In the following article, we will review the solutions and the methods that we can use for dealing
with the threat of Phishing mail attacks and their derivative, the Spoof mail attack.
What Are The Ingredients That Are Needed For Successfully Dealing With
The Threat Of Phishing And Spoofing Mail Attacks?
To be able to succeed in this task, we will need to acknowledge a simple truth about our
enemies: they are professionals who are familiar with every blind spot and weakness that we
have, and they will use them because they are highly motivated.
Modern Spoof mail attacks and Phishing mail attacks are sophisticated attacks that consist
of several parts, and exploit both the weaknesses of our mail infrastructure and the weaknesses of
our users (the human factor, which the attacker exploits by using social engineering
methods).
When a political candidate declares that he has the solutions to all the existing
problems, and that he can solve all of them in a short time, do not believe him!
Page 2 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9
The same logic applies to the subject of protecting our organization from Spoof mail
attacks and Phishing mail attacks. There is no single solution that will deal with
this sophisticated attack, and no solution that will identify and block 100% of these attacks.
The solution that we are looking for is realized as a combination of solutions, a logical fan of
solutions, each of which deals with a different part of the Phishing mail attack and its
derivative, the Spoof mail attack.
The first and most important step is acknowledgment:
1. The acknowledgment of the fact that Spoof mail attacks and Phishing mail attacks are
sophisticated and include many moving parts.
2. The acknowledgment of the fact that we must learn to think like the attacker, and
understand the DNA and the characteristics of Spoof mail attacks and Phishing mail attacks.
3. The acknowledgment that the solution will be a combination of technical solutions,
guidelines, education and so on.
Before we get into the specific details and the different options that we can use for dealing with
Spoof mail attacks and Phishing mail attacks, here is a quick reference to the structure that we
need to use.
The Phishing mail attack exploits the weakness of the human factor by:
1. Using a spoofed identity of a trusted sender.
2. Using a social engineering method for convincing and luring the victim (our users) to
do something.
The first thing that we will need to deal with is the phenomenon of Spoof E-mail.
Luckily, at the current time, there are a couple of mail standards (the sender authentication
standards SPF, DKIM and DMARC) that we can use for implementing and enforcing a process in which
we will be able to identify most of the Spoof E-mail scenarios.
The second thing that we will need to deal with is our users' education: make our users
aware of the risks and characteristics of the Phishing mail attack, so that they will be able to
recognize a Phishing mail.
The third thing that we will need to deal with is the way, or the method, in which the Phishing
mail attack is actualized.
The channels that the attacker who executes a Phishing mail attack uses to attack his
victims are:
1. Using a malware file: luring the victim into opening a seemingly innocent file (malware).
2. Using a Phishing website: luring the victim into downloading and opening a seemingly innocent file
(malware), providing personal information (password, bank account details, etc.) or depositing a sum of
money into the attacker's bank account.
To be able to mitigate these risks, we will need a protection mechanism that can
identify and block the specific malware and, in addition, a protection mechanism that can
identify and block the problematic URLs (links that lead our users to Phishing websites).
Dealing With A Spoof Mail Attack And Phishing Mail Attacks Effectively
As we know, there is no single solution that can help us deal with the challenge of
Phishing mail attacks and their derivative, the Spoof mail attack.
Instead, the solution can be described as a collection, or a combination, of different solutions
and methods that will need to be implemented.
Note: if you want to read more about the implementation of sender identity
verification by using an Exchange Online rule that identifies non-authenticated (anonymous)
senders, you can read the article Detect spoof E-mail and send an incident report using
Exchange Online rule (Learning mode) |Part 2#12
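As an added example (not part of the original article, and not the Exchange Online rule itself), the following Python script shows the checks that such a sender identity verification performs: it reads the Authentication-Results header that the gateway stamps on a message, checks the SPF, DKIM and DMARC results, checks that the Return-Path domain aligns with the From domain, and produces the text of the incident report that a learning-mode rule would send to the monitoring mailbox. The messages, the domain example.com and the header values are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption for the example: example.com is our organization's domain.
OUR_DOMAINS = {"example.com"}

# Constructed sample messages (not real captures). The Authentication-Results
# header is the kind a mail gateway such as EOP stamps after evaluating SPF,
# DKIM and DMARC for the connecting sender.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@attacker.example.net>
Authentication-Results: mx.example.com; spf=fail (sender IP is 203.0.113.7)
 smtp.mailfrom=attacker.example.net; dkim=none; dmarc=fail action=none
 header.from=example.com
From: "CEO" <ceo@example.com>
To: cfo@example.com
Subject: Urgent wire transfer

Please transfer the funds today and confirm by reply.
"""

LEGITIMATE_MESSAGE = """\
Return-Path: <ceo@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com; dmarc=pass action=none header.from=example.com
From: "CEO" <ceo@example.com>
To: cfo@example.com
Subject: Board agenda

Agenda attached.
"""

# Our own domain in From, but nothing authenticated the sender at all.
ANONYMOUS_MESSAGE = """\
Return-Path: <ceo@example.com>
From: "CEO" <ceo@example.com>
To: cfo@example.com
Subject: Password reset

Click the link to reset your password.
"""

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def parse_auth_results(header_value):
    """Map each method to its first result, e.g. {"spf": "fail", "dkim": "none"}."""
    results = {}
    for method, result in AUTH_RESULT_RE.findall(header_value or ""):
        results.setdefault(method.lower(), result.lower())
    return results


def _domain(address_header):
    """Domain part of the first address in a header value, lower-cased."""
    addr = parseaddr(str(address_header or ""))[1]
    return addr.rpartition("@")[2].lower()


def assess(raw_message, our_domains=OUR_DOMAINS):
    """Decide whether a message that claims one of our domains in From is a suspected spoof."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = _domain(msg["From"])
    return_path_domain = _domain(msg["Return-Path"])
    auth = parse_auth_results(msg["Authentication-Results"])
    reasons = []
    if from_domain in our_domains:
        if not auth:
            reasons.append("no Authentication-Results header: the sender was never authenticated")
        else:
            if auth.get("dmarc") != "pass":
                reasons.append(f"DMARC did not pass for our domain (dmarc={auth.get('dmarc', 'missing')})")
            if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
                reasons.append(f"neither SPF nor DKIM passed (spf={auth.get('spf', 'missing')}, "
                               f"dkim={auth.get('dkim', 'missing')})")
        # Envelope sender and header From should belong to the same domain (SPF alignment).
        if return_path_domain and return_path_domain != from_domain:
            reasons.append(f"Return-Path domain {return_path_domain} does not align with From domain {from_domain}")
    elif auth.get("dmarc") == "fail":
        reasons.append(f"external sender failed its own domain's DMARC policy ({from_domain})")
    return {
        "from_domain": from_domain,
        "subject": str(msg["Subject"] or ""),
        "verdict": "suspected-spoof" if reasons else "authenticated",
        "reasons": reasons,
    }


def incident_report(raw_message, our_domains=OUR_DOMAINS):
    """Text of the report a learning-mode rule sends to the monitoring mailbox
    (the original message is still delivered to the recipient)."""
    result = assess(raw_message, our_domains)
    lines = [f"Verdict: {result['verdict']}", f"Subject: {result['subject']}",
             f"From domain: {result['from_domain']}"]
    lines.extend(f"- {reason}" for reason in result["reasons"])
    return "\n".join(lines)


if __name__ == "__main__":
    for sample in (SPOOFED_MESSAGE, LEGITIMATE_MESSAGE, ANONYMOUS_MESSAGE):
        print(incident_report(sample), end="\n\n")
```

The script only trusts an Authentication-Results header that our own gateway added; in a real deployment the gateway strips any Authentication-Results header that arrives from outside before stamping its own, otherwise the attacker could supply a "pass" result himself.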
Let's assume that the attacker (in the part that relates to social engineering) convinces the victim
(our user) to open the file that is attached to the E-mail message. What can we do in this
scenario?
1. Implementing malware mail filters.
The purpose of malware mail filters, as the name implies, is to detect malware that appears
as an E-mail attachment.
Case 1: Phishing mail attack that includes Zero-day malware
The major disadvantage of standard malware mail filters is their inability to cope with a
Zero-day attack. The term Zero-day attack describes a new attack that has not yet been recognized,
classified and registered in the well-known malware databases (it has no signature).
A standard malware mail filter detects E-mail malware based on a signature database that
documents the signatures of known malware. For this reason, standard malware mail
filters cannot deal with a zero-day attack.
In simple words, they cannot detect new malware whose specific signature does not appear in the
database of identified malware.
Note: a "new type of malware" can also be a variation of a well-known malware, for example a
repacked or slightly modified sample that no longer matches the stored signature.
The problem of identifying zero-day attack scenarios is considered a blind spot, or a
congenital weakness, of antivirus products.
Common antivirus software detects malware by examining the file and comparing the
file's characteristics to a signature database that includes information about malware that was
previously detected, classified as malware and registered in the malware signature database.
Because in the specific scenario of a zero-day attack the malware is not registered in the
malware signature database, it is hard for the antivirus application to detect and mark the zero-day file as malware.
The solution for a zero-day attack is a technology (offered by a couple of
manufacturers) that was built to deal with the problem by implementing a mechanism named
Sandbox.
The concept of a Sandbox is implemented in the following way:
When an E-mail that includes an attachment is sent to a destination recipient who is protected
by a security gateway that uses the Sandbox mechanism, the E-mail will not be delivered directly
to the destination recipient but will instead be intercepted by the security gateway.
The security gateway will simulate the exact action that the end user was supposed to perform,
such as opening the E-mail message and opening the attachment (double-clicking
on the file).
The attached file is opened in a dedicated, isolated environment (typically a disposable virtual
machine) that is separate from the production systems; this is the meaning of the term Sandbox.
The security gateway will watch the file's behavior and check whether the attachment tries
to do something that a file of its type should not do, such as dropping and executing a new
file, spawning a child process (for example a script interpreter), modifying system settings so
that it runs again at startup, or contacting a remote server for further instructions.
In this way, we can locate malware that disguises itself as an innocent file.
Additional reading
Zero-day attack
Zero-day (computing)
Responding to Zero Day Threats
The Best Defenses Against Zero-day Exploits for Various-sized Organizations
Video lectures
First Look at Advanced Threat Protection in Office 365 to Stop Unknown Malware and
Phishing Attacks
Leading the way in the fight against dangerous email threats
The purpose of this technology is to add an additional layer of security, in which the mail
security gateway (the EOP infrastructure) checks each URL address (link) that
appears in the E-mail message, and verifies that the destination website is a legitimate website
and not a known problematic (Phishing or malware) website. Because a website can turn malicious
after the message was delivered, this kind of protection also re-checks the link at the moment the
user clicks on it.
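As an added example (not part of the original article, and not how Safe Links is implemented), the following Python code shows the kind of per-link checks such a layer performs before it decides that a link is problematic: whether the destination host is on a blocklist, whether the link text displays one website while the href points to another, whether the destination is a raw IP address, and whether the hostname imitates our own domain. The HTML body, the blocklist and the domain example.com are constructed for the example; a real gateway consults a URL reputation feed and the public suffix list instead of the stand-ins used here.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for the example: example.com is our own domain, and the
# blocklist stands in for the reputation feed a real gateway consults.
OUR_DOMAINS = {"example.com"}
KNOWN_BAD_HOSTS = {"login-verify.example.net"}

# Constructed phishing body (not a real sample).
SAMPLE_HTML = """
<p>Your mailbox is almost full. Sign in to keep receiving mail:
<a href="http://login-verify.example.net/owa">https://outlook.example.com/owa</a></p>
<p>Security update: <a href="http://203.0.113.7/update.exe">Download the update</a></p>
<p>Regards, <a href="https://www.example.com/it">IT Helpdesk</a>
(<a href="mailto:helpdesk@example.com">contact us</a>)</p>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    parser.close()
    return parser.links


def _host(text):
    """Host named by a URL, or by URL-looking display text; None if not URL-like."""
    text = text.strip()
    if "://" in text:
        return (urlparse(text).hostname or "").lower() or None
    if text.lower().startswith("www."):
        return text.split("/")[0].lower()
    return None


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _registered_domain(host):
    # Last two labels; a production check would use the public suffix list.
    return ".".join(host.split(".")[-2:])


def check_link(href, text):
    """Findings for one link; an empty list means nothing suspicious was seen."""
    findings = []
    host = _host(href)
    if host is None:  # mailto:, relative links and similar carry no destination host
        return findings
    if host in KNOWN_BAD_HOSTS:
        findings.append("destination host is on the blocklist")
    if _is_ip(host):
        findings.append("destination is a raw IP address, not a hostname")
    shown = _host(text)
    if shown and _registered_domain(shown) != _registered_domain(host):
        findings.append(f"link text shows {shown} but points to {host}")
    for ours in OUR_DOMAINS:
        brand = ours.split(".")[0]
        if host != ours and not host.endswith("." + ours) and brand in host:
            findings.append(f"hostname imitates {ours} without being under it")
    return findings


def scan(html):
    """Every link in the body that produced at least one finding."""
    report = []
    for href, text in extract_links(html):
        findings = check_link(href, text)
        if findings:
            report.append({"href": href, "text": text, "findings": findings})
    return report


if __name__ == "__main__":
    for entry in scan(SAMPLE_HTML):
        print(entry["href"])
        for finding in entry["findings"]:
            print("  -", finding)
```

The first sample link collects three findings at once (blocklisted host, displayed site differs from the real destination, and a hostname built around our brand name), which is the typical profile of a credential-phishing link; the plain "IT Helpdesk" link under our own domain produces none.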
Additional reading
Safe attachments and safe links | Office 365 and Exchange Online
C- Dealing with a Spoof mail attack and Phishing mail attacks effectively | User
education & awareness program
Most of the time, when we use a sentence such as "fighting Spoof E-mail attacks and Phishing mail
attacks", the first association that comes to mind is related to some kind of high-end
sophisticated product that knows how to deal with this terrible threat.
The simple truth is that we probably will need to use these high-end sophisticated products
but, to be able to provide a complete and comprehensive answer to the problem that we are facing, we
must add the layer of educating our users about the risk of Spoof mail attacks and Phishing
mail attacks, the specific characteristics of such attacks, how to recognize these attacks and so on.
In other words, the technological solutions do not provide a complete solution!
Although user education is of great importance, most of us tend to
underestimate this solution because the common associations with the term
"education" are: boring, not needed, useless.
The interesting thing that I would like to draw your attention to is the fact that one of the most
effective and significant ways to deal with the phenomenon of Spoof and Phishing mail attacks
is education.
At the same time, education is one of the most neglected areas, because most of us are
sure that it is just useless nonsense.
Notice that I did not use the common term "user education", because the subject of education
relates to different elements in the ecosystem:
1. Our education
Most of us (IT people) have the misleading sense that we know everything about mail security and
the different types of mail threats, such as Spoof mail attacks and Phishing mail attacks.
The simple truth is that we don't.
Let's make it simple: the purpose of the current "boring" article series is to make you
understand that the subject of Spoof mail attacks and Phishing mail attacks is not so simple, and
that there is a lot of information that we should learn about this subject.
2. Management education
When I use the term "management education", I refer to the concept of management
commitment.
The concept of management commitment must be realized in the following ways:
The acknowledgment that Spoof mail attacks and Phishing mail attacks could cause
serious damage.
The acknowledgment that there is no magic solution to this risk but, instead, a
combination of different solutions.
The acknowledgment that there is no magic solution that will block 100% of the
Spoofing or Phishing attacks.
Management will need to commit to the simple fact that it needs to allocate the
required resources (time, money, education and so on).
3. Users' education
Because the Phishing mail attack is so sophisticated and hard to detect, one of the most effective
tools that we can use for dealing with this risk is to make our users aware of this threat.
Teach them about the specific characteristics of Spoof E-mail attacks and Phishing mail attacks,
show them an example of a Spoof E-mail or a Phishing mail, and so on.
The outcome of acknowledging the great importance of educating our users about
Spoof E-mail attacks and Phishing mail attacks is the user awareness program.
Additional reading
Security user awareness program.
Video lectures
D- Dealing with a Spoof mail attack and Phishing mail attacks effectively | Policy,
standards and regulations
1. Define a policy and regulation that will restrict the level of damage that could be caused by a
Phishing mail attack
One of the most neglected areas regarding the subject of dealing with Spoof E-mail attacks and
Phishing mail attacks is an area which I describe as "Policy, standards and
regulations".
And again, most of the time, the first association that comes to mind regarding these terms is
"boring" or "not really a useful solution that I can use".
I would like to give you an example of a regulation \ policy that seemingly does not relate directly
to the subject of Phishing mail attacks:
a policy which restricts the specific amount of money that a specific employee is authorized to
transfer to another bank account by himself.
The main purpose of such a regulation \ policy is to reduce the level of damage in a scenario in
which a company employee maliciously executes a criminal activity, stealing money
by transferring it from the company bank account to his own bank account.
A specific type of Phishing mail attack, and especially the Spear phishing attack, is directed at a very
specific organizational role such as the company CEO, CFO, etc.
In this Phishing attack, the hostile element uses a false identity and lures his victim into transferring
a specific amount of money to a specific bank account (the hostile element's bank account).
In this case, one of the most effective measures that can be implemented is to define a very
clear and simple company policy that deals with subjects such as:
2. Appointing a dedicated authority that will be responsible for managing the defense
infrastructure.
Another subject that I would like to emphasize is the need to decide on a person, or
persons, who will be responsible for managing the enforcement and the ongoing day-to-day
tasks that are related to the protection mechanism that deals with Spoof E-mail attacks and
Phishing mail attacks.
For example, let's assume that we configure a protection mechanism which monitors our
incoming mail flow, and identifies an event in which there is a high chance that the sender spoofed
his identity.
In our specific scenario, we do not block such an E-mail message but instead generate an
incident report, which is sent to a dedicated mailbox that stores these incident reports, including
a copy of the E-mail message that was identified as a Spoof E-mail.
The major questions that I would like to ask are:
Q1: Who are the persons who will have access to the mailbox that stores the information about
the Spoof E-mail events?
Q2: How often does this person need to access the mailbox that stores the information about the
Spoof E-mail events?
Q3: What is the procedure that needs to be implemented in a scenario in which we identify
a Spoof mail?
What is my point?
My point is that the fact that we recognize a suspicious E-mail message (Spoof mail) and send it
to a dedicated mailbox that stores the information about this E-mail does not, by itself, solve the
problem.
We need to define a very clear and precise procedure which defines the scope of this person's
responsibility, what he needs to do, to whom he should report a Spoof E-mail
event, what actions will be taken in a scenario of Spoof E-mail events, and
so on.
E- Dealing with a Spoof mail attack and Phishing mail attacks effectively | Client
side security
In this section, I would like to review the client side of the formula.
In an event of Spoof E-mail attacks or Phishing mail attacks, we can use client-side
mechanisms that will help us deal with this problem.
1. Using antivirus
Most of the common antivirus clients were not created for identifying an event of Spoof E-mail.
The main benefit of using an antivirus client is in a scenario in which the Phishing mail lures the
user into downloading and opening a malware file, and the malware manages to slip past the server-side
defense systems.
For example, a scenario in which the antivirus client can be useful is one in which the
user downloads malware from a specific URL address that appears in the E-mail message
(a Phishing website).
In this scenario, the antivirus client provides an additional layer of protection because the mail
security gateway is useful when the malware appears as part of the E-mail message, and not in a
scenario in which the user uses his browser for downloading the malware to his desktop.
2. Using additional "smart" desktop defense mechanisms
As mentioned, antivirus software is good for the detection of well-known malware. The problem
is with zero-day malware whose signature is not listed.
The solution for this blind spot is using a "smart" client that has the capability to identify
programs that behave strangely or improperly, or an anomaly in which a
specific process or service behaves strangely.
There is no specific name for this feature, because each provider of desktop security
products uses different names or terms.
An example of such a solution is a desktop security product that includes a host-based IDS\IPS (intrusion
detection system \ intrusion prevention system) that can identify and detect a software
component that does not behave in a legitimate way.
3. Hardening the policy related to Microsoft Office documents, such as disabling macros
Some malware will appear as an E-mail attachment and some won't.
Some malware will appear as an E-mail attachment in the form of an executable file and some
won't.
What is my point?
My point is that in a perfect scenario, the malware would be implemented as an executable file
that is recognized by the malware filter as malware and blocked.
Most of the time, the attacker who uses a Phishing mail attack is a professional who will make
the required effort to make our life difficult, by using attachments that appear to be legitimate files,
such as Microsoft Office files.
The malware will be hidden in the Office document as a macro, and will be executed when the
user opens the file and enables macros (the text of the document is written to convince him to do
exactly that).
Besides implementing a mechanism that can perform a Sandbox verification test, one of the
simplest solutions that we can implement is configuring and enforcing a policy that
prevents our users from running macros in Microsoft Office documents (for example, disabling all
macros, or allowing only digitally signed macros, through Group Policy).
In case your mind now says something like "I cannot do it, some of my users must use
documents with macros!",
my answer is: it's your decision; you will need to weigh the business need versus the security
need and make the right decision.
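As an added example (not part of the original article), the following Python code shows a gateway-side check that complements the client-side macro policy: it classifies an attachment by its content rather than by its file name, flags OOXML documents that carry a VBA project (including a macro project hidden inside a file named .docx), sends legacy binary Office files to the sandbox, and blocks executables whatever extension they were given. The sample attachments are minimal stand-ins built in the code, not real documents.

```python
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls/.ppt container
PE_MAGIC = b"MZ"                                 # Windows executable
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam")


def classify_attachment(data):
    """Classify an attachment by its content, never by the attacker-chosen file name."""
    if data.startswith(PE_MAGIC):
        return "executable"
    if data.startswith(OLE_MAGIC):
        return "legacy-binary-office"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                names = archive.namelist()
        except zipfile.BadZipFile:
            return "other"
        if "[Content_Types].xml" not in names:
            return "zip-archive"
        # Macro-enabled OOXML documents store the VBA project as word/, xl/ or ppt/vbaProject.bin.
        if any(name.lower().endswith("vbaproject.bin") for name in names):
            return "ooxml-macro-enabled"
        return "ooxml-no-macro"
    return "other"


def decide(filename, data):
    """Return (action, reason) for one attachment under a 'no macros from mail' policy."""
    kind = classify_attachment(data)
    extension = filename.lower()[filename.rfind("."):] if "." in filename else ""
    if kind == "executable":
        return "block", f"executable content (file name {filename!r} is irrelevant)"
    if kind == "ooxml-macro-enabled":
        if extension in MACRO_EXTENSIONS:
            return "block", "macro-enabled Office document; policy disallows macros from mail"
        return "block", f"VBA project hidden inside a file named {extension or 'without extension'}"
    if kind == "legacy-binary-office":
        return "sandbox", "legacy binary Office format may carry macros; detonate before delivery"
    return "allow", kind


def build_sample_ooxml(with_macro):
    """Minimal zip with only the parts this check looks at (a stand-in, not a real Word file)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"\x00" * 32)
    return buffer.getvalue()


# Constructed attachments: (file name as it appears in the message, content bytes).
SAMPLE_ATTACHMENTS = [
    ("invoice.docm", build_sample_ooxml(with_macro=True)),
    ("invoice.docx", build_sample_ooxml(with_macro=True)),   # macro project under a harmless-looking name
    ("report.docx", build_sample_ooxml(with_macro=False)),
    ("statement.pdf.exe", PE_MAGIC + b"\x90" * 62),          # double extension, executable content
    ("budget-2016.xls", OLE_MAGIC + b"\x00" * 504),
]


if __name__ == "__main__":
    for name, content in SAMPLE_ATTACHMENTS:
        action, reason = decide(name, content)
        print(f"{name:20} {action:8} {reason}")
```

Only the OOXML case can be decided from the zip directory alone; a legacy binary file needs an OLE parser (or the sandbox) to tell whether it actually contains a VBA stream, which is why the example routes it to detonation instead of allowing it.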
Additional reading
Manage macro setting of office documents
In the following diagram, we can see a summary of the client-side elements that we can use for
dealing with Spoof E-mail attacks and Phishing mail attacks.