6.8 Email Security | Vicky's Page

Section 6.8 Email Security

As you study this section, answer the following questions:

What can email users do to protect themselves from email attacks?
What is a phishing attack, and how can you protect against it?
What information can you learn from an email header?

In this section, you will learn to:

Analyze email traffic for spoofed addresses
Analyze email traffic for sensitive data

The key terms for this section include:

Key Terms and Definitions

Key Terms and Definitions
Term	Definition
Parts of an email	Email headers and block signatures. Headers are code at the beginning of an email that contains information such as the recipient's name, send date, timestamps, and names of servers that handled the transfer. Block signatures contain information about the sender, such as name, company position, address, and phone number.
Malicious payload	In cyber interactions and communications, a malicious payload can take many forms. It must be delivered and activated to execute its malicious intent. One way this can be done is through email. The destruction caused by the payload can include pop-up ads, information theft, modified user files, malicious files downloaded to the system, and execution of malicious background processes.
Email authentication tools	Tools available for authenticating email so that the receiver can be sure that the email is safe. These include DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).
Phishing	A crime in which an attacker sends a target an email purporting to be from a legitimate organization. The attacker often uses official company logos and graphics to make the email look legitimate. Attackers use this official-looking email to lure the recipient into entering personal information or clicking on a malicious link embedded in the email.
Forwarding	Forwarding an email means that you send to another person an entire email that you have received. If you forward an email with a malicious payload, it can potentially damage anyone who receives it.

This section helps you prepare for the following certification exam objectives:

Exam	Objective
CompTIA CySA+ CS0-003	1.3 Given a scenario, use appropriate tools or techniques to determine malicious activity Common techniques Email analysis Header Impersonation DomainKeys Identified Mail (DKIM) Domain-based Message Authentication, Reporting, and Conformance (DMARC) Sender Policy Framework (SPF) Embedded links
TestOut CyberDefense Pro	1.2 Monitor software and systems Monitor email for malware Analyze email headers and impersonation attempts

6.8.1 Email Analysis Overview

Click one of the buttons to take you to that part of the video.

Email Analysis 00:00-00:33 While email can be an incredible communication tool, we also need to watch out for bad actors. Just like regular mail, email can contain wonderful things, like a letter from a friend or family member. But it can also contain harmful things, like a mail bomb or its digital equivalent. Knowing what to look for when you analyze emails can help you stay safe as you communicate electronically with others. In this video, I'll go over how you can make sure your email communication stays as secure as possible.

Malicious Payload 00:33-01:26 Let's look at an analogy. If someone fires a missile, the payload is the part that blows up, causing the destruction. The same is true when talking about email. The payload is the part of a malicious email that causes damage when opened. With a missile, it's possible that the payload sits harmlessly on the ground until it's disarmed or until something else comes along to make it explode.

With a malicious email, though, the payload can lay dormant for a long time. A payload could be something that's attached to the email, or it could be associated with a link in the email as well. For example, things like viruses, worms, and Trojans could all be malicious payloads. It's basically anything that can cause harm to the recipient. The sender can do a variety of things once a payload is activated, like steal data, display unwanted ads, modify user files, download harmful new files, or run malicious background processes.

DKIM 01:26-01:50 DomainKeys Identified Mail, or DKIM, is often used to authenticate emails in an effort to mitigate harm. DKIM lets an email's recipient verify that the email was sent by the domain owner. This is possible because emails have a sort of encrypted digital signature. The encryption is taken care of on the server side, so it's not something an end user can usually see.

SPF 01:50-02:14 Spam emails often carry malicious messages that can make your organization look bad if people see that the emails are coming from your domain. Sender Policy Framework, or SPF, is another email authentication method that helps weed out attackers who want to send out spam emails under someone else's name. This program lets you specify which email servers are allowed to send out email under your domain and which aren't.

DMARC 02:14-02:53 Domain-based Message Authentication, Reporting, and Conformance, or DMARC, is another kind of email authentication and reporting policy. It builds on the security that's provided by DKIM and SPF. DMARC lets the sender inform the recipient that their emails are protected by DKIM and SPF and tells them what to do if an email doesn't pass these security checks. The response is usually to delete the message or to automatically put it in the junk folder. DMARC also allows the recipient to report back to the sender about which emails failed the security measures. This helps isolate end users from potential attacks.

