| Both sides previous revision Previous revision Next revision | Previous revision |
| public:emai:malware [2022-01-17 10:28] – vesely | public:emai:malware [2023-03-09 12:13] (current) – vesely |
|---|
| **The generously opened and heterogeneous nature of the academic and research institution is extremely vulnerable to such kind of threat.** Regular enterprises and other profit-making businesses are usually much more homogenous with much simpler rules and measures against the third parties (no IMAP, no access to emails from non-business devices, strict mobile device management, blocked or limited traffic etc.). | **The generously opened and heterogeneous nature of the academic and research institution is extremely vulnerable to such kind of threat.** Regular enterprises and other profit-making businesses are usually much more homogenous with much simpler rules and measures against the third parties (no IMAP, no access to emails from non-business devices, strict mobile device management, blocked or limited traffic etc.). |
| |
| Both areas of malicious or potentially problematic emails and regular emails are overlapping; it is not easy to distinguish between them sometimes. | |
| | <font inherit/inherit;;#f39c12;;inherit>**Both areas**</font> of |
| | <font inherit/inherit;;#c0392b;;inherit>**malicious or potentially problematic emails**</font> and |
| | <font inherit/inherit;;#339933;;inherit>**regular emails**</font> ** <font inherit/inherit;;#f39c12;;inherit>are overlapping</font> **; it is not easy to distinguish between them sometimes. |
| |
| **The most dangerous threats are usually those of the "zero day attack" nature**; they usually take advantage of badly protected or misprotected email servers and domains so they can mimic the regular sender.\\ | **The most dangerous threats are usually those of the "zero day attack" nature**; they usually take advantage of badly protected or misprotected email servers and domains so they can mimic the regular sender.\\ |
| |
| * [[:public:emai:malware#spf_hard_fail|SPF hard fail]] - sending server __is not on the allowed list__ provided by domain's owner and the domain owner asks for message blocking. | * [[:public:emai:malware#spf_hard_fail|SPF hard fail]] - sending server __is not on the allowed list__ provided by domain's owner and the domain owner asks for message blocking. |
| * [[:public:emai:malware#spf_soft_fail|SPF soft fail]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - SPF - soft fail]</font> - sending server is not listed among allowed ones, but the domain owner allow message passing with warning. | * [[:public:emai:malware#spf_soft_fail|SPF soft fail]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - SPF - soft fail]</font> - sending server is not listed among allowed ones, but the domain owner allow message passing with warning. |
| * [[:public:emai:malware#spf_bad_alignment|SPF bad alignment]] - <font inherit/inherit;;#f39c12;;inherit>[Covert sender]</font> - verify the authenticity of the domain sending the email by using two diffrenent header signatures in the message. | * [[:public:emai:malware#spf_bad_alignment|SPF bad alignment]] - <font inherit/inherit;;#f39c12;;inherit>[Covert sender]</font> - verify the authenticity of the domain sending the email by using two diffrenent header signatures in the message. |
| * [[:public:emai:malware#bad_dmarc|Bad DMARC]] - <font inherit/inherit;;#f39c12;;inherit>[Bad DMARC]</font> - the sender's domain does not have DMARC record and SPF set properly. | * [[:public:emai:malware#bad_dmarc|Bad DMARC]] - <font inherit/inherit;;#f39c12;;inherit>[Bad DMARC]</font> - the sender's domain does not have DMARC record and SPF set properly. |
| * [[:public:emai:malware#ip_reputation_database_-_dnsbl|DNSBL listed]] - <font inherit/inherit;;#f39c12;;inherit>[IP reputation - DNSBL listed]</font> - the sender's IP is listed in SPAM database. | * [[:public:emai:malware#arc|Bad ARC]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - bad ARC]</font> - the sender's email has ARC Seal but it's validation did not succed (e.g. invalid calculated email hash). |
| * [[:public:emai:malware#suspicious_newsletter|Suspicious Newsletter]] - <font inherit/inherit;;#f39c12;;inherit>[Newsletter]</font> - it may be found that certain newsletters are suspicious because they may actually be spam under the disguise of newsletters. | * [[:public:emai:malware#ip_reputation_database_-_dnsbl|DNSBL listed]] - <font inherit/inherit;;#f39c12;;inherit>[IP reputation - DNSBL listed]</font> - the sender's IP is listed in SPAM database. |
