When email authentication can and cannot stop phishing

Microsoft’s Terry Zink kicked off his talk with this year’s magic trick: demonstrating his seemingly superb memory of a Sherlock Holmes book, with the help of CSA’s Alex Zeh. He “phished” the entire audience, a great fun introduction to his talk on where email authentication is great, and not so great, at stopping phishing.

The good news on phishing is that lots of domains now do authenticate with SPF, DKIM, and DMARC, and spam filters have got very good at detecting phishing using traditional methods. The bad news, however, is bad: lots of domains in the enterprise sphere still do not authenticate at all, and there has been a large increase in spear phishing.

Phishing is hard to detect and hard to measure (see Terry’s write-up: https://blogs.msdn.microsoft.com/tzink/2016/11/23/where-email-authentication-is-not-so-great-at-stopping-phishing-random-it-phishing-scams/). Phishing emails are often set up so that they actually are authenticated, which makes them harder to detect: SPF, DKIM and DMARC prove that a message came from the domain it claims, not that the domain is honest. Some domains have only weak authentication (for example a policy that is published but not enforced), so mail that fails it is not actually blocked. The lack of strong authentication allows cybercriminals to use such domains as a springboard for further attacks.

Some phishing emails contain no malware or URL, but are just social engineering in preparation for e.g. a spear phishing attack. What can also now be seen increasingly are real contact names used with lookalike domains, e.g. …@tovota-europe.com instead of …@toyota-europe.com. Microsoft has started blending warning notices into emails they have clearly identified as phishing, in case users try to interact with them anyway, believing a mistake was made when the message was flagged as a threat. It has become a very effective tool to get senders to change their behavior.
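The lookalike case above is exactly where a passing authentication result misleads: the attacker owns tovota-europe.com and has published SPF, DKIM and DMARC for it, so the message authenticates perfectly. The following is an added example (not code from the talk or from Microsoft) of a receiver-side check that combines the Authentication-Results verdict with an edit-distance comparison against domains the organisation actually corresponds with. The known-domain list and the sample header values are constructed for illustration.

```python
# Added example (not from the talk or from Microsoft): a message that passes
# SPF/DKIM/DMARC can still be a phish, because the attacker authenticated a
# domain that merely looks like one we know. The known-domain list and the
# sample headers are constructed for illustration.

# Constructed allow list of domains this organisation actually corresponds with.
KNOWN_DOMAINS = {"toyota-europe.com", "partner-bank.example"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a single substitution such as
    tovota/toyota scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def parse_auth_results(header: str) -> dict:
    """Reduce an Authentication-Results header value to {method: result}.

    Shape: 'authserv-id; spf=pass smtp.mailfrom=a.com; dkim=pass header.d=a.com;
    dmarc=pass header.from=a.com'. The first clause is the authserv-id; every
    later clause starts with method=result.
    """
    results = {}
    for clause in header.split(";")[1:]:
        tokens = clause.split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            results[method.lower()] = result.lower()
    return results


def sender_domain(addr: str) -> str:
    """Domain part of the visible From address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def lookalike_of(domain: str, known=KNOWN_DOMAINS, max_distance: int = 1):
    """Return the known domain that `domain` imitates, or None."""
    if domain in known:
        return None
    for candidate in sorted(known):
        if levenshtein(domain, candidate) <= max_distance:
            return candidate
    return None


def classify(from_addr: str, auth_results: str, known=KNOWN_DOMAINS) -> str:
    """Combine the authentication verdict with what we know about the domain."""
    domain = sender_domain(from_addr)
    verdict = parse_auth_results(auth_results)
    authenticated = verdict.get("dmarc") == "pass"
    if domain in known:
        return "known-sender" if authenticated else "known-sender-unauthenticated"
    imitated = lookalike_of(domain, known)
    if imitated is not None:
        # The case the talk warns about: SPF, DKIM and DMARC all pass because
        # the attacker owns the lookalike domain and set them up correctly.
        return f"lookalike-of:{imitated}" + (":authenticated" if authenticated else "")
    return "unknown-sender"


if __name__ == "__main__":
    # Constructed sample messages: a real contact, its lookalike, and a spoof.
    samples = [
        ("j.doe@toyota-europe.com",
         "mx.example.net; spf=pass smtp.mailfrom=toyota-europe.com; "
         "dkim=pass header.d=toyota-europe.com; dmarc=pass header.from=toyota-europe.com"),
        ("j.doe@tovota-europe.com",
         "mx.example.net; spf=pass smtp.mailfrom=tovota-europe.com; "
         "dkim=pass header.d=tovota-europe.com; dmarc=pass header.from=tovota-europe.com"),
        ("j.doe@toyota-europe.com",
         "mx.example.net; spf=fail smtp.mailfrom=toyota-europe.com; "
         "dmarc=fail header.from=toyota-europe.com"),
    ]
    for addr, ar in samples:
        print(f"{addr:28} -> {classify(addr, ar)}")
```

The authenticated lookalike comes out as `lookalike-of:toyota-europe.com:authenticated`, which is the verdict a pure SPF/DKIM/DMARC filter can never produce on its own; the edit-distance threshold of 1 is deliberately tight, since a wider net against a long known-domain list quickly starts matching unrelated legitimate senders.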

Microsoft will soon introduce Brand Indicators for Message Identification (BIMI); the IETF draft will be published in May 2017. The logo of a trusted sender will be displayed in Microsoft email clients. It requires the sender to use strong email authentication, and the sender must also be on a known-sender list (a white list). Banks and insurance companies, in particular, are very interested. The goal is not to get users to change their behavior, but to get marketers to want product placement and therefore push their security teams to implement authentication, in order to benefit from the free advertising.

BIMI works through DNS rather than only through a mail header, because DNS lets the mechanism scale beyond email.
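The two gates described above (strong authentication on the sending domain and membership of the receiver's known-sender list), resolved through DNS, as an added example that is not code from the talk or from Microsoft. The record names and tags it queries (`_dmarc.<domain>` TXT, `default._bimi.<domain>` TXT with `v=BIMI1` and `l=<logo URL>`) follow the later BIMI specification, which this 2017 talk predates, so treat them as an assumption; the DNS data, the known-sender list and the rule that `pct` must be 100 are constructed for illustration.

```python
# Added example (not from the talk or from Microsoft): the gates a receiver
# applies before showing a BIMI logo, all answered from DNS. Record names and
# tags follow the later BIMI specification (assumption; the talk predates it);
# the DNS data and known-sender list below are constructed for illustration.

# Constructed stand-in for DNS: the TXT records a receiver would query.
DNS_TXT = {
    "_dmarc.bank.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@bank.example"],
    "default._bimi.bank.example": ["v=BIMI1; l=https://bank.example/logo.svg"],
    "_dmarc.shop.example": ["v=DMARC1; p=none; rua=mailto:dmarc@shop.example"],
    "default._bimi.shop.example": ["v=BIMI1; l=https://shop.example/logo.svg"],
    "_dmarc.newcomer.example": ["v=DMARC1; p=quarantine; pct=50"],
    "default._bimi.newcomer.example": ["v=BIMI1; l=https://newcomer.example/logo.svg"],
    "_dmarc.insurer.example": ["v=DMARC1; p=reject"],
    "default._bimi.insurer.example": ["v=BIMI1; l=https://insurer.example/logo.svg"],
    "_dmarc.plain.example": ["v=DMARC1; p=reject"],
}

# Constructed known-sender (allow) list: the second condition the talk mentions.
KNOWN_SENDERS = {"bank.example"}


def parse_tags(record: str) -> dict:
    """Split 'k=v; k2=v2' into a dict (DMARC and BIMI records share this shape)."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lookup_txt(name: str, dns=DNS_TXT) -> list:
    """TXT lookup against the constructed DNS table."""
    return dns.get(name.lower(), [])


def dmarc_is_enforcing(domain: str, dns=DNS_TXT) -> bool:
    """'Strong authentication' for this example: a DMARC record whose policy
    rejects or quarantines failures for all mail. p=none, or a pct below 100,
    means a published but not enforced policy and does not count."""
    for record in lookup_txt(f"_dmarc.{domain}", dns):
        tags = parse_tags(record)
        if tags.get("v") != "DMARC1":
            continue
        return tags.get("p") in {"quarantine", "reject"} and tags.get("pct", "100") == "100"
    return False


def bimi_logo(domain: str, message_dmarc_result: str, dns=DNS_TXT,
              known=KNOWN_SENDERS, selector: str = "default"):
    """Return (logo_url, "ok") if the logo may be shown, else (None, reason).

    Gates, in order: the message itself passed DMARC, the domain's DMARC policy
    is enforcing, the domain publishes a BIMI record with a logo, and the
    domain is on the receiver's known-sender list.
    """
    domain = domain.lower()
    if message_dmarc_result.lower() != "pass":
        return None, "message-failed-dmarc"
    if not dmarc_is_enforcing(domain, dns):
        return None, "dmarc-not-enforcing"
    logo = None
    for record in lookup_txt(f"{selector}._bimi.{domain}", dns):
        tags = parse_tags(record)
        if tags.get("v") == "BIMI1" and tags.get("l"):
            logo = tags["l"]
            break
    if logo is None:
        return None, "no-bimi-record"
    if domain not in known:
        return None, "not-on-known-sender-list"
    return logo, "ok"


if __name__ == "__main__":
    for d in ("bank.example", "shop.example", "newcomer.example",
              "insurer.example", "plain.example", "nobody.example"):
        print(f"{d:18} -> {bimi_logo(d, 'pass')}")
```

Only bank.example gets its logo: shop.example publishes DMARC but with p=none, newcomer.example enforces only half its mail, and insurer.example authenticates properly but is not yet on the known-sender list. That last case is the lever the talk describes: the domain has done the DNS work and now has a reason to ask to be listed.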

At the end, Terry revealed that he had phished the audience once more, by changing shirts – and indeed no one had noticed!