Phishing 02:53-03:54 Phishing is a digital crime in which a criminal contacts someone through email pretending to be from a legitimate organization. For example, an attacker might claim to be from your bank or from a well-known website, such as Netflix or Amazon, telling you that your account has been locked and that they need certain information to unlock it. Often, they use official company logos and graphics to make their email look legitimate.

Attackers use this official-looking email to try to lure the recipient into giving them personal information or clicking on a malicious link embedded in the email itself. In essence, they're fishing for information and the email is the bait. If the recipient sends the requested information or clicks on the link, he or she could have their identity stolen or their account hacked. To avoid falling prey to a phishing scam, it's a good idea to not click on links in emails unless you're sure you know the sender. Often, we see typos in these kinds of emails or slight misspellings of company names, such as amazun.com instead of amazon.com.

Forwarding 03:54-04:34 Forwarding an email simply means that you send an entire email that you've received to another person. If you forward an email that has a malicious payload, it can potentially damage anyone who receives it. Sometimes, emails specifically ask you to forward them on to other friends, which should be an immediate red flag.

Some people also set up automatic email forwarding from multiple accounts to a single account. While this isn't necessarily a security risk, it can open you up to problems if you send emails from a more secure account to a less secure one. You want to make sure that emails with sensitive information, like work emails, don't get forwarded to a service that's vulnerable to being hacked.

Email Parts 04:34-05:14 To fully analyze an email, an investigator needs to look at all of its parts.

Many emails contain a block signature at the bottom that shows the user's information, such as phone number, address, or company position. These things are often added automatically, so this becomes an important part of tracking where an email is coming from.

Another part of an email that contains a great deal of information is the header. This is a block of information at the top that's usually hidden from the recipient and includes things like the recipient's name, send date, timestamps, and the names of the servers that handled the transfer. This data can be vitally important to your investigation of a potentially malicious email.

Summary 05:14-06:11 That's it for this lesson. In this lesson, we went over email analysis as an important forensic tool to combat digital crimes, and we looked at some ways in which these crimes are committed. Some emails contain a malicious payload, like a virus or other malware, that can harm the recipient's computer. We have several methods to prevent this, such as DKIM, SPF, and DMARC.

Both headers and signatures are important parts of an email that we can gather information from. Phishing is another kind of email attack in which a criminal pretends to be someone else, usually someone from a trusted company, to try to steal personal information. Often, those who send malicious emails encourage the recipient to forward them to other friends in an effort to spread the damage even farther. It's important that you, as a security analyst, be aware of all the ways in which emails can be compromised so you can prevent any potential attacks.

6.8.2 Email Analysis Facts

There are several aspects of email analysis to consider in digital forensics.

This lesson covers the following topics:

Parts of an email
Malicious payload
Email authentication tools
Phishing
Forwarding

Parts of an Email

Understanding the parts of an email is the beginning of the analysis.

Email headers are:
- Code at the beginning of an email that contains such things as:
  - Recipient's name.
  - Send date.
  - Timestamps.
  - Names of servers that handled the transfer.
- Typically hidden from the reader's view at the top of the page.
Block signatures:
- Contain helpful information about the sender, such as:
  - Name.
  - Company position.
  - Address.
  - Phone number.
- Are often automatically included at the end of an email.

Malicious Payload

In cyber interactions and communications, a malicious payload can take many forms. A malicious cyber payload must be delivered and activated to execute its malicious intent. One way this can be done is through email.

As a security analyst, it is important to monitor your organization's email and train the employees about malicious payload risks and how to recognize them.

Be aware of the following about malicious email payloads:

Email attachments are often the favored form for malicious payloads. The attachments present as something that looks innocent and intriguing. The objective is to have the recipient open it.
Embedded links in the body of the email can contain malicious payloads.
Often the malicious payload includes viruses, worms, Trojans, or malware.
The destruction caused by the payload can include any of the following:
- Pop-up ads.
- Information theft.
- Modified user files and malicious files downloaded to the system.
- Execution of malicious background processes

Email Authentication Tools

There are tools available for authenticating email so that the receiver can be sure that the email is safe. The following table contains three such tools.

