Page 1 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9

Dealing with the threat of Spoof and Phishing

mail attacks |Part 6#9

In the following article, we will review the solution and the methods that we can use for dealing
with the threat of Phishing mail attacks and his derivative Spoof mail attack.

What Are The Ingredients That Are Needed For Successfully Dealing With
The Threat Of Attacks And Phishing And Spoofing Mail Attacks?
To be able to succeed in this task, we will need to acknowledge the simple truth about our
enemies they are professionals, that are familiar with every blind spot and weakness that we
have, and they will use it because they are highly motivated.
Modern spoof mail attack and phishing mail attacks are very sophisticated attacks, that consist
of a couple of parts, and exploit the weakness of our mail infrastructures and the weakness of
our users (the human factor that is exploited by that attacked that uses the social enginery
method).
In a scenario where a political candidate declares that he has the solutions to all the existing
problems, and he can solve all the problems in a short time, do not believe him!

Written by Eyal Doron | o365info.com | Copyright 2012-2016

Page 2 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9
The same logic goes relating to the subject of protecting our organization from spoof mail
attacks and Phishing mail attacks. There is no such thing as a single solution that will deal with
this sophisticated attack or a solution that will identify and block 100% of these attacks.

The solution that we are looking for, realized as a combination of solutions or, a logic fan of
solutions that will deal with each of the different parts of the Phishing mail attacks and its
derivative Spoof mail attack.

Written by Eyal Doron | o365info.com | Copyright 2012-2016

Page 3 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9

The first and the most important step is the need for acknowledgment.
1. The acknowledgment of the fact that Spoof mail attack and Phishing mail attacks are
sophisticated and include many moving parts.
2. The acknowledgment of the fact that we must learn to think like the attacker, and
understand the DNA and the characters of Spoof mail attack and Phishing mail attacks.
3. The acknowledgment that the solution will be a combination of technical solutions,
guidelines, educations and so on.

Written by Eyal Doron | o365info.com | Copyright 2012-2016

Page 4 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9

Before we get into the specific details, and the different options that we can use for dealing with
Spoof mail attacks and Phishing mail attacks, just a quick reference to the structure that we
need to use:
The phishing mail attack is exploiting the weakness of human factor by:
1. Using a spoofed identity of a trusted sender
2. Using a social engineering method for convincing and seduce the victim (our users) to
do something.

The first thing that we will need to deal with is the phenomenon of Spoof E-mail.
Luckily, at the current time, there are a couple of mail standard that we can use for
implementing and enforcing a process, in which we will be able to identify most of the Spoof Email scenarios.
The second thing that we will need to deal with is our users education. Allow our users to be
aware of the risks and characteristics of Phishing mail attack, so they will have the ability to
recognize Phishing mail.
The third thing that we will need to deal with is the way or the method in which the Phishing
mail attack is actualized.
The channels which are used by the attacked the executable Phishing mail attacks to attack his
victims are
1. Using a malware file seduce the victim to open seemingly innocent file (malware).

Written by Eyal Doron | o365info.com | Copyright 2012-2016

Page 5 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9
2. Using a Phishing website seduce the victim to download + open seemingly innocent file
(malware), provide personal information (password, bank account, etc.) or deposit a sum of
money to the bank account of the attacker.

To be able to mitigate these risks, we will need to find a protection mechanism, that could
identify and block the specific malware and in addition, find a protection mechanism that could
identify and block the problematic URLs (links that lead our users to Phishing websites).

Dealing With A Spoof Mail Attack And Phishing Mail Attacks Effectively
As we know, there is no single solution that could help us to deal with the challenge of
Phishing mail attacks and his derivative Spoof mail attack.
Instead, the solution can be described as a collection or, a combination of different solutions
and methods that will need to be implemented.

Written by Eyal Doron | o365info.com | Copyright 2012-2016

Page 6 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9

A- Dealing with the part of Spoof m ail attack

As we know, the Spoof mail attack is one of the main characters of Phishing mail attack.
For this reason, we need to implement a solution in which our mail infrastructure will use a
mechanism of a sender verification process.
Each time that a sender addresses our mail infrastructure, our mail infrastructure will implement
a verification check, so we will be able to be sure that the sender is really who he claims to be.
In other words, using a protection mechanism, that will identify (and block) E-mail message that
has a spoofed sender identity. A scenario in which hostile element prettied to be one of our
legitimate users or legitimate sender from another organization.
The good news is that at the current time, there are a couple of mail security standard that was
created for the purpose of verifying sender identity such as SPF, DKIM and DMARC.
Note we will review the main characters of this sender verification solutions in the article
Using sender verification for identifying Spoof mail | SPF, DKIM, DMARC, Exchange and
Exchange Online |Part 8#9
Note if you want to read more information about the implementation of DKIM in Office 365
based environment you can read the article Outbound DKIM signing and DNS infrastructure |
Building the required DNS records for Office 365 | Part 4#5
In addition, in case that your mail infrastructure is based on Exchange architecture, we can use
additional option for verify sender identity by, identify authenticated versus non- authenticated
(anonymous) senders who use our organization domain name.

