Email is an indispensable collaboration tool for businesses and their day-to-day operations. Love it or hate it, email is now a digital resource everyone must use. Criminals know this and they have figured out over the years how to use it to their advantage. Over the years, malicious actors learned to use email as a tool to carry out their exploits. These range from simple spam, to fraud, to credential theft through phishing attacks, and more.
We’ve all heard the nightmare stories of how Bob in accounting authorized a wire transfer to a vendor for an urgent project that Jenny in Product Development needs to get his new product out the door only to find out that Jenny never sent that mail because she retired three weeks ago. Or you’ve gotten the email notifying you that your Netflix payment failed – but on closer inspection, that email isn’t actually from NETFLIX.COM but actually from NETFIIX.COM.
In the long run, bad actors will always find new ways to circumvent security measures, so to be truly secure in your email usage you must be eternally vigilant and always on guard looking for that next attempt to compromise your business. Does this mean you should resign yourself to the fact that someone, somewhere is going to click on the wrong link or respond to a cleverly crafted email asking for funds? Absolutely not. There are several steps that you can take that will greatly enhance your mail security. Some of these are simple and no-cost, while others may require more effort or incur additional expenses, but all will help make your environment more secure.
Mark What’s Not Yours
One of the simplest ways to help protect yourself from being phished internally is to add some type of banner or other visual notification to emails that come from outside your organization. In an Exchange or Office 365 environment, this is easily accomplished with a transport rule. This provides you with a visual indicator that an email is not coming from your servers. That way when Bob in accounting sees that email from the imposter e-mail address masquerading as Jenny, there will be an indicator that it didn’t come from your servers.
Verify and Validate What is Yours
The next step up from that is to implement Domain-Based Message Authentication, Reporting, and Conformance (DMARC). Think of your email system as a big part of your brand’s reputation; it is used to send correspondence, marketing surveys, sales campaigns, and all other manner of messages. So the last thing that you want is for that reputation to be sullied by senders masquerading under your good name. DMARC is probably the biggest utility in defending your email reputation and even better, it costs you nothing to activate.
If you are unsure of everything that currently sends an email as you, start simple and enlist help using tools such as DMARC Analyzer, DMARCIAN, or EasyDMARC to help identify what sends as you. Put the basic policy in place that does nothing (p=none) and identify anything that might be a legitimate sender that is failing DMARC. Work to get these sending sources compliant.
These tools can be used to provide more than just insight into what is failing DMARC and why: they can identify bad actors attempting to send mail on your behalf (up to and including those pesky guys in marketing who keep sending email campaigns from unauthorized applications) and alert you when this happens. By capturing the forensic data (via an option in the DMARC record settings), these services can also help you identify malicious senders and take appropriate action to stop them.
If you have a complex email environment and are hitting SPF lookup limits or otherwise find yourself having to make constant changes to your records to keep things from failing, don’t be afraid to break emails into subdomains with their own SPF, DKIM, and DMARC policies. For instance, you could send marketing emails from @marketing.domain.tld instead of @domain.tld. This makes maintaining your DMARC environment much simpler in the long run.
Finally as a bonus, in the DNS records realm you can implement Brand Indicators for Message Identification (BIMI). This allows you to insert your logo into your emails, which not only helps ensure that emails from you have a visual indicator, but it helps build brand recognition as well. Think of it as another layer of identification and a way to stand out from your competition.
Add Defense in Depth
DMARC is great for identifying and securing emails sent as your domain. But what about other threats? Bad links, bad attachments, display name spoofing, or partners that don’t implement DMARC for their domains? This is where we cross over the threshold from free to paid services. Third-party email security platforms or add-ons such as the Office 365 Advanced Threat Protection Plan 2 options allow you to protect against links that lead to phishing sites, protect against attachments with zero-day malware, and guard against display name spoofing so that someone can’t put up an email with a display name of Senior Executive (seniorexec@criminalorg.tld) and use it to pretend to be Senior Executive (seniorexec@yourcompany.com).
Finally, these offerings can also check for lookalike domains for partner organizations (remember that NETFLIX and NETFIIX example earlier?) to help prevent against domain spoofing and failures from organizations that may not have implemented DMARC or may otherwise be at high risk of falsified traffic to your recipients. These options impose additional costs to implement but often pay for themselves with the first prevention.
Train Your User Base
Finally, don’t neglect the human element of email security. Consider investing in email security awareness training such as the offerings by KnowBe4. This can help train users to identify and avoid email perils such as malware, credential theft, or phishing attempts. Further, at the organizational level, it can help your IT team identify what areas of email security need to be shored up or worked on.
Nobody can eliminate threats to your organization entirely but by following these basic steps, you can greatly reduce your organization’s vulnerability to most email-borne threat vectors.
