Smells phishy: e-mails marked safe

Work e-mails stamped “verified” should set alarm bells ringing.


When sending phishing e-mails or malicious attachments, scammers deploy a host of tricks to persuade you to click a link or open a file. One such trick is to add all sorts of stamps indicating that the link or attached file is trustworthy.

As silly as it may sound, this approach does work. Someone well-versed in information security might not fall for it, but many less IT-savvy employees can be taken in. So, we recommend that infosec managers give their colleagues an occasional rundown of even the most basic cybercriminal ploys.

What do “verified” stamps look like?

There is, of course, no single type: each attacker has their own. We’ve seen many different examples, but they tend to be variations on the following themes:

  • The attached file has been scanned by an antivirus (sometimes a logo follows).
  • The sender is on the trusted list.
  • All links have been scanned by an anti-phishing engine.
  • No threats have been found.

Here’s an example of a phishing e-mail from attackers posing as support staff to trick the recipient into clicking the link and entering their Office 365 credentials. For extra plausibility, it claims that the message’s sender is verified.

Letter with a stamp

But in this case, the stamp “This sender has been verified from the [company name] safe senders list” should be a red flag.

How to react to an e-mail marked safe

Even though phishing or malicious e-mails usually demand a quick response (in the above example, under the threat of losing access to your work e-mail), a quick response is precisely what you should never give. First, ask yourself the following questions:

  • Have you seen this stamp before? If you’ve been at the company for at least a week, this probably isn’t the first e-mail you’ve had.
  • Have any of your coworkers ever seen such a stamp in their work e-mails? If in doubt, it’s better to check with a more experienced colleague or IT employee.
  • Is the stamp appropriate in the context? Sure, sometimes a “File scanned” or “Link scanned” stamp can make sense. But if the sender supposedly works in the same company as you, how can their corporate e-mail address not be on the trusted list?

In fact, modern mail filters work in the opposite way: they mark potentially dangerous e-mails, not ones given a clean bill of health. E-mails are marked to indicate that a dangerous link or attachment has been removed, or that they may be spam or phishing. And in the case of Outlook in Office 365, such stamps are usually placed not in the body of the message, but in special fields. More often, however, such e‑mails are simply deleted before they ever get to the addressee, or end up in the junk folder. Marking safe messages is inefficient.

The practice was employed in free mail services in the past, but the real purpose was always to underline a competitive advantage: a built-in filter or antivirus engine.
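Because legitimate filters put their verdicts in special fields rather than in the message text, a gateway or triage script can treat a "safe" stamp in the body as a phishing signal. The following is an added example, not part of the original article: it flags body text matching the four stamp themes listed earlier. The pattern wording, function names and sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy

# Constructed patterns, one per stamp theme listed in the article.
STAMP_PATTERNS = {
    "attachment_scanned": re.compile(r"\b(attachment|file)s?\b[^.]{0,40}\bscanned\b", re.I),
    "sender_verified": re.compile(r"\bsender\b[^.]{0,40}\b(verified|trusted|safe senders?)\b", re.I),
    "links_scanned": re.compile(r"\blinks?\b[^.]{0,40}\bscanned\b", re.I),
    "no_threats": re.compile(r"\bno threats?\b[^.]{0,20}\b(found|detected)\b", re.I),
}
HTML_TAG = re.compile(r"<[^>]+>")

def body_text(msg):
    """Return the visible body text: text/plain and text/html parts, tags stripped."""
    chunks = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html") or part.is_attachment():
            continue
        text = part.get_content()
        chunks.append(HTML_TAG.sub(" ", text) if ctype == "text/html" else text)
    return re.sub(r"\s+", " ", " ".join(chunks))

def find_safety_stamps(raw_message):
    """List the stamp themes whose wording appears in the message body."""
    msg = message_from_string(raw_message, policy=policy.default)
    text = body_text(msg)
    return sorted(name for name, rx in STAMP_PATTERNS.items() if rx.search(text))

def make_message(content_type, body):
    # Helper that builds the constructed sample messages below.
    return (f"From: it-support@example.com\nTo: user@example.com\nSubject: Notice\n"
            f"MIME-Version: 1.0\nContent-Type: {content_type}; charset=utf-8\n\n{body}\n")

# Constructed samples; "Example Corp" stands in for the [company name] placeholder.
STAMPED = make_message("text/html",
    "<p><b>This sender has been verified</b> from the Example Corp safe senders list</p>"
    "<p>Sign in to keep access to your mailbox.</p>")
DOUBLE = make_message("text/plain",
    "No threats found. All links have been scanned by an anti-phishing engine.")
PLAIN = make_message("text/plain", "Hi, the quarterly report is attached.")

if __name__ == "__main__":
    for name, raw in (("STAMPED", STAMPED), ("DOUBLE", DOUBLE), ("PLAIN", PLAIN)):
        print(name, find_safety_stamps(raw))
```

A hit is a reason to route the message for closer inspection rather than proof of phishing, since attackers vary the wording and some older mail services did add such notes themselves.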

How to stay safe and protect your company

Once again, we recommend that you periodically brief your colleagues on cybercriminals’ tricks of the trade (for example, you can send them a link to this post). For added robustness, it’s a good idea to raise their cyberthreat awareness with the help of special services.

And to make it clear without any stamps in the e-mail body that an attachment has been scanned for all possible cyberthreats, we recommend implementing protection at the mail gateway level or using specialized . Workstation-level protection with a reliable anti-phishing engine wouldn’t hurt either.