Email attacks are a serious issue in IT security. Attackers look for the fastest way past a company's defenses, and breaking into a company's network from the outside can take months or even years. So instead of breaking in, they trick users into letting them in. One often-overlooked way these email breaches are controlled, and abused, is mail flow rules. In the coming Email Security Series, we will cover time-intensive processes that are best implemented by professional IT service providers.
What are Mail Flow Rules?
Mail flow rules are a set of conditions that determine how email is processed. There are two kinds. The first lives on the email server itself (in Exchange Online these are the organization-wide rules, also called transport rules). They can do things like automatically append text to messages from certain senders or forward mail that arrives at a specific address. For example, you might want everything sent to firstname.lastname@example.org to be delivered to the sales department automatically. Rules like these are obviously useful for running a business and can greatly streamline certain workflows. However, there is a problem.
Remember how I said that mail flow rules come in two kinds? The second kind is the rules users apply to their own mailboxes (Exchange calls these inbox rules). These are useful too: they let a user sort mail by client domain, flag certain messages, or send an automatic reply while out of the office. If they are such a good thing, why would they cause a security issue?
The following story is true and unfortunately there are many more similar stories that occur with alarming frequency.
A mid-sized construction company was prepping for a large construction project. Everything was going as planned. They were in communication with their customer via email, and all the terms had been worked out. They were now ready to begin the project just as soon as the initial payment came through. They sent the payment information, but suddenly the communication stopped. Naturally, they contacted the customer to follow-up. Had the deal fallen through? Did changes need to be made to the contract?
Unfortunately, neither was the case. The customer confirmed that the money, somewhere between $1m and $5m US, had already been transferred to the new account details sent in a follow-up email. An investigation was done, and the results were not encouraging. The construction company's mailbox had been compromised for several months, and a rule in it had been forwarding their mail to an outside party. Once the payment information went out to the customer, the attacker used the compromised mailbox to send a follow-up with new account details. The customer wired the money to the attacker's account and it was gone.
This demonstrates how, once an attacker gets into your email, the mail flow rules can be used to do some serious damage. So, what do we do to guard ourselves against this type of abuse?
There are some methods that help mitigate these email risks. If you use Office 365 for mail, alerts can be configured for changes to the server-side mail flow rules. The per-mailbox inbox rules are harder to watch: the audit log does record events such as New-InboxRule and Set-InboxRule, and the built-in alert policies cover some forwarding-rule creations, but those tell you about a single event, not which rules currently exist across the whole tenant. Protecting these takes time and effort. First, a baseline must be established. With proper scripting, the inbox rules can be pulled from every mailbox in Office 365. Those rules then have to be parsed and verified with the client as non-malicious, and remember that this means every mailbox in the company, so the size of your organization directly affects the time and resources required.
Once everything is verified, we pull monthly reports, compare them to the previous month's baseline, and report any changes or anomalies to the client. Used consistently, this finds signs of email compromise quickly: a new rule that forwards mail to an outside address, or that deletes or hides messages about invoices and payments, is exactly the footprint the attacker in the story above left behind.
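The following script is an added example of the baseline-and-compare process described above; it is not Truewater's tooling or anything from Microsoft's documentation. It uses the ExchangeOnlineManagement module to inventory every mailbox's inbox rules and any mailbox-level forwarding, flags rules that look like business email compromise tradecraft (external forwarding, deleting or hiding mail, keying on payment language, near-empty rule names), and diffs the inventory against the previous run. The `$InternalDomains` list, the `$BaselinePath` file, the `$RiskyWords` pattern and the folder-name heuristics are assumptions to adjust for your tenant.

```powershell
# Added example, not the original page's or Microsoft's code. Assumes the
# ExchangeOnlineManagement module and an account allowed to read recipients.
# $InternalDomains, $BaselinePath and the heuristics below are assumptions.
param(
    [string[]] $InternalDomains = @('example.com'),            # assumption: your accepted domains
    [string]   $BaselinePath    = '.\inboxrule-baseline.json'  # assumption: where last month's inventory lives
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Words BEC actors often key rules on so they can hide or divert a payment thread.
# A starting list, not a definitive one.
$RiskyWords = 'invoice|payment|wire|bank|remit|transfer|password|account'

function Get-RuleAddresses {
    # ForwardTo/RedirectTo entries look like '"Name" [SMTP:user@domain]'; pull the address.
    param([object[]] $Entries)
    foreach ($e in ($Entries | Where-Object { $_ })) {
        if ("$e" -match '[\w.+-]+@[\w.-]+') { $Matches[0].ToLower() }
    }
}

function Test-ExternalAddress {
    param([string] $Address)
    return -not ($InternalDomains -contains $Address.Split('@')[-1])
}

$findings  = @()
$inventory = @()

$mailboxes = Get-EXOMailbox -ResultSize Unlimited `
    -RecipientTypeDetails UserMailbox,SharedMailbox `
    -Properties ForwardingSmtpAddress

foreach ($mbx in $mailboxes) {
    $upn = $mbx.UserPrincipalName

    # Mailbox-level forwarding is not an inbox rule; Get-InboxRule alone would miss it.
    if ($mbx.ForwardingSmtpAddress) {
        $fwd = ("$($mbx.ForwardingSmtpAddress)" -replace '^smtp:', '').ToLower()
        if (Test-ExternalAddress $fwd) {
            $findings += [pscustomobject]@{ Mailbox = $upn; Rule = '(mailbox forwarding)'; Reason = "forwards to external $fwd" }
        }
    }

    foreach ($r in (Get-InboxRule -Mailbox $upn)) {
        $targets  = @(Get-RuleAddresses (@($r.ForwardTo) + @($r.ForwardAsAttachmentTo) + @($r.RedirectTo)))
        $external = @($targets | Where-Object { Test-ExternalAddress $_ })
        $words    = (@($r.SubjectContainsWords) + @($r.BodyContainsWords) + @($r.SubjectOrBodyContainsWords)) -join ' '

        $reasons = @()
        if ($external)                    { $reasons += "forwards/redirects to external: $($external -join ', ')" }
        if ($r.DeleteMessage)             { $reasons += 'deletes matching mail' }
        if ("$($r.MoveToFolder)" -match 'RSS|Deleted|Junk|Archive|Conversation History') {
                                            $reasons += "hides mail in $($r.MoveToFolder)" }
        if ($words -match $RiskyWords)    { $reasons += "keys on payment language: $words" }
        if ("$($r.Name)".Trim().Length -le 2) { $reasons += "near-empty rule name '$($r.Name)'" }

        # Key = mailbox + name + Exchange's own text description of the rule, so an
        # edited rule shows up as removed + added rather than silently passing.
        $inventory += [pscustomobject]@{
            Mailbox = $upn; Name = $r.Name; Enabled = $r.Enabled; Description = $r.Description
            Key     = "$upn|$($r.Name)|$($r.Description)"
        }
        foreach ($why in $reasons) {
            $findings += [pscustomobject]@{ Mailbox = $upn; Rule = $r.Name; Reason = $why }
        }
    }
}

# Diff against the previous baseline, then overwrite it with this run.
$previousKeys = @()
if (Test-Path $BaselinePath) {
    $previousKeys = @((Get-Content $BaselinePath -Raw | ConvertFrom-Json).Key)
}
$currentKeys = @($inventory.Key)
$added   = @($currentKeys  | Where-Object { $previousKeys -notcontains $_ })
$removed = @($previousKeys | Where-Object { $currentKeys  -notcontains $_ })
ConvertTo-Json -InputObject $inventory -Depth 4 | Set-Content $BaselinePath

'== Rules added since last baseline =='   ; $added
'== Rules removed since last baseline ==' ; $removed
'== Rules to review with the client =='   ; $findings | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once to create the baseline and walk every listed rule through with the client; after that, each monthly run prints only what changed plus anything matching the heuristics. The first run on a large tenant is slow because Get-InboxRule is called once per mailbox, which is the time-and-resources cost mentioned above.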
What Should My Company Do?
Sounds like it could get expensive, doesn’t it? In fact, that is a concern that will have to be addressed before tackling the more advanced security measures, and to be fair not all businesses need this level of security. So, what are the odds that this is a service you really need? To answer that, we must ask some further questions:
- Does your company make heavy use of email?
- Does your company send or receive money transfers?
- How much money could be at risk, and is it more than the cost of security?
In the case study above, the cost of monitoring the inbox rules would have been on the order of $7k to $10k per year. That price includes several other services, but it gives a good estimate to work with. The loss was between $1m and $5m US. Let's do the math. Taking the lowest loss ($1m) and dividing it by the highest annual cost of the service ($10k), it would have taken at least 100 years of paying for the service to outweigh that single loss.
Talk to Your IT Service Provider
Of course, each business is unique. Before making any decisions on security, you should always consult your IT service provider. They will be the people most suited to discuss costs and needs, and to find a solution that works for you.
For additional security information, contact Truewater at 713-869-0001 Ext 5.
By: Joshua Lackey, Truewater Project Manager