| * [[:public:emai:malware#ip_reputation|Bad IP reputation]] - <font inherit/inherit;;#f39c12;;inherit>[IP reputaton]</font> - emails from IP addresses with bad reputation may be discarded or quarantined. It may be dangerous to receive emails from such IPs. | * [[:public:emai:malware#suspicious_newsletter|Suspicious Newsletter]] - <font inherit/inherit;;#f39c12;;inherit>[Newsletter]</font> - it may be found that certain newsletters are suspicious because they may actually be spam under the disguise of newsletters. |
| * [[:public:emai:malware#warning_disclaimer_prepended_to_email|Warning Disclaimer]] (prepended to email) - <font inherit/inherit;;#f39c12;;inherit>[Newsletter]</font> - Anti-Phishing engine cannot decide about targeting URL link (usually concealed by click spying) | * [[:public:emai:malware#ip_reputation|Bad IP reputation]] - <font inherit/inherit;;#f39c12;;inherit>[IP reputaton]</font> - emails from IP addresses with bad reputation may be discarded or quarantined. It may be dangerous to receive emails from such IPs. |
| | * [[:public:emai:malware#warning_disclaimer_prepended_to_email|Warning Disclaimer]] (prepended to email) - <font inherit/inherit;;#f39c12;;inherit>[Newsletter]</font> - Anti-Phishing engine cannot decide about targeting URL link (usually concealed by click spying) |
| * [[:public:emai:malware#pdf_macro|PDF macro]] - PDF files include the ability to execute code on your device — and that’s where the danger lies | * [[:public:emai:malware#pdf_macro|PDF macro]] - PDF files include the ability to execute code on your device — and that’s where the danger lies |
| * [[:public:emai:malware#suspicious_content_html_links_docs_macro|Suspicious content]] (HTML links, docs) - <font inherit/inherit;;#f39c12;;inherit>[Suspicious]</font> - HTML content and attachments may contain potentially hazardous tags and attributes | * [[:public:emai:malware#suspicious_content_html_links_docs_macro|Suspicious content]] (HTML links, docs) - <font inherit/inherit;;#f39c12;;inherit>[Suspicious]</font> - HTML content and attachments may contain potentially hazardous tags and attributes |
| * [[:public:emai:malware#image_spam|Image Spam]] (images, pdf) - <font inherit/inherit;;#f39c12;;inherit>[Image spam]</font> - Some spammers conceal spam text as an image or PDF document. | * [[:public:emai:malware#image_spam|Image Spam]] (images, pdf) - <font inherit/inherit;;#f39c12;;inherit>[Image spam]</font> - Some spammers conceal spam text as an image or PDF document. |
| * [[:public:emai:malware#deepheader_analysis|Deepheader analysis]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - header analysis]</font> - Deepheader analysis examines the entire message header for spam characteristics. | * [[:public:emai:malware#deepheader_analysis|Deepheader analysis]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - header analysis]</font> - Deepheader analysis examines the entire message header for spam characteristics. |
| |
| ===== Possible Spoof ===== | ===== Possible Spoof ===== |
| **Example of spoof email:** | **Example of spoof email:** |
| |
| MAIL FROM: **johndoe2<font inherit/inherit;;#2980b9;;inherit>@gmail.com</font>** \\ | MAIL FROM: **johndoe2 |
| From: **john.doe<font inherit/inherit;;#d35400;;inherit>@cerge-ei.cz</font>** \\ | <font inherit/inherit;;#2980b9;;inherit>@gmail.com</font> ** \\ |
| To: **jane.dow<font inherit/inherit;;#d35400;;inherit>@cerge-ei.cz</font>** | From: **john.doe |
| | <font inherit/inherit;;#d35400;;inherit>@cerge-ei.cz</font> ** \\ |
| | To: **jane.dow |
| | <font inherit/inherit;;#d35400;;inherit>@cerge-ei.cz</font> ** |
| |
| Such email is suspicious. Some user with an account at Gmail (johndoe2@gmail.com) set his profile to use institutional email address (john.doe@cerge-ei.cz). \\ | Such email is suspicious. Some user with an account at Gmail (johndoe2@gmail.com) set his profile to use institutional email address (john.doe@cerge-ei.cz). \\ |
| |
| To check DMARC setup for any domain go to [[https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/|https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/]] | To check DMARC setup for any domain go to [[https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/|https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/]] |
| | |
| | DKIM |
| | |
| | ===== ARC ===== |
| | |
| | Authenticated Received Chain (ARC) is an email authentication system designed to allow an intermediate mail server like a mailing list or forwarding service to sign an email's original authentication results. This allows a receiving service to validate an email when the email's SPF and DKIM records are rendered invalid by an intermediate server's processing. |
| | |
| | Please examine email message headers for further tedails if there is [Suspicious - bad ARC] in message subject includes. |
| | |
| | You may see something like that in email headers: |
| | <code> |
| | |
| | ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; |
