Beyond the Inbox: Strategies for Safeguarding Your Organization's

Email Communications
Introduction:
In today’s digital world, email is more than just a means of communication- it’s the lifeblood of modern
business operations. From exchanging critical information to managing client relationships, securely
transmitting, and receiving emails plays a critical role in an organization success. Reflecting on my
consulting experience, I’ve encountered numerous scenarios where small partner vendors become targets
of email server compromise, resulting in threat actors gaining access to and exfiltrating all business
emails. These compromised emails are subsequently utilized for spear phishing attacks against partner
organizations, leading to significant disruptions. In one instance, an entire business was forced to shut
down for three weeks. Thus, it's not merely about protecting data; it's about safeguarding the very essence
of trust and integrity that underpins every business interaction. In this article, we'll explore practical
strategies and best practices to strengthen email security. By putting these measures in place,
organizations can better navigate the digital landscape and strengthen their defenses against constantly
changing cyber threats.

Understanding the threat landscape

Before we dive into the solutions and tools that can help with enhancing the email security, lets
understand the threat landscape and attack vectors that Organizations face.

1. Phishing Attacks: Phishing remains one of the most prevalent and effective tactics used by
cybercriminals to deceive individuals into disclosing personal information, login credentials, or
financial data. Phishing emails often mimic legitimate communications from trusted entities, such
as banks, government agencies, or reputable organizations, and typically contain malicious links
or attachments designed to trick recipients into taking action. During the last quarter of 2023, the
Anti-Phishing Working Group (APWG) reported a considerable number of phishing incidents,
totaling 1,077,501. This surge in activity contributed to 2023 becoming the year with the highest
frequency of phishing attacks on record, with the APWG tallying close to five million instances
over the twelve months.

2. Malware and Ransomware Distribution: Email serves as a primary vector for distributing
malware and ransomware payloads. Malicious attachments or links embedded in emails can
deliver malware capable of infecting systems, stealing sensitive data, or encrypting files for
ransom. Ransomware attacks, in particular, have become increasingly common and disruptive,
causing significant financial losses and operational disruptions for organizations of all sizes.

3. Business Email Compromise (BEC): BEC attacks involve cybercriminals impersonating trusted
individuals or organizations to deceive recipients into taking fraudulent actions. These attacks
often target employees with access to sensitive information or financial resources, such as
executives or finance personnel. BEC attacks can result in wire transfer fraud, unauthorized fund
transfers, or compromised business relationships, leading to substantial financial losses and
reputational damage.

4. Zero-Day Exploits and Vulnerabilities: Zero-day exploits target previously unknown

vulnerabilities in email servers, clients, or protocols, allowing cybercriminals to bypass security
 controls and execute malicious activities. Zero-day vulnerabilities pose significant challenges for
organizations, as they often lack patches or mitigations, leaving systems vulnerable to
exploitation until a security update is release. A significant example of this issue surfaced in
March 2021 when Microsoft detected multiple zero-day exploits targeting on-premises versions
of Microsoft Exchange Server. Over the next few days, over 30,000 organizations in the US were
attacked as hackers used several Exchange vulnerabilities to gain access to email accounts and
install web shell malware, giving the cybercriminals ongoing administrative access to the victims’
servers.

5. Email Spoofing and Domain Impersonation: Email spoofing involves forging the sender's
email address to appear as if it originated from a trusted source. Cybercriminals often use email
spoofing techniques to impersonate legitimate organizations or individuals, increasing the
likelihood of successful phishing or BEC attacks. Domain impersonation, on the other hand,
involves registering domains closely resembling legitimate ones to deceive recipients into
believing the emails are authentic, further facilitating phishing and malware distribution.

Implementing technical Measures:

1. SMTP Proxy

SMTP proxies serve as crucial defenses against unwanted inbound emails. Positioned as the initial layer
in an email system, they handle SMTP connections from clients before forwarding data to additional mail
servers. These proxies often act as the primary defense against inbound spam, employing various
techniques such as spam content filtering, antivirus scans, and connection analysis.

SMTP proxies offer the following security capabilities:

• Rate limiting: Control the influx of incoming emails to prevent overwhelming mail servers.
• Sender authentication and encryption: Ensure the authenticity and security of email senders
through verification processes and encryption protocols.
• Email filtering: Implement comprehensive filtering based on criteria such as sender, recipient,
content, attachments, and keywords to identify and block malicious emails.
• Data Loss Prevention (DLP): Employ measures to prevent the unauthorized transmission of
sensitive information via email.
• Policy enforcement: Enforce organizational email policies and compliance regulations to
maintain security standards.
• Traffic monitoring: Continuously monitor email traffic to detect anomalies and potential security
breaches.
• Bayesian analysis: Utilize statistical methods to analyze email content and patterns, enhancing
detection accuracy and threat intelligence.

