I recently had a client get an interesting phishing message. They had received a fake message from their CEO to their Controller - a "start the conversation" email to end up with a wire transfer. This sort of email is not common, but is frequent enough in Sr Management circles, especially if you are in the middle of merger or acquisition discussions with another company. Some technical warning signs in that note were:
So the discussion quickly moved from "I'm glad our execs came to us, we really dodged a bullet there" to "just how did this get in the door past our spam filter anyway?" This is where things got interesting. Their SPAM filter does use the SPF (Sender Policy Framework) DNS TXT record, and a quick check on the SPF indicated that things looked in order there. From the RFC (RFC7208), the ~ means "softfail", "A "softfail" result is a weak statement by the publishing ADMD that the host is probably not authorized". More detail appears later in the RFC: You'd think that a lot has changed since 2006 (the date of the original SPF spec, RFC4408), that in 2017 a spam filter should fail on that result, but apparently not (sad panda). Kinda makes you wonder what the actual use case is for that tilde character in the definition - I can't think of a good reason to list permitted mail senders, then allow any and every other server too. That being said, their filter *should* still have caught the mismatch between the "from" and "reply-to" fields, especially since it involved an external source and internal domains. Or at least paired that up with the domain mismatch to weight this email towards a SPAM decision. But that's another rant altogether. Long story short - this type of attack was pretty popular (and widely reported) about a year ago, but successful methods never (never ever) go away. A little bit of research can make for a really well-formed phish, right down to using the right people in the conversation, good grammar, and phrasing appropriate to the people involved. So a bit of homework can get an attacker a really nice payday, especially if their campaign targets a few hundred companies at a time (and they put more work into their email than the example above) So in this case, a typo in a DNS record could have cost millions of dollars. Good security training for the end users and vigilant people made all the difference - a phone call to confirm is a "must-do" step before doing something irrevocable like a wire transfer. =============== |
Rob VandenBrink 579 Posts ISC Handler Mar 2nd 2017 |
Thread locked Subscribe |
Mar 2nd 2017 5 years ago |
Was it really a typo? Seems to be a common practice, decreasing effectiveness of SPF.
~all was almost 60% in 2015 https://emailcopilot.com/blog/how-should-i-end-my-spf-record-all/ G Apps says use ~all https://support.google.com/a/answer/178723?hl=en Office 365 says use -all https://technet.microsoft.com/en-us/library/dn789058(v=exchg.150).aspx |
murph 1 Posts |
Quote |
Mar 2nd 2017 5 years ago |
In this case it was a typo - the client did intend (in their SPF) to say "these are my mail servers, all others are imposters and should be blocked".
That being said, at the time, their understanding was that the grammar that they constructed their SPF record with said that. It looks like there's some less than stellar advice out there from what I'd consider reputable sources, and there are a large number of folks who think their SPF record says one thing, when it really says something else. Thanks much for the additional info and links! |
Rob VandenBrink 579 Posts ISC Handler |
Quote |
Mar 2nd 2017 5 years ago |
Prevention is good but cleaning up after the incident is the skill that is really relevant here. CEOs will want immediate answers to:
Q: Was it an inside job? A: Look at the scope of related fake domains. Q: The fake email's headers don't lead anywhere; how can we learn more A: tag some reply emails. Q: Money is gone; what can be done A: Call law enforcement, get a case started, ask the bank to claw the money back. Lots of answers are really easy to implement. Our blog has info from cases of this sort. https://esleuth.com/2017/02/12/spoofed-email-send-direct-deposit/ |
GordonM 17 Posts |
Quote |
Mar 2nd 2017 5 years ago |
I just worked a phish against our HR dept where our SPF with the - did no good at all. I've redacted the headers with mygooddomain.com, and changed the name/address of the HR boss to HRBoss. This was sent to an HR employee, although the To: field was blank--RCPT TO must have been good.
