Ransomware is typically delivered via email, and the healthcare industry in particular is targeted with these types of attacks. A user opens an email attachment and suddenly every file they have access to is encrypted; short of restoring the data from backups, the only answer is to pay a ransom in Bitcoin.
High profile incidents include:
Omaha’s Scoular Co. lost $17 million after spearphishing attack
Ubiquiti Networks says it was victim of $47 Million Cyber Scam
Mattel fought elusive cyber-thieves to get $3M out of China
How the emails trick users:
Mismatched Senders
Every email has two “from” addresses.
The “mail from” field is also referred to as the “envelope” or “P1” address; the “from” field is referred to as the “P2” address.
Spam filtering solutions will look at the P1 address.
So the phishing email is sent with a P1 from a company that publishes a valid SPF record, while the P2 (which is what the user sees in Outlook) appears to be from your organization.
So the message arrives, looks legitimate to your spam solution, and to the user appears to be internal or normal business mail. A user swamped with email may not notice that it’s actually going to the P1 address.
Similar Domain Names
An effort is made to register a domain similar to your own. So when your domain is “Synergy1.com”, the email might come in from the domain “SynergyL.com”; assuming the username portion of the address matches, it takes a keen eye to spot this, and someone has to bother to check. Combined with the trick above, where the P1 is “ceo@Synergy1.com” and the P2 (which the user sees) is “ceo@SynergyL.com”, it’s expecting a lot of users to spot this.
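As an added example (not code from the original article), the following Python script shows how a gateway rule or a triage script could flag both tricks described above: it parses a constructed sample message, compares the envelope (P1) domain recorded in Return-Path with the From header (P2) domain, and checks the From domain against the organization’s own domain for confusable characters such as “1” for “l”. The sample message, the domain “synergy1.com” and the confusable table are assumptions made for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real capture). The envelope sender that the
# receiving MTA recorded in Return-Path ("P1") is a third-party relay, while the
# From header ("P2", what the user sees in Outlook) claims to be the CEO on a
# lookalike of the organisation's domain.
SAMPLE_MESSAGE = b"""Return-Path: <bounce@marketing-relay.example>
From: "CEO" <ceo@SynergyL.com>
To: cfo@Synergy1.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Character substitutions commonly seen in lookalike domains (assumed table).
CONFUSABLES = {"1": "l", "0": "o", "rn": "m", "vv": "w"}


def header_domains(raw: bytes) -> tuple:
    """Return (envelope_domain, from_domain), both lower-cased."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    envelope = parseaddr(str(msg.get("Return-Path", "")))[1]
    sender = parseaddr(str(msg.get("From", "")))[1]
    return envelope.rpartition("@")[2].lower(), sender.rpartition("@")[2].lower()


def normalise(domain: str) -> str:
    """Fold confusable characters so 'synergyl.com' and 'synergy1.com' compare equal."""
    folded = domain.lower()
    for fake, real in CONFUSABLES.items():
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch single-character typosquats."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def is_lookalike(domain: str, org_domain: str) -> bool:
    """True when the domain is not ours but is confusable with, or one edit away from, ours."""
    domain, org_domain = domain.lower(), org_domain.lower()
    if domain == org_domain:
        return False
    return normalise(domain) == normalise(org_domain) or edit_distance(domain, org_domain) <= 1


def analyse(raw: bytes, org_domain: str) -> dict:
    """Findings a gateway rule could act on: quarantine, tag the subject, or alert."""
    envelope_domain, from_domain = header_domains(raw)
    return {
        "envelope_domain": envelope_domain,
        "from_domain": from_domain,
        "envelope_from_mismatch": envelope_domain != from_domain,
        "lookalike_from_domain": is_lookalike(from_domain, org_domain),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_MESSAGE, "synergy1.com"))
```

Return-Path is what the receiving mail server writes from the SMTP MAIL FROM, so it is the P1 address the article refers to; the From header is the P2 address. On the sample message both checks fire: the two domains differ, and “synergyl.com” folds to the same string as “synergy1.com”.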
Three technologies provide different protection options. Below is what the three technologies are, how they provide different types of protection, and how they can work together.
SPF (Sender Policy Framework)
SPF is well known and commonly implemented. It is essentially a DNS record (TXT) that contains a list of approved senders by IP address, domain name or some other mechanism.
SPF looks at the “Mail From” field within an email and compares the sending IP address to the published TXT record for that domain. The “Mail From” field can contain a different value than the “From” or “Reply To” fields. This is how some phishing emails can enter your organization: they have a valid SPF published for the “Mail From” and then present the user with a different address in the “From” field.
With Exchange Online, Microsoft provides the information to properly configure your SPF record. There are limitations on the number of DNS queries you can have in your SPF record, and it’s not uncommon to see syntax errors, so you should always validate your SPF record with one of the online validation tools.
When a message is received from a source not authorized in the SPF record, the receiving party can do what they choose with that information, for example block the message, rank it higher as prospective spam, or ignore the result.
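To make the SPF mechanics concrete, here is an added example (not from the article or from Microsoft) of a small SPF evaluator in Python. It walks a record’s ip4, ip6, include and all terms for a given sending IP, maps the qualifier to pass/fail/softfail/neutral, and enforces the limit of ten DNS-querying terms that RFC 7208 imposes (the “limitations on the number of DNS queries” mentioned above). The TXT records live in a dictionary that stands in for DNS; the domains, addresses and record contents are constructed for the example, and “spf.mailrelay.example” plays the role of a provider include such as the one Exchange Online asks you to add.

```python
import ipaddress

# Constructed TXT records standing in for live DNS (real evaluators query DNS).
# "spf.mailrelay.example" plays the role of a provider include such as the one
# Exchange Online asks you to add; its contents are made up for this example.
FAKE_DNS_TXT = {
    "synergy1.com": "v=spf1 ip4:203.0.113.0/24 include:spf.mailrelay.example -all",
    "spf.mailrelay.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    # A record that exceeds the ten-lookup limit of RFC 7208 section 4.6.4.
    "toomany.example": "v=spf1 " + " ".join(f"include:inc{i}.example" for i in range(11)) + " -all",
}
for i in range(11):
    FAKE_DNS_TXT[f"inc{i}.example"] = "v=spf1 -all"

MAX_LOOKUPS = 10
# Terms that cost a DNS query towards the limit.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def split_term(term: str):
    """Split 'ip4:1.2.3.0/24' or 'redirect=x' into (qualifier, name, argument)."""
    qualifier = "+"
    if term[0] in QUALIFIER_RESULT:
        qualifier, term = term[0], term[1:]
    name, sep, arg = term.partition(":")
    if not sep:
        name, _, arg = term.partition("=")
    return qualifier, name.lower(), arg


def check_spf(domain: str, sender_ip: str, dns=FAKE_DNS_TXT, counter=None) -> str:
    """Evaluate the sending IP against the domain's SPF record.

    Supports ip4, ip6, include and all; other lookup terms are counted towards the
    limit but treated as non-matching to keep the example offline.
    """
    counter = {"lookups": 0} if counter is None else counter
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier, name, arg = split_term(term)
        if name in LOOKUP_TERMS:
            counter["lookups"] += 1
            if counter["lookups"] > MAX_LOOKUPS:
                return "permerror"  # too many DNS lookups: the record is invalid
        if name in ("ip4", "ip6"):
            # Membership is False when the IP version differs from the network's.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif name == "include":
            nested = check_spf(arg, sender_ip, dns, counter)
            if nested == "permerror":
                return "permerror"
            if nested == "pass":
                return QUALIFIER_RESULT[qualifier]
        elif name == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def spf_lookup_count(domain: str, dns=FAKE_DNS_TXT) -> int:
    """Total DNS-querying terms in a record and everything it includes or redirects to,
    which is the figure online validators report against the limit of ten."""
    total = 0
    for term in dns.get(domain.lower(), "").split()[1:]:
        _, name, arg = split_term(term)
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += spf_lookup_count(arg, dns)
    return total


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9", "2001:db8::1", "192.0.2.1"):
        print(ip, check_spf("synergy1.com", ip))
    print("lookups:", spf_lookup_count("synergy1.com"), spf_lookup_count("toomany.example"))
```

The “toomany.example” record is the failure mode the article warns about: eleven includes push the evaluator past the limit and it returns permerror, which most receivers treat as “no usable SPF”, so adding one partner too many can silently turn off SPF for the whole domain. Only the “Mail From” domain is ever looked up here, which is why a passing result says nothing about the From header the user sees.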
DKIM (DomainKeys Identified Mail)
DKIM also looks at the “Mail From” field and will show “None”, “Pass” or “Fail” once the message is evaluated. The same potential phishing issue exists with DKIM: the “Mail From” does not necessarily match the “From” field that the user sees.
DKIM uses a public/private key pair to sign messages, as opposed to the published TXT record of approved senders. One advantage of DKIM over SPF is that there is no limit to the number of partners you can authorize to send on your behalf (assuming they support DKIM). If you use a number of third-party senders, you will run into issues when trying to include all of them in your SPF record.
Another way to address the SPF limitation is to have senders send their messages under a subdomain and to publish a separate SPF for that subdomain.
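As an added illustration of the signing side of DKIM (example code, not from the article), the Python below assembles the tags of a DKIM-Signature header and performs the first step a verifier takes: recomputing the body hash (bh=) over the received body with the “simple” canonicalization of RFC 6376 and comparing it to the signed value, so any change to the body after signing is detected. The d= tag names the signing domain and s= the selector whose public key is published at <selector>._domainkey.<domain>. No private key is used here, so the b= tag (the RSA signature over the headers) is an obvious placeholder; the domain, selector and message body are constructed for the example.

```python
import base64
import hashlib
import re


def canonicalize_body_simple(body: str) -> bytes:
    """'simple' body canonicalization (RFC 6376 section 3.4.3): CRLF line endings,
    trailing empty lines dropped, and the body ends with exactly one CRLF."""
    text = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while text.endswith("\r\n\r\n"):
        text = text[:-2]
    if not text.endswith("\r\n"):
        text += "\r\n"
    return text.encode("utf-8")


def body_hash(body: str) -> str:
    """The bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def build_dkim_signature(domain: str, selector: str, body: str,
                         signed_headers=("from", "to", "subject")) -> str:
    """Assemble the DKIM-Signature tags a signer emits. d= is the signing domain
    (the identifier DMARC aligns with the From header) and s= the selector whose
    public key lives at <selector>._domainkey.<domain>. b= is the RSA signature
    over the listed headers; no private key is used in this example, so it is
    left as an obvious placeholder."""
    return (f"v=1; a=rsa-sha256; c=simple/simple; d={domain}; s={selector}; "
            f"h={':'.join(signed_headers)}; bh={body_hash(body)}; b=PLACEHOLDER")


def verify_body_hash(dkim_header: str, body: str) -> bool:
    """First verifier step: recompute bh= over the received body and compare."""
    tags = parse_dkim_tags(dkim_header)
    return tags.get("bh") == body_hash(body)


if __name__ == "__main__":
    original = "Please process the attached invoice today.\n"  # constructed body
    sig = build_dkim_signature("synergy1.com", "sel2016", original)
    print(sig)
    print("untouched body:", verify_body_hash(sig, original))
    print("tampered body:", verify_body_hash(sig, original + "Send it to account 1234.\n"))
```

Because the key is looked up under the d= domain rather than under the “Mail From” or From domain, any number of partners can sign with their own selectors under your domain, which is the scaling advantage over SPF described above; it is DMARC, below, that then asks whether that d= domain matches what the user sees in From.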
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC looks for a passed SPF or DKIM check, but also looks for “alignment” between the “Mail From” and “From” fields. DMARC configuration lets you tell recipient mail servers what to do with a message when DMARC fails.
A DNS TXT record is created (_dmarc.company.com), and mail systems that use DMARC will send success/failure reports to the addresses specified in that record. A third-party tool or service can be used to aggregate and analyze these reports.
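The following Python is an added example (not from the article) that applies a DMARC record to a single message: it parses the policy (p=), the alignment modes (aspf=, adkim=) and the report address (rua=), checks whether the SPF-authenticated “Mail From” domain or the DKIM d= domain aligns with the From header, and returns the disposition a receiver would apply. The record, the domains and the authentication results are constructed; the organizational-domain helper is simplified to the last two labels, whereas real implementations use the Public Suffix List.

```python
# Constructed DMARC record for the organisation, as would be published at
# _dmarc.synergy1.com (the dict stands in for a live DNS lookup).
FAKE_DMARC_TXT = {
    "_dmarc.synergy1.com": ("v=DMARC1; p=quarantine; adkim=r; aspf=r; "
                            "rua=mailto:dmarc-reports@synergy1.com"),
}


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=quarantine; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain. Simplified to the last two labels for the example;
    real implementations consult the Public Suffix List (this is wrong for e.g. co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(identifier_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same
    organisational domain, so mail.synergy1.com aligns with synergy1.com."""
    if mode == "s":
        return identifier_domain.lower() == from_domain.lower()
    return org_domain(identifier_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain: str, spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str, dns=FAKE_DMARC_TXT) -> dict:
    """Apply DMARC to one message.

    spf_domain is the Mail From (P1) domain SPF was checked against; dkim_domain is
    the d= tag of a DKIM signature that verified; from_domain is the From header (P2).
    """
    record = dns.get(f"_dmarc.{from_domain.lower()}")
    if record is None:
        return {"dmarc": "none", "disposition": "none", "report_to": None}
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # p= only applies when DMARC fails; a passing message is delivered normally.
        "disposition": "none" if passed else tags.get("p", "none"),
        "report_to": tags.get("rua"),
    }


if __name__ == "__main__":
    # The trick from the article: P1 on a third party with valid SPF, P2 claims our domain.
    print(evaluate_dmarc("synergy1.com", "pass", "marketing-relay.example", "none", ""))
    # Legitimate mail signed with our DKIM key; SPF failed because a forwarder resent it.
    print(evaluate_dmarc("synergy1.com", "fail", "forwarder.example", "pass", "synergy1.com"))
    # A lookalike domain publishes no record, so our DMARC policy cannot cover it.
    print(evaluate_dmarc("synergyl.com", "pass", "synergyl.com", "none", ""))
```

The first call is the mismatched-sender case: SPF passes for the third-party P1 domain, but that domain is not aligned with the From header, so DMARC fails and the published p=quarantine applies. The second call shows why DKIM matters alongside SPF: forwarding breaks SPF, yet an aligned DKIM signature still lets the message pass. The third call is the caveat: a lookalike domain is a different domain with no DMARC record of its own, so the policy you publish for your domain does not help there, and the lookalike check on the From domain remains a separate control.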