Why email is still the most significant vector that attackers exploit

The impact of the pandemic is spoken about every day. Never before have we had to react to a danger such as COVID. However, we’re now seeing more repercussions develop because of our enforced actions. With the majority of the UK forced to work remotely from home instead of offices, there was a steep rise in cyber security scams and attacks, with workers’ home internet security readily compromised compared to the office. At home, individuals naturally became less vigilant and more distracted, and therefore increasingly vulnerable to scams and attacks across messaging services, emails and through phone calls. Working remotely meant that instead of being able to rely on company firewalls or enterprise-level protection, there’s a risk attackers could get through their domestic defences.

In the first six months of the pandemic alone, HMRC recorded a 73% rise in email phishing attacks in the UK. Email is the single most significant attack vector attackers exploit to gain access to businesses and individuals, and one of the most significant risks to email communications is email spoofing. Email spoofing is where an attacker forges a sending address by pretending to be someone else.

Recent research conducted by 6point6 discovered that it’s simple to spoof emails from real users and accounts, mimicking them successfully and performing a spoofing attack without warning against 80% – 97% of domains. Using an automated scanner, this research found that the top million domains worldwide were shockingly 97% vulnerable, including 85% and 80% of the US and UK government domains respectively vulnerable to email spoofing and 74% of the FTSE 100 domains at risk.

The issues lie primarily with the understanding of email security protection. Essentially, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) do not protect the From header in email contents, which is the only address that end-users can see. Of the two addresses, ‘Envelope’ and ‘From’, it is possible to easily spoof the ‘From’ address which appears in the user’s inbox.

In addition, a new technology called Authenticated Received Chain (ARC) confuses the situation by helping to legitimise forged emails. The modern email ecosystem and security environments rely on SPF, DKIM and Domain-based Message Authentication, Reporting & Conformance (DMARC) to stop malicious emails. For a DMARC check to pass, both an SPF check and SPF alignment must pass, or a DKIM and DKIM alignment check must pass.

Comparing different AI approaches to email security

Dan Fein, director of email security products at Darktrace, dissects the various AI approaches to email security utilised by businesses. Read here

The tech and IT industry has spent years training users, businesses and employees to look out for misspelling and other subtle tricks attackers use. However, it’s not necessary to register similar domains to manipulate spoof emails. The research from 6point6 demonstrates that it’s a near certainty that attackers can imitate anyone’s email address and achieve a high legitimacy rating, including a line manager’s email addresses or even that of a company director and get through anti-spam or anti-spoofing filters.

If an organisation does not have a well-configured DMARC record, they are vulnerable.
Many IT security providers and solutions rely on the principle of SPF, and DKIM passes as positive indications — on their own, it is simply not true. Therefore, it’s easy to forge the vast majority of domains and have fake emails land in an end-users inbox.

There are free tools available that allow for email resiliency testing, as well as scanning DMARC records, to check for vulnerabilities. However, there is a relatively straightforward way of fixing it for most organisations — creating a valid DMARC record by adding the following line should be enough to protect your domain:

“v=DMARC1; p=reject;”

However, if you are a larger organisation with different services on subdomains, or use email marketing tools such as Sendgrid or MailChimp, then it may be necessary to receive external help for a solution. Most email security articles, online anti-spoofing checkers and security businesses provide confusing or incorrect information that may still leave a business vulnerable. Additionally, even if an organisation has a DMARC record, configuration can be complex, and getting it wrong may have dire consequences — such as explicitly allowing a domain to be spoofed or blocking outbound email messages.

With new methods of infiltrating organisations and attacking them from within are developed, it’s imperative that businesses continually test their resiliency and vulnerability against these attacks. Not only do organisations need to ensure that they are taking every measure possible to protect their email domain, but they should also reinforce training amongst staff to identify potential fake emails in the case that their email domain is spoofed. With many businesses considering a hybrid workplace, it’s essential we remain more vigilant than ever.

Written by Chris Powell, head of cyber labs at 6point6

Editor's Choice

Editor's Choice consists of the best articles written by third parties and selected by our editors. You can contact us at timothy.adler at stubbenedge.com