Not sure what they did, but smtp.mailfrom listed both the bogus and real domains. MS appeared to only check the bogus domain in SPF, which was first... HEADER SNIPPET... Received: from SN1NAM02FT014.eop-nam02.prod.protection.outlook.com (2a01:111:f400:7e44::208) by BN6PR02CA0069.outlook.office365.com (2603:10b6:404:f9::31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.933.12 via Frontend Transport; Thu, 23 Feb 2017 20:51:25 +0000 Authentication-Results: spf=none (sender IP is 173.201.192.181) smtp.mailfrom=northstatemarketing.com; mygooddomain.com; dkim=none (message not signed) header.d=none;mygooddomain.com; dmarc=none action=none header.from=mygooddomain.com;mygooddomain.com; dkim=none (message not signed) header.d=none; Received-SPF: None (protection.outlook.com: northstatemarketing.com does not designate permitted sender hosts) Received: from p3plwbeout14-01.prod.phx3.secureserver.net (173.201.192.181) by SN1NAM02FT014.mail.protection.outlook.com (10.152.72.106) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.919.10 via Frontend Transport; Thu, 23 Feb 2017 20:51:25 +0000 Received: from localhost ([173.201.192.156]) by :WBEOUT: with SMTP id h0LmcdbHokIo0h0LmcbBkd; Thu, 23 Feb 2017 13:50:54 -0700 X-SID: h0LmcdbHokIo0 Received: (qmail 24825 invoked by uid 99); 23 Feb 2017 20:50:54 -0000 Content-Type: multipart/mixed; boundary="=_e098c0bb5dcd7931046c4bb3a575cda6" X-Originating-IP: 173.243.112.86 User-Agent: Workspace Webmail 6.6.7 Message-ID: <20170223135052.39f107455067c237417af60daafd8ee8.7dcfbc957b.wbe@email14.godaddy.com> From: HR Boss <HRBoss@mygooddomain.com> X-Sender: speterson@northstatemarketing.com To: Subject: Request Date: Thu, 23 Feb 2017 13:50:52 -0700 MIME-Version: 1.0 X-CMAE-Envelope: MS4wfJHgvRCC1vDgYSiKtjMRr63AmplbZmcL6F8qdqsq+OQ7oaJvAAd3ZtDNyF5RMaZy0JmuAqSY3AlSzzY0iqhQtyh++EBfLUmr6/iBWoc6D3Hd+THin1u7 3T44ETiXOSlaJxPMMassVMOEDW2nefIpH7gqG3unr/yjmJL5vACtIpyGTBKyhfryDS19I1fdyh/9pQ== Return-Path: speterson@northstatemarketing.com |
John 88 Posts |
Quote |
Mar 2nd 2017 5 years ago |
SPF is being made more and more worthless every day by "the cloud". Every Office 365 user has the same SPF record, home user, college student or major corporation. Etc.
Mismatches between Envelope-Sender and From are a great way to catch a lot of this stuff. We have a custom rule that looks for the string "@ourcompany.com" in the From field. If the Envelope-Sender does not match it's off to the quarantine field. It caught a really nice one once, completely unintended. The display name was the CEO's name AND his email address but the From address was not our domain.Looking for the string inadvertently caught another one. Want a good laugh? Pull up the SPF records for the three major credit bureaus. equifax.com - soft-fail but they use IP networks only. transunion.com - not only no modifier so it defaults to a neutral which is worse than a soft-fail, they include all of salesforce.com's customers as well as some mass-mailers. experian.com - a neutral (?all) which is even worse than a soft-fail. The only one I've ever seen that was worse was from an IT services company: +all Yeah, I had to look it up. Effectively it says "We have absolutely no clue who is sending email using our domain so assume it is all authorized." And if you have domains that never send email, consider setting an SPF record of "v=spf1 -all". That means the domain never sends any email so it's all phony. The best thing about SPF is it lets you set up DMARC so you can get feedbacl on who is forging your emails. |
Anonymous |
Quote |
Mar 3rd 2017 5 years ago |
Sign Up for Free or Log In to start participating in the conversation!