What is email security?

What is email security?

Email security is the process of preventing email-based cyber attacks and unwanted communications. It spans protecting inboxes from takeover, protecting domains from spoofing, stopping phishing attacks, preventing fraud, blocking malware delivery, filtering spam, and using encryption to protect the contents of emails from unauthorized persons.

Security and privacy were not built into email when it was first invented, and despite email's importance as a communication method, these are still not built into email by default. As a result, email is a major attack vector for organizations large and small, and for individual people as well.

What kinds of attacks occur via email?

Some of the common types of email attacks include:

• Fraud: Email-based fraud attacks can take a variety of forms, from the classic advance-fee scams directed at everyday people to business email compromise (BEC) messages that aim to trick large enterprise accounting departments into transferring money to illegitimate accounts. Often the attacker will use domain spoofing to make the request for funds look like it comes from a legitimate source.
• Phishing: A phishing attack tries to get the victim to give the attacker sensitive information. Email phishing attacks may direct users to a fake webpage that collects credentials, or simply pressure the user to send the information to an email address secretly controlled by the attacker. Domain spoofing is also common in attacks like these.
• Malware: Types of malware delivered over email include spyware, scareware, adware, and ransomware, among others. Attackers can deliver malware via email in several different ways. One of the most common is including an email attachment that contains malicious code.
• Account takeover: Attackers take over email inboxes from legitimate users for a variety of purposes, such as monitoring their messages, stealing information, or using legitimate email addresses to forward malware attacks and spam to their contacts.
• Email interception: Attackers can intercept emails in order to steal the information they contain, or to carry out on-path attacks in which they impersonate both sides of a conversation to each other. The most common method for doing this is monitoring network data packets on wireless local area networks (LANs), as intercepting an email as it transits the Internet is extremely difficult.

Email domain spoofing

Email domain spoofing is important in several types of email-based attacks, as it allows attackers to send messages from legitimate-seeming addresses. This technique allows attackers to send an email with a forged "from" address. For example, if Chuck wants to trick Bob with an email, Chuck might send Bob an email from the domain "@trustworthy-bank.com," even though Chuck does not really own the domain "trustworthy-bank.com" or represent that organization.

What is a phishing attack?

Phishing is an attempt to steal sensitive data, typically in the form of usernames, passwords, or other important account information. The phisher either uses the stolen information themselves, for instance to take over the user's accounts with their password, or sells the stolen information.

Phishing attackers disguise themselves as a reputable source. With an enticing or seemingly urgent request, an attacker lures the victim into providing information, just as a person uses bait while fishing.

Phishing often takes place over email. Phishers either try to trick people into emailing information directly, or link to a webpage they control that is designed to look legitimate (for instance, a fake login page where the user enters their password).

There are several types of phishing:

• Spear phishing is highly targeted and often personalized to be more convincing.
• Whaling targets important or influential persons within an organization, such as executives. This is a major threat vector in enterprise email security.
• Non-email phishing attacks include vishing (phishing via phone call), smishing (phishing via text message), and social media phishing.

An email security strategy can include several approaches for blocking phishing attacks. Email security solutions can filter out emails from known bad IP addresses. They can block or remove links embedded within emails to stop users from navigating to phishing webpages. Or, they can use DNS filtering to block these webpages. Data loss prevention (DLP) solutions can also block or redact outgoing messages containing sensitive information.

Finally, an organization's employees should receive training on how to recognize a phishing email.

How are email attachments used in attacks?

Email attachments are a valuable feature, but attackers use this email capability to send malicious content to their targets, including malware.

One way they can do this is by simply attaching the malicious software as an .exe file, then tricking the recipient into opening the attachment. A far more common approach is to conceal malicious code within an innocent-seeming document, like a PDF or a Word file. Both these file types support the inclusion of code — such as macros — that attackers can use to perform some malicious action on the recipient's computer, like downloading and opening malware.

Many ransomware infections in recent years have started with an email attachment. For example:

• Ryuk ransomware often enters a network through a TrickBot or Emotet infection, both of which spread via email attachments
• Maze ransomware uses email attachments to gain a foothold within the victim's network
• Petya ransomware attacks also usually started out with an email attachment

Part of email security involves blocking or neutralizing these malicious email attachments; this can involve scanning all emails with anti-malware to identify malicious code. In addition, users should be trained to ignore unexpected or unexplained email attachments. For web-based email clients, browser isolation can also help nullify these attacks, as the malicious attachment is downloaded in a sandbox separate from the user's device.

