When phishing emails appear to be from inside the building

Unfortunately, impersonating trusted people, especially those in a position of seniority, is a common method attackers use to put people into a state of fear and prompt swift action.

How can this happen?

One way this can happen is via a common cyber-attack known as “spoofing”, which is when the identity of the sender is altered via the FROM and REPLY-TO fields within an email message header. 

If you think of this using the analogy of postal mail, spoofing is the equivalent of someone writing the name of your friend on the envelope as the sender and then posting it to your address. You’re probably inclined to open the envelope and trust it comes from the person whose name is on the outside as sender, believing therefore that the contents of the letter are the wishes and directions of the person you know. 

What can you do to stop spoofing of your business’ domain name?

Organisations can implement some controls that work together to uplift email integrity.

1) Sender Policy Framework (SPF) – these DNS records stipulate which email servers are allowed to send on behalf of your organisation’s domain name – so if an email using your domain is sent from a server that isn’t authorised to send for it, the receiving server can detect this.

2) DomainKeys Identified Mail (DKIM) – this uses a pair of cryptographic keys to authenticate and validate each email sent using your domain. The private key is held by your email server and is used to create a DKIM signature that is included in every email sent from your organisation; the matching public key is published for your domain. In this way, the recipient can check the DKIM signature on the email against the sender’s published public key in order to validate that the email was signed by your domain and was not altered in transit.

SPF:
- Provides a list of approved servers that are allowed to send from your domain
- Lets receiving servers know the sending source was permitted

DKIM:
- Signs each email with a cryptographic digital signature
- Tells receiving servers that incoming messages must carry a digital signature that verifies against the public key published for your domain

3) Domain-based Message Authentication, Reporting & Conformance (DMARC) – This is a standard security protocol that builds on SPF and DKIM by verifying that the visible address (what we see as the FROM field) aligns with the domain authenticated by SPF (the “return-path”) or by the DKIM signature. DMARC also instructs receiving servers on what to do with emails when they pass or fail this authentication check. So in the diagram below, a company can choose to implement the strictest policy of “reject” if authentication fails, or it might choose to implement a “quarantine” policy instead, or the most permissive “none”, where even if authentication fails, the email still gets delivered to the intended recipient.
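As an added example (not from the original article), the following Python sketch applies the DMARC logic described above to a received message: it checks whether the visible FROM domain aligns with the domain that SPF or DKIM authenticated, and if neither aligns, applies the domain owner’s “none”, “quarantine” or “reject” policy. The organisational-domain helper is a deliberate simplification (real receivers use the Public Suffix List), and the message values are constructed for illustration.

```python
"""Simplified DMARC alignment check and policy disposition for one message."""
from dataclasses import dataclass


@dataclass
class AuthResults:
    from_domain: str   # domain in the visible From: header
    spf_result: str    # "pass" or "fail" from the SPF check
    spf_domain: str    # return-path (MAIL FROM) domain that SPF was checked against
    dkim_result: str   # "pass" or "fail" from DKIM signature verification
    dkim_domain: str   # signing domain (d= tag) of the DKIM signature


def org_domain(domain: str) -> str:
    # Simplified organisational domain: the last two labels, so
    # mail.example.com -> example.com. Real receivers consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_domain: str, auth_domain: str, mode: str) -> bool:
    # Strict alignment ("s") needs an exact match; relaxed ("r") accepts the same org domain.
    if mode == "s":
        return header_domain.lower() == auth_domain.lower()
    return org_domain(header_domain) == org_domain(auth_domain)


def dmarc_passes(r: AuthResults, adkim: str = "r", aspf: str = "r") -> bool:
    # DMARC passes if EITHER mechanism passed AND its domain aligns with the From: domain.
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, aspf)
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, adkim)
    return spf_ok or dkim_ok


def disposition(r: AuthResults, policy: str) -> str:
    # The published p= policy only applies when DMARC authentication fails.
    if dmarc_passes(r):
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


if __name__ == "__main__":
    # Constructed case: a spoofed From: with SPF passing only for the sender's own domain.
    spoof = AuthResults("example.com", "pass", "attacker.example.net", "fail", "")
    for p in ("none", "quarantine", "reject"):
        print(f"p={p}: {disposition(spoof, p)}")
```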

https://www.commbank.com.au/articles/business/when-phishing-emails-appear-internal.html