Written by Eyal Doron | o365info.com | Copyright 2012-2016

Page 7 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9

Note if you want to read more information about the implementation of sender identity
verification by using the Exchange Online rule that will identify non- authenticated (anonymous)
sender you can read the article Detect spoof E-mail and send an incident report using
Exchange Online rule (Learning mode) |Part 2#12

B- Dealing with the part of malware and Phishing websites

In this part, we are dealing with the channels which are used by the attacker to executing his
specific attack.
Just a quick reminder, the Phishing mail attack channels are malware file or a Phishing
website.

Written by Eyal Doron | o365info.com | Copyright 2012-2016

Page 8 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9

Using a spam mail filter

For the sake of full disclosure, I dont think that a spam mail filter is very usefully for identify
Phishing mail because Phishing mail is not a spam mail.
Only in a scenario in which the Phishing mail has also characters of spam mail, the spam mail
filter can identify such as E-mail message.
Another scenario in which spam filter can be useful is in a scenario that the specific Phishing
mail attack was recognized as a Phishing mail attack, and specific characters of the E-mail
message (the signature) appear in the signature database of a well know problematic E-mail
messages.
Bottom line
Its recommended to use a spam mail filter, but we should not relate to the spam filter as the
ultimate solution for Phishing mail attacks.
Dealing with E-mail attachments
Many times, the Phishing mail attack is implemented by an E-mail message that includes
malware attachment that appears as an Innocent file.

Written by Eyal Doron | o365info.com | Copyright 2012-2016

Page 9 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9

Lets assume that the attacker (the part that relates to social engineering) convinces the victim
(our user), to open the file that is attached to the E-mail message, what can we do in this
scenario?
1. Implementing malware mail filters.
The purpose of the malware mail filters as the name implies is to detect a malware that appears
as an E-mail attachment.
Case 1 Phishing mail attack that includes Zero-day attack malware
The major disadvantage of the standard malware mail filters is his inability to cope with
Zero-day attack. The term Zero-day attack, describe a new attack that wasnt recognized,
classified, and was registered on the well-known attack database (have no signature).
The standard malware mail filter can detect E-mail malware, based on a signature database that
includes a documentation of malware signatures. For this reason, the standard malware mail
filters cannot deal with a zero-day attack.
In simple words, cannot detect new malware that his specific signature doesnt appear in the
identified malware database.

Written by Eyal Doron | o365info.com | Copyright 2012-2016

Page 10 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9

Case 2 Malware that doesnt implement as E-mail attachment

In many Phishing mail attacks, the malware doesnt appear as an E-mail attachment. Instead, the
victim is seduced to click on a link that will lead him to the hostile website and then asked to
download a specific file (the malware). In this scenario, the malware mail filter is not involved in
the process and cannot detect the malware.

Written by Eyal Doron | o365info.com | Copyright 2012-2016

Page 11 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9

2. Implementing E-mail attachment policy.

The advice of Implementing mail attachment policy, in which block a specific type of E-mail
attachment such as the executable file is a good advice, and not just for the scenario of
dealing with a Phishing mail attack.
The main problem is that most of the time, Phishing mail attack that has an attachment, will use
an Innocent type of file such as Microsoft office files (Word, Excel etc.).
The main problem that we are facing is that most of the time, we cannot define mail
attachment policy that will block standard E-mail attachment such as a word document.
This is the weak spot that is exploited by the hostile element that sends the Innocent
attachment.
Note if you want to read more information about how to implement mail attachment policy in
an Exchange base environment by using Exchange rule, you can read the article series Manage
E-mail attachment policy in Office 365 part 1#4
3. Implementing sandbox solutions.
One of the most frustrating and challenging security threats is the subject of zero-day attack.
The simple meaning of this term can be translated into a new type of malware that is
distributed by hostile elements, that consider as UN knows malware meaning, the security,
defense systems that should protect our infrastructure from this specific malware are not
aware of the fact that this malware.

Written by Eyal Doron | o365info.com | Copyright 2012-2016

Page 12 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9

Note the definition of new type of malware can also be translated to a variation of a well
know malware.

