CyberSecurity SEE

3 Major Email Security Standards Are Proven Inadequate for the Task

A recent vendor report has highlighted the vulnerability of email security standards to malicious email attacks. The report from security firm Cloudflare found that 89% of unwanted messages successfully passed at least one of the three major email security standards: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), or Domain-based Message Authentication, Reporting and Conformance (DMARC). These standards are designed to protect against threats such as phishing by verifying the authenticity of emails. However, attackers are able to exploit these standards by using deceptive links or new domains that comply with the authentication checks.

Oren Falkowitz, field chief security officer at Cloudflare, explained that threat actors can easily set up a domain with the correct email authentication records, allowing their malicious payloads or links to pass the necessary checks undetected. By leveraging a common email provider, attackers can gain access to their intended targets by bypassing authentication measures. This highlights the limitations of email authentication standards in fully protecting users from fraudsters and cyberattackers.

While the introduction of SPF, DKIM, and DMARC has made it more difficult for attackers to carry out their activities, it has not made their job impossible. Attackers quickly adapt to any security measure, as demonstrated at the recent DEF CON hacking conference where a security researcher showed how to send messages on behalf of other domains that still pass DMARC checks. This underscores the need for a layered approach to email security, according to David Raissipour, chief technology and product officer at Mimecast.

Raissipour emphasized that no single security solution can offer 100% coverage. Just as having a lock on a front door does not prevent all burglaries, organizations should not rely solely on email authentication standards to protect against email threats. It is essential to implement a layered security system that includes multiple safeguards.

Cloudflare’s “2023 Phishing Threats Report” revealed additional challenges in preventing email attacks. The report noted that email security technologies do not effectively prevent lookalike email content, domains that resemble well-known brands, and some replay attacks. Approximately one in seven phishing emails attempts to camouflage the attack by imitating a reputable company’s branding. The most impersonated brands include Microsoft, the World Health Organization, and Google, with the top 20 brands accounting for more than half of all impersonation attempts.

In addition to impersonating brands, attackers frequently use deceptive links and emails from newly registered domains. Cloudflare’s analysis of data from hundreds of millions of attacks showed that attackers used deceptive links in 36% of cases and sent emails from newly registered domains in 30% of instances.

The adoption of SPF as a proposed standard has been gradual, with only about 60% of domains having a valid SPF policy in 2022. Furthermore, 31% of domains had no policy, and 9% had a misconfigured policy. While these standards play a critical role in ensuring emails originate from valid senders, they were not designed to detect the presence of malicious payloads or payload-less attacks.

Cloudflare’s analysis was based on a 12-month sample of approximately 13 billion email messages, including nearly 280 million email threat indicators, 250 million malicious messages, and around a billion instances of brand impersonation.

To enhance email security, Falkowitz suggests applying zero-trust principles to email security and implementing phishing-resistant multifactor authentication. Companies need to verify the domains and senders of email messages, even if they come from validated servers. Falkowitz emphasizes the importance of a preemptive approach, employing a diverse range of signals and techniques to detect different types and vectors of attacks.
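The gap described above, a message that passes SPF, DKIM and DMARC yet still carries the report's warning signs, can be shown with a short added example (not code from Cloudflare's report or from this article). It reads the authentication verdicts from a constructed sample message and then checks three further signals: brand impersonation in the display name, a deceptive link, and a newly registered sending domain. The brand watchlist, the 30-day threshold, the sample message and the registration date are all assumptions made for the illustration.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this illustration: brand watchlist and "new domain" threshold.
BRANDS = {"microsoft": "microsoft.com", "google": "google.com"}
NEW_DOMAIN_DAYS = 30

# Constructed sample: every authentication check passes for the sender's own domain.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=micros0ft-support.example;
 dkim=pass header.d=micros0ft-support.example; dmarc=pass header.from=micros0ft-support.example
From: "Microsoft Account Team" <security@micros0ft-support.example>
To: user@example.net
Subject: Unusual sign-in activity
Content-Type: text/html

<p>Review: <a href="https://login.micros0ft-support.example/verify">https://account.microsoft.com/security</a></p>
"""
REGISTERED = {"micros0ft-support.example": date(2023, 8, 1)}  # constructed registration data
TODAY = date(2023, 8, 10)

def host(url):
    """Hostname of an http(s) URL, or None if the text is not a URL."""
    m = re.match(r"https?://([^/\s:]+)", url.strip(), re.I)
    return m.group(1).lower() if m else None

def signals(raw, registered, today):
    """Return (authentication verdicts, content signals) for one raw message."""
    msg = message_from_string(raw)
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))
    display, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    found = []
    # Display name claims a watched brand, but the address is outside that brand's domain.
    for brand, domain in BRANDS.items():
        if brand in display.lower() and sender != domain and not sender.endswith("." + domain):
            found.append("brand_display_name_mismatch")
    # Link text shows one hostname while the href points to another.
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', msg.get_payload(), re.I | re.S):
        if host(text) and host(text) != host(href):
            found.append("deceptive_link")
    # Sending domain was registered only days before the message arrived.
    created = registered.get(sender)
    if created and (today - created).days < NEW_DOMAIN_DAYS:
        found.append("newly_registered_domain")
    return auth, found
```

Calling `signals(SAMPLE, REGISTERED, TODAY)` returns three `pass` verdicts alongside all three content signals, which is why authentication results are treated here as one input among several.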

Raissipour also highlights the need for organizations to consider the security of all communication channels, as many rely on platforms like Slack and Microsoft Teams for daily operations. A holistic approach to email security is crucial to effectively protect against malicious actors.

In conclusion, while email authentication standards have added a layer of protection to combat email threats, attackers are finding ways to exploit these standards. Organizations must adopt a layered approach to email security, incorporating multiple security measures and considering the security of all communication channels. By being proactive and vigilant, companies can enhance their defenses against fraudulent and malicious email attacks.
