April 20, 2020 | By Avi Walles, TSOC Manager
Email Advanced Anti Impersonation & Spoofing Defenses
One of the major mechanisms used in today’s date to protect from email spoofing is the Sender Policy Framework (SPF) mechanism. This mechanism primarily relays on the TXT record in the DNS server, which defines what servers are authorized to send emails on behalf of the domain name. Each recipient needs to define an SPF policy for validating and checking the sender SPF record and implement the action for the SPF check results.
In this write-up, we would lay emphasis on a specific technique that is predominantly used by adversaries to bypass SPF limitations. In this specific technique, the attacker changes only the “from” header to the desired spoofed sender and leaves the “envelope sender” or “x-sender” header with the real sender.
In this case on the recipient side, the SPF validation will be performed only on the envelope sender header and when it’s authenticated against the sender domain no validation will be done against the “from” spoofed sender header.
The example below shown illustrates a Telnet connection with multiple “from” header, with different sender:
Figure 1 Telnet connection indicating multiple “From” header
On the email header, the above example reflects as illustrated in the below image:
Figure 2 Email header for the Telnet instance displayed in Figure 1
There are several options to provision the anti-spoofing mechanisms. We have explained some of them as follows:
Domain-based Message Authentication, Reporting & Conformance (DMARC) is the policy defined to be enforced on both SPF and DKIM validation check results. Additionally, this protection also protects from “from” header spoofing. If DMARC is defined in block mode, it will eliminate potential risks corresponding to spoofing threats.
- Sender ID
Sender ID is one of the other methods for email authentication, which enables organizations to explicitly state which mail servers are authorized to send emails in their respective name. As with SPF, Sender ID is used as an anti-spoofing technique. As SPF doesn’t verify the header addresses, Sender ID principally improves on SPF by verifying the domains listed in the “From” or “Mail From” and not only the envelope sender.
- Exchange & O365 Protection Rules
Across the exchange and O365 environments, a spoof protection rule can be enforced to avoid external senders to send an email with spoofed headers. These measures merely work on inbound email traffic to your domain and don’t protect on external attackers, spoofing your user’s email to a third party.
Unfortunately, there have been multiple scenarios wherein a legitimate mail distribution or ERP system distributes emails primarily from vendors or cloud domains on behalf of an organizational mailbox.
This behavior does make it quite challenging to handle such threats. With that being said, we recommend testing the solutions for a limited period to exclude legitimate systems from being blocked.
Stay Safe with TrustNet!