We’ve recently improved the accuracy of detecting spear phishing and business email compromise (BEC) attacks by adding a tiny but important check to our email security products. Now, if our mail-protection engine flags an email as suspicious for whatever reason, we match the domain in the From header against that in the Reply To header. And it’s surprisingly effective; this simple check succeeds in weeding out a large portion of rather sophisticated attacks. Here’s how it works.
How to detect sophisticated email attacks?
Spear phishers who carry out targeted email attacks traditionally go to great lengths to make their emails seen legitimate. These aren’t the kind of bad guys who email out attachments with Trojans inside; instead, they tend to hide phishing links under multiple layers of subterfuge. And this is why security solutions capable of detecting targeted emails rarely deliver a verdict based on a single criterion, but rather on a combination of suspicious signs. Matching the From and Reply To fields is one of these criteria.
How does matching the headers help?
Most attackers, even when compromising business correspondence, don’t bother hacking legitimate domains. Instead, they exploit the often-limited “expertise” of mail-server administrators. In fact, on a huge number of domains, mail authentication methods — like Sender Policy Framework (SPF), and especially Domain-based Message Authentication, Reporting, and Conformance (DMARC) — don’t work very effectively (if at all). In the best-case scenario, these mechanisms are technically enabled, but configured so loosely to avoid false positives that they become practically useless.
This laxity allows threat actors (sometimes including those behind full-blown APT attacks) to simply take the domain of the targeted organization and put it in the From, or even the SMTP From header. However, since they don’t want to just deliver an email, but also get a direct reply to it, they have to put their own address in the Reply To field. This tends to be a disposable email address or an address hosted on a free email service. And that’s what gives them away.
Why not match the headers all the time?
From
and Reply To don’t always have to match. There are many legitimate cases when an email may be sent from one mail server, but the reply is expected to another. The simplest example of this is newsletters and marketing emails: a specialized mailing-service provider sends them, but its client is the one who’s interested in the responses. Therefore, if the From and Reply To check were always enabled, it’d generate false positives.
Where’s the technology deployed?
The check is integrated into all our corporate email security products: Kaspersky Security for Microsoft Exchange Server, Kaspersky Security for Office 365, Kaspersky Security for Linux Mail Server, and Kaspersky Secure Mail Gateway.