The problem of identifying scenarios of zero-day attack considers as blind spot or, a
congenital weakness of antivirus products.
A common antivirus software detects malware is by examining the existing file and compare the
file characters to a signature database, that include information about malware that was
detected, classified as malware and registered in the malware signature database.

Written by Eyal Doron | o365info.com | Copyright 2012-2016

Page 13 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9

Because in the specific scenario of zero-day attack the malware is not registered in the
malware signature database, its hard for the antivirus application to detect and mark the zeroday file as malware.
The solution for a zero-day attack is a technology (technology that is offered by a couple of
manufacturers) that was built to deal with the problem by implementing a mechanism named
sandbox.
The concept of Sandbox is implemented in the following way:
When an E-mail that includes an attachment is sent to a destination recipient who is protected
by security gateway that uses the mechanism of Sandbox, the E-mail will not be sent directly
to the destination recipient but instead, will be Intercepted by the security gateway.
The security gateway will simulate the exact action that was supposed to be performed by the
end user, such as, open the E-mail message, and try to open the attachment (double-click on
click on the file).
The activation of the attached file is executed in a dedicated and isolated memory space (the is
the meaning of the term Sandbox).

Written by Eyal Doron | o365info.com | Copyright 2012-2016

Page 14 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9

The security gateway, will watch the file behavior and check if the attachment (the file) is trying
to do something that is not standard such as trying to access the hard disk, try to access a
suspicious area in the RAM that a standard file will not access, try to create a buffer overflow
and so on.
In this way, we can locate malware thats disguised them self as Innocent file.
Additional reading
Zero-day attack

Zero-day (computing)
Responding to Zero Day Threats
The Best Defenses Against Zero-day Exploits for Various-sized Organizations

Advanced Threat Protection Exchange Online

Introducing Exchange Online Advanced Threat Protection

Exchange Online Advanced Threat Protection
Exchange Online Advanced Threat Protection is now available
Exchange Online Advanced Threat Protection Service Description

Written by Eyal Doron | o365info.com | Copyright 2012-2016

Page 15 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9

Advanced threat protection for safe attachments and safe links

Video lectures

First Look at Advanced Threat Protection in Office 365 to Stop Unknown Malware and
Phishing Attacks
Leading the way in the fight against dangerous email threats

Implementing a URL verification mechanism.

A very common method that is used in a Phishing mail attack is to infect the victims desktop
with a malware or hostile code, using a smart process which includes a two or three steps.
The first step is to convince the victim to do something by clicking on a specific link that will
lead him to a website which includes the malware.
The victim will need to download the file and open the file (the malware).
This method enables the attacker to bypass existing implementation of malware filter because
the malware doesnt appear as part of the E-mail message.
The only way to deal with this bypass method is, to implement a security mail filter that can
verify URL addresses that appear in the E-mail message by deciding if the specific URL considers
as a legitimate URL address or a hostile URL address such as Phishing website.
The security mail filter that needs to verify URL address can implement the verification process
in two methods:
1. URL address database
Using a database that includes information about a problematic website or a dangerous
website such as a Phishing website or websites that were compromised.
2. Simulate the access to the specific website instead of the original user
A process in which the URL filter tries to access to the URL address that includes in the E-mail
message before the recipient read the E-mail message and try to check if the website looks like
a legitimate website or a website that tries to manipulate the user desktop by trying to exploit
existing vulnerability.
An example of such URL verification filter is the Microsoft technology, that is implemented in
the EOP (Exchange Online protection) by using the feature named ATP (advanced threat
protection) which includes a component named safe links.

Written by Eyal Doron | o365info.com | Copyright 2012-2016

Page 16 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9
The purpose of this technology is to add an additional layer of security, in which the mail
security gateway (the EOP infrastructure) will check and verify each URL address (link) that
appears in E-mail message, and verifies the that the destination website is a legitimate website
and not a website that appears as a problematic website.

Additional reading
Safe attachments and safe links | Office 365 and Exchange Online

Exchange Online Advanced Threat Protection

Introducing Exchange Online Advanced Threat Protection
Advanced threat protection for safe attachments and safe links
Set up a safe links policy in EOP
Exchange Online Advanced Threat Protection Service Description

Written by Eyal Doron | o365info.com | Copyright 2012-2016

Page 17 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9
C- Dealing with a Spoof mail attack and Phishing mail attacks effectively | Users
Education & awareness program
Most of the time, when we use sentence such as fighting Spoof E-mail attacks and Phishing mail
attacks, the first association that comes to mind is related to some kind of high end
sophisticated products that will know how to deal with this terrible threat.
The simple truth is that we probably we will need to use this high-end sophisticated products
but, to be able to provide a complete and comprehensive for the problem that we are facing we
must add the layer of educating our users about the risk of the Spoof mail attack and Phishing
mail attacks, the specific characters of such attack, how to recognize these attacks and so on.
In other words, the technological solutions do not provide a complete solution!
Although there is a great importance to the subject of user education, most of us, tend to
underestimate this solution because the common association that is related to the term
education is boring, not needed, useless.

