Stopping Spoofing with DKIM and Exchange Online Protection

Published on Jan 4, 2019

Stopping Spoofing

Stopping spoofing before it gets to your users becomes more important every day. Phishing is still the most common source of attacks, including malware, BEC scams, and ransomware. Providing defenses to stop spoofed and phishing emails from reaching your users is the best first line of defense. Thankfully, tools are available to help stop spoofing emails and handle phishing attempts. In this Tech Talk, Microsoft Security Architect Matt Soseman walks us through DKIM and demonstrates a number of email protection tools available in Microsoft Security Center.

The Threat of Spoofing and Phishing

  • $4.0 million is the average cost of a data breach.
  • 81% of breaches involve weak or stolen passwords.
  • More than 300,000 new malware samples are created and spread every day.
  • 87% of senior managers have admitted to accidentally leaking business data.

How does Microsoft protect its users against phishing?

When an email comes into your system, there are a series of 8 protections in place.

  • Sender authentication checks
  • Implicit intra-organization domain spoof detection
  • Anti-virus engine scan
  • URL reputation scan
  • Phish content analysis (Heuristic and rule based)
  • ATP (Advanced Threat Protection) machine learning models
  • ATP heuristic clustering and detonation
  • ATP Link content detonation

Once the email is delivered, four additional protections are in play.

  • ATP Safe links time-of-click protection
  • Zero-hour auto purge
  • Safe links for office clients
  • Multi-factor authentication for Office 365

After running through delivery, there are 4 additional functions protecting user mailboxes.

  • Client tips for suspicious emails
  • Tenant block URL for safe links
  • Monitor for risky user or app behavior
  • Search / remediate mails in threat explorer

What is DKIM (DomainKeys Identified Mail)?

DomainKeys Identified Mail (DKIM) uses a public / private key pair to digitally “sign” elements of an email.

  1. When a new email is sent, the element (subject line, body, etc.) is hashed to a unique text string.
  2. That hash is then encrypted using a private key.
  3. The encrypted hash is added to the email as a digital signature.
  4. When the email arrives at the receiving server, it sees this signature and runs a DNS query to get the public key needed to decrypt the signature.
  5. The receiving server hashes the element and compares it to the decrypted hash in the signature.
  6. If the two hashes match, then the receiving server knows the email:
    1. is really from the sending domain
    2. has not been tampered with during transit
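As an added example (not code from the original post or from Microsoft), here is the body-hash half of steps 1, 4 and 5 above in plain Python with only the standard library: the signing side computes the bh= tag, the receiving side parses the DKIM-Signature tags, derives the DNS name it would query for the public key, and recomputes the hash over the body it actually received. The RSA check of the b= tag needs a crypto library and is left out; the domain, selector and b= value are constructed placeholders.

```python
import base64
import hashlib
import re

def canonicalize_body_simple(body: str) -> bytes:
    """'simple' body canonicalization (RFC 6376): CRLF line endings,
    trailing empty lines dropped, body ends with exactly one CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    body = body.rstrip("\r\n")
    return (body + "\r\n").encode()

def body_hash(body: str) -> str:
    """Step 1: hash the body element to a unique string (the bh= tag value)."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode()

def build_dkim_signature(domain: str, selector: str, body: str) -> str:
    """Sender side: the DKIM-Signature header value the signing server adds.
    b= would hold the RSA signature over the headers; PLACEHOLDER here."""
    return (f"v=1; a=rsa-sha256; c=simple/simple; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body)}; b=PLACEHOLDER")

def parse_dkim_tags(header_value: str) -> dict:
    """Receiver side: split the tag=value list; folding whitespace in
    values is not significant, so it is stripped."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def dkim_dns_name(tags: dict) -> str:
    """Step 4: the TXT record name the receiver queries for the public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def verify_body_hash(header_value: str, received_body: str) -> bool:
    """Step 5: rehash the received body and compare it with bh= in the
    signature. A mismatch means the body changed in transit."""
    tags = parse_dkim_tags(header_value)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256":
        return False
    return body_hash(received_body) == tags.get("bh")

# Constructed sample message: what the signer saw, and the header it produced.
SIGNED_BODY = "Please review the attached invoice.\r\n"
SIG = build_dkim_signature("example.com", "selector1", SIGNED_BODY)
```

Exchange Online publishes its keys under selector1 and selector2, so the lookup name for a tenant domain follows the same pattern the block derives.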

The problematic part about DKIM is that it is not universally adopted, so the lack of a DKIM signature does not mean that an email is malicious or fraudulent. A valid DKIM signature tells you that that individual email is legitimate. Since the DKIM signature is not easily seen by the end user, it does not stop spoofing of the “header from:” domain; however, it is a useful tool for stopping spoofed emails that impersonate other employees at the same organization.

How to Enable DKIM in Microsoft Admin Center

DKIM is enabled by default in Office 365 with a single key. To get to your DKIM settings:

  • Go to “protection.microsoft.com”
  • Click “Threat management” in the left hand menu
  • Click “Policy” in the drop down
  • Click DKIM in the main screen

Office 365 also automatically “rotates” your DKIM keys. DKIM key rotation is important for the same reasons as changing passwords: the longer a key remains the same, the more likely it is to be compromised. If, for some reason, you require additional configuration for DKIM, Microsoft has good guidance here.

Advanced Threat Protection Safe Attachments

Safe Attachments allows you to scan every attachment that comes into your environment through Exchange, SharePoint, OneDrive and Teams. Instead of using obsolete hash/signature-based detection methods that miss most self-mutating malware, it actually opens or executes the attachment in a virtual sandbox and looks at the behavior of the file to determine if it is malicious. This detonation process easily defeats most methods of attack.

Configuring ATP Safe Attachments Policies

  • From protection.microsoft.com
  • Click “Threat management” in the left hand menu
  • Click “Policy” in the drop down
  • Click “ATP Safe Attachments” in the main screen menu
  • Click the “+” icon on top of the policy list
  • Give the new policy a name and description
  • Select your desired response to detected malware:
    • Off - No Scanning
    • Monitor - Deliver after detection and track scan results
    • Block - Block the current malware and future emails and attachments with the same signature
    • Replace - Remove the malicious attachment, and continue to deliver the message
    • Dynamic Delivery - Deliver the message without attachments immediately, and reattach once the scan is complete
  • Configure redirect.
    • This is simply the ability to send all detected malware to a monitoring address.
  • Select users, groups or domains that you want the policy to apply to.

We have done many deep dives into the various tools available to defend your users from phishing and malware. For more guidance, check out the following Tech Talks and Blogs.

Anti-Phishing and Phishing Attack Simulator in Office 365

Stopping data loss with Azure Information Protection

Stopping, Blocking and Fixing Ransomware with Microsoft 365

AgileSecurity

If you are looking for professional guidance in securing your Office 365 environment, we can help. Agile IT is a four-time Microsoft cloud partner of the year and has securely managed cloud transformation for over 1,000,000 accounts across nearly 2000 organizations. Our fixed-price services for security and managed services make budgeting easy and remove doubt. To find out more, contact us today.