Sender Policy Framework: Protect your email domain reputation
For the month of September, we'll be running a blog series devoted to our brokers, taking a deeper look into the hearts and minds of our cybersecurity analysts and underwriting team as we explore ways to solve cyber risk.
One of the most unexpected issues that can arise in the underwriting process is for the Coalition security and underwriting team to flag a quote for a secondary review, or, even more unexpectedly, for that review to result in a contingency or a declination.
That's why we are dedicating this month to contingencies and common security risks. We'll explore key considerations about common exposures and how they translate into risk. Today we are going to break down SPF.
What is Sender Policy Framework (SPF)?
Email is a huge part of our daily lives, and COVID-19 has made it even more prevalent as office communication has moved online. The volume and rate at which we open, read, and click on items inside emails is growing. What makes this tricky is that more and more external factors compete for our attention at home — especially in families with small children! That’s why we want to talk about a specific security control that helps ease our stress as we try to identify whether each email is legitimate.
Sender Policy Framework (SPF) is an email authentication method that specifies the mail servers authorized to send email for your domain. If a sending system is not listed as authorized, its emails will likely end up in the spam or junk folder, or even be flagged as suspicious. This is hugely beneficial because it lowers the chance that a client or business partner opens a spoofed email message pretending to be from your organization.
As we hinted in last week's post on RDP, the presence and validity of your organization's SPF record can have a big impact on whether or not a hacker decides to target your business and your partners.
The dangers of an invalid SPF
Let’s consider a practical scenario to help us understand how this works. In this case, our potential victim is a company that has no SPF record, or an SPF record that is invalid (invalid SPF records are ignored completely).
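The two states described above, a domain with no SPF record and a domain whose record is invalid, are what a receiving mail server decides between when it reads the domain's DNS TXT records. The checker below is an added example, not code from Coalition or from this post, and it shows how to tell those states apart for your own domain: it applies the syntax rules of RFC 7208 (one record starting with `v=spf1`, known mechanisms only, valid ip4/ip6 arguments, at most 10 DNS-lookup terms) and reports `none`, `permerror` (record present but unusable, so receivers ignore it) or `ok`. The TXT answers in `SAMPLES` are constructed for illustration; in practice you would feed it the TXT records returned by a DNS query for your domain.

```python
import ipaddress
import re

# Mechanisms and modifiers defined by RFC 7208; anything else is unknown.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}
# Terms that trigger a DNS query during evaluation; RFC 7208 caps them at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# One SPF term: optional qualifier, name, optional separator (":" "=" "/") and argument.
TERM_RE = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9_.-]*)(?:([:=/])(.*))?$")


def _is_spf(record):
    """An SPF record is a TXT record whose first token is the version tag v=spf1."""
    r = record.lower()
    return r == "v=spf1" or r.startswith("v=spf1 ")


def _check_ip(arg, version):
    """Return an error message if arg is not a valid address or CIDR of that IP version."""
    if not arg:
        return "ip%d mechanism needs an address" % version
    try:
        net = ipaddress.ip_network(arg, strict=False)
    except ValueError:
        return "ip%d mechanism has an unparsable address: %s" % (version, arg)
    if net.version != version:
        return "ip%d mechanism carries an IPv%d address: %s" % (version, net.version, arg)
    return None


def check_spf(txt_records):
    """Classify a domain's TXT records the way a receiving mail server does.

    Returns (status, findings): status is 'none' (nothing published),
    'permerror' (a record exists but is unusable, so it is ignored) or
    'ok' (syntactically usable); findings lists errors followed by warnings.
    """
    spf = [r for r in txt_records if _is_spf(r)]
    if not spf:
        return "none", ["no v=spf1 record published"]
    if len(spf) > 1:  # RFC 7208 section 3.2: more than one record is a permerror
        return "permerror", ["%d v=spf1 records published; only one is allowed" % len(spf)]

    errors, warnings, lookups, has_all, has_redirect = [], [], 0, False, False
    for term in spf[0].split()[1:]:
        m = TERM_RE.match(term)
        if not m:
            errors.append("malformed term: %s" % term)
            continue
        qualifier, name, sep, arg = m.groups()
        name = name.lower()
        if has_all:  # nothing after "all" is ever evaluated
            warnings.append("term after 'all' is never evaluated: %s" % term)
            continue
        if name in MECHANISMS and sep != "=":
            if name in LOOKUP_TERMS:
                lookups += 1
            if name == "ip4":
                err = _check_ip(arg, 4)
            elif name == "ip6":
                err = _check_ip(arg, 6)
            elif name in ("include", "exists") and not arg:
                err = "%s mechanism needs a domain" % name
            elif name == "all" and sep:
                err = "all mechanism takes no argument"
            else:
                err = None
            if err:
                errors.append(err)
            has_all = has_all or name == "all"
        elif sep == "=":  # name=value terms are modifiers
            if qualifier:
                errors.append("modifier cannot carry a qualifier: %s" % term)
            elif name == "redirect":
                lookups += 1
                has_redirect = True
            elif name not in MODIFIERS:
                warnings.append("unknown modifier ignored: %s" % term)
        else:  # an unknown mechanism makes the whole record unusable
            errors.append("unknown mechanism: %s" % term)

    if lookups > MAX_LOOKUPS:
        errors.append("%d DNS-lookup terms exceed the limit of %d" % (lookups, MAX_LOOKUPS))
    if not has_all and not has_redirect:
        warnings.append("no 'all' mechanism: unlisted senders get a neutral result")
    return ("permerror" if errors else "ok"), errors + warnings


# Constructed sample TXT answers (not real domains), one list per scenario.
SAMPLES = {
    "valid": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
              "verification-token=constructed-value"],
    "missing": ["verification-token=constructed-value"],
    "duplicate": ["v=spf1 ip4:192.0.2.10 -all", "v=spf1 include:_spf.example.net ~all"],
    "bad_ip": ["v=spf1 ip4:192.0.2.300 -all"],
    "unknown_mechanism": ["v=spf1 ip4:192.0.2.0/24 foo:bar -all"],
    "too_many_lookups": ["v=spf1 " + " ".join("include:spf%d.example.net" % i for i in range(11)) + " -all"],
    "no_all": ["v=spf1 mx"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        status, findings = check_spf(records)
        print("%-18s %-9s %s" % (label, status, "; ".join(findings)))
```

The `none` and `permerror` outcomes are the two cases the scenario above turns on: from the receiver's point of view both mean the domain has published no usable sender policy, so a spoofed message is not rejected on SPF grounds. The `no_all` case is worth watching for as well, since a record without a terminating `all` still leaves unlisted senders with a neutral result.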
Imagine an attacker scanning a list of domain names with the words ‘title’ or ‘law’ in them to determine which domains have valid SPF records. Each time the attacker sees that an SPF is invalid or missing, this domain gets added to a target list to research.
After scraping a few thousand domains, the attacker looks up each organization on LinkedIn to see a list of employees, their roles, and who is connected to their professional network. After establishing that Bob at the ACME Title Company (with an invalid SPF record) knows Alice at Target Real Estate Company, the attacker creates an email as bob@acmetitlecompany.com with a return-path of attacker@attackerbadguys.com — the reply address of an account and domain controlled by the attacker.
The attacker sends a spoofed email to Alice with a message that reads, “please see the attached list of closings this month,” and encourages her to click. The attacker then sends a follow-up email claiming the previous email was sent by accident, stating, “please do not open the attachment because it contains sensitive data.”
As someone who has conducted phishing attempts as part of penetration tests, I learned that if you want targets to open your phishing emails and run the malware attachments without suspicion, politely ask them not to. This also prevents the target from reaching out to the spoofed company to confirm any type of intended or unintended email communication.
Now, our attacker has access to Alice’s email and her computer. They can see legitimate communication with the real Bob at ACME Title Company, as well as all of the other closings and transactions at Alice’s company. All the attacker needs to do is wait for wire instructions to enter the inbox and alter the wire transfer instructions to maliciously block or redirect funds.
Continuous monitoring to protect your business
Coalition’s Attack Surface Monitoring platform, powered by BinaryEdge, lets our policyholders monitor their own security as well as the security of their partners. This powerful platform includes checks for attack vectors like SPF and alerts our policyholders when one of their partners becomes (or currently is) vulnerable.