Types of Email Attacks & Active Countermeasures


There were days in childhood that after creating an email account and we will be waiting to receive an email in our inbox. Sadly days changed now. In the current scenario when our names are called by the postman, our eyebrows are lifted for second thinking who might take some time to write a letter and post it to my address. Yes, today our inbox is flooded with 1000’s of unread mail. But, it is time to take some precautionary in today’s cyber world. Everything is digitalized. We don’t need to go out for anything. Everything comes to our doorstep. There is an evolution in services. The same way we as a consumer has to evolve to latest security awareness in this digital network.
Hope reading the above context might take us to old memories. Let’s jump into the topic straightaway. Yes, I’m coming there. There are lots of fraudulent happens in digital networks. One of the famous and successful attacks carried by the attackers is phishing attacks.
Most of us are familiar with phishing attacks after our organizations given us enough training and awareness about them. There are some more attacks that are moving or revolving around the emails. Let’s look at someone by one. This is more of a theory-based article than a technical one.

Fraudulent emails/Phishing emails
Most of the email systems are not configured enough to distinguish between legitimate and illegitimate emails. So, attackers use different types of tools to create phishing emails. Also, attackers can spoof legitimate email addresses in many ways. SMTP services can be also used by the attackers here. Like spoofing the DNS of the server and sending mail through SMTP services to internal employees. It looks valid. Serious damage as follows after it.
This attack’s most successful scenario comes when a user clicks an attachment sent along with the email. Attachments that might have macros in it, which will give a shell to the attacker. Or with some links to make some transactions without head to our accounts. Or taking out our personal information. Whatever it might be. It will bring big trouble to the user.

SMTP Attacks (Email Services)
SMTP is the protocol that is used as a protocol to send and receive emails. Servers which has SMTP services running will use authentication(AUTH) to verify the sender identity. Along with AUTH, STARTTLS, S/MIME, and DMARC also available as a protective function for SMTP services. Additional custom methods can also be implemented by an organization to protect its email services. Email Encryption Alliance(EEA) is implemented as part of email architecture. If the EEA is publicly accessible then the attacker can use the split-tunnel attack. A successful split-tunnel attack bypasses security gateways by reaching EEA first. Because EEA first decrypts and routes the messages servers without inspecting malware in it.

Mailbox Storage Attacks
Data at risk is the simple term we can give for this attack. Because even after the file systems are encrypted various vulnerabilities are available to exploit it. One such attack is the Direct Memory Attack(DMA). This is targeted to use the hardware to read/write directly to the main memory with the help of OS intervention. Also, Ghost is another buffer overflow attack that can be carried out without the use of hardware.

Email Retrieval Attacks
POP3(Post Office Protocol 3) and IMAP(Internet Message Access Protocol) are two protocols that are used to retrieve emails from servers over TCP/IP connection. POP3 is simple to implement. Allows 1 user to connect at a time and never store messages after they are been processed. Whereas IMAP provides message storage benefits and retrieves email from different client boxes. But, both send user credentials over a network without encrypting resulting in cleartext. So, if a user is using the public wifi network. Attackers after establishing a successful connection and gaining control over the network. Can harvest the credentials.

Email Transport Layer Attacks
Email is transferred over the internet. So, there will be lots of routes between source and destination for the email over network. Some control was some are not controlled or trusted. Those untrusted/uncontrolled routers can be monitored by an external party and modify the content.
TLS is implemented as an encryption channel for the email. However, MITM attacks can be carried here in between the source and destination from the above-stated uncontrolled router. Giving higher encryption available to the destination or source which they don’t support will pay for this attack in transferring clear text content.

⦁ Phishing email awareness programs to be conducted more to the employees.
⦁ Applying security patches regularly.
⦁ Strong enforcement of TLS to transmit data.
⦁ Use of secure protocols and disabling weak protocols like SSLv2.
⦁ Mail encryption before transmission. The use of security keys for sensitive documents and keys has to be transmitted only between sender and receiver.
⦁ Having policies and procedures/guidelines to use sensitive information.
⦁ Use of DMARC, Sender Policy Framework, Domain Keys Identified Mail.
⦁ Not storing unencrypted data on RAM.

At last, the security lies within every individual in this digital network to be on the safer side. One simple method, if you are not sure about the email you receive with attachment or asking you to click any link. Ask for an expert solution in your circle or google about it.

apt Bazarcall bazarcall loader Bazarcall malware Bazar Call Malware Bazarcall malware ioc cyberchef malware analysis cyber threat intelligence event id 4625 event id 4648 event id 4672 event id 4688 event id 4697 event id 5145 event ids to monitor Hancitor hancitor 2021 hancitor malware hancitor malware analysis hancitor malware ioc hancitor ransomware hancitor threat actor incident response tools iocs latest iocs latest threat intel malware malware analysis malware analysis tool malware analyst MITRE phishing detection techniques siem soc soc analyst Threat Hunting threat hunting examples threat hunting tools threat hunting windows event logs threat intelligence windows event ids to monitor windows event id threat hunting Windows event log analysis windows event logs windows security

Previous articleKaseya VSA Ransomware IOC
Next articleThreat Hunting using Sysmon – Advanced Log Analysis for Windows


Please enter your comment!
Please enter your name here