Page 2 of 26 | How does sender verification work? (How we identify Spoof mail) | The five
heros SPF, DKIM DMARC, Exchange and Exchange Online protection | Part 9#9
The Five Heroes: SPF, DKIM, DMARC, Exchange And Exchange Online Protection
SPF, DKIM and DMARC are public mail standards that were created for the purpose of verifying sender identity.
Additional options that are available to us:
Using an Exchange server rule that identifies an event in which a hostile element uses the organization's identity to attack organization users hosted by Exchange.
Using the Phish filter option of Exchange Online Protection.
How Does The SPF Standard Protect Us From The Spoof E-Mail Scenario?
The SPF standard is based on a concept in which we draw a conclusion about the sender by verifying information about his mail server.
To be accurate, SPF relates to the right part of the E-mail address, meaning the domain name.
The mail server that represents the sender should be considered an authorized mail server for a specific domain name (the domain name that appears in the sender's E-mail address).
The sender verification process, implemented by the destination mail server (the mail server that represents the destination recipient), is performed by verifying the integrity of the sender's mail server: that server should be considered an authorized mail server for the specific domain name.
The information about the authorized mail servers that can send E-mail on behalf of the domain is published in the SPF record (a TXT record), which includes a list of the IP addresses or host names of the mail servers that are authorized to send E-mail on behalf of the domain.
The SPF sender verification protocol uses the following mechanism for verifying the identity of the sender:
When the E-mail message reaches the destination mail server, the mail server fetches the sender's E-mail address from the mail envelope (MAIL FROM field).
The destination mail server relates to the domain name of the E-mail address (the right part of the E-mail address).
In our specific example, the domain name of the sender is o365info.com.
The mail server addresses the DNS server that hosts the domain name o365info.com and looks for the SPF record that is hosted under the o365info.com domain name.
The SPF record is implemented as a TXT record that includes the relevant information about the mail servers that are authorized to send E-mail messages on behalf of the domain o365info.com.
In our specific example, the mail server verifies whether the IP address of the source mail server (the mail server that represents the sender) appears in the SPF record.
Case 1: the IP address of the source mail server appears in the SPF record. The SPF verification result is Pass, meaning the sender is a legitimate sender because his mail server is considered a legitimate mail server.
Case 2: the IP address of the source mail server does not appear in the SPF record. The SPF verification result is Fail, meaning the sender is not a legitimate sender because his mail server is not a legitimate mail server.
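The lookup-and-match procedure above, as an added Python example (not code from the article): it evaluates a sending IP against a constructed SPF record and handles the ip4, ip6, include and all mechanisms with their qualifiers, which goes slightly beyond the two Pass/Fail cases in the text. The TXT table, domain names and addresses are made-up test data standing in for real DNS.

```python
import ipaddress
from email.utils import parseaddr

# Constructed TXT records standing in for the real DNS lookups (not the real o365info.com record).
TXT = {
    "o365info.com": "v=spf1 ip4:203.0.113.0/24 include:spf.protection.example.net -all",
    "spf.protection.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup_spf(domain, txt=TXT):
    """Return the domain's SPF record, or None when it has no 'v=spf1' TXT record."""
    rec = txt.get(domain.lower())
    return rec if rec and rec.startswith("v=spf1") else None

def check_spf(ip, domain, txt=TXT, depth=0):
    """Evaluate the sending IP against the domain's SPF record (ip4/ip6/include/all only)."""
    if depth > 10:                       # RFC 7208 caps the number of DNS-querying terms
        return "permerror"
    rec = lookup_spf(domain, txt)
    if rec is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:         # walk the mechanisms left to right, first match wins
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif mech == "include":          # the included domain must itself yield 'pass'
            matched = check_spf(ip, arg, txt, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue                     # a/mx/exists/redirect are out of scope here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                     # no mechanism matched and no 'all' term

def spf_result(ip, mail_from, txt=TXT):
    """SPF consults only the envelope MAIL FROM domain; the header From is never looked at."""
    domain = parseaddr(mail_from)[1].rpartition("@")[2]
    return check_spf(ip, domain, txt)

if __name__ == "__main__":
    print(spf_result("203.0.113.7", "john@o365info.com"))     # pass
    print(spf_result("192.0.2.9", "john@o365info.com"))       # fail
```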
The SPF verification process fetches the E-mail address that appears in the mail envelope, in the MAIL FROM field.
The SPF verification process does not relate to or check the E-mail address that appears in the mail header, in the FROM field.
This method can be easily exploited by hostile elements, which can bypass the SPF verification mechanism by providing two different identities:
1. The identity in the MAIL FROM field will be a legitimate identity.
2. The identity in the FROM field will be a spoofed identity.
The SPF standard process verifies the sender information that is stored in the MAIL FROM field only. In other words, the SPF sender verification process will not relate to the sender information stored in the FROM field. This is a built-in weakness that can be exploited by hostile elements. If you want to read more about this vulnerability, you can read the following articles.
Additional reading
How can hostile element execute Spoof E-mail attack and bypass existing SPF implementation? | introduction | 1#2
How to simulate Spoof E-mail attack and bypass SPF sender verification? | 2#2
How Does The DKIM Standard Protect Us From The Spoof Mail Scenario?
The DKIM method for verifying the legitimacy of the mail sender's identity is implemented by a method in which an authorized entity digitally signs the E-mail message that is sent by the sender.
The digital signature is based on existing PKI (public-key infrastructure).
Using a digital signature enables the other side (the mail server that represents the destination recipient in our scenario) to be sure that the information (the E-mail message) was sent by a trusted authority.
Because the E-mail message was sent by a trusted authority (the mail server that represents the sender), the destination mail server can be sure that the sender is a legitimate sender (the sender is who he claims to be).
The authority that digitally signs the sender's E-mail message is usually the mail server that delivers the E-mail message on behalf of the sender.
In the DKIM infrastructure, the entity that signs the E-mail message is described as the DKIM selector.
The information that is signed by the DKIM selector includes a couple of mail fields, but in the context of our topic, the main thing that we ought to know is that the mail field named FROM, which contains the sender identity (the sender's E-mail address), is digitally signed.
Note: if you want to read more detailed information on the DKIM standard and the implementation of DKIM in an Office 365 based environment, you can read the article series:
DKIM Domain Keys Identified Mail | Basic introduction | Part 1#5
The signed E-mail message carries:
The digital signature of the data that includes the E-mail address of the sender.
Information about the name (FQDN) of the mail server that signed the E-mail message, meaning the DKIM selector.
When the E-mail message reaches the destination mail server, the mail server fetches the sender's E-mail address from the mail header (FROM field).
To get information about the authority that digitally signed the E-mail message, the destination mail server relates to the domain name of the E-mail address (the right part of the E-mail address).
In our specific example, the domain name of the sender is o365info.com.
The mail server fetches from the mail header the host name of the DKIM selector that signed the E-mail message.
The destination mail server addresses the DNS server that hosts the specific domain name and looks for the DKIM record that is hosted under the o365info.com domain name.
The DKIM record is implemented as a TXT record that includes the relevant information about the host name of the DKIM selector.
In a DKIM scenario, the mail server will look for information about the host name of the DKIM selector.
In case the DKIM record includes the host name of the DKIM selector that appears in the E-mail message, the mail server knows that it is an authorized authority and that it can be trusted.
Now the destination mail server moves on to the next phase, in which it needs to verify the digital signature that appears in the E-mail message.
The digital signature verification is a fairly complicated process, in which the destination mail server calculates by itself the HASH value of the mail fields (including the mail field FROM, which contains the sender's E-mail address), and compares the HASH value that it got to the HASH value that appears in the E-mail message.
Case 1: the HASH values are identical. This means that the data was not altered in any way, and we can be sure the sender is a legitimate sender.
Case 2: the HASH values are not identical. This means that the data was altered, and for this reason we cannot be sure the sender is a legitimate sender.
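The selector lookup and hash comparison described above, as an added Python example (not the article's or Office 365's code): it parses a constructed DKIM-Signature header, checks that the FROM field is among the signed headers, looks the selector up in a stand-in DNS table, and recomputes the body hash (bh=) under DKIM "simple" canonicalization. The RSA signature over the headers (b=) is not verified here because that needs the real public key; the DNS record, selector and message are made-up test data.

```python
import base64
import hashlib
import re

# Constructed stand-in for the DNS TXT records at "<selector>._domainkey.<domain>" (not real data).
DNS_TXT = {
    "selector1._domainkey.o365info.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
}

def body_hash(body):
    """bh= value under 'simple' body canonicalization: CRLF line ends, trailing empty lines removed."""
    canon = body.replace("\r\n", "\n").replace("\n", "\r\n")
    canon = re.sub(r"(\r\n)+$", "", canon) + "\r\n"
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def parse_tags(header_value):
    """Split 'v=1; d=...; s=...; bh=...' into a dict, dropping folding whitespace inside values."""
    tags = {}
    for part in header_value.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = "".join(value.split())
    return tags

def verify_dkim(headers, body, dns=DNS_TXT):
    """Selector lookup plus body-hash check; returns 'pass' or a 'fail: ...' reason."""
    sig = parse_tags(headers["DKIM-Signature"])
    signed = sig.get("h", "").lower().split(":")
    if "from" not in signed:               # RFC 6376 requires the From field to be signed
        return "fail: From field is not covered by the signature"
    record = dns.get(f"{sig.get('s')}._domainkey.{sig.get('d')}")
    if record is None or "p=" not in record:
        return "fail: selector record not found in DNS"
    if body_hash(body) != sig.get("bh"):   # recompute the hash and compare with the signed one
        return "fail: body hash mismatch (message was altered)"
    return "pass"                          # b= (the RSA signature over the headers) not checked here

# Constructed sample message; bh= is filled in from the same body so the pair is consistent.
SAMPLE_BODY = "Hi John,\r\n\r\nPlease review the attached report.\r\n\r\n\r\n"
SAMPLE_HEADERS = {
    "From": "John@o365info.com",
    "DKIM-Signature": "v=1; a=rsa-sha256; d=o365info.com; s=selector1; h=from:to:subject; "
                      "bh=" + body_hash(SAMPLE_BODY) + "; b=PLACEHOLDER_SIGNATURE",
}

if __name__ == "__main__":
    print(verify_dkim(SAMPLE_HEADERS, SAMPLE_BODY))                                # pass
    print(verify_dkim(SAMPLE_HEADERS, SAMPLE_BODY.replace("report", "invoice")))  # fail: body hash mismatch
```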
Using an Exchange rule, we can define a logical condition that enables us to identify a scenario of a spoofed sender (spoof mail).
When we use the term Spoof mail, the meaning is a very specific scenario: a scenario in which a hostile element uses our user identity and tries to attack one of our organization's users.
The Exchange rule condition that we define is based on the following logic: each entity that uses our organizational identity (an E-mail address that includes our domain name) is supposed to be a legitimate entity that is hosted by our Exchange server.
Each legitimate entity that addresses the Exchange server should provide user credentials, so the Exchange server can know that this is a legitimate and trusted entity.
For example, when we open Outlook and access the data that is stored in our mailbox, our user credentials are transferred in the background to the Exchange server.
The information about whether an entity provided user credentials is registered as part of the mail header.
In case the entity provides user credentials, the entity's authentication status is Internal.
In case the entity did not provide user credentials, the entity's authentication status is Anonymous.
The trick that we can use is based on a procedure in which we fetch the authentication status of senders whose E-mail address includes our domain name.
For example, in our specific scenario, the hostile element presents himself using the E-mail address John@o365info.com (a false identity).
John is a real Exchange recipient that has an Exchange mailbox, etc.
The Exchange mail server that is considered authoritative for the domain name o365info.com expects the sender to provide user credentials, because this is the way legitimate recipients access their private data that is stored in their Exchange mailbox.
In our scenario, the element is a hostile element that does not have John's credentials (user name + password).
For this reason, his authentication status is Anonymous, but at the same time he uses John's E-mail address.
This is our sign that this is probably a spoofed sender (Spoof mail).
To tell the Exchange server that we want to identify Spoof mail events in which the sender's authentication status is Anonymous and the sender's E-mail address includes our domain name, we can create an Exchange rule that monitors such events and does something when it identifies one.
It is important to emphasize that this option is available only for organizations that use an Exchange mail infrastructure, and that this is not a formal or public standard but rather a gimmick that we can use in our favor as a Spoof mail detection mechanism, or as an additional layer on top of an existing mail sender verification standard such as SPF.
Exchange rule | The scenario in which an E-mail message is classified as Spoof E-mail
The Spoof mail event is described by a combination of two conditions, which must both hold at the same time:
The sender uses an E-mail address that includes the organization's domain name, and is considered an anonymous sender (a sender that did not provide user credentials).
Note: if you want to read more information about this method, which is used by hostile elements for bypassing existing sender verification mechanisms such as SPF, you can read the article:
How can hostile element execute Spoof E-mail attack and bypass existing SPF implementation? | introduction | 1#2
The Phish Filter detects a Spoof mail event based on a very simple verification test:
When a sender addresses the Exchange Online mail server (to be more accurate, Exchange Online Protection) and uses two sets of sender identities, the Exchange Online Phish Filter Policy verifies whether the sender information in the MAIL FROM field is identical to the sender identity in the FROM mail field.
In case the identities are different, this is a sign that something is wrong with the specific E-mail message.
Exchange Online Phish Filter Policy | The scenario in which an E-mail message is classified as Spoof E-mail
The Spoof mail event is described as a scenario in which the E-mail address that appears in the MAIL FROM field is not aligned with, meaning different from, the E-mail address that appears in the FROM field.
In this case, the E-mail message is considered a high-risk E-mail message, and a warning notification is added to the original E-mail message.
In case we use one of these sender authentication protocols, DMARC expands the verification process that is implemented by each of them.
In other words, DMARC implements stricter sender verification tests than the sender verification standards SPF or DKIM.
The technical term used by DMARC for describing this additional layer of sender verification is alignment.
For example, in case we use SPF or DKIM, from the DMARC point of view it is not enough that the SPF or DKIM verification test is successful; in addition, DMARC dictates an additional condition, which needs to be met as well.
In case the SPF status is Pass, DMARC continues to the next test, in which it verifies the required SPF alignment.
The SPF alignment test is implemented by verifying whether the E-mail address of the sender that appears in the MAIL FROM field (the information that appears in the mail envelope) is identical to the E-mail address that appears in the FROM field (the information that appears in the mail header).
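The three checks this article describes (the Exchange rule condition of "our domain in FROM plus an anonymous sender", the Exchange Online Phish Filter comparison of MAIL FROM against FROM, and the DMARC alignment test above), run over constructed messages in one added Python example that is not code from the article, Exchange or Exchange Online. It assumes a message dict in which `auth_as` stands in for the authentication status Exchange writes into the header, a two-label shortcut for the organizational domain (real DMARC uses the Public Suffix List), and it compares domains, as DMARC does, rather than whole addresses; it also adds DMARC's strict versus relaxed alignment modes, which the text does not cover.

```python
from email.utils import parseaddr

ORG_DOMAIN = "o365info.com"   # the organization's own domain, as in the article's example

def domain_of(address):
    """Right-hand part of an E-mail address, lower-cased ('John <John@o365info.com>' -> 'o365info.com')."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def org_domain(domain):
    """Shortcut for the organizational domain: last two labels (real DMARC uses the Public Suffix List)."""
    return ".".join(domain.split(".")[-2:])

def aligned(domain_a, domain_b, mode="r"):
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') the same organizational domain."""
    if mode == "s":
        return domain_a == domain_b
    return org_domain(domain_a) == org_domain(domain_b)

def evaluate(msg, mode="r"):
    """Run the three checks over one constructed message dict and return the findings."""
    mail_from = domain_of(msg["mail_from"])      # envelope MAIL FROM (what SPF checks)
    header_from = domain_of(msg["from"])         # header FROM (what the recipient sees)
    findings = {}
    # EOP Phish Filter test as the article describes it: MAIL FROM identity vs FROM identity.
    findings["eop_identity_mismatch"] = mail_from != header_from
    # DMARC: pass needs (SPF pass + SPF alignment) or (DKIM pass + d= alignment with FROM).
    spf_ok = msg["spf"] == "pass" and aligned(mail_from, header_from, mode)
    dkim_ok = msg["dkim"] == "pass" and aligned(msg.get("dkim_d", ""), header_from, mode)
    findings["dmarc"] = "pass" if (spf_ok or dkim_ok) else "fail"
    # Exchange rule logic: our domain in FROM, but the submission was not authenticated.
    # 'auth_as' stands in for the authentication status Exchange records in the header (assumption).
    findings["exchange_rule_match"] = (
        header_from == ORG_DOMAIN and msg.get("auth_as", "").lower() == "anonymous")
    return findings

# Constructed sample messages (not captured traffic).
LEGIT = {"mail_from": "john@o365info.com", "from": "John <John@o365info.com>",
         "spf": "pass", "dkim": "pass", "dkim_d": "o365info.com", "auth_as": "Internal"}
SPOOF = {"mail_from": "bounce@attacker.example", "from": "John <John@o365info.com>",
         "spf": "pass", "dkim": "none", "auth_as": "Anonymous"}   # SPF passes for the attacker's own domain
SUBDOMAIN = {"mail_from": "bounce@mail.o365info.com", "from": "John@o365info.com",
             "spf": "pass", "dkim": "none", "auth_as": "Anonymous"}

if __name__ == "__main__":
    for name, m in [("legit", LEGIT), ("spoof", SPOOF), ("subdomain", SUBDOMAIN)]:
        print(name, evaluate(m), evaluate(m, mode="s"))
```

Note the subdomain message: relaxed DMARC passes it, while the EOP identity comparison and the Exchange rule both flag it, so those two checks need exceptions for legitimate senders that use a subdomain or are not authenticated to Exchange.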
Additional reading
How to review and mitigate the impact of phishing attacks in Office 365
The common types of spear phish we see today
How antispoofing protection works in Office 365
Email authentication should work out of the box and we should not rely upon domain owners
to do it themselves