Cisco Email Security Appliance C370 White Paper
© 2016 Cisco and/or its affiliates. All rights reserved.
About This Document
This document is for Cisco® engineers and customers who will deploy
Cisco Email Security using AsyncOS 10.0.
This document covers:
• Identifying a forged email
• Applying AsyncOS 10.0 Forged Email Detection
• Forged Email Detection in action
Introduction to Business Email Compromise (BEC)
Email forging (also known as spoofing, CEO fraud, or business email
compromise) is the practice of altering message headers so that the real
identity of the sender is hidden and the message looks like a legitimate
message from someone the recipient knows.
Briefly described, email forging attacks fall into the following categories:
1. “Envelope From” abuse: making the domain in the sender’s “Mail From”
value (also referred to as “Envelope From”) the same as the recipient’s
domain. This paper uses the terms “Mail From” and “Envelope From”
interchangeably.
2. From header abuse: using a legitimate domain for the sender’s
Envelope From value but a fraudulent From header, typically one that
carries the target organization’s own domain.
3. Cousin domain abuse: sending email from look-alike (cousin) domains
that pass Sender Policy Framework (SPF), DomainKeys Identified Mail
(DKIM), and Domain-based Message Authentication, Reporting, and
Conformance (DMARC) checks. The From value shows a similar sender
address that impersonates a real one (for example, using
4. Free email account abuse: using a free email account (Yahoo, Gmail,
etc.) that passes SPF, DKIM, and DMARC checks. The From header shows a
legitimate sender address with an executive’s name.
The first two categories are abuses of the owner’s domain name, either
in the Envelope From value in the internet headers or in the From value
in the message body. The basic structure of the second category is
shown in Figure 1. Cisco Email Security can remediate these locally by
using sender verification and content filters that track and permit only
legitimate senders to spoof your domain. The same result can be
achieved globally by using DMARC, DKIM, and SPF. In that case, your
DNS TXT records must list the third-party servers that legitimately
send to your employees using your domain, so that inbound 401(k) or
health-benefit notices are allowed while fraudulent ones are remediated.
Techniques for addressing categories 1 and 2 are discussed in:
Figure 1. From Header Abuse (message headers: a mail-from line whose Envelope From is a legitimate external domain, followed by “From: Executive Name <address>” and “To: Target Name <address>”)
The last two categories do not violate the domain portion of the address.
Malicious actors construct messages in which the Mail From and From
values agree, and then publish DKIM and SPF records for that domain. The
incoming message is therefore technically legitimate and cannot be
blocked using DNS TXT records or sender verification. For example, the
message may come from a free email account whose From header reads
“Executive Name <address at a free email provider>”. When viewed on a
mobile device, all that is seen is “From: Executive Name”.
Similarly, cousin domains that look like our sample domain can be
registered in DNS with their own SPF and DKIM text records.
Since the last two categories also spoof the name portion of the
message, Cisco® Forged Email Detection (FED) is the right tool to
remediate these types of spoofs. Given that you know the executive
names in your company, you can create a dictionary of these names and
then reference that dictionary with the FED condition in message filters
or content filters. Before enforcing FED, plan a monitoring period to
determine who is spoofing your organization and which of those senders
are legitimate (for example, third-party notification services). To do
so, read the white paper.
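As an added example that is not part of this paper and not AsyncOS code, the following Python script puts the header checks behind the four categories and the FED-style name match in one place: it reads the Envelope From (from the Return-Path header the receiving MTA stamps on delivery) and the From header, compares both against a protected domain, allow-lists the third-party hosts permitted to send as that domain (the sender-verification idea from the paragraph on categories 1 and 2), tests the From domain for look-alike (cousin) spelling, and matches the From display name against an executive-name dictionary (the idea behind the FED condition). The domain example.com, the executive names, the allowed host, the free-mail list, the edit-distance threshold and the sample messages are all constructed for this example; AsyncOS's actual FED condition and its similarity scoring are not reproduced here.

```python
"""Classify inbound messages against the four forging categories plus a FED-style name match."""
import re
from email import message_from_string
from email.utils import parseaddr

# --- Constructed configuration for this example; none of it comes from the paper. ---
PROTECTED_DOMAIN = "example.com"                        # our own domain
EXECUTIVE_DICTIONARY = {"Jane Doe", "John Q. Public"}   # FED-style dictionary of executive names
# Hostnames of third-party MTAs allowed to send to us using our domain
# (benefits or payroll providers); anyone else doing so is forging.
ALLOWED_SPOOFING_HOSTS = {"mta.benefits-provider.example"}
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}


def _domain(addr):
    """Domain part of an address, lower-cased; '' if there is none (e.g. the null sender)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _name_tokens(name):
    """Normalise a display name: 'Doe, Jane' -> ['jane', 'doe']; punctuation dropped."""
    name = name.strip().strip('"')
    if "," in name:
        last, first = name.split(",", 1)
        name = f"{first} {last}"
    return re.sub(r"[^a-z0-9 ]", "", name.lower()).split()


def name_matches_dictionary(display_name, dictionary=EXECUTIVE_DICTIONARY):
    """True if first and last name tokens match a dictionary entry (middle names ignored)."""
    tokens = _name_tokens(display_name)
    if len(tokens) < 2:
        return False
    for entry in dictionary:
        ref = _name_tokens(entry)
        if (tokens[0], tokens[-1]) == (ref[0], ref[-1]):
            return True
    return False


def _edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_cousin_domain(domain, protected=PROTECTED_DOMAIN):
    """Look-alike of the protected domain: first label within 2 edits, or embedding our label."""
    if not domain or domain == protected:
        return False
    base, label = protected.split(".")[0], domain.split(".")[0]
    return base in label or _edit_distance(label, base) <= 2


def classify(raw_message, connecting_host):
    """Return the forging categories a message falls into ([] if none)."""
    msg = message_from_string(raw_message)
    envelope_from = parseaddr(msg.get("Return-Path", ""))[1]   # Envelope From / Mail From
    display_name, header_from = parseaddr(msg.get("From", ""))
    env_domain, from_domain = _domain(envelope_from), _domain(header_from)
    trusted_host = connecting_host in ALLOWED_SPOOFING_HOSTS
    findings = []
    if env_domain == PROTECTED_DOMAIN and not trusted_host:
        findings.append("1:envelope-from-abuse")
    if from_domain == PROTECTED_DOMAIN and env_domain != PROTECTED_DOMAIN and not trusted_host:
        findings.append("2:from-header-abuse")
    if is_cousin_domain(from_domain):
        findings.append("3:cousin-domain")
    if from_domain in FREE_MAIL_DOMAINS and name_matches_dictionary(display_name):
        findings.append("4:free-mail-executive-name")
    # FED-style condition: an executive's display name on a From address outside our domain.
    if from_domain != PROTECTED_DOMAIN and name_matches_dictionary(display_name):
        findings.append("FED:executive-name-match")
    return findings


# Constructed sample messages (raw text, connecting MTA hostname). Return-Path carries the
# Envelope From as the receiving MTA recorded it.
SAMPLES = {
    "envelope_abuse": ("Return-Path: <finance@example.com>\nFrom: Accounts <finance@example.com>\n"
                       "To: Target Name <target@example.com>\nSubject: Wire\n\nPlease pay.\n",
                       "mail.attacker.example"),
    "from_header_abuse": ("Return-Path: <bounce@somelegit.example>\nFrom: \"Doe, Jane\" <jane.doe@example.com>\n"
                          "To: Target Name <target@example.com>\nSubject: Urgent\n\nCall me.\n",
                          "mail.attacker.example"),
    "cousin_domain": ("Return-Path: <jane.doe@examp1e.com>\nFrom: Jane Doe <jane.doe@examp1e.com>\n"
                      "To: Target Name <target@example.com>\nSubject: Invoice\n\nSee attached.\n",
                      "mail.examp1e.com"),
    "free_mail": ("Return-Path: <jdoe1234@gmail.com>\nFrom: Jane Doe <jdoe1234@gmail.com>\n"
                  "To: Target Name <target@example.com>\nSubject: Quick favor\n\nAre you at your desk?\n",
                  "mail-abc.google.com"),
    "legit_benefits": ("Return-Path: <bounces@benefits-provider.example>\nFrom: Benefits <benefits@example.com>\n"
                       "To: Target Name <target@example.com>\nSubject: 401(k) notice\n\nEnrollment opens.\n",
                       "mta.benefits-provider.example"),
    "legit_partner": ("Return-Path: <bob@partner.example>\nFrom: Bob <bob@partner.example>\n"
                      "To: Target Name <target@example.com>\nSubject: Hi\n\nLunch?\n",
                      "mx.partner.example"),
}


def run_samples():
    """Classify every constructed sample; returns {name: findings}."""
    return {name: classify(raw, host) for name, (raw, host) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name:18s} -> {findings or 'clean'}")
```

The allow-list is keyed on the connecting host rather than on the Envelope From, because the whole point of categories 1 and 2 is that the addresses themselves are forged; in production the equivalent decision comes from sender verification or an SPF pass for the third party's published servers, and the name match would be tuned during the monitoring period so that legitimate notifications using an executive's name are exempted.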
Cisco Email Security How-To Guide
How-To Enable Forged Email Detection
Cisco Public