The role of e-mail
E-mail is the weakest point preferred by cyber attackers to penetrate organizations since they rely on a series of tactics to deceive the user. Besides, e-mail is the most commonly tool used both by corporations and individuals for all kinds of communications.
Through e-mail, users can download malicious attachments or click on links that lead to sites that infect their workstations
The two leading vectors of e-mail attack, ransomware and spear-phishing according to a SANS Institute survey, require that the user click on “something” to get infected or to reveal confidential information, make a bank transfer or a wrong payment.
The problem for network administrators
Corporate e-mail administrators have to ask themselves a series of questions to ensure their users’ safety:
– Do I have a comprehensive e-mail security solution (SEG Secure e-mail gateway) that protects users from malware, ransomware, spearphishing, fraudulent identity appropriation, etc.?
– How can I train my users so they are not fooled by e-mails, such as spear-phishing, that manage to pass through perimeter protection?
In both cases, it is not only necessary to have a prevention strategy, but also a contingency plan for when incidents occur, known as IR (Incident Response).
Recently, one of the threats that has most widely spread as a consequence of infected attachments is ransomware or encryptors. These can be Word files with macros that carry malware, which encrypts the contents of the hard drive or any file accessible by the network, and then request a rescue in the form of bitcoins.
It is important to configure Microsoft Office to enable “Protected View” by default in the “Trust Center Settings” to prevent macros from running.
Ransomware usually gain access following a “drive-by” download attack, which happens when the user clicks on a seemingly innocuous link and is taken to a website that hosts an exploit kit, like Angler, that scans the browser for vulnerabilities. The malicious software usually searches for these vulnerabilities in older versions of Adobe Flash, Internet Explorer or Java Runtime.
One of the main entry points is e-mail, as cybercriminals carry out spam campaigns and “malvertising” (malware as part of online advertisements) that entice users to click on a link that redirects them to corrupt sites that infect their computer systems with Angler exploit kit, which carries malware and ransomware.
These websites, or landing pages, that support Angler are usually random subdomains created, redirected and destroyed in just a few hours, so detecting them as infected landing pages is challenging. This strategy is accomplished through hacked system accounts where domains are registered or managed, such as GoDaddy (DNS Shadowing).
Not only Windows PCs
These malicious downloads can infect not only Windows PCs, but also Mac, Android, and even SmarTVs. The user receives a message on the screen with a warning that the user must pay a ransom in order to receive the steps and a private key to recover the user’s files.
Attackers’ favorite targets, however, are PCs or laptops with Windows, given their popularity and extensive use by corporations.
Another threat that has been causing damage is spear-phishing, which is directed at specific individuals in an organization that have access to bank passwords or human resources information.
This attack, which is not done on a large scale and thus generally goes undetected by the SEGs, consists of impersonating the identity of the sender of an e-mail so that it seems to come from within the organization.
Usually, the e-mail involves a request for a bank transfer or for a list with personnel information.
The first protection measure against ransomware is to train users in exhaustive verification of e-mails and websites as to enable them to detect potential malicious content, given that these e-mails or links convince or persuade the user to make a mistake and click on dangerous content.
However, the focus should not only be on informing users about “social engineering” tactics that make users “take the bait”, but also on training them to read and detect bad domains in e-mail addresses and URLs that maliciously display words with changed, added, or removed letters to seem like a known domain.
Users must also get into the habit of regularly backing up their personal workstations, as Network Administrators only backup shared network drives.
These user-made backups of personal data, once performed, must be taken offline, for example on flash drives or external disks, which then must be disconnected from the network.
Uses should not trust automatic generation of shadow volumes through vssadmin.exe in Windows since ransomwares like CryptoLocker use that command precisely to delete all “Shadow Volume Copies” before encrypting files.
Licenses and patches
Corporate network administrators must ensure that end users have antivirus licenses on their workstations as well as the latest security updates for the operating system and applications. The latter should constitute a policy known as “aggressive patching“, which consists of performing the application of security patches as early as possible even though it affects users’ normal work flow, and to “search for it” if “zero-day” vulnerabilities appear.
A good policy is to subscribe to security e-mail lists, and to regularly search Google for terms such as “zero-day code-execution vulnerability in Microsoft Office” to get familiarized with the concept as early as possible.
Malware that infects PCs (e.g. keyloggers) and steals access credentials of programs such as Microsoft Outlook is a dangerous source of spear-phishing as it takes control of calendars and e-mails.
Another common task of Network Administrators consists in refraining from granting read/write permissions on an equal basis to all users of shared disks, and, instead, differentiating files and directories that are read-only or restricted-access, which ensures that such content is out of reach of malware in general.
