Email security standards are proving porous where malicious email attacks are concerned, since attackers use a deceptive link or new domains that comply with the same email security standards regular users employ to blunt threats like phishing, according to a vendor report released this week.
Security firm Cloudflare found that the vast majority (89%) of unwanted messages passed a check of at least one of the three major email security standards: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), or Domain-based Message Authentication, Reporting and Conformance (DMARC). SPF typically uses a domain-name record to indicate which servers can send mail on behalf of the domain, while DKIM allows senders to sign parts of a message, such as the "from" address, to attest to their validity. Finally, DMARC is a way of specifying policies, which can include attestation by SPF and DKIM processing.
While these email authentication standards are crucial to make the Internet safer, they can only protect users from the threats against which they were designed to protect, says Oren Falkowitz, field chief security officer at Cloudflare.
"It is trivial for threat actors to set up a domain with the correct email authentication records, such that they pass all the necessary authentication checks while simultaneously including malicious payloads or links within the message to gain access to the organization," he says. "Leveraging a common email provider ensures that attack messages will pass all the typical authentication checks — ultimately providing a 'fast lane' to the intended target."
The data underscores that there remains much more work to do to protect users from fraudsters and cyberattackers who regularly use email to send scams and malware to victims. The addition of SPF, DKIM, and to organizations' anti-fraud toolboxes has certainly made attackers' jobs harder, but not impossible. Major email service providers like Google's Gmail have adopted the security standards, but so have attackers, who quickly adopt any workaround. At the recent DEF CON hacking conference, one security researcher demonstrated a way to use one mail service to send messages on behalf of other domains but that still pass DMARC checks.
For that reason, defenders need to take a layered approach, says David Raissipour, chief technology and product officer at Mimecast.
"Like any security solution, no one should assume 100% coverage," he says. "The easiest way to describe this would be like saying, 'We put a lock on our front door — that should prevent all burglaries.' That statement would not be accurate, yet you should never consider having a house without a lock on the front door — it is simply part of a layered security system."
In its "2023 Phishing Threats Report," Cloudflare noted that the email security technologies do not prevent lookalike email content, domains similar to a company brand, and some replay attacks. About one in every seven phishing emails attempts to camouflage the attack in the branding of a well-known company. The top impersonated brands include Microsoft, the World Health Organization, and Google, with the top-20 brands accounting for more than half (52%) of all impersonation attempts.
In addition to impersonating any of more than 1,000 brands, attackers used deceptive links more than a third of the time (36%); emails came from newly registered domains 30% of the time, according to Cloudflare's analysis of data from hundreds of millions of attacks.
Since its introduction at the turn of the century, and its adoption as a proposed standard nearly a decade ago, SPF has focused on making it harder for fraudsters to impersonate legitimate domains. However, in 2022, only about 60% of domains had a valid SPF policy, while 31% had no policy, and another 9% had a misconfigured policy, according to URIports.com.
"Having these standards helps ensure that emails originate from valid senders, which is a critical use case," Cloudflare's Falkowitz says. "But these standards were not meant to — nor do they — detect the presence of malicious payloads, links, or payload-less attacks, such as invoice fraud or business email compromise."
Cloudflare based its analysis on a 12-month sample of the approximately 13 billion email messages, including nearly 280 million email threat indicators, 250 million malicious messages, and about a billion instances of brand impersonation, the report stated.
Multilayered Security Required
Just because an email message comes from a validated server does not mean the message is not fraudulent, so companies need to check out the verified domains and senders of email messages. In effect, organizations need to apply zero-trust principles to their email security as well, including phishing-resistant multifactor authentication, Falkowitz says.
"Attackers find success by attempting to be authentic — both representing themselves as the brands we know and trust, as well as the people we know and do business with," he says, adding: "The only way to catch these attacks is by being preemptive in our approach and employing a diverse set of signals and techniques that span the various attack types and attack vectors seen in these campaigns."
In addition, security controls have to protect more than just email, since many companies rely on Slack, Microsoft Teams, or other messaging apps for daily operations, says Mimecast's Raissipour.
"We really need to think more holistically about what we can call 'email security'," he says. "Employees, partners, and customers use more than just email for communication. We have seen those platforms become a target for malicious actors, and organizations should be considering the security of all their communication channels."