In this series so far, we’ve seen how email authentication is a great thing at stopping phishing under some circumstances, and where it isn’t that useful in other circumstances. A circumstance where it isn’t that useful is a variant of Business Email Compromise (BEC) that we call an Impersonation Attack. An Impersonation Attack is when the phisher uses a visual display trick and makes you think that who you are communicating with is a person that you know, but in reality is not that person.
You may think “That’s what Business Email Compromise is” and you’re right, but those can be further classified into Exact-Domain attacks (where the sender and recipient domains are the same), or Springboard attacks (where the sender and recipient have a relationship, but the sender domain is spoofed).
An Impersonation Attack is more general and makes use of many different techniques to fool the user:
- The message has a lookalike sending domain:
  - One letter is substituted for another, microsoft.com vs. micros0ft.com
  - Two letters are substituted for a single one, nn -> m, cl -> d, rn -> m, and so forth
  - The letters are rearranged where your eyes gloss over, mircosoft.com
  - The letters in the sender domain use different charsets
- The message is sent from a free email account using the name of a high ranking executive in the Display Name, but the email address is completely random
- And so forth
But, what sets them apart is that the sending domain is not being spoofed.
For example:
In the example above:
1. The sender domain, tovota-europe.com, is a lookalike of toyota-europe.com, a real domain and brand associated with Toyota. If you weren’t looking closely you wouldn’t have noticed. The example below is a real message, and the phisher actually registered the domain with a registrar.
2. The sender’s display name is a real contact within the actual organization.
3. The sending domain is hosted on legitimate infrastructure, such as Office 365 or Google Apps (or some other place that regularly hosts email). This happens because these services offer free sign ups with low messaging limits, but as a phisher you don’t need a lot of email to send out, you just need legitimate infrastructure to avoid IP reputation lists.
4. The contents of the message contain no malware nor URL; it’s text-based. That makes it harder for filters to find malicious content.
The key points are #1 and #2. The phisher has registered this domain with the intent of sending phishing messages, and they have even set up SPF records for the domain. Using email authentication to detect this as a spoof will fail, because it is not spoofing the domain; instead, it is spoofing the brand by using a heuristic that is easy for humans to interpret (and be fooled by), but hard for machines to interpret meaningfully. The filters do not have a lot of content to pick up, and the sending infrastructure is legitimate.
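The lookalike tricks listed above (a substituted letter, rn/cl/nn collapsed into one glyph, transposed letters, a different charset) are hard for a machine to interpret as "the brand" but easy to score against a short list of domains you want to protect. The following is an added example of how a filter could do that, not code from Office 365 or from this post: it folds a domain to its visual "skeleton", measures an edit distance that counts a transposition as one edit, and treats non-ASCII or punycode labels as a charset trick. The protected list, the extra confusables (vv, 1, 5) and the one-edit threshold are assumptions; toyota-europe.com, tovota-europe.com, micros0ft.com and mircosoft.com are the post's own examples.

```python
"""Lookalike-domain heuristics for an email filter (added example, not Office 365 code)."""
import unicodedata

# Brands to protect. toyota-europe.com and microsoft.com come from the post;
# the list itself is a constructed example, not a real product's list.
PROTECTED_DOMAINS = ("toyota-europe.com", "microsoft.com")

# Glyph groups a reader's eye glosses over. rn->m, cl->d, nn->m and 0->o are the
# substitutions named in the post; vv->w, 1->l and 5->s are assumed additions.
CONFUSABLE_DIGRAPHS = {"rn": "m", "cl": "d", "nn": "m", "vv": "w"}
CONFUSABLE_CHARS = {"0": "o", "1": "l", "5": "s"}


def skeleton(domain: str) -> str:
    """Collapse a domain to what it looks like, so visually equal strings compare equal."""
    s = unicodedata.normalize("NFKC", domain.strip().lower())
    for pair, single in CONFUSABLE_DIGRAPHS.items():
        s = s.replace(pair, single)
    return "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in s)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, and a swap of
    two adjacent letters (mircosoft vs microsoft) each count as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_sender_domain(domain: str, protected=PROTECTED_DOMAINS, max_edits: int = 1):
    """Return (verdict, brand): verdict is 'legitimate', 'mixed-script', 'lookalike'
    or 'unrelated'; brand is the protected domain that was matched, if any."""
    domain = domain.strip().lower()
    if domain in protected:
        return "legitimate", domain
    # IDN / non-ASCII labels: a different charset rendered to look like Latin letters.
    if domain.startswith("xn--") or ".xn--" in domain or any(ord(ch) > 127 for ch in domain):
        return "mixed-script", None
    sk = skeleton(domain)
    for brand in protected:
        if sk == skeleton(brand) or osa_distance(domain, brand) <= max_edits:
            return "lookalike", brand
    return "unrelated", None


if __name__ == "__main__":
    for candidate in ("toyota-europe.com", "tovota-europe.com", "micros0ft.com",
                      "rnicrosoft.com", "mircosoft.com", "micr\u043esoft.com", "example.org"):
        print(candidate, "->", classify_sender_domain(candidate))
```

A verdict of "lookalike" is a reason to show a warning or to route the message for a closer look, not proof of fraud on its own: a one-edit threshold will also catch a legitimately registered neighbour of a short brand name, so in practice the check is combined with sender history rather than used to block outright.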
The Impersonation Attack is one of the more difficult phishing attacks to defend against.
Stopping Impersonation Attacks with techniques other than email authentication
Disclaimer: As I say in other blog posts where we haven’t released the protection yet to the general public, this is me theorizing about how something could be done, not that it will be done this way.
One method that we are thinking about within Office 365 is leveraging Safety Tips to give users visual warnings when something in their email stream is out of place. One of the things we are working on is First Contact.
First Contact builds a sender/recipient profile of users; when you get a message from someone you haven’t seen before, we’ll add a gray Safety Tip that says it’s one of the first messages you’ve received from that person.
The idea is you regularly communicate with the same people over and over. So, when spammers and phishers try to trick you by impersonating someone you trust, this new warning makes it clear that we – your spam filter protecting you – don’t recognize the sender as a regular communicator, so you may want to be more cautious when you interact with it.
Of course, not every First Contact is bad, that’s why we’re refining the algorithms to make them smarter. We exclude:
- Marketing email from known bulk mailers
- Email discussion lists
- Senders with good reputation
First Contact messages go away after we’ve generated enough history of them sending to you.
This is currently being trialed internally. Initial feedback is that it’s too noisy, so we’re going back and making some more refinements. The risk of notifying too much is that when you actually have something to say, people will ignore it. The jury is out on this one.
First Contact is only available to customers with Advanced Threat Protection.
But the power of First Contact is not necessarily when it is used by itself. No, the power of First Contact is when it is combined with Impersonation Detection. For you see, if we keep track of who normally sends you email, and then you get a message from someone outside of the way they normally send you email, that is suspicious. And probably even fraudulent.
In that case, just adding a safety tip that says it failed fraud detection checks wouldn’t be enough. Why? Because you might say “Huh? What’s wrong with the message? I can’t see anything!” So, we’d add a red safety tip that says the message appears to be from someone you normally communicate with, but isn’t that person:
I think this is a powerful feature. By detecting anomalies in sending patterns from people you communicate with, it tightens up against tricks that phishers use to get around email authentication.
This means that if someone you normally communicate with usually, or always, fails authentication, and then sends a legitimate message from a new source that also fails authentication, it will be treated as suspicious: the message deviates from the sending pattern that sender has already established as a baseline.
Impersonation Detection initially will only be available to Advanced Threat Protection customers.
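To make the First Contact and Impersonation Detection sections above concrete, here is an added example of the two checks sharing one sender/recipient profile; it is my illustration, not Office 365's implementation. It assumes a history threshold of three messages, that bulk mail is recognised by a List-Id or Precedence header, a constructed good-reputation allow-list, and that the receiving MTA has already reduced SPF/DKIM/DMARC to a single pass/fail flag. A gray tip appears until a sender has built enough history; a red tip appears when a familiar display name arrives from an address that name has never used, or when a known address stops authenticating after it always had; messages that raise a red tip are not folded into the baseline.

```python
"""First Contact and Impersonation Detection safety tips (added example, not Office 365 code)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed tuning values and placeholders, not a real product's settings.
FIRST_CONTACT_THRESHOLD = 3                        # messages before a sender is "known"
GOOD_REPUTATION = {"notify@well-known-saas.test"}  # constructed allow-list placeholder


@dataclass
class Message:
    recipient: str
    display_name: str
    address: str          # From: address, lower-cased by the caller
    auth_pass: bool       # SPF/DKIM/DMARC outcome as decided by the receiving MTA
    headers: dict = field(default_factory=dict)


@dataclass
class SenderHistory:
    count: int = 0        # messages seen from this address
    auth_passes: int = 0  # how many of them passed authentication


class SafetyTipEngine:
    def __init__(self):
        # recipient -> sender address -> SenderHistory
        self.history = defaultdict(dict)
        # recipient -> lower-cased display name -> addresses that name has used
        self.names = defaultdict(lambda: defaultdict(set))

    @staticmethod
    def is_bulk(msg: Message) -> bool:
        """Discussion lists and bulk mailers are excluded from First Contact."""
        h = {k.lower(): v.lower() for k, v in msg.headers.items()}
        return "list-id" in h or h.get("precedence") in ("bulk", "list")

    def evaluate(self, msg: Message) -> list:
        """Return a list of (colour, text) tips for the message and, if it raised no
        red tip, fold it into the recipient's baseline."""
        tips = []
        hist = self.history[msg.recipient].get(msg.address)
        name_key = msg.display_name.strip().lower()
        known_addrs = self.names[msg.recipient].get(name_key, set())

        # Impersonation: a familiar name arriving from an address it has never used.
        if known_addrs and msg.address not in known_addrs:
            tips.append(("red", f"'{msg.display_name}' looks like someone you communicate "
                                f"with, but this message is from {msg.address}"))
        # Deviation from an established authentication baseline for a known address.
        elif hist is not None and hist.count >= FIRST_CONTACT_THRESHOLD:
            always_passed = hist.auth_passes == hist.count
            if always_passed and not msg.auth_pass:
                tips.append(("red", f"Mail from {msg.address} normally authenticates; "
                                    "this message did not"))

        # First Contact: gray tip until enough history, with the post's exclusions.
        if not tips and not self.is_bulk(msg) and msg.address not in GOOD_REPUTATION:
            if hist is None or hist.count < FIRST_CONTACT_THRESHOLD:
                tips.append(("gray", "This is one of the first messages you have "
                                     f"received from {msg.address}"))

        # Only messages without a red tip contribute to the baseline.
        if not any(colour == "red" for colour, _ in tips):
            entry = self.history[msg.recipient].setdefault(msg.address, SenderHistory())
            entry.count += 1
            entry.auth_passes += int(msg.auth_pass)
            self.names[msg.recipient][name_key].add(msg.address)
        return tips


if __name__ == "__main__":
    # Constructed sample traffic for one recipient.
    engine = SafetyTipEngine()
    for _ in range(4):
        print(engine.evaluate(Message("bob@contoso.test", "Alice Example",
                                      "alice@contoso.test", True)))
    print(engine.evaluate(Message("bob@contoso.test", "Alice Example",
                                  "alice@c0ntoso.test", True)))
```

Keying the impersonation check on the display name the recipient already knows is what lets the engine say something more useful than "fraud detection failed": the red tip can name the contact being imitated and the unfamiliar address, which is exactly the part the reader's eye missed.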
Conclusion
At this point, we’ve seen where email authentication is useful in the fight against phishing. However, we should not be lulled into a false sense of security that it solves all spoofing or phishing problems.
But what it does do is tighten up the perimeter so we can be more strict about enforcing security, forcing the cost of spamming to go up. That means the title of this post is incorrect; while email authentication falls flat when fighting Impersonation attacks, what it can do is drive a wedge into unauthenticated email and force phishers and spammers into places where they can be identified instead of hiding behind a mask.
There is no such thing as perfect security, only defense-in-depth. We use email authentication to protect ourselves, protect others from us being spoofed, and then add in other pieces of technology to stop the rest.