Authentication Tool	Description
DomainKeys Identified Mail (DKIM)	You can use DKIM to authenticate emails to mitigate potential harm. It works as follows: DKIM allows an email recipient to verify that the mail was sent by the domain owner. An email's encrypted digital signature makes the verification possible. The server encrypts the digital signature. The email recipient does not see the encrypted digital signature.
Sender Policy Framework (SPF)	SPF is a tool designed to stop attackers who send spam emails under someone else's name. It allows the sender to specify email servers that can send an email in the domain and which servers are not allowed to send emails.
Domain-based Message Authentication, Reporting, and Conformance (DMARC)	DMARC is an email authentication policy and reporting protocol. It builds on DKIM and SPF security. The recipient is informed by the sender that the emails being sent are protected by DKIM and SPF. It includes instructions within its record that direct what happens if an email does not pass the safety checks (rejection, deletion, or quarantine, such as in a junk folder). It allows the recipient to report back to the sender the emails that failed the security measures.

Phishing

Phishing is a crime in which an attacker sends a target an email purporting to be from a legitimate organization. The attacker often uses official company logos and graphics to make the email look legitimate.

Attackers use this official-looking email to lure the recipient into entering personal information or clicking on a malicious link embedded in the email. If the recipient sends the requested information or clicks the link, the recipient's identity may be stolen or the account hacked.

To avoid phishing scams, do not click links in emails unless the email has been authenticated.

Forwarding

Forwarding an email means that you send to another person an entire email that you have received. If you forward an email with a malicious payload, it can potentially damage anyone who receives it.

There are times when someone may set up automatic email forwarding to a single account to simplify communications. This can be a security risk if the email is forwarded to a less secure account and contains a malicious payload.

6.8.3 Email Message Internet Header Analysis Facts

This lesson covers the following topics:

Email internet header
Email exploits
Spam messages

Email Internet Header

An email's internet header contains address information for the recipient and sender, plus details of the servers handling the message's transmission, using the fields set out in the Simple Mail Transfer Protocol (SMTP). When an email is created, the mail user agent (MUA) creates an initial header and forwards the message to a mail delivery agent (MDA).

The MDA should check that the sender is authorized to issue messages from the domain. Assuming the email is not being delivered locally at the same domain, the MDA adds or amends its own header and then transmits the message to a message transfer agent (MTA). The MTA routes the message to the recipient, using DNS to locate the recipient's MTA, with the message passing via one or more additional MTAs, such as SMTP servers operated by ISPs or mail security gateways. Each MTA adds information to the header.

Email Exploits

One element of email headers that is frequently exploited is the fact that there are three sender address fields:

Field	Description
Display from	The display from field indicates the sender's email address. This is the field displayed by an email client as the "From" field. It is submitted using a From: header in the message body and officially designated RFC5322.From. This field can be populated by both a "friendly" name string and the email address in angle brackets. Some email clients suppress the display of the email address part. This is bad practice as it makes it hard for the user to identify the message's source. Frequently, adversaries will enter a trustworthy domain string in the first part, hoping that the mail client will display that rather than the actual address. Compare: Friendly Guy<friendlyguy@isp.foo> with: friendlyguy@isp.foo<friendlyguy@xyz.foo>
Envelope from	Envelope from is the return address for use if the email is rejected by the recipient MTA. The value of this field is submitted using the MAIL FROM SMTP command and is officially designated as RFC5321.MailFrom. The mail client normally hides this field. It can take various labels, including return-path.
Received from/by	Received from/by is a list of the MTAs that processed the email. Each MTA identifies itself and the server that sent it the message. If an adversary is spoofing a domain, the true origin of the message is likely to be revealed by examining this list of servers. When starting a session with another SMTP server, a server identifies itself using the HELO/EHLO string.

