How to Defend Against and Identify Phishing Emails
By Tyler Dever
It doesn’t take long working in cybersecurity to understand how much of an impact email phishing has on organizations and individuals on a daily basis. The old adages of “Don’t click on suspicious links!” or “Don’t open unexpected attachments!” have been echoed for decades, yet hundreds, if not thousands, of organizations fall victim to new and old email phishing techniques year after year.
Part of the complexity in outright squashing email phishing altogether stems from the fact that there are so many avenues that actors can take when attempting to target their subjects. Is the phish of the week going to be a CEO-fraud campaign against the finance team? Maybe a work-from-home policy update from the “Human R3sources” department?
The email phishing scenarios aren’t the only aspects that have changed over the years. For example, instead of adversaries dedicating the time and resources to creating and maintaining malware sites and infrastructure, there has been a drastic shift towards the utilization of readily available cloud-infrastructure and the abuse of compromised websites.
Not only are these options typically a more cost-effective solution for cybercriminals but, depending on the provider, phishing websites (landing pages) and infrastructure can remain live and active for days, if not weeks at a time. Although the response and remediation efforts by Microsoft, Google and other providers have greatly increased over the last few years, it is still quite common to see attacker-created Microsoft Azure (*.azurewebsites.net, *.web.core) and Google (*.googleusercontent.com, *.appspot.com, *.web.app) domains being utilized to serve as credential harvesters.
Tips for defending against and identifying phishing emails
So how can an organization and its employees ever expect to win against dynamic and, at times, sophisticated threat adversaries? Like most things within information security, the answer is multi-faceted.
Security awareness training
Providing employees a safe environment where they can learn and understand the types of real-world phishing attacks that they may end up facing one day is important. Securing the human can at times be the last line of defense for a company and can determine whether a compromise occurs or is avoided.
Take into account the following items when implementing security awareness training within the organization:
- Email phishing awareness training doesn’t have to always be doom and gloom. There are entire companies out there that have made it their mission to facilitate and foster interesting and engaging cybersecurity training content. At the end of the day, yes, folks typically will be required to complete some type of training course or read corporate policies, but making the process engaging and even gamifying the content will be more effective in helping individuals learn.
- If and when simulated phishing tests are used at a company, a priority and goal should be to encourage learning and growth over time. Perceptions can mean everything to people. If the rest of the company perceives the cybersecurity team as trying to “trick” or “coerce” them into falling victim to simulated phishing tests without effective remedial training, it is easy to lose the trust of the individuals that are the most at risk.
- Does your cybersecurity team effectively understand how to analyze and triage the content within email headers (i.e. SPF, DKIM, DMARC)? In most organizations, a SOC or internal cybersecurity group is going to be the boots on the ground team working with phishing emails that are reported by the rest of the company. It’s important to train and test non-technical business departments and the defenders. And as your cybersecurity teams progress and develop, you can automate phishing playbooks or scripts so they can be managed simply as a mundane task, saving you time and effort. These playbooks can only be created if there is a fundamental understanding of what to look for when analyzing phishing emails.
Create a proper defense
Awareness training is a big component of combating email phishing, however, there are a number of technical controls that can be implemented in order to facilitate a defense-in-depth approach.
- Implement DMARC (Domain-based Message Authentication, Reporting & Conformance). DMARC is an email authentication, policy, and reporting protocol that builds on the widely deployed SPF and DKIM protocols. When implemented fully, this protocol allows for organizations to essentially stop domain spoofing emails in their tracks and protect their brand.
- Typosquatting domains, in essence, attempt to spoof or masquerade as a legitimate organization or company. An example of this for google[.]com would be a malicious actor registering the domain gooogle[.]com and utilizing it to serve a phishing site. Defending against typosquatting domain attacks can seem like a daunting task initially but when broken down into its components, can become much easier, especially when using specially designed tools.
- For cybersecurity teams, gathering intelligence and forensic artifacts from previously observed phishing emails can be a game changer. Sometimes attackers slip-up and leave their phishing kits fully visible on the compromised websites. Not only does this provide an opportunity to analyze how a specific phishing attack works, but it can also lead to understanding the tactics and procedures that other future email phishing campaigns might use. Additionally, if a company utilizes a SIEM solution such as Splunk, the possibilities are endless when it comes to tracking, correlating, and detecting potentially new attacks.
Be aware of new (and old) tactics
Many of the social engineering tactics that actors use to appeal to individuals haven’t changed a ton over the years, however, attackers are getting more advanced in trying to remain under the radar. Here are some key indicators of attack that are commonly seen in the wild to this day:
- The display name feature within most mail clients can be used to entice individuals to fall victim to phishing attacks. This can be especially true on mobile devices where the default mail applications typically will only show the display name of a sender on messages and not the full email address. These types of phishing emails can be combatted if an organization injects inbound messages that are from outside the organization with a text header such as “This email originated outside of <company_name>. Please be cautious of any included links or attachments.” This control can serve as an initial warning indicator to employees that the sender may not actually be who they perceived.
- Phishing emails that are designed to deliver malware rather than harvest user credentials haven’t changed too dramatically in recent years. Unsolicited email attachments continue to be one of the main infection mechanisms followed closely behind by drive-by download websites that are linked within the email. Word documents, PDFs, ZIP files, and other well-known, high-risk file types continue to be the main delivery platform for many malware payloads.
- Cloud services and infrastructure are commonly abused for email phishing. An example of this involves email delivery services and platforms such as SendGrid, MailChimp, and others. When abused by an attacker, these services allow for large-scale phishing campaigns to be launched with relative ease. Just because a message comes from one of these providers, it does not mean that it is “all clear” or “safe”.
- Websites that utilize HTTPS are no longer a definitive indicator that a website is safe. Over the last few years, a number of companies such as LetsEncrypt and ZeroSSL have come into existence which offer free and easy to obtain SSL/TLS certificates. Attackers have been quick to adopt this technology and deploy these types of certificates on email phishing landing pages to make them appear more legitimate.
Identifying phishing emails can keep you off the hook
Email phishing attacks will continue to proliferate the threat landscape for the foreseeable future, no matter the industry. A business’s security posture is only as strong as its weakest link. More often than not, unfortunately, this link typically ends up being an organization’s employees. Deepwatch works with companies on a daily basis to effectively monitor, identify, and remediate scenarios of compromise that stem from email phishing attacks. Learn more about the people, processes and technologies that can help safeguard your business and get in touch with us today.