But the CEO told me to wire $60K to the Caymans!

We’ve seen a recent rash of e-mail exploits that blend “social engineering” with e-mail technology. These exploits use e-mail to impersonate respected leaders and authorities of an enterprise giving direction to subordinates or delivering malware payloads and links in what looks like a trusted and familiar communication.

From: Lucius Fox, CEO Wayne Enterprises <lfox@wayneco.com>

To: Charles Edwards cedwards@wayneco.com

Subject: URGENT WIRE

Charles – please send $60,000.00 to this Cayman account 20043645-11190 and advise as soon as complete.  This is URGENT

The exploits rely on the trusted reputation and authority of the impersonated sender and the valid appearance of the e-mail itself.  Some are very clumsy and poorly written while others are very sophisticated in their composition and deception.  We’ve seen two primary methods and have implemented solutions to trap and quarantine these exploits so they are not delivered to the intended recipients.

The first method is a carefully crafted SMTP header that makes the message appear to originate from the impersonated user’s mailbox – lfox@waynco.com – but the actual originating mailbox and return path are different – BadActor@nowehere.net.

To trap these we use a combination of internet standards – SPF and DMARC – and Exchange Transport Rules in Office 365. Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting & Conformance (DMARC) are Internet standards for ensuring e-mail authenticity.  They are activated by creating specific DNS records for your e-mail domain – they have lost of options and features!  We used just the basic elements to activate the examination of the inbound email and add results entries to the SMTP headers of these inbound messages. In this case, an exploit like this sample would cause the string “DMARC=FAIL” to be added to the SMTP headers.

That’s the first part of the trap – next is the Exchange Transport Rule.  The rules can examine all mail traversing yours O365 Exchange tenant and allows for a rich set of test, actions, and alerts to be applied whenever a given rule ‘fires’.  For this trap, we capture all messages originating from “Outside the Organization” (not actually sent from one of your O365 mailboxes) that have the “DMARC=FAIL” string in the SMTP headers.  Qualifying messages are NOT delivered to intended recipient, but are sent to the Quarantine, and an alert message is sent to a set of Administrators for review.

In most cases, such trapped messages are indeed exploits and we leave them in the Quarantine to be deleted automatically after 1 week.  Sometimes the message is legitimate – like a scanned document from a multi-function device that uses and external SMTP relay service to send the scanned image to the user.  In such cases, an Administrator can “Release” the message from the Quarantine and it delivers as intended.

The second method observed is far less sophisticated and uses simple Display fields to attempt to deceive the recipient.  It is simple, but also clever in that it does not violate any of the SMTP envelope standards and so does not trigger the SPF or DMARC alerts!

From: Lucius Fox, CEO Wayne Enterprises lfox@wayneco.com <BadActor@nowhere.net>

To: Charles Edwards cedwards@wayneco.com

Subject: URGENT WIRE

Charles – please send $60,000.00 to this Cayman account 20043645-11190 and advise as soon as complete.  This is URGENT

Here the sender simply uses the From: display field – a free text item that can contain any content – to impersonate the executive.  In this sample the sender also includes the legitimate e-mail address of the executive in the Display field (lfox@wayneco.com). From an SMTP envelope perspective, the message is legitimate passing all the sender, source, and path consistency checks.

To thwart this exploit we used only the Exchange Transport Rule – but we needed one for each Executive being impersonated.  The rule looks for messages that originate “Outside the Organization” and have “Lucius Fox” or lfox@wayneco.com in the From text field.  The handling for these trapped messages is the same as for the first method.

Of note, both of these exploits have been used to attempt delivery of malicious attachments and web links – always cleverly disguised with tempting decorations for the recipient!  So, the payload can be much more dangerous and potent than just a “Social Engineering” direction.

These are only two examples.  The unfortunate reality today is that the “Bad Actors” are very industrious and clever, continuously crafting new exploits and attempting to steal assets or just disrupt business.

At CTI we observe that with the digitization of every business process,  IT leaders are one of the most critical custodians of business risk management along with financial and compliance risk management.  IT organizations must deploy numerous security techniques that triangulate and close security compromises — this means a comprehensive security architecture that readily adapts to accommodate changing threat types is essential.

This is why security architecture is now one of the most important areas of IT consulting.    CTI has a no cost threat assessment service available to help customers identify a 12 point set of controls that can significantly improve their risk profile.

Register here for our threat assessment service.