The use of Group Policy to prevent the execution of programs in the % APPDATA% and % TEMP% directories should be taken with caution so as not to block the installation of legitimate programs. While these restrictions would block CryptoLocker and other ransomware, the solution is applicable only where users cannot make modifications to their workstation and have all programs preinstalled.
Users who become the target of a ransomware attack and are asked for ransom can visit the “No more ransom” project website at and try to identify a solution in which there is no need to pay ransom.
Given that ransomware can currently be purchased on Darknet by inexperienced attackers in the form of a service (Malware as a Service), there is a probability that the attack is one whose antidotes are published on this website.
Comprehensive strategy for e-mail
Planisys Avascloud as Secure E-mail Gateway offers comprehensive protection against malwares and ransomwares in general, not only by blocking executable attachments and identifying malicious content in attachments and URLs, but also by identifying real-time attacker IPs on the Planisys’ network infrastructure and cloud.
To protect against spear-phishing, which is the most feared form of deception in the financial and human resources departments of corporations, and considering that these messages target specific individuals, a comprehensive E-mail Security Monitoring, such as the one offered by Planisys Avascloud, is needed.
This solution is designed to, among other things, prevent that e-mails from the same domain but originating from malicious external IPs reach the company. To accomplish this, Avascloud is applied to incoming and outgoing traffic, integration with Microsoft ActiveDirectory or Zimbra is carried out, and DNS settings are strictly controlled.
Avascloud’s strategy allows for the identification of dangerous networks in real time as well as the detection of Internet abuse of domain and trademark by third parties who send e-mails using the customer’s domain.
E-mail account protection
For those cases in which access to e-mail accounts is allowed using the Internet on laptops and cell phones without a VPN through IMAP or POP3, protection must be provided to prevent hackers from stealing keys and using the accounts to create spear-phishing or spread malware.
Planisys Avascloud provides perimeter security, which detects attempts to test possible combinations of security keys to crack accounts, identifies malicious IPs associated with the location where the attempt originates and blocks them. The service also allows forcing IMAP and POP3 encrypted with SSL / TLS to prevent that security keys and texts of e-mails are read by third parties e.g. in Wi-Fi networks.
Corporate e-mail administrators must also ensure, through the right tools, that users are not using easy-to-guess passwords. For this, administrators may have to resort to Pentesting tools, such as https://github.com/ins1gn1a/pwdlyser, or conduct Google searches for “password analyzer” or directly hire external Pentesting.
One of the most common sources of spam generation and malware propagation is cyberattackers’ use of MS-Exchange as an amplifier of bounce messages or NDRs (Non-Delivery-Reports) addressed as Reply-To or Errors-To to the recipients of the bounces that contain the malware.
These attacks, in turn, can be DDoS (Distributed Denial of Service) by performing dictionary attacks (username- and password-combination tests) directly on MS-Exchange and forcing it to generate huge amounts of bounces.
Planisys Avascloud’s perimeter security, when integrated with the client’s ActiveDirectory, prevents the generation of backscattering attacks, and facilitates real-time detection and blocking of attacking IPs.
Internal propagation of malwares
In cases in which an internal PC has been infected, e.g. by having accessed a malicious website, and malware begins to attempt to spread via outgoing e-mail, a solution must be in place to limit the number of messages a sender can send, apply anti-virus and outbound anti-spam, and ensure that the sender is valid for those cases where the bot generates random senders.
Planisys Avascloud offers such protection against Outbreaks as part of its comprehensive solution as well as real-time monitoring to alert users and administrators when their senders are being used to spread spam, or to discard e-mails from non-existent users in MS-Exchange or Zimbra.
A common corporate practice that hampers e-mail security strategy is mass mailings of e-mail marketing and even transactional e-mails from MS-Exchange. These can confused with Outbreaks, and thus must have other content such as opening lines, conversions, etc. to differentiate them.
Another problem of merging corporate e-mail with e-mail marketing and transactional e-mail is the deliverability or blacklisting of outgoing IPs, which hurts the domain’s and IP’s reputation in general, and therefore affects the delivery of individual e-mails.
To prevent this, a specialized e-mail marketing and transactional product must be used to allow users to send e-mails from outside MS-Exchange itself, and use APIs for transactional mailings, such as vouchers, notices and invoices.
Planisys has an e-mail marketing and transactional product called DMDS (Data Mining and Delivery Services). For more information, visit http://www.planisys.com/dmds.
Lastly, the DNS
A crucial part of this e-mail security strategy is the configuration and monitoring of domains in the DNS, which is the basis on which the whole operation of e-mail and the Internet in general is based.
Planisys also provides its PDNS product, which includes anycast and unicast authoritative servers, as well as a graphical interface, support for hybrid configurations, and DNSSEC.
For more information, visit https://avas.planisys.net.