- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
As we all know and face constantly, spam and phishing are dominating email communication in the modern world. Some of the emails are obviously to the human eye and can be easily categorized by at least one human. But what can we do if we have the urge to categorize those emails automatically? How can we determine something is spam over all others?
First, do not try to start with challenging cases first, instead, we should first aim towards getting the easy ones out of the way.
Source: Palo Alto Networks XSOAR Marketplace | Marketplace (pan.dev)
Spam might be the easier ones, but as people tend to report a lot of emails, taking the spam out of the equation can reduce the number of cases tremendously. To do that we should take the help of some well-known third party enrichments
All these enrichments can let us know if indicators of an email are already known to the spam hunter community. If these are known we can easily (and automatically) come to the conclusion that the email in question is real spam and most likely nothing else.
In addition we should also filter the emails which do not follow the best practice of modern email communication. To do that we have at least two tools:
Over the duration of your SOC optimization you should find a way to build your list of friendly emails. Friendly emails as an example could be the notification of your vendors. It makes sense to add these sender domains to a list and at least treat them differently. Of course, if all indicators are malicious this is still bad and we should add this check down the line to not give these senders an “access all areas” free pass.
Of course it is up to you what you consider as friendly emails, but all I am saying is that you should keep track and start listing them. As an example:
Also keep in mind that these are meant to be the sender and origin email domains, not links within the email. Especially file sharing platforms might host malware or phishing.
Email headers are a wonderful source of information. The path an email took from one point on the world to your email inbox is maybe the best documented ever. Every single server on the way will add its mark to the paper trail. We should definitely try to dismantle all these information and start looking into these.
XSOAR mapping of fields
After doing all of this you should take your lessons learned and go back to the way you are doing email communication. Especially on DNS (Domain Name System) level we have developed great baseline protection over the past years (Sources: Wikipedia)
Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing email, email scams and other cyber threat activities.
Once the DMARC DNS entry is published, any receiving email server can authenticate the incoming email based on the instructions published by the domain owner within the DNS entry. If the email passes the authentication, it will be delivered and can be trusted. If the email fails the check, depending on the instructions held within the DMARC record the email could be delivered, quarantined or rejected.
DMARC extends two existing email authentication mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the administrative owner of a domain to publish a policy in their DNS records to specify how to check the From:
field presented to end users; how the receiver should deal with failures – and provides a reporting mechanism for actions performed under those policies.
DMARC is defined in the Internet Engineering Task Force‘s published document RFC 7489, dated March 2015, as “Informational”.[1]
(Source Wikipedia).
Sender Policy Framework (SPF) is an email authentication method which ensures the sending mail server is authorized to originate mail from the email sender’s domain.[1][2] This authentication only applies to the email sender listed in the “envelope from” field during the initial SMTP connection. If the email is bounced, a message is sent to this address,[2] and for downstream transmission it typically appears in the “Return-Path” header. To authenticate the email address which is actually visible to recipients on the “From:” line, other technologies such as DMARC must be used. Forgery of this address is known as email spoofing,[3] and is often used in phishing and email spam.
The list of authorized sending hosts and IP addresses for a domain is published in the DNS records for that domain. Sender Policy Framework is defined in RFC 7208 dated April 2014 as a “proposed standard”.[4]
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Subject | Likes |
---|---|
2 Likes | |
2 Likes | |
1 Like | |
1 Like | |
1 Like |