The interesting thing, that I would like to draw your attention is the fact that one of the most
effective and significant ways, to deal with the phenomenon of Spoof and Phishing mail attacks
is the subject of education.

Written by Eyal Doron | o365info.com | Copyright 2012-2016

Page 18 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9
At the same time, one of the most neglected areas is the education. Because most of us are
sure that is just a non-useful nonsense.

Notice that I didnt use the common term user education because the subject of education is
related to different elements in the ecosystem:
1. Our education
Most of us (IT persons) have the misleading sense that we know everything about mail security,
the different type of mail Threats such as Spoof mail attack and Phishing mail attacks and so on.
The simple truth is that we dont.
Lets make it simple the purpose of the current boring article series is -to make you
understand that the subject of Spoof mail attack and Phishing mail attacks is not so simple and
that there is a lot of information that we should learn about this subject.
2. Management education
When I use the term management education, I relate to the concept of management
commitment.
The concept of management commitment must be realized in two ways:

The acknowledgment that Spoof mail attack and Phishing mail attacks could cause
serious damage.
The acknowledgment that there is no magic solution to this risk buy instead, a
combination of a different solution.
The acknowledgment that there is no magic solution that will block 100% of the
Spoofing or Phishing attacks.

Written by Eyal Doron | o365info.com | Copyright 2012-2016

Page 19 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9
The management will need to commit to the simple fact in which she needs to allocate the
required resources (time, money, education and so on).
3. Users education
Because the Phishing mail attack is so sophisticated and hard to detect one of the most effective
tools that we can use dealing with this risk is to make our user aware of this threat.
Teach them about the specific characters of Spoof E-mail attacks and Phishing mail attacks,
show an example of Spoof E-mail or Phishing mail and so on.
The outcome of the acknowledgment of the big importance to educate our user regarding the
subject of Spoof E-mail attacks and Phishing mail attacks is the user awareness program.

Additional reading
Security user awareness program.

Information Supplement: Best Practices for Implementing a Security Awareness Program

The 7 elements of a successful security awareness program
Building an Information Technology Security Awareness and Training Program
Creating an IT Security Awareness Program for Senior Management

Video lectures

How To Avoid Falling Prey To Phishing Scams

Written by Eyal Doron | o365info.com | Copyright 2012-2016

Page 20 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9
D- Dealing with a Spoof mail attack and Phishing mail attacks effectively | Policy,
standards and regulations
1. Define a policy and regulation that will restrict the level of damage that could be caused by a
Phishing mail attack
One of the most neglected areas regarding the subject of dealing with a scenario of Spoof Email attacks and Phishing mail attacks is an area which I describe as Policy, standards and
regulations.
And again, most of the time, the first association that comes to mind regarding these terms is
boring or, not relay a useful solution that I can use.
I would like to give you an example of a regulation \ policy that seemingly doesnt relate directly
to the subject of Phishing mail attack.
A policy which restricts the specific amount if the money, that specific employee is authorized to
transfer to another bank account by himself.
The main purpose of such regulation \ policy is to reduce the level of damage in a scenario in
which a company employee, maliciously execute a criminal activity in which he will steal money
by transferring money from the company bank account to his bank account.
A specific type of Phishing mail attack, and especially Spear phishing attack, is directed to a very
specific organizations role such as the company CEO, CFO, etc.
In this Phishing attack, the hostile element used a false identity and lures his victim to transfer
a specific amount of money to a specific bank account (the hostile element bank account).
In this case, one of the most effective operations that can be implemented is define a very
clear and simple company policy that deals with subject such as:

What is the maximum amount of the money that can be transferred?

Who is the element that needs to authorize this money transfer?
The possibility of implementing a mechanism in which two entities need to authorize
the money transfer.
What are the allowed destination bank account in which the company money can be
transferred?

