Evil in the inbox

Published 10:55 pm Thursday, March 28, 2019

By Greg Price

Email continues to dominate our lives. Whether we’re discussing everyday life or business environments, email reigns supreme on the communication and collaboration fronts.

Yet, after decades of email use and billions of active accounts, why do we continue to struggle with email security?


I wish I could offer that email security is improving or that the assault on email is weakening. However, email is being attacked more than ever.

One of the core issues with email security is the widespread use of the tool: it’s been around for a long time and it’s very popular. Therefore, if you’re going to attack a person or organization, you pursue commonly used tools and exploit their weaknesses. The documentation associated with email software, whether the client tools, the servers, or the traffic itself, is easily located. Use your favorite search engine and within a few moments you will locate a primer on the basics of email architecture.

As I’ve mentioned before, one of the chief objectives of the would-be bad guy is to gain access to the “inside” of a network or computing environment. Once inside, access to the desirable systems and information is often eased by a lack of internal security mechanisms: most security folks are always worried about the perimeter. Email, by definition, allows for the flow of information between the outside world and inside users. Attacking email makes lots of sense when we consider its vulnerabilities from the perspective of the attacker: email is a well-documented tool, it is popular, and information flows somewhat easily from the outside to the inside (and out).

In particular, among the many issues with email, lack of built-in authentication has presented a tremendous opportunity for evil-doers to impersonate anyone. Sophistication among cybercriminals is growing – email is a rich target.

One of the confusing issues about email threats is the oversimplification of all attacks into whichever buzzword happens to be trendy at the time. Nowadays, we hear about Phishing – the practice of sending fraudulent messages with bad intentions. But not all the evil in your inbox is Phishing. Other problems lurk.

At the top of the heap, we have two types of senders: imposters and authentic. All of your email arrives from the actual sender or from someone who isn’t who they appear to be.

If we examine how evil-doers make use of authentic senders, we are presented with two divisions.

One division is a real, legitimate account whose credentials have been compromised. In other words, you receive a fraudulent email from the person or company in the manner that you expect. This particular type of attack is the holy grail for bad guys: the trust relationship exists and most attempts to unmask the impersonator fail. When a cybercriminal sends targeted email messages from an account that is compromised, they assume the identity and email account of the impersonated company or person – this threat is the most feared among security practitioners.

We are nearly defenseless against these types of attacks. Our training materials instruct users to watch out for bad, to anticipate forgery. Our tools seek anomalies in the email construction. Nearly all of those defenses fail if a legitimate account is used. In order to combat these types of attacks, we must rely on the end-user. Be critical, be observant. If the email message exhibits urgency for a response, or seeks information that is inconsistent with the person or firm, discount the message and do not reply.

The second component of the real account threat is the authentic account owner. Often, we refer to this as an insider attack. A friend or employee, driven by whatever motive, decides to take advantage of an assigned authentic email account and do bad. There is no defense to this action. Unfortunately, the most common appearance of credential or account abuse, the insider threat, is rogue IT employees. My suggestion for battling these types of encounters is to challenge. Confront the requester and ask why they seek certain types of information or action. If the answer isn’t suitable, inquire with others.

The imposter attacks complete the sender classifications.

Among the imposter division, we witness many of the annoyances that we encounter on a near daily basis. Spoofing, look-alike and display deception attacks highlight the tactics in this division. All are equally effective, seeking to use email volume and slight changes to fool the recipient.

Spoofing and look-alike attacks are a clever way of impersonating an email account. The bad guys register a domain name that is very similar to the legitimate domain they are trying to impersonate. As an example, if a real company’s domain name is company.com, perhaps the would-be bad guys register companyy.com and send email from the slightly different domain name. They can send email messages with copies of company logos and duplicate the real company’s content, all from a domain that looks very similar. Similarly, with email spoofing, the bad guys forge the email header so that the message appears to originate from someone or somewhere other than the true source.

Spoofing and look-alike attacks trick the recipients into opening and responding due to the perceived legitimacy of the sender or source.

Lastly, display deception occurs when the evil-doer inserts the name of the impersonated person or company into the “From” field within a free email platform. These types of attacks occur less frequently nowadays, but when employed, they can fool the recipient.

So, what is there to do?

As an end-user, you are the best line of defense. Pay attention to the From name, the Reply-to name; if the names are misspelled or only part of the address appears to be correct, treat it as suspicious. Additionally, if an urgent response is requested and the request is associated with sensitive information, double-check the source with a phone call, or if the person is nearby, a nice walk could be the difference between disaster and a slight delay.
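The checks recommended above, as an added Python example that is not part of the original column: it parses the From and Reply-To headers of constructed sample messages and flags a look-alike domain (such as companyy.com standing in for company.com), a display name that claims a legitimate identity while the address lives elsewhere, and a Reply-To that diverts replies to another domain. The list of legitimate domains and the sample messages are assumptions made for the example.

```python
import email
from email.utils import parseaddr

# Domains we treat as legitimate (an assumption for this example)
LEGIT_DOMAINS = {"company.com"}

def edit_distance(a, b):
    """Levenshtein distance; a one- or two-character difference is the look-alike pattern."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def assess_headers(raw):
    """Return findings for the sender checks: look-alike domain, display deception, Reply-To."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    findings = []
    for legit in LEGIT_DOMAINS:
        # Look-alike: sending domain differs from a legitimate one by only a character or two
        if from_dom != legit and edit_distance(from_dom, legit) <= 2:
            findings.append(f"look-alike domain: {from_dom} resembles {legit}")
        # Display deception: the From name claims the legitimate identity, the address does not
        claimed = from_name.lower()
        if from_dom != legit and (legit in claimed or legit.split(".")[0] in claimed):
            findings.append(f"display deception: name '{from_name}' but address at {from_dom}")
    # A Reply-To at a different domain silently diverts the conversation
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"reply-to mismatch: replies go to {domain_of(reply_addr)}")
    return findings

# Constructed sample messages (not real mail, not from the column)
LOOKALIKE_MSG = "From: Accounts Payable <ap@companyy.com>\nSubject: Urgent wire\n\nPlease pay today.\n"
DISPLAY_MSG = ('From: "ceo@company.com" <ceo.office@freemail.example>\n'
               "Reply-To: ceo.office@anothermail.example\nSubject: Quick favor\n\nAre you at your desk?\n")
CLEAN_MSG = "From: Jane Doe <jane@company.com>\nSubject: Lunch\n\nNoon?\n"

if __name__ == "__main__":
    for label, raw in [("look-alike", LOOKALIKE_MSG), ("display", DISPLAY_MSG), ("clean", CLEAN_MSG)]:
        print(label, assess_headers(raw) or ["no findings"])
```

A mail filter would run the same checks on every inbound message and route anything with findings to a quarantine or a warning banner rather than to the user's inbox.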

Be safe.