2. SPF( Sender Policy Framework)

SPF (Sender Policy Framework) is a method used to authenticate emails by specifying authorized mail
servers for a domain. It works by creating a list of permitted IP addresses or domains in a DNS record.
When an email is sent, the recipient's mail server checks the SPF record of the sender's domain to ensure
the sending server is allowed to send emails for that domain. If the sender's IP address matches one on the
list, the email passes authentication. Otherwise, it may be considered suspicious or rejected. SMTP
proxies enforce SPF checks by verifying the sender's SPF record during email transmission, preventing
email spoofing.

Here's an example of how SPF works:

Let's say you own the domain "example.com" and you want to ensure that only your company's email
servers are authorized to send emails on behalf of your domain.

You create an SPF record in your DNS settings for "example.com" that includes the IP addresses of your
company's email servers:

example.com. IN TXT "v=spf1 ip4:192.0.2.1 ip4:192.0.2.2 -all"

In this SPF record:

"v=spf1" specifies the SPF version.

"ip4:192.0.2.1" and "ip4:192.0.2.2" are the IP addresses of your company's email servers.

"-all" indicates a strict SPF policy, stating that only emails sent from the specified IP addresses are
allowed, and all others should be rejected.

Now, when someone receives an email claiming to be from "[email protected]," their mail server
performs an SPF check by querying the SPF record for "example.com." If the sending server's IP address
matches one of the authorized addresses listed in the SPF record, the email passes the SPF check and is
considered legitimate. If not, the email may be flagged as suspicious or rejected.

3. DKIM (DomainKeys Identified Mail)

DKIM (DomainKeys Identified Mail) adds a digital signature to outgoing emails, allowing receiving
servers to verify the sender's authenticity. This authentication method utilizes public-key cryptography:
the sender's private key signs the email as it leaves the server, while the recipient server uses a public key
published in the sender's DKIM domain to verify the message's source. Additionally, DKIM checks if the
signed parts of the email remain unchanged. Once the recipient server verifies the signature with the
public key, the email is deemed authentic, passing DKIM validation.

Here is how DKIM works:

a) Signing the Email:

Let’s say you're a user of the domain "example.com," and you're sending an email to a client. Before
sending the email, your email server adds a DKIM signature to the email using your domain's private key.

b) Adding the DKIM Signature:

The DKIM signature, containing information like the domain name and a cryptographic hash of the email
content, is inserted into the email header.

c) Email Transmission:
The email is transmitted over the internet to the recipient's mail server.
 d) Recipient Server Verification:
Upon arrival, the recipient's mail server retrieves the DKIM public key from the DNS records of
"example.com."

e) DKIM Verification:
The recipient's mail server uses the DKIM public key to decrypt the signature in the email header and
compare it with the hash of the email's content. If the decrypted signature matches the calculated hash, it
confirms that the email is valid and hasn't been altered.

f) Authentication:
Based on the DKIM verification, the recipient's mail server authenticates the email as originating from
"example.com" and considers it trustworthy for delivery to the recipient's inbox.

4. DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC (Domain-based Message Authentication, Reporting, and Conformance) acts as an additional

layer of email authentication, complementing SPF and DKIM. It determines whether an incoming email
passes or fails based on whether the "From" header matches the sending domain, as verified by SPF or
DKIM checks.

To prevent spoofing and phishing attacks, DMARC instructs receiving mail servers on how to handle
emails that claim to originate from your organization but fail authentication checks. If a message doesn't
meet the authentication requirements outlined in your DMARC policy record, the receiving server takes
action according to the specified policy.

Here is an example of DMARC works:

a) Publish a DMARC Record in DNS: the domain owner publishes a DMARC policy in the DNS
records for example.com. The DMARC policy is a TXT record that specifies how email receivers
should handle emails that don’t pass SPF and/or DKIM checks. A simple DMARC policy for
example.com might look like this:

v=DMARC1; p=none; rua=mailto:[email protected];

This record tells receiving mail servers to:

• Not apply any specific policy (p=none) to email that fails DMARC checks (other options include
quarantine or reject).
• Send aggregate reports about DMARC failures to [email protected].

b) Email Sent from example.com

When an email is sent from example.com, it should pass SPF and DKIM checks:

