Our friend and veteran cybersecurity journalist Sean Michael Kerner recently authored an article for Infosecurity Magazine recapping a Black Hat USA session on email security. The session, “How to detect that your domains are being abused for phishing attacks using DNS,” was led by Karl Lovink, the technical lead for the Dutch Tax and Customs Administration (DTCA) and Arnold Holzel, one of its InfoSec consultants.

According to Kerner, the main objective of the session was to showcase how the administration uses “standards and techniques” to combat an onslaught of email phishing attacks as quickly as possible and without “impacting business operations.” A very timely and relevant topic when considering 90% of all cyberattacks continue to begin with email phishing.

Specifically, Lovnik and Holzel talked about a variety of both well-known and under-the-radar authentication and encryption protocols that the DTCA complies with in order to thwart email spoofing attacks, a specific type of phishing attack absent of a malicious payload.

Examples of the anti-phishing protocols and standards discussed included:

  • STARTTLS Protocol Command - A cryptographic protocol issued by the email client to upgrade insecure connections.
  • DNS-Based Authentication of Name Entities (DANE) - A security protocol that allows digital certificates to be bound to domain names.
  • Mail Transfer Agent Strict Transport Security (MTA-STS) - An SMTP security standard that lets domains join a transport layer security mode that requires authorization.
  • Sender Policy Framework (SPF) - An anti-spam email authentication protocol.
  • DomainKeys Identified Mail (DKIM) - An email authentication protocol designed to detected malicious and fake email addressee

Also referenced was Domain-based Authentication, Reporting and Conformance (DMARC), an email authentication, policy, and reporting protocol, which we have written about and debunked as an email security solution extensively.

To their credit, Lovnik and Holzel did note that, “overall there are some configuration complexities in some cases with each of the standards, but it's important for organizations to implement them to improve email security.” But what they failed to mention is that the limitations of email security authentication and encryption protocols and standards make it merely one piece to a much larger email protection puzzle.

Revisiting the limitations of email security protocols & standards

The biggest deficiency in Lovnik and Holzel’s presentation is their failure to mention that protocols and standards do not prevent against phishing attacks when attackers purchase a domain. While protocols can be effective at reducing risk from exact domain spoofing, they are not built to stop exact sender name and similar sender name impersonations; and look alike (aka cousin domain spoofing) attacks, which impersonate not just an email but the actual domain itself.

As a reminder, the most common types of email spoofing attacks are:

  • Exact sender name impersonations (73.5%) - When an email is sent masquerading as coming from a trusted source, such as a colleague.
    1. Example: SteveJobs@techcompanyxyz.com
  • Similar sender name impersonations (24%) - When an email is sent masquerading as coming from a trusted source, such as a colleague, with minor obfuscations.
    1. Example: SteveJabs@techcompanyxyz.com
  • Look alike/cousin domain spoofing (2%) - When an email is sent from a similar domain, in which attackers register the domain to set the right authentication records in the DNS.
    1. Example: SteveJobs@aapple.com
  • Exact domain spoofs (.5%) - When an email is sent from a fraudulent domain that matches exactly to the spoofed brand’s domain.
    1. Example: SteveJobs@apple.com

According to proprietary IRONCALES research from earlier this year, exact domain spoofs and cousin domain spoofs only account for 2-3% of all email phishing attacks. But such attacks are often the ones initiated by more sophisticated and well-funded adversaries. Such attack techniques are also not only immune to protocols and standards, but their lack of a malicious payload makes them all but invisible to secure email gateways.

For example, if an attacker purchased the domain www.paypaI.io (using a capital I instead of an L), and built out various email addresses to launch a series of attacks from, no signatures, standards or protocols would immediately identify messages coming from this domain as malicious - as it is yet to be associated with a negative reputation. And without suspicious DNS activity or malicious signatures, such as links and attachments, the phishing attack would easily bypass most traditional email security solutions and all protocols to lure clicks.

Holistic email security requires fingerprinting technology to see and act

While adherence to email security standards and protocols is not without benefits, it is important for businesses and government agencies to understand that adoption is just one risk mitigation factor within the complex email protection puzzle. Email security protocols such as DMARC serves to protect companies and brands domains from being used in phishing attacks, DMARC is traditionally an outbound protection protocol and does not serve as comprehensive inbound protection against other impersonation and spoofing tactics as mentioned in our proprietary research.

IRONSCALES hybrid human intelligence (HI) and machine learning (AI) solution works in real-time to answer a simple, yet very complicated question: Who is sending what? Our fingerprinting technology determines the sender’s true identity and the content/context of the communication to authenticate messages, automatically flagging suspicious emails to help end-users make smarter and quicker decisions regarding suspicious emails within the mailbox.

For comprehensive email protection, IRONSCALES inside-out approach to anti-phishing technology starts from the individual mailbox (or thousands of them) and works in the other direction, covering the full spectrum of phishing challenges, both technical and non-technical, from bot-driven malware to social engineering (BEC, impersonation) to gamified awareness training. The technology is comprehensive in focus, but complementary to other tools. It assumes that a purely “prevention” strategy is not possible in today’s email threat landscape, and that organizations should assume that they will be compromised and focus on additional capabilities to detect and respond to breaches.

Learn more about IRONSCALES advanced phishing threat protection platform.

Eyal Benishti
Post by Eyal Benishti
August 16, 2019