| | b=jMJ9kzS3ngfZqq4sLjdzOVKx7B7ETxqwNJAxdqIF7+qlrcD6pM7yu1mXbV35SyfKZU7la+YKB3S46XgZe/l4bgDaJ7o+nv9FuW/E3ccOS9ZzBgVlxQB2D74IXT5dWfG/x7POuQmj6tNLChR8TTL6dAIz3zVI2ogJ83VOwq/mOFtK1sC6qg8dyVBVsI5Vbhxrq5svU2knQyp0S9lF/JNwHPBTU48Ed48TIzGug8uWbc72eY6hU5/hnMo+/2031o9A6xc88PeE0saE520/ha+NcW81euRWknP8k0QCtp8O86n9Hf6COGavEs5TicPVJsjXtH6IR3jzyj3rqjrXWaXuHw== |
| | |
| | ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; |
| | s=arcselector9901; |
| | h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; |
| | bh=qK7o6sWqLXWSt8J0VLOnwQMuYeUgfyS3kDNbxNzpc/0=; |
| | b=SW+mXPUU6eC5V3CcE9v8qUPIfj3uN4lGvca6QWqhnb35RiPKlrEUj80ajHwe6VX5B+LFgMvlqQTtyPtFLTrwiJ747lcuMRPIfOBphz+tyHKYMEYTvPzzj7KfvB2I0zJYHMVtVBjjAc0OcZS72CuYwbVPrRt+6Blh0I2ugfvuQieUniSjQwWCVQIF7aYExk4ruBz31qj2JHN2y7+dEp5YBZFctmpvrYMnbjjZif/2DpVAdzJtdm8bD907GqVYnoGj+RolBdeCaOXpJ3TkUmeedZE3STIy/3iEA6SRkrsT9PjbSt/aeoE5cXBjpiV2F9BqzP/1uxcy3IGxTps2brdv2Q== |
| | |
| | ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass |
| | smtp.mailfrom=csob.cz; dmarc=pass action=none header.from=csob.cz; dkim=pass |
| | header.d=csob.cz; arc=none |
| | ... |
| | X-FEAS-SPF: spf-result=pass, ip=193.245.32.140, helo=mail1a.csob.cz, mailFrom=john.doe@csob.cz |
| | X-FEAS-DKIM: Valid |
| | X-FEAS-ARC: Fail (The ARC-Message-Signature (i=1) contains an invalid body hash) |
| | X-FE-Envelope-From: john.doe@csob.cz |
| | X-FM-Filtering-11: subject.tag:spam-suspicious-arc |
| | |
| | </code> |
| | |
| | [[https://en.wikipedia.org/wiki/Authenticated_Received_Chain|https://en.wikipedia.org/wiki/Authenticated_Received_Chain]] |
| | |
| | [[https://dmarc.org/presentations/ARC-Overview-2016Q3-v01.pdf|https://dmarc.org/presentations/ARC-Overview-2016Q3-v01.pdf]] |
| |
| ===== Reputation databases - Blacklists ===== | ===== Reputation databases - Blacklists ===== |
| Certain sort of newsletter senders wants to track recipients clicks (to monetize and/or monitor recipient behavior) so they conceal the target URL behind their own hash. It is then undecidable whether the redirected URL is OK or not (phishing). | Certain sort of newsletter senders wants to track recipients clicks (to monetize and/or monitor recipient behavior) so they conceal the target URL behind their own hash. It is then undecidable whether the redirected URL is OK or not (phishing). |
| |
| **Example** | **Example** <font inherit/inherit;;#c0392b;;inherit>**Obfuscated/unresolvable link**:</font> If you get the newsletter from **bostonglobe.com** with links in the form [[https://bostonglobe.us11|https://bostonglobe.us11]].**list-manage.com/track/click?u=90f9e490a86&id=0c98f5&e=e8fef** , it cannot be said what is the targeting URL. Hence the ** <font inherit/inherit;;#c0392b;;inherit>warning about uncertain content is added</font> **. |
| |
| <font inherit/inherit;;#c0392b;;inherit>**Obfuscated/unresolvable link**:</font>If you get the newsletter from **bostonglobe.com** with links in the form [[https://bostonglobe.us11|https://bostonglobe.us11]].**list-manage.com/track/click?u=90f9e490a86&id=0c98f5&e=e8fef** , it cannot be said what is the targeting URL. Hence the **<font inherit/inherit;;#c0392b;;inherit>warning about uncertain content is added</font>**. | ** <font inherit/inherit;;#27ae60;;inherit>Regular/direct link</font> **: If the newsletter from **newyorker.com** contains links in the form [[https://link|https://link]].**newyorker.com/view/5dc1b3fc91f4/03075c2d** , it may be tracked down to the target URL and **is considered safe**. |
| | |
| **<font inherit/inherit;;#27ae60;;inherit>Regular/direct link</font>**: If the newsletter from **newyorker.com** contains links in the form [[https://link|https://link]].**newyorker.com/view/5dc1b3fc91f4/03075c2d** , it may be tracked down to the target URL and **is considered safe**. | |
| |
| ===== Macro in attachments ===== | ===== Macro in attachments ===== |
| //Added subject tag: [Suspicious - header analysis]// | //Added subject tag: [Suspicious - header analysis]// |
| |
| //Added warning text: "Deepheader analysis examines header for spam characteristics. Don't click any link unless you are certain it's legitimate.////"// | //Added warning text: "Deepheader analysis examines header for spam characteristics. Don't click any link unless you are certain it's legitimate.////"// <font inherit/inherit;;#c0392b;;inherit>Tool to examine message header (displays human-readable content):</font> [[https://mha.azurewebsites.net/|https://mha.azurewebsites.net/]] |
| | |
| <font inherit/inherit;;#c0392b;;inherit>Tool to examine message header (displays human-readable content):</font>[[https://mha.azurewebsites.net/|https://mha.azurewebsites.net/]] | |
| |
| Deepheader analysis examines the entire message header for spam characteristics. | Deepheader analysis examines the entire message header for spam characteristics. |