Just how bad is the problem with fake sender identity?
For years, secure email gateways (SEGs) have been playing a cat-and-mouse game with phishers, countering email attacks by scanning for malware, viruses, bad links, and poor sender IP reputations. That worked reasonably well until recently. Unfortunately, many email attacks are now malwareless, and the attack vector has shifted to faking the sender's identity.
For example, Barracuda recently published stats indicating that 83% of phishing attacks are brand impersonations, another 6% are impersonations of people, and only 11% do not use impersonation. In other words, about 9 out of 10 phishing attacks now use fake sender identity.
GreatHorn reports that the number of threats slipping through email defenses has increased by 25% over the last year. Meanwhile, Google reports that 68% of phishing emails blocked by Gmail today are new variations that were never seen before.
It’s all about faking sender identity
Cyber-criminals spoof domains that have not deployed DMARC enforcement to send phishing messages to employees, customers, and partners. These messages look as if they came directly from the impersonated domain, and they often pass straight through most secure email gateways because they contain none of the bad content or other characteristics the gateway can detect.
For example, the World Health Organization recently issued warnings that scammers are impersonating the organization’s officials, with emails that appear to come directly from the WHO’s own domain. This story from Vox explains how coronavirus scammers send fake emails from real domains, and why it’s so easy for them to get away with this.
Because SMTP itself does nothing to verify the From: header, anyone can send a message that appears to come from a domain that has not deployed DMARC enforcement. A variety of free tools on the internet let anyone forge any open domain's identity, and launching spoofing attacks at scale takes only a few lines of PHP.
Messages with fake sender identities often raise no red flags and pass straight through most secure email gateways, particularly if they carry no malware or identifiable links. Business email compromise (BEC) messages often take this approach: they avoid malware that might cause an SEG to block them, while exploiting the implicit trust people place in email that appears to come from their employer or someone they do business with. When these messages use exact-domain spoofs, user training offers little protection, because the visible From: address is identical to the one on legitimate mail; only authentication at the receiving end can tell them apart.
Exact-domain attacks are messages that use your domain name in the From: field but do not originate from your organization or from one of the cloud services you have authorized. Because companies today tend to use a large number of cloud services, most of which need to send email on their behalf, some messages coming “from” your domain are legitimate: they were sent by your HR tool, marketing automation service, or CRM. Others are of unknown origin. And some may come from a malicious sender trying to impersonate you.
The consequences of unauthenticated sender identity
When attackers use your organization’s emailing domain to phish your own employees, the risks are obvious. Employees may be duped into thinking that the messages come from their boss, the CEO, or even someone in IT, and then click on links, enter passwords onto malicious sites, or install Trojan horse software.
But it’s also a problem when those messages are sent to recipients outside your organization. Your customers and partners who learn they have been phished will stop trusting your brand. Your messages will get flagged as spam. Your legitimate emails won’t get delivered.
Most organizations do not see the problem until someone lets them know about a phishing email they received. When these spoofed emails are being sent to partners or customers, that notification may never happen, and if the company is not monitoring how its domain is being used, it will never know.
How to spot the fake sender identity problem
Some organizations are more proactive and start by monitoring their domain through DMARC's reporting capabilities. This gives them visibility into how their domains are being used for email, regardless of whether the recipients are inside the company or not.
In monitoring mode, you publish a DMARC record with p=none, which tells receivers to take no action on messages that fail DMARC, so all of your outbound mail continues to be delivered exactly as before. Participating mail receivers then send daily aggregate reports to the address in the rua= tag of your DMARC record, summarizing which source IPs sent mail using your domain, how many messages each sent, and whether those messages passed SPF or DKIM with a domain aligned to the From: header. Aggregate reports contain counts and IP addresses, not message contents.
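As an added example (not code from this article or from Valimail's product), the following Python parses one DMARC aggregate report in the RFC 7489 Appendix C XML layout and tallies, per source IP, how much mail used the domain and whether it passed DMARC. The report embedded below is constructed for illustration: the receiver name, IP addresses and service domains are made up. Real reports arrive gzip- or zip-compressed at the mailto: address in the record's rua= tag, and because anyone can mail that address, a production parser should use defusedxml rather than the standard-library parser used here to keep the example dependency-free.

```python
"""Summarize a DMARC aggregate (rua) report by sending source.

Added example for this article; not Valimail's code. Follows the
RFC 7489 Appendix C report layout. SAMPLE_REPORT is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: an ESP passing aligned DKIM (its SPF passes only for
# its own bounce domain), a service passing aligned SPF, and an unknown
# source failing both, all with example.com in the From: header.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><report_id>42</report_id>
    <date_range><begin>1585699200</begin><end>1585785599</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>bounce.esp.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.5</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>900</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize_aggregate_report(report_xml):
    """Return totals plus one entry per source IP with its DMARC outcome."""
    # rua reports are untrusted input (anyone can mail your rua address);
    # production code should parse them with defusedxml. The stdlib parser
    # is used here only so the example runs without extra dependencies.
    root = ET.fromstring(report_xml)
    published = root.find("policy_published")
    summary = {"domain": published.findtext("domain"),
               "policy": published.findtext("p"),
               "total": 0, "passed": 0, "failed": 0, "sources": []}
    for record in root.findall("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        auth = record.find("auth_results")
        count = int(row.findtext("count"))
        # In <policy_evaluated>, "pass" already means passed AND aligned with
        # the From: domain. <auth_results> may show an SPF "pass" for an
        # unaligned domain (the ESP's bounce domain), which does not count.
        dkim_aligned = evaluated.findtext("dkim") == "pass"
        spf_aligned = evaluated.findtext("spf") == "pass"
        dmarc_pass = dkim_aligned or spf_aligned
        summary["sources"].append({
            "ip": row.findtext("source_ip"),
            "count": count,
            "header_from": record.find("identifiers").findtext("header_from"),
            "disposition": evaluated.findtext("disposition"),
            "dmarc_pass": dmarc_pass,
            "passed_via": [m for m, ok in (("dkim", dkim_aligned),
                                           ("spf", spf_aligned)) if ok],
            "spf_domain": auth.findtext("spf/domain"),
            "dkim_domain": auth.findtext("dkim/domain"),
        })
        summary["total"] += count
        summary["passed" if dmarc_pass else "failed"] += count
    # Share of mail "from" the domain that no authenticated source sent.
    summary["suspicious_share"] = (round(summary["failed"] / summary["total"], 3)
                                   if summary["total"] else 0.0)
    return summary


if __name__ == "__main__":
    s = summarize_aggregate_report(SAMPLE_REPORT)
    print(f"{s['domain']} (p={s['policy']}): {s['total']} msgs, {s['passed']} pass, "
          f"{s['failed']} fail ({s['suspicious_share']:.0%} suspicious)")
    for src in s["sources"]:
        how = "PASS via " + "+".join(src["passed_via"]) if src["dmarc_pass"] else "FAIL"
        print(f"  {src['ip']:>15} {src['count']:>5} {how}")
```

With p=none published, every record's disposition is "none" even for the source that failed both checks; the summary is what tells you that 37.5% of the mail carrying your domain came from a source no authorized service authenticated. Translating the failing IPs into named senders, as the article describes, is the step this example leaves to the reader.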
DMARC aggregate reports are a rich store of data, but they can be difficult to parse. Valimail DMARC Monitor aggregates these reports and displays them in an intuitive, graphical format that makes it easy to see trends over time. DMARC Monitor also helps because, unlike other DMARC tools, it doesn’t present inscrutable lists of IP addresses — it translates those into readable, named senders, so you can see exactly which cloud services are sending on your behalf.
How Valimail simplifies DMARC visibility
Valimail lets you see at a glance the total number of messages sent “from” your domain, how many passed authentication with DMARC, how many failed, and how many came from suspicious senders.
The number of messages that appear in the “Suspicious emails” column is surprisingly large for most unsecured domains. For example, an insurance company using Valimail discovered that half of its outbound email was coming from suspicious sources.
How to stop fake email messages from your domain
Another Valimail customer, a financial institution serving the elderly community, started domain monitoring in March 2018. They worked with Valimail to identify all the services sending email from their domain and validated the ones they wanted to keep.
Once the institution had validated all the sending services it wanted to keep, it moved its DMARC policy from monitoring (p=none) to a quarantine enforcement policy (p=quarantine). Quarantine tells receiving mail providers to treat any message that fails DMARC as suspicious, typically by delivering it to the recipient's spam or junk folder.
Within two months, the financial institution had identified all the services it wanted to approve, updated its DMARC and DNS records using Valimail's automated solution, and was ready to move its enforcement policy to p=reject, which instructs receiving mail providers to refuse messages that fail DMARC outright rather than deliver them anywhere.
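To make the three policy levels concrete, here is an added Python example (not the article's or Valimail's code) that parses a DMARC TXT record and computes the disposition a receiver applies to one message under RFC 7489: the message passes if SPF or DKIM passes with a domain aligned to the From: domain; otherwise the published p= applies (sp= for subdomains), downgraded one step when a pct= below 100 leaves the message out of the sample. All records and domains are constructed, and the organizational-domain check is simplified to the last two labels rather than the Public Suffix List.

```python
"""Parse a DMARC TXT record and compute the disposition a receiver applies.

Added example for this article; not Valimail's code. Follows RFC 7489.
All record strings, domains and message IDs below are constructed.
"""
import hashlib

POLICIES = ("none", "quarantine", "reject")
# Messages that fail DMARC but fall outside the pct= sample get the next
# less severe policy (RFC 7489 section 6.6.4).
LESS_SEVERE = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=...; ...' into a dict, applying the RFC defaults."""
    tags = []
    for part in txt.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags.append((name.strip().lower(), value.strip()))
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    rec = dict(tags)
    if rec.get("p") not in POLICIES:
        raise ValueError("p= tag missing or invalid")
    rec["sp"] = rec.get("sp", rec["p"])      # subdomain policy defaults to p
    if rec["sp"] not in POLICIES:
        raise ValueError("sp= tag invalid")
    rec["adkim"] = rec.get("adkim", "r")     # r = relaxed, s = strict
    rec["aspf"] = rec.get("aspf", "r")
    rec["pct"] = int(rec.get("pct", "100"))
    if not 0 <= rec["pct"] <= 100:
        raise ValueError("pct= must be 0..100")
    return rec


def organizational_domain(domain):
    # Simplification: the last two labels. Real receivers consult the Public
    # Suffix List (so example.co.uk is an org domain); it is not embedded here.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed an org-domain match."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


def in_sample(message_id, pct):
    # Deterministic stand-in for the receiver's random pct% selection.
    digest = hashlib.sha256(message_id.encode()).hexdigest()
    return int(digest, 16) % 100 < pct


def evaluate(rec, policy_domain, from_domain, spf_result=None, spf_domain=None,
             dkim_result=None, dkim_domain=None, message_id=""):
    """Return 'none' (deliver normally), 'quarantine' or 'reject' for one message."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, rec["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return "none"  # DMARC pass
    # Exact-domain spoofs hit p=; mail claiming a subdomain hits sp=.
    policy = rec["p"] if from_domain.lower() == policy_domain.lower() else rec["sp"]
    if rec["pct"] < 100 and not in_sample(message_id, rec["pct"]):
        policy = LESS_SEVERE[policy]
    return policy


if __name__ == "__main__":
    for txt in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"):
        rec = parse_dmarc_record(txt)
        spoof = evaluate(rec, "example.com", "example.com",
                         spf_result="fail", spf_domain="example.com")
        esp = evaluate(rec, "example.com", "example.com",
                       spf_result="pass", spf_domain="bounce.esp.example",
                       dkim_result="pass", dkim_domain="example.com")
        print(f"p={rec['p']:<10} exact-domain spoof -> {spoof:<10} "
              f"ESP with aligned DKIM -> {esp}")
```

Two caveats the function makes visible: a record with p=quarantine but pct=0 behaves exactly like p=none for every message, and a strict p=reject with a weaker sp= still lets mail claiming a subdomain through. Both are worth checking in your own record before declaring the domain enforced.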
Once a domain is at p=quarantine or p=reject, attempts to spoof it typically start to taper off, as attackers realize their spoofed messages are no longer reaching inboxes. You can see that effect in the red bars in the chart below, which show the volume of messages rejected by receiving mail servers after this domain moved to a reject policy. In other words, the volume of domain spoofing declines once you implement DMARC enforcement.
Start your journey towards identifying and blocking fake senders using your domain: Set up Valimail DMARC Monitor. It’s free, configuration takes 5 minutes, and there’s zero impact on your email flow. Try DMARC Monitor today.