How To Stop Email Spoofing Outlook

Defending Against Email Spoofing

How We Can Stop Email Spoofing – 23May2017


Email spoofing is a technique for forging an email header to trick recipients into believing the sender is a familiar brand or acquaintance. It's a critical element of both phishing and spear phishing attacks, and it can be extremely difficult for users, and even for sophisticated email filters, to detect.

Why is email spoofing so difficult to spot? Consider the following example: You get an email from support@appIe.com asking you to confirm the password for your iTunes account. It's a reasonable request, so you click on the link and hand over your Apple ID and password to an attacker.

What happened? To understand the attack, you need to know the difference between apple.com and appIe.com. They look the same, but they're not. The first is Apple's legitimate domain; the second is a phishing domain that replaces the lowercase l in apple with a capital I. It's nearly impossible to see with the naked eye, and even email filters struggle to detect this type of spoofing.

How To Stop Email Spoofing In Office 365

While most administrators would expect their users to be a bit savvier in terms of how to avoid email impersonation in the year 2019, it turns out that more sophisticated attacks are leaving your everyday business user in the dust. None are more insidious than phishing and email impersonation. Therefore it is critical for administrators using Microsoft products to know how to minimize the risk email spoofing creates in Office 365.

The primary issue is that email protocols are inherently insecure by default. That's not surprising, as they were developed in the earliest days of networked communication. What is surprising is that email phishing can still cost so much in time and money. A whitepaper from PhishMe Human Phishing Defense states that phishing attacks were up 65% in 2017, and those numbers seem to be growing.

Network administrators need to implement critical security features to help them protect their email domain from spoofing. Here I'll cover those features, including the use of SPF, DKIM, and DMARC records, which are supported by built-in Office 365 tools and work with standard email and DNS protection systems. Next, I'll discuss the importance of educating your users and providing them with the warnings they need to recognize bad emails. Finally, I'll discuss the importance of third-party support to help you catch spoofed email that makes it through your own lines of defense.

Consequences Of Email Phishing Attacks

Email spoofing/phishing is relatively easy and doesn't require much technical know-how. Anyone with basic email server administration skills can do it, and it comes with a high ROI.

Nowadays many companies still rely on spam filtering techniques to stop these attacks, but a carefully crafted phishing email that doesn't trigger the spam filters passes through without being detected. Spam filtering measures aren't designed to stop spoofing, after all. You need another defense mechanism specifically designed to prevent phishing emails from ever reaching the recipients.

When a company falls victim to an email phishing attack, a lot of things are suddenly at risk: blemished brand reputation, intellectual property stolen, direct financial loss, suspension of business activity due to the company being held up, etc. The list goes on.

Email is one of the most important assets of modern organizations. Critical corporate functions including marketing, sales, customer support, internal communication depend on email heavily, and any security breach can cause severe losses. Failing to secure your corporate email is like keeping a safe unlocked or a corporate bank account unprotected by a password, thus vulnerable to all sorts of attacks.


DMARC Record In Office 365

To use DMARC, you need to institute records for both incoming and outgoing mail.

Luckily, DMARC is already configured for inbound mail in Office 365.

Outbound mail gets a little trickier if you are using custom domains. If you aren't using custom domains, then DMARC is already configured for your server.

If you are using custom domains, then setting up DMARC is relatively simple:

  • Set up and enable SPF.
  • Set up and enable DKIM.
  • Enter the following line as a DMARC TXT record in your DNS:
  • Where

    • _dmarc.domain is the domain you're setting up DMARC for.
    • 3600 is the time to live, i.e. how long (in seconds) DNS servers cache the record before re-checking it and updating their answers. A normal value here is 3600, which is 3600 seconds (one hour).
    • pct=100 means that this rule should apply to 100% of outgoing emails.
    • fo=1 is the code signaling what kind of reporting DMARC should provide. A 1 in this case requests a report for emails that do not pass DMARC authentication.
    • p=quarantine defines the action the DMARC rule should take when an email fails authentication:
      • none = take no action (failures are only reported)
      • quarantine = treat the message as suspicious (typically delivered to the spam or junk folder)
      • reject = refuse the message outright

    Once SPF, DKIM, and DMARC are enabled, you have a system in place that:

  • Verifies incoming emails against IP addresses in DNS records.
  • Uses encryption to sign and authenticate participating messages so that your system knows that they came from where they say they did.
  • Validates both the reverse-path (envelope) address and the From address visible to the user.
  • Automates spam controls or bounce backs based on authentication.
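To see how the tags described above fit together, here is an added example (not code from the article or from Microsoft) that parses a DMARC TXT record and flags the weak settings the steps warn about; SAMPLE_RECORD is a constructed value for a placeholder domain.

```python
# Added example (not from the article or Microsoft): parse a DMARC TXT record and
# flag the settings the steps above warn about. SAMPLE_RECORD is a constructed
# value for a placeholder domain; read the real one from _dmarc.<your-domain>.
from dataclasses import dataclass, field

SAMPLE_RECORD = "v=DMARC1; p=quarantine; pct=100; fo=1; rua=mailto:dmarc-reports@example.com"
VALID_POLICIES = {"none", "quarantine", "reject"}


@dataclass
class DmarcRecord:
    tags: dict = field(default_factory=dict)      # tag -> value as published
    problems: list = field(default_factory=list)  # human-readable findings

    @property
    def policy(self) -> str:
        return self.tags.get("p", "")


def parse_dmarc(txt: str) -> DmarcRecord:
    """Split 'tag=value; tag=value' into a dict and note common misconfigurations."""
    rec = DmarcRecord()
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            rec.problems.append(f"malformed tag: {part!r}")
            continue
        key, value = (s.strip() for s in part.split("=", 1))
        rec.tags[key.lower()] = value
    # The record must begin with v=DMARC1 and carry a valid p= policy.
    if not txt.strip().lower().startswith("v=dmarc1"):
        rec.problems.append("record does not begin with v=DMARC1")
    if rec.policy not in VALID_POLICIES:
        rec.problems.append(f"p= must be none, quarantine or reject, got {rec.policy!r}")
    # pct defaults to 100; a lower value applies the policy to only that share of failing mail.
    raw_pct = rec.tags.get("pct", "100")
    pct = int(raw_pct) if raw_pct.isdigit() else -1
    if not 0 <= pct <= 100:
        rec.problems.append(f"pct={raw_pct!r} is not a number in 0..100")
    elif pct < 100 and rec.policy != "none":
        rec.problems.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    # p=none is monitoring only: failures are reported but delivered unchanged.
    if rec.policy == "none":
        rec.problems.append("p=none: failing mail is reported but still delivered")
    # Without rua= no aggregate reports arrive, so failures go unnoticed.
    if "rua" not in rec.tags:
        rec.problems.append("no rua= tag: aggregate reports will not be received")
    return rec
```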
How To Spot A Phishing Email


    Here are some of the most common types of phishing scams:

    • Emails that promise a reward. Click on this link to get your tax refund!

• A document that appears to come from a friend, bank, or other reputable organization. The message says something like "Your document is hosted by an online storage provider and you need to enter your email address and password to open it."

• An invoice from an online retailer or supplier for a purchase or order that you did not make. The attachment appears to be a protected or locked document, and you need to enter your email address and password to open it.

• If you think someone has accessed your Outlook.com account, or you received a confirmation email for a password change you didn't authorize, read "My Outlook.com account has been hacked".


    Tools Used By Attackers

    Attackers use a variety of tools to accomplish their goals. To more effectively cloak the deception, attackers may set their sights on a target and carry out reconnaissance through research. Typically, a combination of personal and publicly available data will form the basis of a focused spoofing campaign.

    Other vital tools attackers use for email spoofing include:

    • SMTP Server: Most SMTP servers are purchased through reputable web hosting companies. Sometimes, attackers may install the server on their own system using port 25.

    • Mailing Software: This is used to send out emails. PHP Mailer is a popular option because it uses an open-source PHP library and is easily accessed.

These two tools are all an attacker needs to begin a spoofing campaign, which is why 91% of all successful cyberattacks begin with a simple email message. With their target acquired and everything in place, all an attacker has to do is compose an email in PHP Mailer and enter whatever address they want to impersonate in the From field. And because it's so easy, an attacker can send out thousands of spoofed emails per day, increasing the chances that at least a few people will respond.

Setting Up DKIM In Office 365

To create a DKIM record, you need to do two things:

First, create two CNAME records for your domain in DNS. For a single domain, the CNAME records will look like the following (bristeeritech.com is the example domain, with the tenant bristeeritech.onmicrosoft.com):

  • Host name: selector1._domainkey
    Points to address or value: selector1-bristeeritech-com._domainkey.bristeeritech.onmicrosoft.com
    TTL: 3600
  • Host name: selector2._domainkey
    Points to address or value: selector2-bristeeritech-com._domainkey.bristeeritech.onmicrosoft.com
    TTL: 3600

Second, enable DKIM signing for the domain in Office 365:

  • Sign in to Office 365, select the App launcher and select Admin.
  • In the lower-left navigation, expand Admin and choose Exchange.
  • Go to Protection > dkim.
  • Select the domain for which you want to enable DKIM and then, for "Sign messages for this domain with DKIM signatures", choose Enable.
  • You can follow these same steps for each email domain in your Office 365 account to enable DKIM.
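As an added check (example code, not the article's or Microsoft's), the following builds the two CNAME records Office 365 expects for a domain from the selectorN-domain-with-dashes pattern shown above and compares them with what DNS actually returns; the DNS answers here are constructed, and a real check would fetch them with a resolver.

```python
# Added example (not from the article or Microsoft): verify that the two Office 365
# DKIM CNAMEs for a custom domain are published and point at the tenant's zone.
# The DNS answers below are constructed; replace them with real resolver results.


def expected_dkim_cnames(domain: str, tenant: str) -> dict[str, str]:
    """Return {host: target} for selector1 and selector2 as Office 365 expects them.

    Pattern from the setup steps: selectorN._domainkey.<domain> must be a CNAME to
    selectorN-<domain-with-dashes>._domainkey.<tenant>.onmicrosoft.com
    """
    dashed = domain.replace(".", "-")
    return {
        f"selector{n}._domainkey.{domain}":
            f"selector{n}-{dashed}._domainkey.{tenant}.onmicrosoft.com"
        for n in (1, 2)
    }


def check_dkim_cnames(domain: str, tenant: str, published: dict[str, str]) -> list[str]:
    """Compare published CNAMEs (host -> target) with the expected set; return findings."""
    findings = []
    # Normalize case and the trailing dot that resolvers add to fully qualified names.
    normalized = {h.lower().rstrip("."): t.lower().rstrip(".") for h, t in published.items()}
    for host, target in expected_dkim_cnames(domain, tenant).items():
        actual = normalized.get(host)
        if actual is None:
            findings.append(f"{host}: CNAME missing, DKIM cannot be enabled for this selector")
        elif actual != target:
            findings.append(f"{host}: points to {actual}, expected {target}")
    return findings


# Constructed DNS answers for the domain used in the text. selector2 was published
# with a mistyped target (the "-com" suffix dropped), a typical copy/paste error.
CONSTRUCTED_DNS = {
    "selector1._domainkey.bristeeritech.com":
        "selector1-bristeeritech-com._domainkey.bristeeritech.onmicrosoft.com.",
    "selector2._domainkey.bristeeritech.com":
        "selector2-bristeeritech._domainkey.bristeeritech.onmicrosoft.com",
}

if __name__ == "__main__":
    for finding in check_dkim_cnames("bristeeritech.com", "bristeeritech", CONSTRUCTED_DNS):
        print(finding)
```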


What Does It Mean When My Email Is Being Spoofed

Email spoofing is when the sender of an email, typically spam, forges the email header "From" address so the email appears to have been sent from a legitimate email address that is not the spammer's own.

    They do this for a couple of reasons:

  • To trick spam filters into allowing the email through by using a reputable email address. This would be one way your friends and family would see spam emails from you in their Inbox, rather than their spam folder.
  • To prevent the bounce back emails from being received in the spammer’s own inbox. Spammers may send their spam out to thousands of email addresses, and inevitably a lot of those emails are going to bounce. Since spammers don’t want to receive hundreds of bounce back messages, this prevents that from happening.
  • Email spoofing is more common with email accounts that are not actively used. If the account is used on a daily basis, there’s a higher chance that your account might have been compromised by malware or a virus.

While there is no fool-proof way to prevent either type of abuse of your email address, you can adopt some best practices when it comes to your email security:

    Preventing Email Address Spoofing With A Ten Minute Effort


Did you know that every email has two different senders? One email address is called the "envelope sender", and the other is set in the email header. The latter is known as the "From:" header, which is what email clients like Microsoft Outlook normally display. Unfortunately, cybercriminals can forge the "From:" header to trick email clients into displaying a name and email address that belong to your business.

You or your IT staff can make changes to your email service settings to help block deceptive emails coming into your organisation, and put other email services on notice as to what a legitimate email coming from you should look like. This is done by adding what are known as SPF, DKIM and DMARC DNS records to your company's domain name.


    How Do I Report A Suspicious Email

Unfortunately, many users don't realize they've been spoofed until after the fact. This realization may come immediately after someone clicks on a malicious link, or it may not come until a few weeks down the road, when they realize their information is compromised and is being used fraudulently to commit crimes. However, for those of you who recognize a spoofed email for what it is, there are a few things you can do to try to prevent future email spoofing.

    The U.S. Federal Trade Commission asks users to forward phishing emails to its Anti-Phishing Working Group at . What you can also do is report suspicious emails or spam to:

    How To Spot A Spoofed Email

Some spoofed emails are very well done, but they don't have to be for you to fall victim to them. In fact, 80,000 people fall victim to email phishing every day. Approximately 156 million spoofed emails are sent daily, 16 million make their way through filters, and half of those are opened by the targeted recipient.

Filters are a great way to catch spoofed emails and keep them out of your inbox, but they're not fool-proof. How do you spot the ones that make it through? How do you keep from being a victim of email phishing? There are a couple of ways to identify a spoofed email.

First, look at the header of the email. Most email providers run some form of verification process to filter emails and determine whether the sending server is authorized to use the sending domain. The header of the email contains the results of this process, but how it's displayed will be different on each platform. In Gmail, you can click on the three little dots in the upper right corner of the email and select "Show original". If you don't have Gmail, you can use this site to determine how to read headers and identify spam.

When you do this, you'll see a bunch of to/from information that's fairly easy to read, but below that is complex code containing information that will help you identify whether or not it's spoofed. You can ignore most of the code, but there are a few sections you need to pay attention to: where it says "Received:" and "Received-SPF:".
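The following added example (not the article's code) pulls those verdicts out of a raw header block with Python's standard email parser; the message is constructed, with a From: that claims example.com while the Received-SPF: and Authentication-Results: lines show the sending server was not authorized for that domain.

```python
# Added example (not from the article): extract the SPF/DKIM/DMARC verdicts from
# the raw headers you get from "Show original". RAW is a constructed message whose
# visible From: claims example.com but whose checks failed; 203.0.113.10 is a
# documentation-range address, not a real sender.
import email
from email import policy

RAW = """\
Received: from mail.unrelated.example (mail.unrelated.example [203.0.113.10])
        by mx.recipient.example with ESMTP id abc123
Received-SPF: fail (recipient.example: domain of example.com does not designate 203.0.113.10 as permitted sender) client-ip=203.0.113.10;
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
From: Support <support@example.com>
To: victim@recipient.example
Subject: Confirm your password

Please confirm your password here.
"""


def authentication_summary(raw: str) -> dict:
    """Return the visible From, the SPF/DKIM/DMARC verdicts, the client IP and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    summary = {"from": str(msg["From"]), "spf": None, "dkim": None, "dmarc": None, "client_ip": None}
    spf = str(msg["Received-SPF"] or "")
    if spf:
        summary["spf"] = spf.split()[0].lower()        # first token is the SPF result
        if "client-ip=" in spf:
            summary["client_ip"] = spf.split("client-ip=", 1)[1].split(";")[0].strip()
    for ar in msg.get_all("Authentication-Results", []):
        # Format: "<authserv-id>; method=result extra; method=result extra; ..."
        for clause in str(ar).split(";")[1:]:
            name, _, rest = clause.strip().partition("=")
            if name in ("spf", "dkim", "dmarc") and rest:
                summary[name] = rest.split()[0].lower()
    # A failed SPF or DMARC check on the visible From domain is the spoofing signal to act on.
    summary["suspicious"] = summary["spf"] == "fail" or summary["dmarc"] == "fail"
    return summary


if __name__ == "__main__":
    for key, value in authentication_summary(RAW).items():
        print(f"{key:>10}: {value}")
```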


    How To Protect Yourself From Phishing Scams

    Reputable businesses, banks, websites, and other entities won’t ask you to submit personal information online. If you receive such a request, and you aren’t sure if it is legitimate, contact the sender by phone to see if the company sent the email.

    Some phishing attempts are amateurish and filled with broken grammar and misspellings, so they are easy to spot. However, some contain identical copies of familiar websites such as your bank’s to lull you into complying with the request for information.

    Common sense safety steps include:

    • Don’t reply to an email that asks for personal information.
    • Don’t open or download files attached to suspicious emails.
    • Don’t click any links that appear in the email.
    • Search the web for the email subject line. If it is a hoax, other people may have reported it.

    Be particularly suspicious of emails with subject lines and content that include:

    • A request to verify your account immediately or the sender will close it
    • An offer of a large sum of money in exchange for your account information
    • An announcement that you’re the big winner in a lottery you don’t remember entering
    • A request for emergency financial help from a friend who is supposedly on vacation
    • A threat of bad luck if you don’t reply
    • A notification that your credit card has been hacked
    • A request to forward the email to receive $500

    How Does Spoofing Differ From Phishing And Spam


Since all spoofed email messages are unsolicited, they can also be classified as spam. The difference between regular spam and spoofed email messages is that regular spammers don't edit mail headers to make it appear as if their messages were coming from someone else.

Sure, they do sometimes purposefully use addresses that are almost indistinguishable from the mail addresses of legitimate organizations, but they don't edit the headers. That said, spammers and spoofers readily share mail accounts with one another, which is why one of the most effective ways to stop email spoofing is to stay away from shady websites that ask visitors to enter their address.

Okay, but what about phishing? Well, phishing and spoofing are both fraudulent attempts to trick someone into believing that the message they've received is from a reputable sender, but phishing takes things a step further.

    The ultimate goal of phishers is to induce individuals to reveal personal information, such as passwords and credit card numbers, so they can use this personal information for their own personal gain. To achieve this goal, they sometimes spoof an email by editing its headers using specialized software that makes it possible to create spoof emails without much effort, but spoofing is really just one of several techniques they can use.

    The good news is that learning how to spot and stop spoof emails also equips you with the skills and knowledge you need to stop phishing and spam emails.
