A Trend Micro White Paper | October 2017

Forged Protection

Smart Protection for Office 365

>> An analysis of email forgery techniques and protection methods available in Trend Micro SaaS email security products

CONTENTS

Introduction ...... 3
Types of Forged Email Attacks ...... 4
“Envelope From” versus “Message From” ...... 4
Forged “Envelope From” ...... 6
Forged “Message From” ...... 7
Cousin Domain Abuse ...... 8
Free Email Account Abuse ...... 9
Compromised Email Account ...... 10
Trend Micro Solutions ...... 11
Forged “Envelope From” Protection ...... 11
Forged “Message From” Protection ...... 12
Cousin Domain Abuse Protection ...... 12
Free Email Account Abuse Protection ...... 12
Compromised Email Account Abuse Protection ...... 13
References ...... 14
Hosted Email Security ...... 14
Cloud App Security ...... 14

Page 2 of 14 | Trend Micro White Paper Forged Email Protection - Smart Protection for Office 365

INTRODUCTION

Email has been a major communication tool for most companies and organizations for many years now. From simple conversations and sharing information to major business transactions, email is involved in many daily activities. As the popularity and usage of email grew, so did the abuses and exploits from attackers using this communication channel. The simplicity and ease of email forging makes it one of the favorite tools for bad guys. The lack of a sender authentication mechanism in Simple Mail Transfer Protocol (SMTP) allows spoofing to be used to mislead recipients about the true source of the email. Attackers and scammers often use some form of email forgery to trick their victims. Phishing attacks, spoofed email attacks, and Business Email Compromise (BEC) attacks use one or more forms of forged email. Spoofing attacks became more prevalent around the middle of 2015, growing more prominent in the 2nd half of 2016. This attack vector has been so heavily exploited that, according to a report released by the FBI in May 2017, victims of BEC alone lost over $5 billion based on victim complaints worldwide since 2013. Trend Micro predicts this type of attack will remain prominent and will be used in more global attacks.

Some malware is also capable of creating spoofed emails that appear to come from the assumed sender. The KLEZ worm and many more modern malware families can harvest email addresses from the infected system and send spoofed emails to spread the infection. Cybercriminals are also getting more and more creative with their attacks, using one or more ways to forge emails and make them look legitimate to the naked eye. Careful analysis of email headers may be needed to spot these spoofing techniques. Common and non-technical email users are unaware of and unfamiliar with such analysis of email headers. Traditional antispam filters need to combine existing technologies with new advancements to battle this type of attack. This white paper will show how Trend Micro Smart Protection for Office 365, which includes Hosted Email Security and Cloud App Security, utilizes these technologies to protect Office 365 users from forged or spoofed emails.

TYPES OF FORGED EMAIL ATTACKS

Email forging is the building block of spoofed emails. Phishing and BEC attacks both use a forged sender address with the goal of tricking the recipients into thinking that the email came from a legitimate source. As a result, the unknowing victim may disclose sensitive information, send funds to unknown accounts, or even get infected with malware. Email forging techniques include:

• Forged “Envelope From”
• Forged “Message From”
• Cousin Domain Abuse
• Free Email Account Abuse
• Compromised Email Account

“ENVELOPE FROM” VERSUS “MESSAGE FROM”

Before diving into the different email forging techniques, let us first describe the different sender information that can be found in an email. An email typically contains two types of sender information: the “Envelope From” and the “Message From” address. The “Envelope From” is also known by other names such as the “MAIL From” and “SMTP From” address. This is the sender address specified in the MAIL FROM: command during the SMTP session. The “Envelope From” address is where bounced messages and errors are returned in case of email delivery problems. This address may or may not be visible to the recipient. The “Message From”, on the other hand, is the address displayed in the From: field of mail applications such as Outlook, which is what the receiver sees. To see the “Envelope From” address, it may be necessary to open the message headers. The procedure depends on the mail client application or web mail application being used. In most normal emails, the “Envelope From” and the “Message From” are the same. This is generally true for personal and individual email addresses within organizations.

However, there are legitimate uses where these two are not the same. For some auto-mailers, bounced messages are directed to one central repository mailbox, while the user replies go to a different address in the email’s “Message From.”

This usage of a special error handling mailbox in “Envelope From” is defined in RFC 5321: “It is possible for the mailbox in the return path to be different from the actual sender’s mailbox, for example, if error responses are to be delivered to a special error handling mailbox rather than to the message sender. When mailing lists are involved, this arrangement is common and useful as a means of directing errors to the list maintainer rather than the message originator.” Although the Return-Path header is a good indicator of the “Envelope From” address, it is not always reliable. As with other mail headers, it can also be modified, just like the sample above. Another important thing to note is that the basic SMTP or email protocols do not require these sender addresses to be authenticated in any way. In its primitive form, an email sender can put any address in either the “Envelope From” or the “Message From” fields without getting rejected, so long as the email server or program allows it. These leniencies in the core of the email system are what spammers and scammers abuse.

FORGED “ENVELOPE FROM”

When forging the “Envelope From” of an email, the attacker, in most cases, fakes the sender address to be in the same domain as the recipient. In other cases, it can bear a well-known and trusted domain or organization, such as web-based email service providers like Yahoo, or banking institutions. The use of a forged internal domain or faked trusted domain pushes the recipient to trust that the email came from a legitimate source. This is how scammers are able to trick the recipient into doing things that they usually wouldn’t do had they known that the email was fraudulent.

In this example, the “Envelope From” or “MAIL FROM” claimed to be a Gmail.com address. However, the source IP and FQDN of the email clearly don’t belong to the Gmail.com domain.

FORGED “MESSAGE FROM”

In this case, the “Envelope From” uses a legitimate domain for the sender but the “Message From” header is forged. Similar to a forged “Envelope From” attack, the “Message From” address can be faked to make it appear that the email came from an internal source domain or a well-known and trusted institution. Since the “Envelope From” address is not visible to most common and non-technical users, the tendency is for them to believe what they see in the “From:” address of the mail application. Combined with carefully crafted email content, it can fool unsuspecting recipients into following the scammer’s directions, which often leads to undesirable consequences. Even if the source domain in the “Envelope From” differs from the “Message From” domain, mail servers will still accept the message, since there is no specific rule or guideline in the email protocol that says this is not allowed.

In the sample above, the “Message From” was forged to appear to be coming from an internal user named Michael Doyle. But the actual sender is someone from @xplornet.com. Clearly, there is an intent to deceive the recipient.
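The distinction drawn in the “Envelope From” versus “Message From” section, and the forged “Message From” case just described, can be checked mechanically on a received message. The following is an added example (not code from the white paper or from any Trend Micro product): it uses Python's standard `email` library to read the `Return-Path` header that a receiving MTA records from the SMTP `MAIL FROM` command, compares its domain with the visible `From:` domain, and treats an internal-looking `From:` paired with an external envelope sender as suspect. The sample messages, addresses and domains (`interface.example`, `xplornet.example`, `list.example.org`) are constructed for the example.

```python
# Added example: compare the recorded "Envelope From" (Return-Path) with the
# visible "Message From" (From:) of a raw RFC 5322 message.
from email import message_from_string
from email.utils import parseaddr


def sender_domains(raw_message: str):
    """Return (envelope_domain, message_from_domain), lower-cased.

    Return-Path is what the receiving MTA writes from the SMTP MAIL FROM
    command, so it is used here as the recorded "Envelope From". As the paper
    notes, it is only an indicator: an earlier hop may have rewritten it.
    """
    msg = message_from_string(raw_message)
    envelope_addr = parseaddr(msg.get("Return-Path", ""))[1]
    from_addr = parseaddr(msg.get("From", ""))[1]
    return (
        envelope_addr.rpartition("@")[2].lower(),
        from_addr.rpartition("@")[2].lower(),
    )


def classify(raw_message: str, internal_domains) -> str:
    """Label the sender consistency of a message.

    internal_domains: the organisation's own domains (hypothetical set).
    """
    env_dom, from_dom = sender_domains(raw_message)
    if env_dom == from_dom:
        return "consistent"
    if from_dom in internal_domains and env_dom not in internal_domains:
        # The visible From: claims to be internal, but bounces would go
        # somewhere outside the organisation: the forged "Message From" pattern.
        return "suspect: internal Message From with external Envelope From"
    # Legitimate mismatches exist (mailing lists, auto-mailers), so a plain
    # mismatch is worth logging but is not a verdict by itself.
    return "mismatch: envelope and message sender differ"


# Constructed sample 1: a mailing list whose bounce address differs from the
# original poster, the legitimate case RFC 5321 describes.
LEGIT_LIST_MAIL = """Return-Path: <bounces@list.example.org>
From: Alice <alice@example.org>
To: jessie@interface.example
Subject: weekly digest

body
"""

# Constructed sample 2: the visible From: impersonates an internal user while
# the envelope sender is an unrelated external domain.
FORGED_FROM = """Return-Path: <someone@xplornet.example>
From: Michael Doyle <michael.doyle@interface.example>
To: jessie@interface.example
Subject: urgent wire transfer

body
"""

if __name__ == "__main__":
    for label, raw in (("mailing list", LEGIT_LIST_MAIL), ("forged From", FORGED_FROM)):
        print(label, "->", sender_domains(raw), classify(raw, {"interface.example"}))
```

The internal-domain list is the key input: without it the mailing-list case and the forged case both look like “mismatch”, which is exactly why the products described later ask the administrator to define internal domains.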

COUSIN DOMAIN ABUSE

A Cousin Domain is a domain specifically created to look very similar to a valid target domain. It usually involves replacing one or more characters in the domain name with a similar-looking character, for example, replacing the letter “l” with the number “1” or “m” with “rn”. Another way is by adding or removing a character in the domain name. Without careful inspection of the address, a recipient may simply not notice the trick and think that the email is indeed from the legitimate domain being forged. In the example below, the attacker tried to trick the recipient Jessie by using a domain that looks very similar to Jessie’s own domain interface.com. The attacker inserted an extra letter “i” between “e” and “r”.

It is also possible for a scammer to combine Cousin Domain abuse with other forged email techniques such as “Envelope From” and “Message From” forging. By combining it with a forged “Message From” address, the fake address will look a lot more like the legitimate one, raising its chance to dupe the target. In such cases, the cousin domain is specified in the Reply-To header, so when the recipient replies to the spoofed mail, the attacker will get the response. For example:

From: Mandy
To: [email protected]
Reply-To: Mandy

FREE EMAIL ACCOUNT ABUSE

This trick involves using a valid free email account, such as Yahoo, Gmail, AOL, and others. The email account’s display name is specifically set to show a legitimate internal user’s display name, usually an executive, but with a free email domain name. Because the email uses a legitimate email domain, it can pass Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and even Domain-based Message Authentication, Reporting, and Conformance (DMARC) checking.

In the example above, the sender is pretending to be “Harry Potter”, which can be any name within the organization, but the email address is clearly from Gmail. If the unsuspecting user, who knows that a person or executive named Harry Potter works in the company, relies entirely on the display name and completely ignores the actual email address, the forged email attack will succeed.

COMPROMISED EMAIL ACCOUNT

This may be the most difficult to detect even with header inspection. Luckily, it is also difficult for the attacker to execute. It involves compromising and taking control of a user’s account or mailbox. The attack may start with a phishing email that aims to gain user credentials. In the example below, the phishing email pretended to come from Outlook Notifications asking the user to cancel her account’s deactivation. The link however points to a malicious URL that uses plain HTTP and is clearly not from Outlook. This URL actually directs to the attacker’s site where the user’s credentials will be collected.

Once the phishing attack is successful, the attacker can then use the compromised account to send internal phishing or BEC emails. Below is an actual example.

Because the emails are coming from a legitimate user’s mailbox, there will not be anything suspicious in the mail header or sender address. The emails will also be routed through the internal mail system, allowing them to slip through traditional anti-spam filters undetected.

TREND MICRO SOLUTIONS

With over 29 years of presence in the security industry and over 100 patents related to email security, Trend Micro has emerged as a leader in protecting customers against unknown threats. By scanning more than 16 billion websites, email sources, and files every day across traditional and hosted environments, Trend Micro continues to improve its capabilities for protecting customers against spam and various email threats. For Office 365 or Exchange Online users, Trend Micro offers Smart Protection for Office 365, which contains two email security products: Hosted Email Security and Cloud App Security. Hosted Email Security serves as an email gateway protecting you from threats and attacks originating from the internet. Cloud App Security works at the mailbox layer through API integration to enhance Office 365 with advanced threat protection and data loss prevention for Exchange Online, SharePoint Online, and OneDrive for Business. The sandbox technology in Hosted Email Security and Cloud App Security analyzes suspicious files and email attachments with in-depth behavior analysis and simulation techniques. Together, the two products provide a layered defense that maximizes protection from incoming and internal email threats. Let’s first look at the overall anti-BEC technology and then take a closer look at how to set up Hosted Email Security and Cloud App Security to protect against the specific forgery techniques outlined in this paper.

ARTIFICIAL INTELLIGENCE-BASED ANTI-BEC TECHNOLOGY

In the August 2017 release, both Hosted Email Security and Cloud App Security were refreshed with updated BEC protection by integrating industry standard sender authentication protocols and enhanced Trend Micro BEC detection techniques. The new anti-BEC technology uses two forms of Artificial Intelligence, an expert rule system and machine learning, to more precisely identify fake email. The expert rule system mimics the knowledge of a security researcher by extracting characteristics which could indicate a forgery attempt. It looks at both attack characteristics, like sender information and routing, as well as characteristics of the email's intention, like a request for action, financial implication, or sense of urgency. The “high-profile user” function applies additional scrutiny and correlation between spoofed senders (often executives) and their real email addresses at the target organization. Next, a machine learning model decides the weighting of each characteristic and compares it to millions of other good and bad emails to precisely identify BEC scams. The machine learning model is constantly learning to further improve its results over time. The improved anti-BEC technology is a component of the Trend Micro Anti-Spam Engine. Now, let’s look deeper at protecting against the forgery techniques discussed earlier in the paper.

FORGED “ENVELOPE FROM” PROTECTION

A forged “Envelope From” attack fakes the SMTP MAIL FROM address to pretend to be coming from an internal sender (same domain as the recipient), a well-known service provider or internet domain, or just about anything that cannot be confirmed. SMTP authentication and email validation techniques such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) were developed over the years to combat this attack. Both of these technologies are being adopted more frequently by organizations worldwide. SPF enables an organization to specify which IP addresses are allowed to send email to the internet on its behalf. This prevents its domain from being used in forged and spoofed emails. DKIM, on the other hand, stamps an outgoing email with a digital signature that the receiving mail server can use to verify whether the email actually came from the specified source email address. This also prevents forged email addresses in the “Envelope From.” Hosted Email Security has SPF checking, DKIM checking and signing, and DMARC features to help customers battle forged “Envelope From” attacks. Hosted Email Security also rejects emails coming from unknown or unresolvable domains. If the domain is not publicly registered and has no MX record, the email will not be accepted.
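To make the SPF mechanism concrete, the following added example (written for this paper, not Trend Micro code, and not a complete RFC 7208 implementation) evaluates the domain of the SMTP MAIL FROM against an `spf1` record. The DNS data is a constructed in-memory table for the hypothetical domains `interface.example` and `_spf.mailhost.example`; a real check resolves the TXT record and also handles the `a`, `mx`, `exists` and `redirect` terms, which are skipped here.

```python
# Added example: evaluate SPF ip4/ip6/include/all terms for a sending IP.
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical domains and ranges).
FAKE_DNS = {
    "interface.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, ip: str, dns=FAKE_DNS, depth: int = 0) -> str:
    """Return pass / fail / softfail / neutral / none / permerror.

    domain: the domain part of the SMTP MAIL FROM ("Envelope From").
    ip:     the connecting client's IP address.
    """
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying terms at 10
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no policy published: nothing to decide on
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        matched = False
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            matched = addr.version == net.version and addr in net
        elif term.startswith("include:"):
            # include: matches only if the referenced policy yields "pass"
            matched = check_spf(term[len("include:"):], ip, dns, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue  # a / mx / exists / redirect are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


if __name__ == "__main__":
    for sender_ip in ("192.0.2.77", "198.51.100.10", "203.0.113.5", "2001:db8::1"):
        print("MAIL FROM <x@interface.example> from", sender_ip, "->",
              check_spf("interface.example", sender_ip))
```

The `-all` at the end of the record is what makes the policy useful against a forged “Envelope From”: a message from an address outside the listed ranges ends in `fail`, whereas `~all` only yields `softfail`, which most receivers treat as advisory.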

FORGED “MESSAGE FROM” PROTECTION

With the forged “Message From” attack, only the “From” address that is visible to the recipient is spoofed and made to look the same as an internal or trusted sender. This is always the case in the now widely popular BEC attack. For this type of abuse, Hosted Email Security offers its own BEC scanning criteria. In addition to the machine learning and expert rule-based spoof and phishing email detection offered by the anti-BEC technology, this new feature lets the administrator identify high-profile users, such as executives at the target organization, for which Hosted Email Security applies additional checking criteria to identify forged messages. By doing so, it provides tighter security protection against this attack. Cloud App Security, for its part, uses Advanced Spam Protection, which includes the anti-BEC technology, to provide similar protection against this attack.

COUSIN DOMAIN ABUSE PROTECTION

Cousin Domain Abuse’s chance of success is smaller if it’s not combined with a forged “Message From” attack. And when it is combined, BEC detection in Hosted Email Security will likely catch it. Also, at the front end is the Trend Micro Anti-Spam Engine that Hosted Email Security uses to filter more than 99% of spam emails in the wild. Combined with the frequently updated anti-spam heuristic rules, most Cousin Domain attack emails will not pass through the Anti-Spam Engine undetected. The IP Reputation checking in Hosted Email Security may also help detect and block possible Cousin Domain attacks. Trend Micro Email Reputation Services has a standard IP reputation database and an advanced, dynamic IP reputation database (updated in real time). When it’s used, Hosted Email Security can quickly respond to new spam and emerging threat sources and block them at the connection level. If the attacker tries to use a non-existent domain that looks very similar to the target domain, Hosted Email Security will also block it: Hosted Email Security rejects any email that comes from domains that have no public DNS records. Cloud App Security’s Advanced Spam Protection works hand in hand with the “High-Profile Users” settings to stop Cousin Domain attacks.

FREE EMAIL ACCOUNT ABUSE PROTECTION

Free Email Account abuse can be used in spoofing and BEC attacks. The attacker pretends to be a user from the inside, usually an executive, by setting the free email account’s display name to be the same as the spoofed sender. It is very similar to a forged “Message From” attack but uses free email accounts. Due to this similarity, Hosted Email Security can also detect and block this attack with its machine learning BEC detection feature. By listing the names of high-profile users, Hosted Email Security can do more aggressive scanning of emails claiming to be from those users. In the same manner, Cloud App Security can also use its Advanced Spam Protection with High-Profile Users to prevent this free mail account abuse. For recommended settings, enable Advanced Spam Protection for All Messages and select a detection level of Medium or High.

COMPROMISED EMAIL ACCOUNT ABUSE PROTECTION

Compromised email account attacks may come from two different directions. One is from an internal compromised account; the other is from an external compromised account. When an internal account is compromised, it can be used to send spam and phishing emails to large numbers of targets on the internet. With Hosted Email Security’s Outbound Email Scan, this outbound spam will be detected and logged. The Dashboard Top Spam Chart can then alert the administrator to the possible compromise based on a user’s emailing behavior. Below is an example.
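The behavioural signal the dashboard chart relies on (one internal sender suddenly producing many outbound messages that the filter tags as spam or phishing) can be reproduced from outbound scan logs. The block below is an added example for this paper, not Trend Micro code, and the log format is a constructed, hypothetical one rather than the product's own: it aggregates per-sender message counts, recipient counts and filter verdicts, then reports senders that cross both a verdict threshold and a recipient-volume threshold, so that a single false-positive verdict on a normal user does not raise an alert.

```python
# Added example: flag possibly compromised internal accounts from outbound
# scan logs (constructed log format, hypothetical thresholds).
import re

# Constructed outbound-scan log lines for three internal senders.
OUTBOUND_LOG = """\
2017-10-03T08:01:12Z sender=alice@interface.example recipients=1 verdict=clean
2017-10-03T08:03:40Z sender=bob@interface.example recipients=2 verdict=clean
2017-10-03T08:05:02Z sender=bob@interface.example recipients=45 verdict=spam
2017-10-03T08:05:09Z sender=bob@interface.example recipients=50 verdict=spam
2017-10-03T08:05:15Z sender=bob@interface.example recipients=50 verdict=phish
2017-10-03T08:10:00Z sender=carol@interface.example recipients=1 verdict=spam
"""

LINE_RE = re.compile(r"sender=(\S+) recipients=(\d+) verdict=(\w+)")
FLAGGED_VERDICTS = {"spam", "phish"}


def summarize(log_text: str) -> dict:
    """Aggregate messages, total recipients and flagged verdicts per sender."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        sender, recipients, verdict = m.group(1), int(m.group(2)), m.group(3)
        entry = stats.setdefault(sender, {"messages": 0, "recipients": 0, "flagged": 0})
        entry["messages"] += 1
        entry["recipients"] += recipients
        if verdict in FLAGGED_VERDICTS:
            entry["flagged"] += 1
    return stats


def suspected_compromise(stats: dict, min_flagged: int = 2, min_recipients: int = 20) -> list:
    """Senders with repeated flagged verdicts AND unusually many recipients."""
    return sorted(
        sender for sender, s in stats.items()
        if s["flagged"] >= min_flagged and s["recipients"] >= min_recipients
    )


if __name__ == "__main__":
    stats = summarize(OUTBOUND_LOG)
    for sender, s in stats.items():
        print(sender, s)
    print("suspected compromise:", suspected_compromise(stats))
```

Thresholds here are placeholders; in practice they would be derived from each user's own historical sending volume, which is what the paper means by alerting “based on a user's emailing behavior”.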

For compromised account spam coming in from the internet, Hosted Email Security’s anti-spam filter uses heuristic detection and integrates with the Trend Micro™ Smart Protection Network™ to help block 99%+ of spam with no more than 0.0003% false positives. And if the spam or phishing mail comes with a malicious URL, Web Reputation scanning with Time-of-Click Protection is there to stop it. Cloud App Security can detect internal BEC attacks coming from an internal compromised account. To prevent Compromised Email Account attacks, it is recommended to enable Advanced Spam Protection, High-Profile Users, and Scan All Messages.

REFERENCES

HOSTED EMAIL SECURITY

For optimum forged email attack protection at the gateway level, the following settings are highly recommended to be enabled and properly configured:

• Enable the Spam and Phish policy in both Inbound and Outbound policies. Configure it to scan for spam, BEC, Phishing, Web Reputation, and Social Engineering attacks. Separate policies may also be created if desired.
• Enable Time-of-Click Protection under Web Reputation and select the option “Apply to URLs that have not been tested by Trend Micro” (Recommended).
• Enable the Virtual Analyzer option for the Social Engineering filter.
• Identify High-Profile Users for the BEC filter and add their names to the High-Profile Users list.
• Enable IP Reputation in Hosted Email Security.
• Enable Sender Policy Framework and publish the appropriate SPF records in DNS.
• Enable DKIM Verification, DKIM Signing, and DMARC Settings in Hosted Email Security.
• Use the Data Loss Prevention (DLP) feature in Hosted Email Security. By using DLP to detect sensitive data and information, forged email attacks can be stopped from extracting that information out of the organization, either through a compromised account or from an unsuspecting victim.

CLOUD APP SECURITY

For best protection at the Exchange Online mailbox level, the following settings must be enabled and properly configured:

• Ensure that Advanced Spam Protection is enabled under the Advanced Threat Protection settings to further protect Exchange Online users from BEC, ransomware, advanced phishing, and other high-profile attacks. Select to apply it to All Messages.
• Define all Internal Domains to distinguish internal from spoofed incoming email messages.
• Identify High-Profile Users for more rigorous Business Email Compromise (BEC) detection.
• Enable real-time Web Reputation to track the credibility of URLs in emails. Configure it to apply to All Messages.
• Use the Data Loss Prevention feature to protect against possible leaks of sensitive information caused by forged email attacks.

Trend Micro Incorporated is a pioneer in secure content and threat management. Founded in 1988, Trend Micro provides individuals and organizations of all sizes with award-winning security software, hardware and services. With headquarters in Tokyo and operations in more than 30 countries, Trend Micro solutions are sold through corporate and value-added resellers and service providers worldwide. For additional information and evaluation copies of Trend Micro products and services, visit our Web site at www.trendmicro.com.

TREND MICRO INC.
U.S. toll free: +1 800.228.5651
phone: +1 408.257.1500
fax: +1 408.257.2003

©2017 by Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, and Smart Protection Network are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their owners. Information contained in this document is subject to change without notice. [WP01_SMART PROTECTION FOR O365 - FORGED EMAIL PROTECTION_171031US]
