In my previous post, we looked at some of the core areas an individual should check when identifying a phish. Learning those phishing red flags will help at the individual level, but you can take it even further by making use of various phishing defense techniques designed to operate at the organization level. We will be looking at some common prevention techniques that organizations use to protect their employees.

Built-in Email Provider Controls

For major email providers such as Google and Microsoft, there are often built-in controls that you can take advantage of beyond the default security capabilities (e.g. basic email scanning, spam filtering, etc.). These services are generally available with your base deployment and only require some configuration to get up and running.

Gmail offers a variety of security settings as well as phishing protection you can configure as a mail administrator. Some recommended steps include:

  1. Turning on attachment protection to add additional scrutiny for certain file types and new accounts
  2. Activating suspicious link protection to pre-screen email links
  3. Enabling external image and links protection to scan images, detect untrusted domains, and discover the URLs hidden behind shortened links
  4. Depending on your preferences and your organization’s phishing awareness, suspicious emails can be redirected to administrative quarantines for review, moved to user spam, or placed in the user’s inbox with a warning banner.
  5. Using email/domain blacklisting

Microsoft also has a suite of email protection controls in the form of Exchange Online Protection (EOP). EOP is Microsoft’s filtering service that screens your email for phishing, spam, and malware, and, like Gmail, lets you set quarantine policies and other anti-phishing policies. Beyond EOP, Microsoft Defender Plan 1 and Plan 2 are supplemental subscriptions that offer some of the same features mentioned for Google: Plan 1 focuses on prevention, with features such as Safe Attachments and Safe Links, while Plan 2 adds incident response and related services. The following is a list of recommended EOP/Defender settings.

SPF, DKIM, and DMARC

Configuring email authentication is another basic step you can take to both protect your organization from spoofing attacks and protect your domain’s reputation. It helps ensure that your mail stays out of the junk folder and that attackers have a harder time pretending to originate from your organization. This is done by setting up the following controls:

  • Sender Policy Framework (SPF): Lets you specify which mail servers are allowed to send email for your domain
  • DomainKeys Identified Mail (DKIM): Cryptographic signing of outgoing emails, which the receiving server uses to verify that:
    • The sender is who they say they are
    • The email was not changed after it was sent
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC): Helps verify that the sender domain shown to the recipient (the From header) matches the domain the receiving server validated through SPF or DKIM, and tells receivers what to do with mail that fails

You can find Gmail’s authentication instructions here and Microsoft’s authentication setup here.
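
To make the relationship between the three controls concrete, here is an added example (written for this post, not code from the original or from Google/Microsoft) that evaluates constructed SPF and DMARC records against three constructed inbound messages. Everything in it is an assumption for illustration: the domains, the DNS TXT records, the IP addresses, and the DKIM results are made up, DNS is replaced by an in-memory dictionary, the SPF evaluator only understands the ip4/ip6/include/all mechanisms, and the organizational-domain logic is simplified to the last two labels rather than the Public Suffix List a real receiver uses. It shows why a message can pass SPF and still fail DMARC when the authenticated domain does not align with the visible From address.

```python
"""Added example: a toy evaluator showing how SPF, DKIM and DMARC fit together.
All DNS records and messages below are constructed for illustration."""
import ipaddress
from email.utils import parseaddr

# Constructed DNS TXT records for a hypothetical domain (not real records).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "mail.example.com": "v=spf1 include:example.com -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT lookup; real code would query a resolver."""
    return DNS_TXT.get(name.lower())


def spf_check(client_ip, domain, depth=0):
    """Evaluate the domain's SPF record against the connecting IP.
    Only ip4/ip6/include/all are modelled; a/mx/exists would need live DNS."""
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"            # no policy published for this domain
    if depth > 10:
        return "permerror"       # RFC 7208 caps DNS-querying terms at 10
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, value = term.partition(":")
        if mech in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            if spf_check(client_ip, value, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"             # nothing matched and no explicit "all" term


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; adkim=s' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    Real implementations consult the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(msg):
    """msg is a dict describing one inbound message (constructed below).
    Returns which identifiers aligned and the disposition the policy requests."""
    from_domain = parseaddr(msg["header_from"])[1].rpartition("@")[2].lower()
    record = (lookup_txt("_dmarc." + from_domain)
              or lookup_txt("_dmarc." + org_domain(from_domain)))
    if not record or not record.startswith("v=DMARC1"):
        return {"result": "none", "disposition": "none"}
    tags = parse_dmarc(record)
    mfrom_domain = msg["envelope_from"].rpartition("@")[2].lower()
    spf_result = spf_check(msg["client_ip"], mfrom_domain)
    spf_aligned = spf_result == "pass" and aligned(mfrom_domain, from_domain, tags.get("aspf", "r"))
    dkim_aligned = msg["dkim_valid"] and aligned(msg["dkim_domain"], from_domain, tags.get("adkim", "r"))
    passed = spf_aligned or dkim_aligned
    return {
        "result": "pass" if passed else "fail",
        "spf": spf_result, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
        # passing mail is delivered normally; failing mail gets whatever p= requests
        "disposition": "none" if passed else tags.get("p", "none"),
    }


# Constructed messages: a normal one, one relayed from a subdomain, and a spoof.
LEGIT = {"header_from": "Alice <alice@example.com>", "envelope_from": "bounce@example.com",
         "client_ip": "203.0.113.5", "dkim_domain": "example.com", "dkim_valid": True}
SUBDOMAIN = {"header_from": "Billing <billing@example.com>", "envelope_from": "b@mail.example.com",
             "client_ip": "198.51.100.10", "dkim_domain": "", "dkim_valid": False}
SPOOF = {"header_from": "CEO <ceo@example.com>", "envelope_from": "x@evil.example",
         "client_ip": "192.0.2.77", "dkim_domain": "evil.example", "dkim_valid": True}

if __name__ == "__main__":
    for name, m in (("legit", LEGIT), ("subdomain", SUBDOMAIN), ("spoof", SPOOF)):
        print(name, dmarc_evaluate(m))
```

The spoofed message is instructive: its DKIM signature is perfectly valid, but it was signed by evil.example rather than example.com, so it does not align with the From header and the published p=reject policy applies. The subdomain message passes only because the policy uses relaxed SPF alignment (aspf=r); with aspf=s it would fail too, which is the trade-off to weigh when your own subdomains or third-party senders relay mail for you.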

While all of these controls can help strengthen your defenses and weed out malicious emails, attacks are always improving, so some phishing and spam will always make its way through to your users’ inboxes. It ultimately comes back to solid user training and awareness as the most important line of defense. To assist here, email administrators can draw attention to potentially malicious emails through the use of external email tags and by setting up a reporting environment.

External Email Tags

An external email warning is a banner or modified message that warns your users that an email has arrived from outside your organization’s domain/contacts. It is meant to remind users to think twice before clicking a link, downloading an attachment, or sending sensitive information. Gmail offers a built-in setting for this, while Microsoft requires a slightly more hands-on approach: external email tags can be added via mail flow rules, or via Exchange Online PowerShell using the Get-ExternalInOutlook and Set-ExternalInOutlook cmdlets.
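
To show what such a rule actually does to a message, here is an added example (written for this post, not Gmail’s or Microsoft’s implementation) of a small mail-filter step that tags external mail. The internal domain list, the tag text, the banner wording and the three sample messages are all constructed assumptions. The key design point is that the decision is made on the domain of the real From address, never on the display name, since the display name is freely chosen by the sender; the third sample message demonstrates that case.

```python
"""Added example: an external-sender tag applied by a mail filter step.
Domains, messages and wording are constructed for illustration."""
from email import message_from_string, policy as email_policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com", "corp.example.com"}   # constructed org domains
TAG = "[EXTERNAL]"
BANNER = ("CAUTION: This email came from outside the organization.\n"
          "Do not click links or open attachments unless you recognize the sender.")


def sender_domain(msg):
    """Domain of the actual From address. The display name is ignored because
    the sender controls it and it is commonly used to impersonate a colleague."""
    _display_name, address = parseaddr(str(msg.get("From", "")))
    return address.rpartition("@")[2].lower()


def is_external(msg, internal=INTERNAL_DOMAINS):
    """A missing or unparsable From is treated as external (fail closed)."""
    domain = sender_domain(msg)
    return domain == "" or domain not in internal


def tag_external(raw_message, internal=INTERNAL_DOMAINS):
    """Parse an RFC 5322 message and, if it is external, prefix the subject,
    add a marker header and put a warning banner at the top of the text body.
    Running it again on an already tagged message does not double the tag."""
    msg = message_from_string(raw_message, policy=email_policy.default)
    if not is_external(msg, internal):
        return msg
    subject = str(msg.get("Subject", ""))
    if not subject.startswith(TAG):
        del msg["Subject"]
        msg["Subject"] = f"{TAG} {subject}".strip()
    del msg["X-External-Sender"]          # keep the marker header single-valued
    msg["X-External-Sender"] = "yes"
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and not body.get_content().startswith(BANNER):
        body.set_content(BANNER + "\n\n" + body.get_content())
    return msg


# Constructed sample messages (not real mail).
PARTNER = ("From: Bob <bob@partner.example>\nTo: alice@example.com\n"
           "Subject: Invoice\n\nPlease see the attached invoice.\n")
COLLEAGUE = ("From: Carol <carol@corp.example.com>\nTo: alice@example.com\n"
             "Subject: Lunch\n\nNoon?\n")
# The display name claims an internal address, but the real address is external.
LOOKALIKE = ('From: "alice@example.com" <mallory@evil.example>\nTo: bob@example.com\n'
             "Subject: Urgent\n\nPlease review the attached document.\n")

if __name__ == "__main__":
    for raw in (PARTNER, COLLEAGUE, LOOKALIKE):
        print(tag_external(raw).as_string())
        print("-" * 40)
```

In production the same logic lives in the provider’s rule engine rather than in your own code, but the checks are the ones to look for when configuring it: decide on the address, not the display name; treat a missing From as external; and make the rule idempotent so forwarded or re-scanned mail does not accumulate a stack of tags.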

Reporting

Lastly, you will want to set up a positive reporting environment for your organization. Phishing defense is a team effort, and sometimes this idea can get lost when someone falls for a phish. From an individual’s perspective, they may be the cause of a security incident and this creates a lot of pressure/anxiety. Here are some common pitfalls and proposed solutions for building a proactive reporting structure:

  • Users may not report their incidents due to panic, consequences, etc.
    – Seek out management buy-in and focus on education and training programs, as opposed to consequences like probation/job termination
    – Phishing should be framed as a team-wide effort, rather than individuals making fatal mistakes
    – Incidents should be announced internally for awareness, not blame (i.e. no naming names)
  • Users do not know where to report incidents
    – Create a reporting/IT email address for users to report emails to
    – Encourage reporting of potentially suspicious emails, whether they are real phishes or false alarms
  • Phishing training may not happen often, and awareness is lost
    – Use each incident/report as an opportunity to create reminders and phishing awareness tips
    – Consider implementing an internal/third-party phishing program

This ends part two of our phishing awareness blog series. If you have any questions or would like to take your organization’s phishing security further with phishing development programs, please reach out to us at: info [at] carvesystems.com.