Diniz Martins

Apr 13, 2022 · 3 min

Phishing Email

Introduction to Phishing:

Phishing is an attack that aims to steal a user's personal data (credentials, payment details and the like) by tricking the user into clicking a malicious link or running a malicious file, most often delivered by email.

Phishing attacks correspond to the "Delivery" phase of the Cyber Kill Chain, a model created to analyze cyber-attacks. Delivery is the step in which the attacker transmits the previously prepared malicious content to the victim's systems or people.

Phishing is the most common attack vector for initial access. Stealing the user's password is not its only purpose: the point of such attacks is to exploit the human factor, and attackers use phishing as the first step to infiltrate systems.

Simple example:

What is phishing email analysis?

Phishing email analysis is the examination of a suspected phishing email (its headers, body, links and attachments) to confirm that it is malicious and to establish which techniques the attacker used.

What is a common indicator of a phishing email?

Common indicators of a phishing email include suspicious addresses, links, or domain names, threatening language or a sense of urgency, errors in the email, the inclusion of suspicious attachments, and emails requesting sensitive information.

Phishing attack flow:

What is an Email Header?

Email headers contain the tracking information for an individual message: the path it took through the mail servers that relayed it, with time-stamps, IP addresses and sender/recipient information. Each relaying server prepends its own Received header, so the chain reads newest-first, and the receiving server usually adds an Authentication-Results header with the SPF, DKIM and DMARC verdicts. For an analyst this is where a spoofed message gives itself away: the Return-Path (envelope sender) and Reply-To often point to a domain that differs from the visible From. The same information is what mail administrators use to troubleshoot messages that do not send, bounce incorrectly, or are marked as spam when they should not be.

How to Access Your Email Header?

Outlook:

- Open the relevant e-mail;

- File;

- Info;

- Properties;

- Internet Headers.

The website below can help you analyze that information:

https://mxtoolbox.com/EmailHeaders.aspx
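The header checks and the phishing indicators listed earlier (sender mismatches, deceptive links, urgency language) can be applied programmatically. The following script is an added example and not part of the original post; it uses only the Python standard library. The message it parses is constructed for the example (the domains corp.example, mailer-example.net and login-reset.net and the IP addresses are invented), and the link and urgency checks are simple heuristics, not a substitute for a mail gateway's filtering.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real capture). The visible From claims
# corp.example, but the envelope sender, Reply-To and link target all lead
# elsewhere, and the subject pushes for urgency.
RAW_MESSAGE = b"""Return-Path: <bounce@mailer-example.net>
Received: from mx.corp.example (mx.corp.example [203.0.113.10])
\tby inbox.corp.example with ESMTPS; Wed, 13 Apr 2022 09:15:02 +0000
Received: from smtp.mailer-example.net (smtp.mailer-example.net [198.51.100.25])
\tby mx.corp.example with ESMTP; Wed, 13 Apr 2022 09:15:01 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby smtp.mailer-example.net with ESMTPA; Wed, 13 Apr 2022 09:14:58 +0000
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mailer-example.net;
\tdkim=none; dmarc=fail header.from=corp.example
From: "IT Support" <it-support@corp.example>
Reply-To: helpdesk@mailer-example.net
To: user@corp.example
Subject: URGENT: your password expires in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires soon. Verify your account immediately:
<a href="http://corp-example.login-reset.net/verify">https://sso.corp.example/reset</a></p>
</body></html>
"""

URGENCY_PHRASES = ("urgent", "immediately", "expires", "suspended", "verify your account")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address such as '"Name" <user@host>'."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def received_chain(msg) -> list:
    """Each relay prepends its own Received header, so header order is
    newest-first. Return the hops oldest-first as (from_host, by_host)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(str(value).split())  # unfold continuation lines
        m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", flat)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def auth_results(msg) -> dict:
    """SPF/DKIM/DMARC verdicts recorded by the receiving server."""
    flat = " ".join(str(msg.get("Authentication-Results", "")).split())
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", flat))


def sender_mismatches(msg) -> list:
    """Return-Path (the envelope sender) and Reply-To are the addresses the
    attacker really controls; flag them when they differ from the From domain."""
    from_domain = domain_of(str(msg["From"]))
    findings = []
    for name in ("Return-Path", "Reply-To"):
        if msg[name] is not None:
            other = domain_of(str(msg[name]))
            if other != from_domain:
                findings.append(f"{name} domain {other} != From domain {from_domain}")
    return findings


def deceptive_links(html: str) -> list:
    """Anchor text that shows one host while the href points to another."""
    findings = []
    for href, text in LINK_RE.findall(html):
        target = urlparse(href).hostname or ""
        shown = urlparse(text.strip()).hostname or ""
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
    return findings


def urgency_hits(subject: str, body: str) -> list:
    """Pressure language in the subject or body."""
    text = (subject + " " + body).lower()
    return [p for p in URGENCY_PHRASES if p in text]


def triage(raw: bytes) -> dict:
    """Run every indicator check over a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    return {
        "hops": received_chain(msg),
        "auth": auth_results(msg),
        "sender_mismatches": sender_mismatches(msg),
        "deceptive_links": deceptive_links(body),
        "urgency": urgency_hits(str(msg["Subject"]), body),
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Read the hops bottom-up: the message entered the mailer at 192.0.2.77 with authenticated submission (ESMTPA), which is the origin an investigation would pivot on, while the spf=pass in Authentication-Results only vouches for mailer-example.net, not for the corp.example shown in From.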

SPF, DKIM, and DMARC? 🤷🏽‍♂️

For those of you that are new to the email security subject, you've probably heard about SPF, DKIM, and DMARC. But what are they, and how do they relate to each other?

Like regular postal mail, someone could send you a letter in an envelope and forge the sender's name on the envelope, on the letter itself, or on both. The same is possible for email. Most attacks reported by the industry start with an email, through scams such as spear phishing. To better protect against fraud, SPF, DKIM, and DMARC were introduced.

SPF

Sender Policy Framework is a mechanism that allows a domain to publish, in a DNS TXT record, which sources (IP addresses) are allowed to deliver email on behalf of that domain. The receiving server checks the connecting IP against the record of the envelope sender domain (the SMTP MAIL FROM, seen later as Return-Path), not against the From header the user sees.

In the postal mail analogy, this would mean that upon receiving an envelope, you contact the sender printed on the envelope and ask them whether postman Pat is allowed to deliver letters on their behalf. Note that it is the name on the envelope that is checked, not the name on the letter inside.
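To make the check concrete, here is a small SPF evaluator, added as an example and not code from the original post. It works offline against a constructed DNS zone (the domains and records in DNS_TXT are invented for the example) and implements the ip4, ip6, include and all mechanisms with their qualifiers; the a, mx, exists and redirect= terms and macro expansion are deliberately left out, so it is not a replacement for a full RFC 7208 library.

```python
import ipaddress

# Constructed DNS zone standing in for live TXT lookups (assumption: these
# domains and records are invented for the example).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer-example.net -all",
    "_spf.mailer-example.net": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
}

# Qualifier prefix -> SPF result when the mechanism matches ('+' is the default).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the SPF record of `domain` for a connecting `ip`.

    `domain` is the SMTP MAIL FROM (Return-Path) domain, not the visible From.
    Implements ip4, ip6, include and all; a, mx, exists and macros give
    permerror here, and modifiers such as redirect= and exp= are ignored.
    Returns one of pass / fail / softfail / neutral / none / permerror.
    """
    record = DNS_TXT.get(domain.lower().rstrip("."))
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    if depth > 10:                 # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        if "=" in term:            # modifier (redirect=, exp=): not handled here
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            inner = check_spf(ip, arg, depth + 1)
            if inner == "pass":    # include matches only on an inner pass
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"     # a, mx, exists, ptr: unsupported in this example
    return "neutral"               # nothing matched and no 'all' term


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9", "2001:db8::1", "192.0.2.5"):
        print(ip, "->", check_spf(ip, "example.com"))
```

The "-all" at the end of example.com's record is what turns an unlisted source into a hard fail; with "~all" the same source would only soft-fail, which most receivers treat as a weak signal rather than a reason to reject. Note also that an attacker who sends from their own domain with a valid SPF record still gets a pass, which is why SPF alone does not stop From spoofing.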

DKIM

DomainKeys Identified Mail is a mechanism that allows a domain to claim responsibility for a message and protect it against modification by adding a digital signature. The signature is computed over selected headers and the body with the signing domain's private key; the receiver fetches the matching public key from DNS, using the selector (s=) and domain (d=) tags carried in the DKIM-Signature header.

In the postal mail analogy, this means that the envelope carries a stamped seal proving that the letter inside was not altered by anyone who handled the envelope, and the seal can be verified to belong to whoever applied it: the signing domain named in the signature (the d= tag). That domain need not be the sender on the envelope nor the sender mentioned in the letter, and this is a big difference; any domain can sign a message, so a valid signature by itself says nothing about the From address the recipient sees.

DMARC

Domain-based Message Authentication, Reporting, and Conformance is a mechanism built on top of SPF and DKIM. It checks the SPF and DKIM validation results and whether the 'Header From' domain aligns with the domains those checks were made against: the envelope sender domain for SPF and the d= tag for DKIM. The 'Header From' address is the email address that recipients see in their email client. The domain owner publishes its DMARC policy in a DNS TXT record at _dmarc.<domain>.

When neither SPF nor DKIM produces a pass that aligns with the 'Header From' domain, the receiving server should honor the DMARC policy. For example, it could instruct the receiving server to quarantine (p=quarantine), reject (p=reject), or ignore the results and deliver the email (p=none).

Like with regular mail, the sender's name on the letter does not have to match the sender's name on the envelope. The problem with email is that the envelope is not visible to the recipient, which causes risks.

Imagine your email server as a person handling your incoming messages. If you do not implement SPF, DKIM, and DMARC, this person will receive an envelope from anyone, open it, and put the letter on your desk without checking anything. There is then no way for you to tell whether the sender's name on the letter can be trusted.

Results and alignment:

The DMARC policy is applied only when neither SPF nor DKIM produces a pass that also aligns with the 'Header From' domain. As long as either SPF or DKIM passes and aligns, DMARC passes and the message is not quarantined or rejected on DMARC grounds. Alignment can be relaxed (the default: the organizational domains must match, so a signature by news.example.com aligns with a From of example.com) or strict (adkim=s / aspf=s: the domains must match exactly).
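The DMARC decision described in the two passages above (policy handling and the pass/alignment rule) is small enough to write out in full. The code below is an added example, not from the original post; it takes the SPF and DKIM results a receiver has already computed and returns the DMARC verdict and disposition. One assumption to be aware of: real implementations determine the organizational domain with the Public Suffix List, while organizational_domain here just takes the last two labels, which is wrong for suffixes such as co.uk. The sp=, pct= and reporting (rua=/ruf=) tags are parsed past but not acted on.

```python
from dataclasses import dataclass
from email.utils import parseaddr


def organizational_domain(domain: str) -> str:
    """Organizational domain used by relaxed alignment.
    ASSUMPTION: registrable domain = last two labels. Real DMARC code
    consults the Public Suffix List (this is wrong for e.g. co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts any subdomain
    of the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


@dataclass
class DmarcRecord:
    p: str = "none"     # policy for messages failing DMARC
    adkim: str = "r"    # DKIM alignment mode
    aspf: str = "r"     # SPF alignment mode


def parse_dmarc_record(txt: str) -> DmarcRecord:
    """Parse the tag=value pairs of a _dmarc.<domain> TXT record.
    sp=, pct=, rua= and ruf= are accepted but not used here."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p", "none") not in ("none", "quarantine", "reject"):
        raise ValueError("invalid p= tag")
    return DmarcRecord(p=tags.get("p", "none"),
                       adkim=tags.get("adkim", "r"),
                       aspf=tags.get("aspf", "r"))


def evaluate_dmarc(header_from: str, spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str,
                   record: DmarcRecord) -> tuple:
    """Return (dmarc_result, disposition).

    spf_domain is the RFC5321.MailFrom (Return-Path) domain the SPF check ran
    against; dkim_domain is the d= tag of the signature that verified.
    DMARC passes if at least one of the two passed AND aligns with the
    RFC5322.From domain; otherwise the published policy decides."""
    from_domain = parseaddr(header_from)[1].rsplit("@", 1)[-1]
    spf_aligned_pass = spf_result == "pass" and aligned(spf_domain, from_domain, record.aspf)
    dkim_aligned_pass = dkim_result == "pass" and aligned(dkim_domain, from_domain, record.adkim)
    if spf_aligned_pass or dkim_aligned_pass:
        return "pass", "deliver"
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return "fail", disposition[record.p]


if __name__ == "__main__":
    # Constructed scenarios; example.com / mailer-example.net are invented.
    policy = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
    cases = [
        ("direct mail, SPF aligned", "alice@example.com", "pass", "mail.example.com", "none", ""),
        ("bulk mailer, DKIM rescues", "alice@example.com", "pass", "mailer-example.net", "pass", "example.com"),
        ("spoof with attacker's own SPF", "alice@example.com", "pass", "attacker.example", "none", ""),
    ]
    for label, hf, spf, spf_d, dkim, dkim_d in cases:
        print(label, "->", evaluate_dmarc(hf, spf, spf_d, dkim, dkim_d, policy))
```

The third scenario is the one the postal analogy warns about: the attacker's own domain passes SPF, but it does not align with the From domain, so with p=reject the message is refused even though "SPF passed".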

Stay tuned!