• The email's source IP should match one of the IPs allowed by SPF.
• The email should have a valid DKIM signature matching example.com's public DKIM key in
DNS.
 c) Email Received and Checked
The receiving email server looks up the DMARC policy of example.com when it receives an email
claiming to be from example.com. It checks the following:

• SPF check: Does the email come from an IP address allowed by the SPF record of example.com?
• DKIM check: Does the email have a valid DKIM signature that matches the public key published
by example.com?

d) Applying DMARC Policy

Based on the DMARC checks:

• If the email passes either the SPF or DKIM check and the domain alignment, the email is
considered to be authentic, and the DMARC policy specified in the DNS is applied.
• If the email fails both checks, the DMARC policy of example.com (e.g., none, quarantine, or
reject) instructs the receiving server on what to do with the email.

e) Reporting
Regardless of the email being accepted or rejected, the receiving server can send a report back to
example.com (to the email address specified in the DMARC record) detailing the results of the DMARC
checks. This reporting mechanism helps the domain owner monitor and protect their email domain's
reputation.

5. Dnstwist

DNSTwist is a valuable tool used to identify domains closely resembling legitimate ones, known as
cousin domains. These domains often mimic authentic ones, such as "ex4mple.com" imitating
"example.com," and are frequently exploited for malicious activities like phishing. By leveraging
DNSTwist, organizations can pinpoint these deceptive domains associated with their brand. They can then
configure an SMTP proxy to automatically detect and isolate emails originating from these suspicious
sources. This proactive approach empowers businesses to strengthen their cybersecurity defenses against
phishing attacks and similar threats.

6. Next-generation firewalls (NGFWs) and Endpoint Protection Solutions:

Next-generation firewalls (NGFWs) can significantly enhance security through sophisticated features like
URL filtering and decrypting and inspecting SSL/TLS-encrypted emails. URL filtering enables NGFWs
to scrutinize web traffic, blocking access to malicious sites and preventing potential threats from
infiltrating the network. Furthermore, NGFWs can decrypt SSL/TLS-encrypted emails, allowing for in-
depth content inspection to identify and neutralize hidden threats.

On the other hand, Endpoint security tools act as the last line of defense for email threats. They provide
supplemental protection if someone clicks on a malicious link in an email or downloads malware. Let's
take a closer look at some of these endpoint security technologies.

a) Endpoint Detection and Response (EDR): Provides continuous monitoring of endpoints for
suspicious activities, quickly identifying and neutralizing threats such as malware or ransomware.
EDR systems can also isolate affected devices to stop the spread of infection.
 b) Secure Web Gateways (SWG): Act as intermediaries between users and the internet, blocking
access to malicious links found in emails. SWGs prevent the download of malicious payloads by
filtering out harmful content before it reaches the user.

c) Data Loss Prevention (DLP): Monitors and controls the flow of sensitive information,
preventing unauthorized data exfiltration via email. DLP solutions ensure that sensitive data does
not leave the organizational network, mitigating the risk of data breaches.

d) Antivirus/Anti-malware Tools: Scan incoming emails and attachments for known threats,
providing a fundamental layer of defense. These tools block malicious files from being opened or
executed, protecting against viruses, malware, and other cyber threats.

Together, these endpoint security measures create a comprehensive defense mechanism against email-
based attacks, employing a combination of detection, prevention, and response strategies to secure
organizations in the digital environment.

7. Prioritizing Vulnerability Fixes and Patch Management

Addressing vulnerabilities in Exchange servers through prompt patching is crucial for an organization to
mitigate risks and enhance security. Essential considerations include the established process for tackling
critical vulnerabilities, the turnaround time for such actions, and the efficiency in applying these patches
in the past. Developing metrics around these practices may enable with setting clear expectations with
stakeholders and senior management, promoting a more transparent and proactive approach to
cybersecurity within the organization.

8. Encryption

Implementing email encryption is a critical step towards securing communications and safeguarding
sensitive information from cyber threats. Options like Pretty Good Privacy (PGP), Secure/Multipurpose
Internet Mail Extensions (S/MIME), and Transport Layer Security (TLS) offer robust frameworks for
different encryption needs.
PGP and S/MIME excel in providing end-to-end encryption, ensuring that emails remain confidential
between the sender and recipient, while TLS encrypts the connection between email servers during the
transmission of the email, ensuring that the contents are secure while in transit.

To adopt email encryption effectively, organizations should first conduct a comprehensive risk assessment
to identify the security requirements based on the type of information exchanged. Selecting an encryption
solution that matches the organization's specific security posture and regulatory compliance needs is
essential. Moreover, educating users on the operational aspects of encryption technologies is crucial to
leverage their full potential in fortifying email security.