What is spam?

Spam is a term for unwanted or inappropriate email messages, sent without the recipient's permission. Almost all email providers offer some degree of spam filtering. But inevitably, some spam messages still reach user inboxes.

Spammers gain a bad "email sender reputation"* over time, leading to more and more of their messages getting marked as spam. For this reason they are often motivated to take over user inboxes, steal IP address space, or spoof domains in order to send spam that is not detected as spam.

Individuals and organizations can take several approaches to cut down on the spam they receive. They can reduce or eliminate public listings of their email addresses. They can implement a third-party spam filter on top of the filtering provided by their email service. And they can be consistent about marking spam emails as spam, in order to better train the filtering they do have.

*If a large percentage of a sender’s emails are unopened or marked as spam by recipients, or if a sender’s messages bounce too much, ISPs and email services downgrade their email sender reputation.

How do attackers take over email accounts?

Attackers can use a stolen inbox for a wide range of purposes, including sending spam, initiating phishing attacks, distributing malware, harvesting contact lists, or using the email address to steal more of the user's accounts.

They can use a number of methods to break into an email account:

• Purchasing lists of previously stolen credentials: There have been many personal data breaches over the years, and lists of stolen username/password credentials circulate widely on the dark web. An attacker can purchase such a list and use the credentials to break into users' accounts, often via credential stuffing.
• Brute force attacks: In a brute force attack, an attacker loads a login page and uses a bot to rapidly guess a user's credentials. Rate limiting and limits on password entry effectively stop this method.
• Phishing attacks: The attacker may have conducted a previous phishing attack to obtain the user's email account login credentials.
• Web browser infections: Similar to an on-path attack, a malicious party can infect a user's web browser in order to see all the information they enter on webpages, including their email username and password.
• Spyware: The attacker may have already infected the user's device and installed spyware to track everything they type, including their email username and password.

Using multi-factor authentication (MFA) instead of single-factor password authentication is one way to protect inboxes from compromise. Enterprises may also want to require their users to go through a single sign-on (SSO) service instead of logging directly into email.

How does encryption protect email?

Encryption is the process of scrambling data so that only authorized parties can unscramble and read it. Encryption is like putting a sealed envelope around a letter so that only the recipient can read the letter's contents, even though any number of parties will handle the letter as it goes from sender to recipient.

Encryption is not built into email automatically; this means sending an email is like sending a letter with no envelope protecting its contents. Because emails often contain personal and confidential data, this can be a big problem.

Just as a letter does not instantly go from one person to another, emails do not go straight from the sender to the recipient. Instead, they traverse multiple connected networks and are routed from mail server to mail server until they finally reach the recipient. Anyone in the middle of this process could intercept and read the email if it is not encrypted, including the email service provider. However, the most likely place for an email to be intercepted is close to the origin of the email, via a technique called packet sniffing (monitoring data packets on a network).

Encryption is like putting a sealed envelope around an email. Most email encryption works by using public key cryptography (learn more). Some email encryption is end-to-end; this protects email contents from the email service provider, in addition to any external parties.

How do DNS records help prevent email attacks?

The Domain Name System (DNS) stores public records about a domain, including that domain's IP address. The DNS is essential for enabling users to connect to websites and send emails without memorizing long alphanumeric IP addresses.

There are specialized types of DNS records that help ensure emails are from a legitimate source, not an impersonator: SPF records, DKIM records, and DMARC records. Email service providers check emails against all three of these records to see if they are from the place they claim to be from and have not been altered in transit.

The Cloudflare Email DNS Security Wizard helps domain owners quickly and correctly configure these crucial DNS records. To learn more, see our blog post.

How can phishing attacks be stopped?

Many email providers have some built-in phishing protection (and the DNS records listed above are usually one of the signals they look at for blocking phishing attempts). However, phishing emails still regularly get through to user inboxes. Many organizations employ additional phishing protection to better defend their users and networks.

Cloudflare Area 1 Email Security offers cloud-based phishing protection. Cloudflare Area 1 discovers phishing infrastructure in advance and analyzes traffic patterns to correlate attacks and identify phishing campaigns. Read in more detail about how this anti-phishing service works.