Email Gateway Security

For the safest email settings, just block all emails. Then you can sleep at night knowing no-one can get phished through your email system! Anyone who deals with securing email systems has to take a risk-based approach to a lot of different policies and scenarios. This post will walk through two different scenarios of email flow, and I will ramble my thoughts on things that should be done, could be done, or shouldn’t be done for each one. Hopefully, it will bring you joy and laughter instead of the humdrum of technical mumbo jumbo.

Note:

This post uses some technical jargon around email security protocols, which, as if perfectly planned, my previous post discusses in more depth. Also, any likeness to real people is unintended, as I used GenAI to help come up with the names.

Inbound Scenario

Jaxon Steele, the job seeker, decides he wants to send out his resume to various companies, even though there are currently no posted jobs that he fits. One of those companies is your company, Acme Inc., where Holden Rivers is in charge of looking through new applications and emails sent to the HR inbox. Before any email reaches the HR inbox, various security checks should happen on the inbound email from Jaxon.

Let’s imagine that this is Jaxon’s email:

Dear Holden,

My name is Jaxon, and I am interested in a position at Acme Inc. With a background in anvils and skills in falling down, I am excited about the opportunity to contribute to your team.

At Suspicious Studios, I worked as a stunt double, which has prepared me to drop anvils and fall for a long time and land without being injured. I am impressed by the size and weight of the anvils you create and believe my experience aligns well with your goals.

Attached is my resume for your review. I would love to discuss how my background can benefit Acme Inc. Thank you for considering my application.

Best regards,

Jaxon
https://www.linkedin.com/in/jaxon-steele
+1 248-434-5508

All inbound emails should be checked for passing DMARC, SPF, and DKIM. If DMARC fails, which means SPF, DKIM, or both failed, your mail server should honor the DMARC policy published by Jaxon’s email provider; if no policy is set, it might be best to bounce/reject the email. Let’s assume that the email came from jaxon_steele@gmail.com, which is a personal Gmail account. Emails that come from Gmail should pass all three of those checks, so let’s continue down some other checks.
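As an added illustration (not from the original post), here is the DMARC disposition logic a gateway applies at this step, in Python. It assumes the RFC 7489 rule that DMARC passes when either SPF or DKIM passes with a domain aligned to the From: header, simplifies relaxed alignment to a subdomain match, and follows the post’s suggestion of rejecting when no policy is published.

```python
def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as "v=DMARC1; p=reject; aspf=s" into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def aligned(auth_domain, from_domain, strict):
    """Identifier alignment: strict needs an exact match; relaxed also accepts a
    subdomain (simplified: real gateways compare organizational domains)."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if auth_domain == from_domain:
        return True
    return not strict and auth_domain.endswith("." + from_domain)

def dmarc_disposition(from_domain, spf, dkim, dmarc_txt):
    """spf and dkim are (passed, authenticated_domain) tuples: the envelope MAIL FROM
    domain for SPF, the d= domain for DKIM. Returns (dmarc_pass, action)."""
    record = parse_dmarc_record(dmarc_txt) if dmarc_txt else None
    if record is None:
        # Gateway choice from the post: no published DMARC policy -> bounce/reject.
        return (False, "reject")
    spf_ok = spf[0] and aligned(spf[1], from_domain, record.get("aspf", "r") == "s")
    dkim_ok = dkim[0] and aligned(dkim[1], from_domain, record.get("adkim", "r") == "s")
    if spf_ok or dkim_ok:
        return (True, "accept")  # one aligned pass is enough for DMARC
    policy = record.get("p", "none")
    # p=none asks receivers only to report, so the mail is still accepted.
    return (False, "accept" if policy == "none" else policy)
```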

Since Jaxon’s email address is being seen by your email system for the first time, a higher level of scrutiny should be applied. How these upcoming checks are performed varies depending on the email gateway system in use, so I’ll try to keep them as abstract as possible. This is by no means an exhaustive list of checks, but they are good starting points.

  • Scan the attachment:

    • Check for viruses/malware.

    • Check to see if it is a bad file type to receive via email.

      • Things like scripts, executables, and installers usually should not be sent via email.

    • Check links/URLs included in the attachment with the same ideas as below.

  • URL Scanning:

    • Does the underlying URL match what is being displayed?

    • Does the URL go to/redirect to a malicious website?

    • Does the URL try to download something malicious?

  • Impersonation:

    • Does the Sender Name match the SMTP Sender Name?

      • Checks to ensure it isn’t impersonating someone within your organization by hiding the true email sender.

        • Example of an impersonation attempt:

          • Sender Display shows “Holden Rivers”, but the actual sender address is totallylegitemail@example.com.

  • Spam Scanning:

    • Checks to ensure the email address, domain, and URLs are not part of any kind of block lists or spam lists.

      • Whenever a message is reported as spam, if there are enough reports, the email address and domain will be added to these kinds of lists.

  • Anti-spoofing:

    • This check falls in line with the SPF checks to ensure that only valid SMTP servers are sending emails as the domain the email claims it is coming from.

Utilizing these kinds of checks can significantly reduce the number of phishing emails that arrive in your users’ mailboxes. There are always special cases that require bypassing a policy. My recommendation is to bypass the policy only temporarily, while you work with your end user and their vendor/client’s email team to resolve the underlying issues.
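The Impersonation and URL Scanning checks from the list above, as an added Python example that is not part of the original post. The staff directory, the acme.example domain, and the sample headers and HTML are constructed for the scenario.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed directory for the Acme Inc. scenario (assumed names and domain).
INTERNAL_DOMAIN = "acme.example"
STAFF_NAMES = {"holden rivers", "felix thorne"}

def impersonation_flags(from_header):
    """Flag display names that impersonate staff or embed a different address."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if name.strip().lower() in STAFF_NAMES and domain != INTERNAL_DOMAIN:
        flags.append("display name matches staff but sender is external")
    embedded = re.search(r"[\w.+-]+@[\w.-]+", name)
    if embedded and embedded.group(0).lower() != addr.lower():
        flags.append("display name contains a different email address")
    return flags

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def mismatched_links(html):
    """Links whose visible text is a URL on a different host than the real href."""
    parser = LinkCollector()
    parser.feed(html)
    bad = []
    for href, text in parser.links:
        if " " in text or "." not in text:
            continue  # plain words like "click here" cannot be checked this way
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        if shown and shown.lower() != (urlparse(href).hostname or "").lower():
            bad.append((text, href))
    return bad
```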

Outbound Scenario

After a meticulous interview process that leaves Jaxon wondering whether he got the job, Holden reaches out with an offer letter and Jaxon accepts the position. Before he starts, Felix Thorne needs to collect a lot of sensitive information about Jaxon in order to perform a background check and other standard hiring processes. Jaxon fills out the paperwork and sends over the requested information, which includes his SSN, name, date of birth, etc.

Felix now needs to send this information via email to a third-party vendor that performs the background checks for Acme Inc. In this scenario, there should be checks and security in place to prevent the sensitive data from being leaked.

For this scenario, we know that DMARC, SPF, and DKIM are all configured properly at Acme Inc. These three are a great first step toward securing your outbound email. Additional checks can be found below; like before, they can vary depending on your email gateway, and it’s not an exhaustive list.

  • Scan the attachment:

    • Check for viruses/malware.

    • Check to see if it is a bad file type to send via email.

    • Check links/URLs included in the attachment with the same ideas as below.

    • Check for any Personally Identifiable Information (PII) or other sensitive information relevant to your company.

  • Secure Tunnel (TLS Encryption):

    • Attempt to set up a secure connection between your mail server and the receiving mail server.

    • If this fails:

      • Option 1

        • Hold the email at your gateway.

        • Notify receiving user of a secure message waiting in an online portal.

        • Recipient logs in to web portal to retrieve the email and attachment.

      • Option 2

        • Notify the sender that the email could not be sent securely and that it contained PII or sensitive information.

        • Suggest the sender utilize your company’s secure file sharing service, like Dropbox, OneDrive, or Box.

Running these checks can help prevent data leakage and keep prying eyes from reading the emails.
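An added example (not from the original post) of the outbound PII scan and the TLS fallback decision in Python. The SSN pattern, the issuance rules used to filter false positives, and the sample form text are constructed for the scenario, and `tls_established` stands in for the result of the MTA’s own STARTTLS attempt.

```python
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def looks_like_ssn(area, group, serial):
    """Drop numbers the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. Cuts false positives on part/order numbers."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)

def find_pii(text):
    """Return SSN-like strings found in a body or in text extracted from an attachment."""
    return [m.group(0) for m in SSN_RE.finditer(text) if looks_like_ssn(*m.groups())]

def outbound_decision(text, tls_established, fallback="portal"):
    """Apply the post's outbound rules: deliver when nothing sensitive is present or
    the hop is TLS-protected; otherwise hold for the secure portal (Option 1) or
    return the message to the sender with a pointer to file sharing (Option 2)."""
    if not find_pii(text):
        return "deliver"
    if tls_established:
        return "deliver"  # sensitive, but the connection to the vendor is encrypted
    return "hold-for-portal" if fallback == "portal" else "return-to-sender"

# Constructed sample (not a real person): fields Felix would forward to the vendor.
SAMPLE = """Name: Jaxon Steele
DOB: 1990-01-02
SSN: 123-45-6789
Ref: 900-12-3456 is an anvil part number, not an SSN"""
```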

Conclusion

Securing email requires a balanced approach that involves thorough checks and continuous monitoring. Implementing these security measures and others can significantly reduce the risk of phishing attacks and data breaches due to email. Remember, email security is not a one-time task, but an ongoing process.

As always, comments are welcome, keep them civil and on-topic.
