Over the past several months, we’ve had multiple tickets opened by customers concerned that their email had been hacked. In every case, emails were ‘sent’ by a mid- to high-level executive in the company asking the finance department to pay an invoice of several thousand dollars.
After some investigation, we discovered that every case had been a spear phishing attack, meaning that the user’s email account wasn’t hacked but spoofed: the message appeared to come from one person but was actually sent by a third party who forged the ‘from’ field of the email.
The good news is that no one had actually gained access to their network. But spear phishing attacks like these (typically known as CEO impersonation attacks – we've written more about them in this blog post), can be very costly to businesses if they aren't caught.
So how does spoofing work? In a spoofing attack, the attacker disguises the sender address as one you might recognize, most likely an address you’ve corresponded with before, in the hope that you won’t see through the disguise. Most people know that to send an email you need at least two things: a ‘from’ address and a ‘to’ address.
What most people don’t realize, though, is that each email actually carries two ‘from’ addresses: the ‘From’ header that your mail client displays as the sender, and the envelope sender address (recorded in the Return-Path header) that shows where the message actually came from. If the two don’t match, the email could potentially be spoofed.
There are actually some legitimate reasons to allow this kind of mismatch: think of any email marketing you do through a third-party service like MailChimp or Constant Contact, any delegates you may have, or ‘scan to email’ on a copier. They all work the same way: the two ‘from’ addresses don’t match because the message was sent from one account but appears to come from another (for example, sent by an assistant on behalf of the CEO). This is why we, and many other companies, don’t automatically block these types of emails.
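To make the two-address comparison concrete, here is an added example (not code from the original post) that parses a raw message and checks the visible ‘From’ header against the envelope sender in Return-Path. It goes a little beyond the post by also checking the organisational-domain alignment that DMARC uses and whether a Reply-To header would quietly send replies elsewhere, because a bare mismatch is exactly what legitimate mailing services and delegates produce. The three sample messages and their `.test` domains are constructed for the example, and the `org_domain` helper is a deliberately simplified stand-in for a public-suffix lookup.

```python
"""Compare an email's visible From header with its envelope sender and
Reply-To.  Example code, not from the original post; all messages below
are constructed samples."""
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: a legitimate mailing-service message.  The envelope
# sender belongs to the service while the visible From is the company.
LEGIT_DELEGATE = """\
Return-Path: <bounces+12345@mail.example-marketing.test>
From: "Example Corp Newsletter" <news@example.test>
To: customer@customer.test
Subject: March update

Hello...
"""

# Constructed sample: a CEO-impersonation style message.  The display name
# and address look internal, but the envelope and Reply-To are external.
SPOOFED = """\
Return-Path: <sender@lookalike-mail.test>
From: "Jane Doe (CEO)" <jane.doe@example.test>
Reply-To: <jane.doe.ceo@lookalike-mail.test>
To: accounts@example.test
Subject: Urgent invoice

Please pay the attached invoice today.
"""

# Constructed sample: an ordinary internal message, all headers aligned.
CLEAN = """\
Return-Path: <jane.doe@example.test>
From: "Jane Doe" <jane.doe@example.test>
To: accounts@example.test
Subject: Lunch

Team lunch Friday.
"""


def domain_of(address: str) -> str:
    """Return the lower-cased domain of an address header value, or ''."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def org_domain(domain: str) -> str:
    """Crude organisational-domain reduction (last two labels).  Real DMARC
    alignment uses the public suffix list; this simplification is an
    assumption that is adequate for the example's .test domains."""
    return ".".join(domain.split(".")[-2:]) if domain else ""


def analyse_headers(raw: str) -> dict:
    """Extract the visible From, the envelope sender (Return-Path) and
    Reply-To from a raw message and describe how they relate."""
    msg = message_from_string(raw, policy=policy.default)
    header_from = str(msg.get("From", ""))
    return_path = str(msg.get("Return-Path", ""))
    reply_to = str(msg.get("Reply-To", ""))

    from_dom = domain_of(header_from)
    envelope_dom = domain_of(return_path)
    # With no Reply-To, replies go back to the From address.
    reply_dom = domain_of(reply_to) if reply_to else from_dom

    return {
        "from_domain": from_dom,
        "envelope_domain": envelope_dom,
        "reply_to_domain": reply_dom,
        # The mismatch the post describes: visible From vs. actual sender.
        "envelope_mismatch": envelope_dom != from_dom,
        # Relaxed alignment as DMARC defines it: same organisational domain.
        "aligned": org_domain(envelope_dom) == org_domain(from_dom),
        # Replies silently routed somewhere other than the visible sender.
        "reply_to_diverges": reply_dom != from_dom,
    }


def verdict(findings: dict) -> str:
    """Triage label.  An unaligned envelope alone is only 'review', since
    legitimate third-party senders look like that; a diverging Reply-To
    on top of a spoofed-looking From is the pattern worth flagging."""
    if findings["reply_to_diverges"]:
        return "suspicious"
    if findings["envelope_mismatch"] and not findings["aligned"]:
        return "review"
    return "ok"


if __name__ == "__main__":
    samples = [("delegate", LEGIT_DELEGATE), ("spoofed", SPOOFED), ("clean", CLEAN)]
    for label, raw in samples:
        f = analyse_headers(raw)
        print(f"{label:9s} from={f['from_domain']} envelope={f['envelope_domain']} "
              f"reply_to={f['reply_to_domain']} -> {verdict(f)}")
```

Note that the newsletter sample comes out as "review", not "ok": the mismatch alone cannot tell a mailing service apart from an attacker, which is the point the post makes about not blocking these messages automatically. It is the combination of signals, here a diverging Reply-To, that separates the invoice-fraud sample from legitimate traffic.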
There are some tell-tale signs to look out for to catch a spoofed email:
Unfortunately, all of these warning signs rely on the recipient catching them after the email is already in your system. If an attacker has been studying your company (which they do), and can spoof your email address, they may be able to imitate your employees well enough that there won't be any warning signs.
A better method than relying on your employees’ ability to catch malicious spoofed emails is to prevent them from getting in your network in the first place (though you should still absolutely train your employees to recognize the warning signs). Unfortunately, there aren’t a lot of options for doing this.
You can tighten your spam settings to block any email whose two ‘from’ addresses don’t match. But, since there are legitimate reasons for that mismatch, you may also lose emails that were sent to you for legitimate reasons.
Our preferred method is to use a service designed to detect and block malicious emails before they reach the mailbox. We're big fans of Advanced Threat Protection in Office 365. Advanced Threat Protection is specifically designed to look for and help guard against cyber-attacks, including spear phishing and spoofing threats. We’ve been using it in our own network since it was released, have begun implementing it for our customers, and have been very happy with it so far.
In the case of spoofed emails, Advanced Threat Protection opens the email in a virtual environment and monitors the behavior of links and executable files in the message. If it detects something malicious, it alerts users when they receive an email that may be spoofed, making it easier for you and your employees to know when something isn’t right.
Advanced Threat Protection also protects against other email-based attacks by scanning for malicious emails and attachments before they get into your network. If any malware or viruses are found, it strips the attachment from the email so the user doesn’t even have the opportunity to open it or follow a bad link. The email will still go through, but the malicious link and/or attachments will be removed and replaced with a message explaining why.
When it comes to data security, your best option is preventing as many threats as possible from getting into your environment. Pair this with a healthy dose of knowledge about what to watch out for and what to do when a malicious email or attack does get in (because it will happen), and your company can drastically reduce its chances of falling victim to an attack.