Where email authentication is not so great at stopping phishing - random IT phishing scams

On this blog, I've written a lot about email authentication and preached its virtues. If you are a domain owner, you should definitely set up SPF, DKIM, and DMARC records both so that emails to you can be identified between authentic and not, and so that other email receivers (e.g., Gmail, Hotmail/Outlook.com, Comcast, etc.) can identify which ones are legitimate and which are not.

If you're an Office 365 customer, you can find out what you need to do here:

If you don't have them set up, we still protect your domain from Exact-Domain spoofing, as I talk about here: https://aka.ms/AntispoofingInOffice365 (this is sometimes referred to as Business Email Compromise, or BEC, but I find that too broad a term and instead call it Exact-Domain spoofing because that's the technique that is used).

But that's not the only type of phishing that we see.


IT Phish Example 1

Where email authentication struggles is with a phishing scam that looks like the following:


We refer to this as an IT phish, that is, a phishing message that looks like it came from your IT department. In the case above, the phisher is impersonating Microsoft and asking the user to click on a malicious link to avoid service interruptions. It's worded a little weird, but you're probably not reading it too closely before you click on the link.

Let's break down what makes it so difficult to detect:

  1. The Display name is "Microsoft Team". Even though the email address has absolutely nothing to do with Microsoft, it's still the first thing users see in their email client. And, if they're using a smart phone, many email clients don't even show the full email address because they are trying to save on screen real estate.
  2. The email address is a random domain. It either doesn't authenticate and therefore neither SPF, DKIM, DMARC, nor our Exact-Domain antispoofing protect against impersonation, or the domain it does authenticate (the spammer/phisher set up the authentication records) but the domain is not yet on anyone's reputation list.
  3. Speaking of reputation lists, many of these phishing messages come from infrastructure have good reputation, or more often neutral reputation. So, blocking them at the network edge based upon IP reputation doesn't work.
  4. The body of the message is similarly impersonating Microsoft even though it contains none of Microsoft's logos, or even the language that Microsoft normally uses in a notification email. The language is awkward, although we've all gotten notification emails that were oddly phrased.
  5. The URL itself was not on any reputation lists at time of delivery (don't retype it from the image; the full link I modified slightly but the root domain is malicious).


All those features combine to make this message difficult to detect using standard antiphishing techniques, but still troublesome to the end user. These usually aren't spear phishing attacks, but instead the spammer or phisher is trying to either install malware on the end user's system when they click on the link (by executing a drive-by download, or downloading another piece of malware locally and hoping the user executes it), or by tossing up a phishing page and tricking the user into entering their user credentials.


IT Phish Example 2

The next example is just as insidious, yet no less difficult to catch. It, too, looks like an IT phishing message coming from Microsoft.


It is using similarly techniques to the first message:

  1. It has a familiar brand in the Display Name, Microsoft Outlook. Outlook is a known brand associated with Microsoft
  2. Unlike the first example, this one does have a visually similar email domain that is off by one letter - service.outlook.com vs. service.out1ook.com, a '1' instead of an 'L'. This is designed to trick the end user in the event they look at the domain name, but don't look too closely. It doesn't matter whether the domain authenticates or not because this one may be under the full control of the phisher
  3. The instructions contain suspicious keywords, don't otherwise look too out of place
  4. The email link, upon first glance, looks like a legitimate domain belonging to Microsoft, but hovering shows that it actually goes to the lookalike domain. This is not something you would notice if you didn't look too closely. Once again, it contains a URL that is not yet on a reputation list (Again, don't type in that domain because it is malicious, although I did make some modifications to the message for discussion purposes)


These are two real life examples of phishing messages impersonating Microsoft brands. However, phishers will also impersonate your IT department. For example, if you are a university or a corporation, a phisher will impersonate your brand in the Display Name, and in the body of the message, in an attempt to get your students or employees to reset their passwords (but instead they get compromised). Even though the domain name in the From: address doesn't match your organization at all, users will still click. When the domain is off by a little bit, users will be fooled a little more often... and will click.


 Stopping this type of phishing

With all the news this year about Business Email Compromise, the above examples are actually a return to traditional phishing. While spear phishing is all about targeting specific individuals, "traditional" IT phishing is about getting inside the organization for the purpose of spreading more phish or malware. Sometimes this is done to build up a botnet, but other times it's designed to be used as a springboard attack - send malicious content from the inside because it's less likely to be filtered when it originate inside the house. A phisher can also send true Business Email Compromise from a real account, rather than by impersonating one.

In terms of stopping this type of phishing, two years ago I wrote a blog post Why does spam and phishing get through Office 365, and what can be done about it?

The four things I said that you, as a customer, can do are still accurate (see that blog post for more details):

  1. Submit spam and phishing samples back to us
  2. Submit malware to Microsoft
  3. Enable bulk mail filtering
  4. Invest in user education

I then listed a series of features that we were working on, all of which have been completed (and then some).

However, as we've seen these types of attacks increase, over the past 6 months we've gone back and have been working on several new features to combat phishing. We still do everything I've talked about in previous blog posts, but we will be doing more.

I will not be discussing what this "more" is in great detail other than to make vague, hand-wavy motions and say it involves machine-learning, sender reputation, and big data. The reason for being so fuzzy is because phishers are constantly probing our system, trying to reverse engineer how things work. I am not going to make their job easier, and my job is hard enough.

Plus, by using industry buzz words, it makes it look more impressive.

But, as I said in my blog post about Safety Tips, you'll know when we detect phishing because we'll insert a red (Suspicious) Safety Tip:


That way, if any of your users ever start browsing through their junk email folders or spam quarantines, they'll be given an extra visual cue that the message really is malicious.


So, that's one of the types of phishing scams we're seeing (and you are, too). We're aware of it and are hard at work coming up with a solution.

Let me know in the comments what else you're seeing, I do plan on writing a couple more blog posts on what other sorts of phishing is common beyond Exact-Domain spoofing.

Next up: Where email authentication is totally great at stopping phishing – springboard attacks (and filling in the gaps)

Previous: Antispoofing in Office 365