Email-based attacks: Avoiding compromise

Clayton Miller | 6/15/2020

Email-based attacks expose organizations to a multitude of risks, so strengthening email infrastructure should be a top priority.

Email has been and will remain a ubiquitous form of business communication for the foreseeable future. Most organizations process thousands to hundreds of thousands of emails daily through on-premises servers or cloud-based email solutions. The volume of messages makes preventing email-based attacks a challenging task – one that requires an understanding of associated risks, attack methodologies, and a combination of available solutions. Attackers can use email to gain initial access to any network, but organizations can take steps to mitigate risks and strengthen their cybersecurity postures.

Understanding email-based attacks

The current pandemic has made email even more vulnerable. Because of COVID-19-related malicious cyberactivity, the U.S. Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency, and the U.K.’s National Cyber Security Centre released a joint alert warning of an increased volume of cyberattacks, including those that use email. How frequently do these attacks occur, and how many involve email-based attack vectors? Before diving into email-based attacks, it’s important to understand the context in which those attacks can take place.

According to Verizon’s 2020 Data Breach Investigations Report (DBIR), hacking is any attack using brute-forced or stolen credentials, exploitation of vulnerabilities, or backdoors and command and control functionality. Of these three categories, credential theft accounted for 80% of all hacking incidents in 2019, a common result of social actions. Social actions are defined as any attempt to influence human behavior and can be broken into two categories: phishing and pretexting. Phishing uses human psychology to convince a victim to perform an action or disclose information via emails posing as a legitimate or reputable source. Pretexting is like phishing, but it uses invented scenarios with the intent to build credibility with a victim. Said another way, pretexting sets the scene, while phishing actually performs an attack.

Phishing is the overwhelmingly prominent social action used by threat actors, and according to the DBIR, 96% of all social attacks are email based. This statistic demonstrates just how focused adversaries are in using email as a medium.

Consider two more data points: According to the DBIR, social-phishing actions and hacking-credential actions are included in more than 20% of breaches. This is not a new trend, either. For the past five years, social and hacking actions ranked among the top three actions taken in breaches, and for the past two years, they represented the top two most common breach actions.

Email attack methodology

Understanding the context in which email-based attacks take place is a worthwhile exercise, and it helps organizations develop a risk-based analysis of vulnerabilities in their email infrastructure. In addition, understanding the methods that drive the attacks can help organizations address and mitigate risk.

Attackers use several techniques to perform successful email-based attacks. These methods include determining targets, establishing trust, and delivering a persuasive message.

Enumerating accounts

Before launching a successful email attack, adversaries need a target. Depending on the intent of the attackers, identifying a target might involve conducting thorough research on specific individuals to develop a strategic approach, or the attackers might select several random employees in a haphazard approach. Either way, attackers need a reliable method of building a list of email addresses.

Email accounts can be enumerated in several ways, and some are out of the control of an organization’s IT team. One of the easiest methods is viewing publicly available breach data in which employees might have used their work email accounts.

Another method attackers use is guessing account names based on employee lists gathered from LinkedIn or similar sources and common username patterns (for example, [email protected]). Finding targets this way involves a lot of guesswork and is not a surefire way to build an initial target list.

A third common method is using an insecure configuration of mail servers that allows unauthenticated users (the attackers) to query the server for the account names directly. One way or another, attackers can develop a list of targets to whom they will eventually send malicious emails.

Building credibility

Once targets are defined, attackers must find a way in, and that means they must be believable. A large part of building the credibility of email attacks lies in the ability of attackers to impersonate a trusted source. This impersonation is known as spoofing, and it can be accomplished several ways.

The easiest of spoofing techniques is performed by using an insecure configuration on email servers, which can allow attackers to send messages using a company email address externally from the email domain. These spoofed messages appear to come from the address assigned by the attacker (or even from an internal employee’s address) and therefore can be extremely convincing.

When attackers cannot directly spoof an internal email address, they can build infrastructure to send the email from a domain similar to that of the target company. Look-alike domains are fairly easy to come by. For example, if the primary domain is, attackers might try using an available top-level domain (.org, .net, .co) to send emails using [email protected]. Alternatively, they might use a similar spelling, an acronym, or a different name for the organization to send emails using [email protected] or [email protected].

In yet another approach similar to look-alike domain schemes, attackers turn to brand phishing, in which they create messages that appear to come from separate, trusted companies, banks, insurance firms, or contractors. The only limitation here is the creativity of the attackers, the availability of domain look-alikes, and the craftiness of the message.
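The look-alike patterns described above (same name under another TLD, a misspelling, or the organization's name buried in a longer domain) can be turned into a triage check on the sender's domain. The following is an added example, not from the original article; `example.com`, the sample From: addresses and the edit-distance threshold are constructed assumptions.

```python
"""Flag sender domains that resemble an organization's own domain.
Added example, not from the original article: ORG_DOMAIN, the sample
addresses and the distance thresholds are constructed/illustrative."""

ORG_DOMAIN = "example.com"  # constructed; replace with the organization's domain

def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_domain(domain):
    """Split 'name.tld' into (name, tld); extra labels stay in the name part."""
    parts = domain.split(".")
    return ".".join(parts[:-1]), parts[-1]

def lookalike_reason(sender_domain, org_domain=ORG_DOMAIN):
    """Why sender_domain resembles org_domain, or None for the org's own
    domain, its subdomains, and unrelated names."""
    sender_domain, org_domain = sender_domain.lower().rstrip("."), org_domain.lower()
    if sender_domain == org_domain or sender_domain.endswith("." + org_domain):
        return None                                    # own domain or subdomain
    s_name, s_tld = split_domain(sender_domain)
    o_name, _ = split_domain(org_domain)
    if s_name == o_name:
        return f"same name, different TLD (.{s_tld})"  # example.org, example.co
    if levenshtein(s_name, o_name) <= 2:
        return "misspelling of organization name"      # exarnple.com, examp1e.com
    if o_name in s_name.replace("-", ""):
        return "organization name embedded in a longer domain"  # example-corp.com
    return None

def triage(senders):
    """Map each flagged From: address to the reason it was flagged."""
    flagged = {}
    for addr in senders:
        reason = lookalike_reason(addr.rsplit("@", 1)[-1])
        if reason:
            flagged[addr] = reason
    return flagged

# Constructed sample of From: addresses as a mail gateway or SOC analyst might see them.
SAMPLE_SENDERS = ["ceo@example.com", "it@mail.example.com", "ceo@example.org",
                  "payroll@exarnple.com", "vendor@example-corp.com", "news@unrelated.net"]
```

The organization's own subdomains are deliberately excluded so that internal relays are not flagged; the distance threshold should be tuned to the length of the organization's name to limit false positives.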

Crafting the message

After identifying targets and establishing trust, the next step of an email-based attack is drafting the email itself. As they craft their message, attackers determine what they want to accomplish and establish the proper pretexts to get the target to fall for the ploy.

One targeted approach is known as business email compromise (BEC). BEC is a phishing attack that uses emails that claim to be from a person of authority or with access to company finances (typically a company executive) requesting a wire transfer or data. BEC ploys can take various forms, but in most of them, attackers craft a narrative to convince employees with access to financial systems to make wire transfers to attackers’ accounts.

BEC ploys are usually executed via spoofing techniques, but skilled attackers can also attempt to compromise credentials to an account and gain access to an email inbox. Typically, attackers craft a message that directs users to visit a malicious website and enter their credentials. This is, of course, assuming the attackers didn’t already obtain those credentials from publicly available breach data or by guessing a weak password.

With credentialed access, attackers can lie dormant within a user’s inbox for weeks if not months. Often, attackers will introduce automatic forwarding rules to their own inbox so they can read their victims’ emails without having to log in again and can still analyze a company and plan an attack long after the stolen password expires. Patient and experienced attackers will lie in wait, collecting information and waiting for the perfect storm of circumstances before they kick off their scheme and attempt to defraud a company and hijack vast sums of money.
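Defenders can hunt for the forwarding rules described above by reviewing an export of mailbox rules for destinations outside the organization's own domains. The following is an added example, not from the original article; the owned domains, the rule records and their field names are constructed assumptions rather than any product's real schema.

```python
"""Hunt for mailbox rules that forward or redirect mail outside the organization.
Added example, not from the original article. ORG_DOMAINS and INBOX_RULES are
constructed; the field names are assumptions, not a specific product's schema."""

ORG_DOMAINS = {"example.com", "example.co.uk"}  # constructed allowlist of owned domains

# Constructed export of inbox rules, one dict per rule.
INBOX_RULES = [
    {"mailbox": "cfo@example.com", "name": "Board papers", "enabled": True,
     "forward_to": ["board@example.com"], "redirect_to": []},
    {"mailbox": "ap.clerk@example.com", "name": "Archive", "enabled": True,
     "forward_to": ["invoices@mail-backup.net"], "redirect_to": []},
    {"mailbox": "sales@example.com", "name": "UK copy", "enabled": True,
     "forward_to": [], "redirect_to": ["team@uk.example.co.uk"]},
    {"mailbox": "hr@example.com", "name": "Old rule", "enabled": False,
     "forward_to": ["me@freemail.example.net"], "redirect_to": []},
]


def is_internal(address):
    """True when the address's domain is an owned domain or a subdomain of one."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in ORG_DOMAINS)


def external_forwarding(rules, include_disabled=False):
    """Return (mailbox, rule name, external target) for every rule that sends
    mail outside the organization; disabled rules are skipped unless requested."""
    findings = []
    for rule in rules:
        if not rule.get("enabled", True) and not include_disabled:
            continue
        for target in rule.get("forward_to", []) + rule.get("redirect_to", []):
            if not is_internal(target):
                findings.append((rule["mailbox"], rule["name"], target))
    return findings
```

Both forward and redirect actions are checked, since either delivers a copy of the victim's mail to the attacker; a domain such as `example.com.evil.net` is correctly treated as external because only true subdomains of the owned domains match.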

In an alternative and less patient type of attack, attackers rely more heavily on technical skill than on wiliness. Their crafted phishing message directs users to visit a malicious website to enter their credentials and download and run a well-disguised payload that is intended to establish a connection to an attacker system. If the attackers have successfully obtained employee credentials, they will attempt to access any external resources available to the employee.

In many cases, attackers can use access to the email account to move laterally through an organization or even gain internal network access. In a worst-case scenario, attackers can use the compromised credentials to log into a company's virtual private network (VPN) gateway that is not secured with multifactor authentication or pre-shared authentication keys. If payload execution is successful or VPN access is gained, attackers can use the internal network access to creep toward privileged access, data exfiltration, network disruptions, or other targets. In this way, the initial risk of an email-based attack turns into a much more damaging prospect as the incident evolves into a full-blown breach.

Establishing email best practices

As is demonstrated through the anatomy of email-based attacks, attackers can take advantage of a collection of lower-risk issues to eventually gain a foothold in a network. What measures can organizations take to mitigate these issues?

The primary problem of any social attack is that it takes advantage of the weakest link in an organization’s cybersecurity framework: people. However, by implementing a mature security awareness training program, organizations can effectively mitigate the largest risk in a social engineering attack. Such a training program includes frequent security awareness communications, yearly education, and periodic testing to train employees to detect and properly respond to fraudulent emails.

Another measure to mitigate risks associated with email attacks is validating the email architecture configuration. Email servers are traditionally included as part of external penetration tests and are assessed for user enumeration, spoofing, and other risks resulting from insecure configurations.

As a part of external email security, the best measure for any external login portal is multifactor authentication. Assuming users will eventually have their credentials compromised or use bad passwords, increasing the controls around authentication can help mitigate the risks of account compromise by requiring a second, external factor to validate logins.

After conducting user training and improving email server security, organizations should consider different email filtering solutions that scan incoming mail for potential phishing and similar threats. Many options for these solutions exist and can be effective in quarantining malicious emails based on different metrics such as sender domain information, dynamic content analysis and link traversal, and attachment file sandboxing and heuristic analysis. For organizations that currently use cloud-based email providers, configurations might already be available for security teams to improve email security.

Keeping inboxes safe

The past and present threat landscapes indicate that email-based attacks are here to stay. Attackers will continue to gather information and gain initial access to organizations’ environments, and employees are a critical piece of the puzzle. Making sure that all personnel are aware of risks and have the training and resources to address those risks and balance them with technical controls is a crucial step in improving the organization’s overall cybersecurity posture.