9. Multi-factor Authentication

Implementing multifactor authentication (MFA) is imperative for securing email especially external web-
based logins to email systems. By requiring users to provide additional verification factors beyond
passwords, such as codes sent to their mobile devices or biometric authentication, MFA can significantly
enhance the security of email accounts. This added layer of protection can help mitigate the risk of
unauthorized access attempts, particularly from external sources. MFA should be considered a
fundamental security measure for securing external web-based login to email.
Employee awareness training and phishing campaigns

While Technical safeguards like encryption, endpoint security, SMTP Gateways etc. are essential for
protecting organizational communication channels, the human element remains the weakest link in
cybersecurity.
Therefore, effective security awareness training and mock phishing campaigns need to be combined with
technical defenses to improve the overall security posture. Ensuring the active engagement of employees
and partners in security awareness training is crucial. Metrics like the percentage of staff completing
training programs and the frequency of clicks on mock phishing emails can help gauge training
effectiveness and identify areas needing additional focus. Benchmarking these security metrics against
industry averages can further provide context for an organization's security posture. For instance, a high
click rate on test phishing emails compared to industry norms suggests a gap in employee training. On the
other hand, strong training completion rates and low click rates on phishing tests indicate a workforce
that's well-prepared to recognize and fend off email threats.

Ultimately, while robust technical defenses are non-negotiable, they must be complemented by
continuous investment in human awareness. Organizations should integrate regular security training and
simulated phishing exercises into their broader Cybersecurity framework. Analyzing participation and
effectiveness is key to building a resilient and secure email environment, where employees are
empowered to serve as the first line of defense against email-based cyber threats.

Incident Response and Contingency Planning:

Organizations must regularly update and review their incident response playbooks, ensuring they include
protocols for tasks such as conducting broad searches and eliminating phishing emails using criteria like
subject lines, sender details, and particular phrases within the emails. Developing detailed playbooks for
these processes can enable teams to quickly spot and remove harmful emails on a large scale. It's crucial
for organizations to have distinct playbooks for various scenarios and to frequently engage in tabletop
exercises to ensure all members understand their responsibilities. By adopting these proactive steps,
organizations can effectively minimize the effects of email security breaches, protect confidential data,
and preserve their operational stability.

Summary

Protecting an organization's email communications is a complex and requires a comprehensive approach.

By understanding the threats, implementing technical defenses, prioritizing system vulnerabilities,
educating employees, and preparing for incidents, organizations can significantly enhance their email
security. As the digital landscape evolves, our defense strategies must adapt to safeguard organizational
communications, ensuring their security and resilience against emerging threats.

Links
https://en.wikipedia.org/wiki/SMTP_proxy#:~:text=SMTP%20proxies%20often%20implement%20the,b
alance%20SMTP%20connections%20to%20prevent
https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
https://postmarkapp.com/guides/dkim#:~:text=DKIM%20authentication%20uses%20public%2Dkey,the
%20DKIM%20signature%20haven't
https://support.google.com/a/answer/2466580?hl=en
https://www.csoonline.com/article/570653/the-microsoft-exchange-server-hack-a-timeline.html
https://apwg.org/trendsreports/
https://github.com/elceef/dnstwist
https://learn.microsoft.com/en-us/purview/email-encryption

Author’s Biography

Nitin is an accomplished and proactive Cybersecurity expert, with over 15 years of specialized
experience in the field. Renowned for his exceptional leadership qualities and collaborative approach,
Nitin has a proven track record of effectively working alongside executive teams and key
stakeholders. His expertise lies in synchronizing cybersecurity strategies with overarching business
objectives while remaining abreast of the latest threats and innovative technologies within the
dynamic realm of Cybersecurity.
Currently serving as the Director, Global Cybersecurity at Estee Lauder, Nitin spearheads the Security
Architecture and Engineering team. His responsibilities encompass the critical tasks of evaluating,
designing, and deploying cybersecurity solutions. Before this role, Nitin held various pivotal
leadership positions, including managing Cybersecurity Incident Response at LA County, and
overseeing Information Security at Zocdoc.
Nitin’s professional expertise is underscored by an extensive array of cybersecurity certifications,
which includes CISSP, CISM, CISA, and GDSA. He is also a recognized thought leader in the
cybersecurity community, having delivered presentations at numerous prestigious Security
conferences such as CA World and ISC2 Congress. His presentations cover a wide range of vital
security topics, including phishing, social engineering, multi-factor authentication, privileged access,
identity management, and blockchain.
LinkedIn profile: https://www.linkedin.com/in/nitin-uttreja-8aaba3a/