Blog

Stopping Identity Based Email Attacks

Posted by Geraldine Hunt on Thu, Jun 27th, 2019

Phishing attacks that target individuals in an effort to steal their private data are on the rise. In Verizon’s 2018 Data Breach Incident Report, it was reported that 93% of breaches start with phishing. Identity-based email attacks use customers, vendors or other employee information to trick recipients into giving up information either in a reply email or by accessing an attacker-controlled website.

Office 365 is one tool used within an organization that has some security flaws involving spam and phishing. Attackers use known email addresses and Office 365 flaws to overcome cybersecurity defenses. It’s imperative that email administrators take the proper steps to protect users, and the most effective way to defend against phishing is using sophisticated tools that incorporate DMARC and powerful email filtering.

Every Industry is a Target

It’s a common misconception that small businesses don’t have enough data or aren’t prime targets for attackers. This misconception leads to common mistakes and weak security protocols implemented across the organization. Attackers know that small businesses are much more prone to weak security due to smaller IT budgets and a lack of tools and staff that can protect from cyber attacks.

Financial and medical data are the most valuable to attackers, but many organizations store data that can be used in identity theft. It only takes one mistake and attackers can exfiltrate data within minutes. In the previously mentioned Verizon report, the average discovery and containment phase takes months before an organization is even aware that there has been a breach.

The Federal Bureau of Investigation (FBI) indicated that almost $1 billion was diverted or attempted to be diverted during real estate transactions. The cyber attack involves spear phishing, which means the attacker uses a known employee or vendor to send email to a targeted user with the attempt to trick the recipient into sending money to an attacker-controlled account. These attacks are effective and cost organizations millions in damages. The money is usually lost to an international attacker that moves funds so that they cannot be recovered.

Protecting Users from Spear Phishing Attacks

Although a common thought is that smaller organizations are less vulnerable, in fact, attackers can more easily find information about employees, contractors, and vendors and use phishing attacks for a large payout. They perform these attacks using spoofed sender addresses. A spoofed email means that the attacker sets the sender address as one that is known in the organizations, usually, it’s a business domain email. If your incoming email server is not equipped to handle spoofed messages, they go directly to the targeted user and nothing alerts the recipient. With DMARC rules, an administrator can avoid this type of attack and quarantine a message instead of allowing it to get to the targeted user’s inbox.

DMARC is a set of rules that incorporates two technologies. The first one is Sender Policy Framework (SPF). SPF is a DNS-based filter that sets authorized sender IP addresses on DNS servers. Recipient systems perform a lookup on SPF records to verify that the sender IP address matches an authorized sender IP set up on the organization’s DNS servers. If the sender’s IP is not in an SPF record, then the message gets rejected by the recipient’s email server.

The second part of DMARC technology is DomainKeys Identified Mail (DKIM). DKIM is a bit more complicated as it involves an encrypted signature that verifies the sender’s authenticity. The signature is created using the organization’s public key and then decrypted using the private key available to the email server. After the signature is decrypted, the email system can then look up DMARC rules on the DNS server.

An administrator can set different levels of security using DMARC. Failed emails could just be rejected and dropped, or the administrator can choose to quarantine the message in a safe location away from network users. When messages are quarantined, the administrator can review the message to verify its authenticity. Quarantining message gives administrators the ability to avoid false positive drops where users don’t receive important messages that were improperly flagged.

Another benefit of DMARC systems is that administrators can get aggregated reports to identify any false positives and review the number of dropped emails. If there is a sudden uptick in dropped, spoofed messages, it could indicate that attackers have targeted the organization and heightened monitoring should be implemented.

By adding strong 3rd party email filtering and anti-phishing protection, an organization using Office 365 greatly reduces the possibility of an identity-based email attack. Office 365 has some anti-malware security features, but attackers continually develop ways to avoid detection. Organizations can stop attackers before they can even reach a targeted user’s inbox. By removing inboxing capabilities of spear phishing attackers, an organization will avoid the high monetary damages that result from these attacks.

Never Miss a Blog Post

Sign-up for email updates...

Start Free Trial Request Demo
TitanHQ

Talk to a Trusted Security Advisor

Call us on USA +1 813 304 2544 or IRL +353 91 545555

Contact Us