Evil Jay & the Missing Step in Office365 Government Email Security
With a deadline now set for March 2019 for all of UK Government to move off .gsi.gov.uk, .gcsx.gov.uk and .gsx.gov.uk addresses, it is vital that each of these organisations implements good email security individually, so that email remains a trusted form of communication. Through Technology provides a service to do this; see our website for details.
In setting this up, we have identified a potential gap between how Office365 works and the intent of the Government email security standards, which leaves organisations open to phishing attacks.
Email Spoofing and Phishing
Email spoofing is where a malicious party sends an email which appears to come from another organisation's addresses. For example, someone spoofing our email address would send a message which appears to come from email@example.com.
Spoofing emails is a common and simple technique used for "phishing": contacting staff to trick them into revealing sensitive information.
Here's an example spoofed email sent to a test system by our email security expert Jay Dean.
Apart from the fact that Jay has chosen to use the display name "Evil Jay" for fun, the email appears to come from a completely legitimate Through Technology address.
If your users received an email from the CEO's or a government minister's valid address, would they question it, or do what the VIP requested? These spoofed emails could be sent to IT, requesting new accounts or permissions; to finance, requesting payments; or to other departments, requesting the release of confidential information.
With everybody's job titles, relationships and contact details on LinkedIn, this kind of phishing has become very easy and needs to be effectively prevented.
So how should you defend against email spoofing?
To protect your organisation's email from spoofing, you can configure DMARC, a standard which lets you publish (as a DNS TXT record at _dmarc.<your-domain>) a policy telling recipient organisations' email systems how to handle messages which claim to come from your domain but fail the SPF and DKIM checks that confirm a message is genuinely from your organisation. This is one of the measures in the Government Email Security guidance. Following the guidance will set a "reject" policy, which should cause other organisations' email systems to reject (i.e. not deliver) spoofed email.
So what is the problem?
If you fully configure Office365 according to the current email security guidance, it will still deliver spoofed email to your users' Junk Email folders. This is because Office365 treats spoofed email as spam rather than rejecting it, a decision Microsoft's team made in order to stop legitimately redirected or forwarded emails (which often fail DMARC) from being rejected. In technical terms, Office365 treats a DMARC "reject" policy in the same way as a "quarantine" policy: it assigns both a Spam Confidence Level (SCL) of 5 and delivers the messages to the user's Junk Email folder. The only trace of the downgrade is in the message's Authentication-Results header, where Office365 records the verdict as "dmarc=fail action=oreject" ("override reject").
So, even though you've implemented the guidance correctly, the email that looks like it came from a CEO or Minister is now in the user's Junk Email folder and looks like this:
The only clue that this isn't from a genuine VIP is the little bit of text that says "This message was marked as spam using a junk filter other than the Outlook Junk Email filter". This is hardly sufficient warning for users receiving targeted, deliberately fraudulent messages. Seeing that in Junk Email, your users are likely to see the VIP address and just mark it "not junk" so they can action it, at which point it moves to the inbox and even that warning disappears.
So how do we fix this?
The fix for this is actually quite simple for your Office365 administrators: create a new mail flow rule in Office365 which intercepts the spoofed messages identified by DMARC (the ones carrying the "dmarc=fail action=oreject" verdict), warns your users and notifies your administrators.
Here is one I prepared earlier:
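The same rule expressed in Exchange Online PowerShell, as an added example rather than the rule shown in the original post's screenshot. It assumes an existing Exchange Online PowerShell session with permission to create transport rules; the rule name, the warning text and the notification mailbox are placeholders chosen for this example. It matches on the "dmarc=fail action=oreject" verdict that Office365 writes into the Authentication-Results header, prepends a warning banner to the message body and subject (so the warning survives the user clicking "not junk"), and sends an incident report to an administrators' mailbox.

```powershell
# Added example, not the original post's own rule. Assumes you are already
# connected to Exchange Online PowerShell as an admin who can create mail flow
# (transport) rules. $ruleName and $adminBox are hypothetical placeholders.

$ruleName = "DMARC reject - warn users and notify admins"
$adminBox = "security-alerts@example.com"   # hypothetical notification mailbox

# Banner that is prepended to the body. Unlike Outlook's junk filter note, this
# stays in the message if a user moves it out of Junk Email.
$warning = @"
<p style="color:#b00;font-weight:bold;border:2px solid #b00;padding:6px">
WARNING: this message FAILED sender authentication (DMARC) for the domain it
claims to come from and would have been rejected by most other mail systems.
Do not act on it or mark it as "not junk" without checking with IT Security.
</p>
"@

# Office365 records its DMARC verdict in the Authentication-Results header.
# "action=oreject" ("override reject") means the sending domain published
# p=reject but the message was sent to Junk Email (SCL 5) instead of rejected.
New-TransportRule -Name $ruleName `
    -Comments "Flags DMARC p=reject failures that Office365 downgrades to junk" `
    -HeaderContainsMessageHeader "Authentication-Results" `
    -HeaderContainsWords "dmarc=fail action=oreject" `
    -PrependSubject "[DMARC FAIL - possible spoof] " `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $warning `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -GenerateIncidentReport $adminBox `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetection `
    -SetAuditSeverity High `
    -Mode Enforce

# Confirm the rule was created and is enabled
Get-TransportRule -Identity $ruleName | Format-List Name, State, Mode, Priority
```

Two practical points. First, run the rule with -Mode Audit (or AuditAndNotify) for a few days before switching to Enforce: it will also fire on legitimately forwarded or mailing-list mail that breaks DKIM and SPF, which is exactly the traffic Microsoft's "treat reject as quarantine" decision was meant to protect, so you may want an exception for known forwarders. Second, the rule does not change where the message lands; it still arrives in Junk Email with SCL 5, but now the user sees an explicit warning and your administrators get an incident report for every spoof attempt.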
So by adding this missing step to your Office365 security configuration, your users won't be fooled, your administrators will be notified and Evil Jay will have been thwarted from attacking your business.
PS. We have made Microsoft and the Government Digital Service aware of this issue.
Jay has already worked with a major government department, implementing email security configuration for multiple domains on their Office365 tenant, and with the Government Digital Service to improve their email security assessment tool.
If you have any questions about this post, or would like help from not-evil Jay or other members of the Through Technology team to ensure your systems comply with government secure email guidance and don't leave you open to attack, please contact us: firstname.lastname@example.org www.throughtechnology.uk/contact