2. Appointing a dedicated authority that will be responsible for managing the defense
infrastructure.

Written by Eyal Doron | o365info.com | Copyright 2012-2016

Page 21 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9
Another subject that I would like to emphasize is they need to decide about a person or
persons, that will be responsible for managing the enforcement and the ongoing day to day
tasks, that are related to the protection mechanism that deals with Spoof E-mail attacks and
Phishing mail attacks.
For example, lets assume that we configure a protection mechanism which monitors our
incoming mail flow, and identifies an event, in which there is high chance that the sender spoofs
his identity.
In our specific scenario, we dont block such as E-mail message, but instead, generate an
incident report, that is sent to a dedicated mailbox which stores this incident reports that include
a copy of the E-mail message that was identified as Spoof E-mail.
The major questions that I would like to ask are:
Q1: Who is the person\s that will have access to the mailbox that stores the information about
the Spoof E-mail events?
Q2: How often this person needs to access the mailbox that stores the information about the
Spoof E-mail events?
Q3: What is the procedure that needs to be implemented in a scenario in which we identify
a scenario of Spoof mail?
What is my point?
My point is that the fact that we recognize and send a suspicious E-mail message (Spoof mail)
to a dedicated mailbox that will store the information about this E-mail doesnt solve the
problem.
We need to define a very clear and precise procedure, which will define what is the scope of the
responsibility of this person, what he needs to need, who should he report about a Spoof E-mail
event, what are the actions that will be implemented in a scenario of Spoof E-mail events and
so on.

Written by Eyal Doron | o365info.com | Copyright 2012-2016

Page 22 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9

E- Dealing with a Spoof mail attack and Phishing mail attacks effectively | Client
side security
In this section, I would like to review the client side of the formula.
In an event of Spoof E-mail attacks or Phishing mail attacks, we can use a client side
mechanism, that will help us to deal with this problem.
1. Using antivirus
Most of the common antivirus clients, was not created for identifying an event of Spoof E-mail.
The main benefit of using antivirus client is in a scenario in which the Phishing mail seduces the
user to download an open a malware file, and the malware manage to slip that server side
defense systems.
For example a scenario in which the Antivirus client can be useful is a scenario in which the
user downloads a malware from a specific URL address that appears in the E-mail message
(Phishing website).
In this scenario, the Antivirus client provides an additional layer of protection because, the mail
security gateway is useful when the malware appears as part of the E-mail message, and not a
scenario in which the user uses his browser for downloading the malware to his desktop.
2. Using additional desktop smart defense mechanism
As mentioned, the antivirus software is good for detection of well know malware. The problem
is with zero-day malware that their signature is not listed.
The solution for this blind spot is using a smart client, that have the capabilities to identify
programs that behave strangely and not in a proper way or a scenario of anomaly in which a
specific process or service behaves strangely.

Written by Eyal Doron | o365info.com | Copyright 2012-2016

Page 23 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9
There is no specific name for this feature because each of the providers of desktop security
product uses other names or terms.
An example of such a solution is a desktop security product that includes IDS\IPS (intrusiondetection detection system \ intrusion prevention system) that can identify and detect software
component that doesnt beehives on a legitimate way.
3. Harding the policy that related to Microsoft office documents such as disabling macro

Some of the malware will appear as E-mail attachment and some wont.
Some of the malware will appear as E-mail attachment using an executable file and some
wont.

What is my point?
My point is that in a perfect scenario, the malware will be implemented as an executable file
that will be recognized by the malware filter as a malware and will be blocked.
Most of the time, the attacker who uses a Phishing mail attack is a professional, that will make
the required effort to make our life difficult, by using attachments that appear as a legitimate file
such as Microsoft office file.
The malware will be hidden in the office document as a macro, and will be executed when the
user opens the file.
Besides of implementing a mechanism that can perform Sandbox verification test, one of the
simplest solutions that, can we implement is by configuring and enforcing the policy that will
prevent from our user to use Microsoft office document that includes macro.
In case that now your mind says something like I cannot do it, some of my users must use the
document with macros!
My answer is its your decision; you will need to weigh the business need versus the security
need and make the right decision.

Written by Eyal Doron | o365info.com | Copyright 2012-2016

Page 24 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9

Additional reading
Manage macro setting of office documents

Enable or disable macros in Office documents

Enable or disable macros in Office files
Macro malware
Plan security settings for VBA macros for Office 2013
Plan security settings for VBA macros in Office 2016

Manage Protected View setting of office documents

What is Protected View?

Plan Protected View settings for Office 2013

In the following diagram, we can see a summary of the client side elements that we can use for
dealing with Spoof E-mail attacks and Phishing mail attacks.

Written by Eyal Doron | o365info.com | Copyright 2012-2016

Page 25 of 25 | Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9

The next article in the current article series is

The questions that we will need to answer before we start the project of building a
defense system that will protect us from Spoof mail attacks | Part 7#9

Written by Eyal Doron | o365info.com | Copyright 2012-2016