Field

Description

Display from

The display from field indicates the sender's email address. This is the field displayed by an email client as the "From" field. It is submitted using a From: header in the message body and officially designated RFC5322.From. This field can be populated by both a "friendly" name string and the email address in angle brackets. Some email clients suppress the display of the email address part. This is bad practice as it makes it hard for the user to identify the message's source. Frequently, adversaries will enter a trustworthy domain string in the first part, hoping that the mail client will display that rather than the actual address. Compare:

Friendly Guy<friendlyguy@isp.foo>

with:

friendlyguy@isp.foo<friendlyguy@xyz.foo>

Envelope from

Envelope from is the return address for use if the email is rejected by the recipient MTA. The value of this field is submitted using the MAIL FROM SMTP command and is officially designated as RFC5321.MailFrom. The mail client normally hides this field. It can take various labels, including return-path.

Received from/by

Received from/by is a list of the MTAs that processed the email. Each MTA identifies itself and the server that sent it the message. If an adversary is spoofing a domain, the true origin of the message is likely to be revealed by examining this list of servers. When starting a session with another SMTP server, a server identifies itself using the HELO/EHLO string.

Headers aren't exposed to the user by most email applications, which is why they're usually not a factor in an average user's judgment. You can view and copy headers from a mail client via a message properties/options/source command. MTAs can add a lot of information in each received header, such as the results of spam checking. If you use a plain text editor to view the header, it can be difficult to identify where each part begins and ends. Fortunately, plenty of tools are available to parse headers and display them in a more structured format. One example is the Message Analyzer tool, available as part of the Microsoft Remote Connectivity Analyzer ( testconnectivity.microsoft.com ). This will lay out the hops that the message took more clearly and break out the headers added by each MTA. You can also implement software that inspects headers and triggers an alert if the headers match known malicious values.

Spam Messages

The following example shows the headers from a spam message. Some of the fields have been removed, and some of the original identifying information redacted and replaced with placeholders:

Received: from protection2.outlook.com (2603:10a6:208:ac::18) by exchangelabs.com with HTTPS ; Tue, 24 Dec 2019 19:30:08 +0000
Received: from protection1.outlook.com (10.152.16.53) by protection2.outlook.com (10.152.17.88) with Microsoft SMTP Server; Tue, 24 Dec 2019 19:30:08 +0000
Authentication-Results: spf=none (sender IP is w.x.y.z) smtp.mailfrom=spam.foo; hotmail.com; dkim=none (message not signed) header.d=none;hotmail.com; dmarc=none action=none header.from=spam.foo; Received-SPF: None (protection.outlook.com: spam.foo does not designate permitted sender hosts)

These fields show the receipt of the email by the recipient's mail gateway, which performs analysis on it. The sender's domain is identified as spam.foo.

Received: from openrelay.foo (w.x.y.z) by protection1.outlook.com (10.152.16.89) with Microsoft SMTP Server ; Tue, 24 Dec 2019 19:30:06 +0000

This field shows the SMTP server that originated the message. It comes from a different domain than spam.foo. The openrelay.foo domain and IP address are on many mail blacklists.

Subject: Your account is blocked by the administrator Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset="UTF-8"; format=flowed; delsp=yes Date: Wed, 25 Dec 2019 06:30:07 +0000 MIME-Version: 1.0
From: Gmail Accounts <spammer@spam.foo>
To: recipient@hotmail.com Return-Path: spammer@spam.foo

The from and return-path fields list the same sender address, but note the attempt to disguise the nature of the sender by impersonating a Gmail account administrator.

X-MS-Exchange-Organization-Expiration StartTime: 24 Dec 2019 19:30:07.8963 (UTC) X-MS-Office365-Filtering-Correlation-Id: ca0b527c-0b59-4085-cfc2-08d788a7af58 X-Sender-IP: w.x.y.z X-SID-PRA: SPAMMER@SPAM.FOO X-Microsoft-Antispam: BCL:8;
X-MS-Exchange-Organization-SCL: 6

The X- headers indicate custom headers that are controlled by the SMTP server administrator. They are often used for message authentication and spam analysis, in this case by Microsoft ( docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-message-headers ).