
Page 1 of 22 | Why our mail system is exposed to Spoof and Phishing mail attacks | Part 5#9

Why our mail system is exposed to Spoof and Phishing mail attacks | Part 5#9

Let's start with a declaration about a strange phenomenon: Spoof mail attacks and Phishing mail attacks are well-known attacks, and are considered popular attacks among hostile elements.
Most existing organizations do not have effective defense mechanisms against these attacks, and there is a high chance that at some point your organization will experience the bitter taste of a Spoofing or Phishing attack!
In other words, most organizations are exposed to Spoof and Phishing mail attacks, and it's only a matter of when.
Dealing with Spoof and Phishing mail attacks | Article Series - Table of content
So the most obvious questions could be:

Written by Eyal Doron | o365info.com | Copyright 2012-2016

1. Is this statement correct?
2. And if this statement is correct, how can it be that no one pays attention to this problem and acts accordingly?

In the current article, I would like to give you some food for thought regarding this strange phenomenon, in which we prefer to ignore the danger of Spoof mail attacks and Phishing mail attacks, close our eyes, and continue to declare that we are doing our best to protect our mail infrastructure!

The Common Misconception That Causes Us To Ignore The Threat Of Spoof Mail Attack And Phishing Mail Attacks
1. It will not happen to me.
From time to time, we read a story about a company that was attacked by a Phishing mail, such as the sad story of a CEO who was lured into transferring a large amount of money to the attacker's bank account, but we don't really believe that it will happen to us.
My answer is that it's not a matter of if, but only a matter of when.
Most of the chances are that your organization will experience Spoof E-mail attacks and Phishing mail attacks at some point.

2. Too much on my mind
Every average IT member or IT manager experiences the feeling of having too much on their mind. Every day brings new challenges and new crises.
"I know that the subject of Spoof mail attacks and Phishing mail attacks is important, but I have more critical issues that I need to take care of at the moment."
The little secret is that you will probably never have the required time!
If you do not find the required time, the next Spoof mail attack or Phishing mail attack will find you unprepared, and the result can be very critical!
Only when you acknowledge the importance of this risk will you make the time.

3. My organization is well protected from Spoof mail and Phishing mail attacks.
All of us have a strong need to believe that someone is watching over us and will protect us when it is needed.
This is a very basic human need.


When relating to the risk of Spoof E-mail attacks and Phishing mail attacks, most of the time we prefer not to be realistic.
Instead, we prefer to cling to the general thought that "they" (my IT, my mail provider and so on) are doing what they know to do, and that they are doing whatever it takes to protect our organization from Spoof E-mail attacks and Phishing mail attacks.
The reality is much more complicated!
Most of the time, the IT team doesn't include a professional authority who specializes in mail security, who knows the unique threats that relate to a modern mail infrastructure, the specific characteristics of Spoof mail attacks and Phishing mail attacks, the available solutions, and so on.
Hosted mail infrastructure such as Office 365 (Exchange Online) | My mail infrastructure is automatically protected!
In a scenario in which your mail infrastructure is hosted at an external mail provider such as Office 365 (Exchange Online), this incorrect assumption manifests most strongly.
Most mail providers, such as Office 365, have all the required tools and infrastructure for dealing with and preventing Spoof E-mail attacks and Phishing mail attacks.
The little thing that we are not aware of is the simple fact that these defense mechanisms are not activated by default. Instead, they are just sitting there, waiting for us to use them!

The main reason that these defense mechanisms are not activated automatically is that they can accidentally intercept legitimate E-mail (a false positive).
The important thing that most of us are not aware of is that the responsibility to use the existing defense mechanisms is ours!
For example, when relating to the subject of Spoof mail attacks, Exchange Online supports the three mail standards that implement sender verification (SPF, DKIM and DMARC), and additionally supports creating an Exchange transport rule that will identify events of Spoof mail attack, for example by acting on the sender verification result that Exchange Online stamps on each incoming message.
The responsibility for knowing the specific characteristics of each of these sender verification standards, the required configuration settings for each standard, and how to configure the adjustments that suit our specific organization's needs, is ours!

What Is The Weakness That The Hostile Element Exploits When Using Spoof Mail Attack And Phishing Mail Attacks?
The base for Spoof mail attack and Phishing mail attacks, relies on two major weaknesses:
1. The SMTP protocol weakness
2. The Human factor weakness

Spoof E-mail attack and SMTP as an innocent protocol
When we hear about or experience a Spoof E-mail attack, the first question that can appear in our mind could be:
Q1: Why don't mail servers know how to protect themselves from Spoof E-mail attacks and Phishing mail attacks?
A1: The simple answer is that the creators of the SMTP protocol didn't address the issue of mail security and instead concentrated on creating a mail protocol that would deliver an E-mail message from point A to point B effectively and reliably.
The issue of mail security was neglected because at that time, the popularity of the SMTP protocol was not so great, and the use of the SMTP protocol was not so common.
In a standard mail communication that involves two parties, the SMTP protocol is based on the concept in which the destination mail server (side B) believes the identity (E-mail address) that the sender (side A) provides, both in the SMTP envelope (the MAIL FROM command) and in the From header that the user sees.
The sender (side A) doesn't need to prove his identity!
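To make this concrete, here is an added example (written for this page, not code from the original article or from any mail product) of a toy receiving server that behaves exactly as described: it checks only that the recipient mailbox exists, and trusts whatever identity the sender asserts in MAIL FROM and in the From: header. The domains, addresses and the session transcript are constructed for illustration, and the envelope/header mismatch check at the end is the kind of check a later spoof-detection rule would make, which this naive server never does.

```python
"""Toy SMTP receiver illustrating the trust model of plain SMTP.
Added example, not from the original article. All names, addresses and
the session below are constructed for illustration."""

from email import message_from_string

# Hypothetical mailboxes hosted by "our" server (assumption).
LOCAL_MAILBOXES = {"ceo@example.com", "finance@example.com"}


def naive_smtp_receive(session_lines):
    """Process an SMTP command sequence the way an unauthenticated receiving
    server does: accept any MAIL FROM, check only that the recipient is
    local, and store the DATA body verbatim.
    Returns the accepted envelope, the parsed From: header and the reply
    codes sent, or None if no local recipient was accepted."""
    replies, recipients, body_lines = [], [], []
    envelope_from = None
    in_data = False
    for line in session_lines:
        if in_data:
            if line == ".":
                in_data = False
                replies.append("250 OK: queued")
            else:
                body_lines.append(line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            replies.append("250 mail.example.com")  # the HELO name is not verified
        elif verb == "MAIL":
            envelope_from = arg.split(":", 1)[1].strip("<> ")
            replies.append("250 OK")  # the asserted sender is never verified
        elif verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip("<> ")
            if rcpt in LOCAL_MAILBOXES:  # the only check this server makes
                recipients.append(rcpt)
                replies.append("250 OK")
            else:
                replies.append("550 No such user")
        elif verb == "DATA":
            in_data = True
            replies.append("354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            replies.append("221 Bye")
    if not recipients or envelope_from is None:
        return None
    msg = message_from_string("\n".join(body_lines))
    return {"envelope_from": envelope_from, "recipients": recipients,
            "header_from": msg["From"], "replies": replies}


# Constructed session: the attacker connects from their own server, asserts
# an envelope sender in a third-party domain and a From: header that
# impersonates our CEO. Nothing in the dialog asks for proof of identity.
SPOOFED_SESSION = [
    "EHLO attacker.example.net",
    "MAIL FROM:<billing@attacker.example.net>",
    "RCPT TO:<finance@example.com>",
    "DATA",
    'From: "CEO" <ceo@example.com>',
    "To: finance@example.com",
    "Subject: Urgent wire transfer",
    "",
    "Please transfer the attached invoice amount today.",
    ".",
    "QUIT",
]


def envelope_header_mismatch(result):
    """True when the MAIL FROM domain differs from the From: header domain.
    This is the discrepancy a spoof-detection rule keys on; the naive
    server above accepts the message without ever looking at it."""
    env_domain = result["envelope_from"].rsplit("@", 1)[-1].lower()
    hdr = result["header_from"]
    hdr_addr = hdr[hdr.rfind("<") + 1:hdr.rfind(">")] if "<" in hdr else hdr
    return env_domain != hdr_addr.rsplit("@", 1)[-1].lower()


if __name__ == "__main__":
    accepted = naive_smtp_receive(SPOOFED_SESSION)
    print(accepted["replies"])
    print("accepted From:", accepted["header_from"],
          "| envelope/header mismatch:", envelope_header_mismatch(accepted))
```

Every reply in the transcript is a success code: the server says "250 OK" to a MAIL FROM it cannot check and queues a message whose From: claims to be our CEO. The mismatch function shows the only signal available to the receiver, and it is exactly the signal that SPF, DKIM and DMARC were later created to act upon.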

Phishing mail attack and we as human beings

Regarding Phishing mail attacks, the base for this attack is the ability to exploit the thing that makes us human.
Q1: Why is it so hard to deal with Phishing mail attacks? Or, why do so many people fall prey to Phishing mail attacks?
A1:
The standard Phishing mail attack is based on two parts that exploit human character:
The Phishing mail attack starts with the trust part, in which the hostile element uses the E-mail address of someone we trust, or an E-mail address that makes the E-mail message look as if it was sent from a respectable and trusted source.
The sender trust part relies on the innocence of the SMTP protocol, which doesn't include a built-in mechanism for verifying the identity of the other side.
The second part of the Phishing mail attack is based on the content that appears in the E-mail message.
As in the famous Michael Jackson song "Human Nature", the hostile element that executes the Phishing mail attack is aware of the different human buttons that can be pushed and manipulated.
The Phishing mail content is designed to address a common human trait such as pity, fear, greed, curiosity and so on.
The attacker addresses one of these human failings to manipulate the victim into doing something, such as opening a specific file (malware) or clicking on a specific link in the Phishing mail that will lead the victim to a Phishing website.


The Awakening Of Our Awareness Of The Problem Of Spoof Mail Attack And Phishing Mail Attacks | Additional Obstacles
Let's assume that you agree that Spoof mail attacks and Phishing mail attacks constitute a great risk to your organization, and that you are willing to make the effort and take this threat seriously.
In this section, I would like to review additional obstacles that may appear along the way.
To be able to start handling the Spoof mail attack and Phishing mail attack threat, you will need to overcome these obstacles.


1. The fear of doing something that will harm the organization's mail flow.
Let's talk about the most prominent obstacle: the fear of a scenario in which the solution that we implement will damage the normal mail flow.
This is the false positive scenario, in which a legitimate E-mail that was sent to our users is mistakenly identified as Spoof E-mail or Phishing mail and, for this reason, is blocked or deleted by the specific Spoof E-mail protection mechanism that we use.


When implementing a security mechanism that deals with Spoof E-mail, we face two problematic scenarios:
Incoming mail
In a standard mail flow, we welcome every E-mail message that is sent to one of our users, as long as the destination recipient exists. In other words, we don't care about the element that originates the E-mail message (the sender); instead, the mail server that represents our organization is only responsible for verifying the information about the destination recipient (that it hosts the mailbox of the destination recipient).
When we implement a defense mechanism that should protect us from Spoof mail attacks, we can compare it to placing a guard at the entrance to our base (our mail infrastructure).
Versus a scenario in which every guest is welcome to enter our perimeter, when we enforce sender verification we implement a process in which we try to verify the identity of each entity that wants to enter our base.
When we use this additional layer of security, there is a reasonable chance that we will experience a false positive.
In this scenario, some of our legitimate guests will not be allowed to enter our base and will be rejected, because they do not have the required proof of their identity, or because of a technical problem that relates to the proof of their identity (their E-mail message will be rejected).

Outgoing mail
The other aspect of implementing a sender verification mechanism is the ability to stamp the legitimate E-mail messages sent by our legitimate users, so that the other side will be able to verify our identity and differentiate our legitimate senders from E-mail messages sent by hostile elements that spoof our organizational identity.
The problem of false positives also appears in the scenario of outgoing mail flow, meaning an E-mail message that is sent by our users to external destination recipients.
In a complex mail infrastructure, the ability to stamp all of the E-mail messages that are sent from our mail infrastructure, fully and properly, is quite a challenging task!
In case we don't manage to correctly stamp each E-mail message that uses our organizational identity (E-mail messages in which the sender uses our domain name), a legitimate E-mail message that is sent by our users could be rejected by the other mail infrastructure.
2. Fear of hurting business activity
Every implementation of any security mechanism will probably cause some disruption to business activity, at least in the first phase of adoption and assimilation.
The fear of this anticipated disruption leads us to the attitude of "don't rock the boat!" Alternatively, "if no one has complained until now, I guess everything is OK!"
The false sense that if, until now, everything was fine, then in the future everything will be fine, will eventually explode in our face.
In other words: "If you can't stand the heat, get out of the kitchen."

3. The resources issue
To be able to clearly understand the enemy, we will need to ask (and answer) many questions, such as:
How does the enemy think and function?
What is the vulnerability of your mail infrastructure?
What are the possible solutions for the existing mail infrastructure vulnerability?
What is the difference between the different solutions, such as SPF, DKIM and DMARC?

You will need patience and the willingness to devote the time required to read and internalize the information.
4. The vanity syndrome
The fact that you are a veteran IT professional doesn't mean that you are a security professional, and doesn't mean that you are familiar with the existing risks that threaten your mail environment and the possible solutions to these risks.
5. The fear of the unknown syndrome
Like any unknown territory, the mail security standards territory is unknown territory for most of us.
In the process of implementing a specific solution to the problem of Spoof E-mail attacks and Phishing mail attacks, you will certainly encounter many questions and problems.
It's OK; this is expected as part of the process.

6. The need for simplicity syndrome
Most of the time, we are looking for a simple solution and try to avoid the need to understand and implement complex solutions.
The simple answer is: there is no simple solution for the task of dealing with Spoof E-mail attacks and Phishing mail attacks.

7. The military approach syndrome
This is one of the noticeable features of many managers.
The subtext of this approach is "I don't care how, just make it work!"
Well, we can make it work, but only if management is committed to the process and is willing to allocate the required resources for the implementation of the possible solutions.

Why Is There No Simple Solution For The Problem Of Spoof E-Mail Attacks And Phishing Mail Attacks?
The simple answer is that the Phishing mail attack is not simple!
The Phishing mail attack is a sophisticated attack that combines a couple of attacks, each of which we will have to deal with separately.
In addition, dealing with the infrastructure part of the Phishing mail attack, the Spoof mail attack, is not so simple either!


The common confusion between Spoof mail attacks and Phishing mail attacks
A very important observation that I would like to mention regarding the task of dealing with Spoof E-mail attacks and Phishing mail attacks is that we should distinguish Spoof mail attacks from Phishing mail attacks.
Each type of attack has different characteristics and, for this reason, needs a different type of solution.
Most Phishing mail attacks use a Spoof mail attack in the initial phase of the attack.
For this reason, it's reasonable to assume that if we identify and block Spoof E-mail, the derivative will be blocking the Phishing mail attack.
However, the important thing is that we cannot build our defense infrastructure based on this assumption, for a couple of reasons:
1. Not all Phishing mail attacks use the option of spoofing the sender identity. There is a reasonable chance that a Phishing mail attack will use just a standard E-mail address from a well-known mail provider such as Gmail, Hotmail or Yahoo (often with a display name that imitates a trusted sender); such a message passes every sender verification check, because the sender really is who the address says.
2. It's very reasonable to assume that even when we use some protection mechanism to identify Spoof mail attacks, we will not be able to identify and block 100% of the Spoof mail attacks.
Note: another aspect of Phishing attacks is that not all Phishing attacks are Phishing mail attacks. It's true that most Phishing attacks are executed via the mail channel, but some Phishing attacks can be executed by using a phone call or an SMS, via a message sent to instant messaging users, via a message sent to social-network users, and so on.

What are the challenges that we need to face when we want to fight Spoof E-mail attacks?
Regarding our ability to protect our mail infrastructure from Spoof mail attacks, there are a couple of well-known mail standards that were created to complete the missing part of the SMTP protocol, meaning the ability to verify the sender identity.
Along the current article series, we will review in detail the different sender verification mail standards such as SPF, DKIM and DMARC, and other optional solutions, such as solutions that we can implement in an Exchange-based environment.


If you think you can sit back, relax and drink a refreshing cocktail because you found the perfect solution to all the Spoof E-mail problems, you are wrong!
It's true that there are standards and solutions that were created for dealing with the phenomenon of Spoof E-mail, but these solutions are very far from perfect.
1. The implementation of the sender identification mechanisms is not so simple.
Each of the different standards has advantages, disadvantages and blind spots.
The implementation of these standards is not so simple, and requires a preliminary assessment, planning and constant follow-up.
For example, at the current time, we can mention three mail standards that were created for dealing with the need to verify the sender identity.
Each of these standards uses a different method for verifying the sender identity, and each of them requires different preparations and configuration settings.
The implementation of these standards (sender verification standards) becomes quite complicated and challenging in a complex mail environment that includes many mail servers, many sites, etc.

A standard such as SPF is considered easy to adopt, but it has a built-in blind spot that a hostile element can exploit to bypass the existing SPF wall: SPF verifies the domain of the envelope sender (the SMTP MAIL FROM address), not the From address that the user actually sees, so an attacker can send from a domain whose SPF record they control and still display our address in the From header.
The DKIM standard can provide good protection, but because the solution is based on public-key cryptography (a private signing key on the sending side, a public key published in DNS, digital signatures and so on), it's not so easy to implement this standard in a compound mail environment that includes many different entities that send mail on behalf of the organization.
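The following is an added example (not code from the article, from Microsoft, or from any SPF/DKIM/DMARC library) that models in a few dozen lines of Python how the three sender verification standards mentioned earlier in this article fit together, and makes the SPF blind spot just described visible: a message can pass SPF on the attacker's own envelope domain, and only the DMARC alignment check, which ties the verified identifier back to the From header, catches it. The DNS zone data, IP addresses and messages are constructed; the SPF evaluator handles only the ip4, include and all mechanisms; the DKIM check is represented by the verifier's already-computed result rather than a real signature verification; and the organizational-domain rule is a simplified two-label assumption instead of the Public Suffix List.

```python
"""Minimal SPF / DKIM-alignment / DMARC model. Added example, not from the
original article. All DNS data, addresses and messages are constructed."""

import ipaddress

# Constructed DNS TXT data (assumption: what a receiving server would look
# up). example.com is "our" domain; attacker.example.net belongs to the
# hostile element, who publishes a perfectly valid SPF record for it.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 -all",
    "attacker.example.net": "v=spf1 ip4:192.0.2.5 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=r; adkim=r",
}


def spf_check(domain, client_ip, depth=0):
    """Evaluate the SPF record of *domain* for the connecting *client_ip*.
    Returns 'pass', 'fail', 'softfail' or 'none'. Only ip4, include and
    all are modelled; other mechanisms are skipped."""
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(term[8:], client_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "none"}[qualifier]
    return "none"


def org_domain(domain):
    """Organizational domain for relaxed alignment (assumption: last two
    labels; a real implementation consults the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(identifier_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    if mode == "s":
        return identifier_domain.lower() == from_domain.lower()
    return org_domain(identifier_domain) == org_domain(from_domain)


def dmarc_evaluate(msg):
    """msg: dict with header_from, envelope_from, client_ip and dkim, where
    dkim is (d= domain, 'pass'/'fail') from the signature verifier or None.
    Returns the SPF result, the DMARC result and the action the From
    domain's policy requests."""
    from_domain = msg["header_from"].rsplit("@", 1)[-1]
    env_domain = msg["envelope_from"].rsplit("@", 1)[-1]
    spf = spf_check(env_domain, msg["client_ip"])  # SPF looks at MAIL FROM only
    raw = DNS_TXT.get("_dmarc." + from_domain, "").replace(" ", "")
    policy = dict(kv.split("=", 1) for kv in raw.split(";") if "=" in kv)
    if policy.get("v") != "DMARC1":
        return {"spf": spf, "dmarc": "none", "action": "deliver"}
    # The alignment step is what ties the verified identifier back to the
    # From: header the user sees; without it an SPF pass on the attacker's
    # own envelope domain would be taken as a success.
    spf_aligned = spf == "pass" and aligned(env_domain, from_domain, policy.get("aspf", "r"))
    dkim_aligned = False
    if msg.get("dkim"):
        d, result = msg["dkim"]
        dkim_aligned = result == "pass" and aligned(d, from_domain, policy.get("adkim", "r"))
    passed = spf_aligned or dkim_aligned
    return {"spf": spf, "dmarc": "pass" if passed else "fail",
            "action": "deliver" if passed else policy.get("p", "none")}


# Constructed messages. The spoof passes SPF: the envelope sender is the
# attacker's own domain and 192.0.2.5 is listed in its record. Only DMARC
# notices that the user-visible From: belongs to example.com.
SPOOF = {"header_from": "ceo@example.com",
         "envelope_from": "bounce@attacker.example.net",
         "client_ip": "192.0.2.5", "dkim": None}
LEGIT = {"header_from": "ceo@example.com",
         "envelope_from": "ceo@example.com",
         "client_ip": "198.51.100.10", "dkim": ("example.com", "pass")}

if __name__ == "__main__":
    for name, m in (("spoof", SPOOF), ("legit", LEGIT)):
        print(name, dmarc_evaluate(m))
```

Run stand-alone, the spoofed message reports spf=pass but dmarc=fail with action reject, while the legitimate message, relayed through the included mail host and DKIM-signed by example.com, passes both. The same model shows the outgoing-mail problem from earlier in this article: remove a legitimate sending host from the SPF record, or leave a sending system unsigned, and a genuine message evaluates exactly like the spoof.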

2. Not all organizations use a sender identification mechanism.
Another major issue that we should not forget is that the implementation of a complete solution for the problem of Spoof E-mail depends on a logical circuit that includes two sides: the sending mail infrastructure and the receiving (destination) mail infrastructure.


In case our side implements all the required solutions for dealing with the Spoof E-mail phenomenon, but the other side doesn't implement any Spoof E-mail protection solution, the outcome is that any hostile element can use our identity and attack the other side using our organizational identity.


What Are The Challenges That We Need To Face When We Want To Fight Phishing E-Mail Attacks?
Regarding the subject of existing solutions for the problem of Phishing mail attacks, the situation is much poorer compared to the status of Spoof E-mail solutions.
The Phishing mail attack is considered a sophisticated attack. The ability to identify and block Phishing mail attacks is much more complicated than dealing with the Spoof mail attack.


The interesting news is that at the current time, there is no formal standard or well-known protection mechanism that can directly deal with and prevent all the types of Phishing mail attacks.
If you perform a simple search using a query such as "solution for Phishing email attacks", most of the results that appear deal with tips and tricks, guidelines and best practices that instruct users how to avoid or recognize Phishing mail.
The missing part is that these answers and solutions relate to the endpoint, meaning the users, and not to the server side, meaning our mail infrastructure.
The information is not related to a specific technology or standard that can be implemented on the server side.
Some links will lead you to a company that provides services for testing your mail infrastructure (by simulating a Phishing mail attack) and the reaction of your users to Phishing mail attacks, but the painful truth is that there is no tangible standard that promises to protect your mail infrastructure from all Phishing mail attacks.
My answer to the question "Why is there no formal solution to the threat of Phishing mail attacks?" is that the Phishing mail attack is made of different parts.
We cannot relate to the Phishing mail attack as one problem but instead as a collection of problems.
For example:
1. One of the building blocks of the Phishing mail attack is the Spoof mail attack. To be able to successfully deal with a Phishing mail attack, we will need to find a good solution for the problem of Spoof mail attacks, such as implementing the sender verification standards SPF, DKIM, DMARC and so on.
2. One of the building blocks of the Phishing mail attack is infecting the user's desktop with malware (most of the time, smart malware that is injected into legitimate files). To be able to successfully deal with a Phishing mail attack, we will need to find a good solution for the problem of malware, such as sandbox solutions.
3. One of the building blocks of the Phishing mail attack is social engineering. To be able to successfully deal with a Phishing mail attack, we will need to find a good solution for the problem of social engineering, such as guiding and instructing our users about the characteristics of Phishing mail attacks.

Q1: Should I feel despair at the fact that there is no formal solution to the threat of Phishing mail attacks?
A1: No! Although there is no magic button that we can use for dealing with a Phishing mail attack, there are a couple of solutions that we can use, and the combination of these solutions can provide good and effective protection for most Phishing mail attack scenarios.
In the article "Using sender verification for identifying Spoof mail | SPF, DKIM, DMARC, Exchange and Exchange Online | Part 8#9", we will review the list of solutions that we can use.


The next article in the current article series is: Dealing with the threat of Spoof and Phishing mail attacks | Part 6#9
