Outbound Email Filtering
What is Outbound Email Filtering?
Most everyone is familiar with Inbound Email Filtering, which is the scanning of emails for spam, malware, phishing and more before the email is delivered to the recipient.
In the case of Outbound Email Filtering, emails are scanned for the same exact items as they leave your organization’s email server (or email service) before being sent out for final delivery to the recipient.
Outbound Email Filtering is not a new concept in the world of filtering, but it is growing in prominence due to the advent of Supply Chain Attacks and Business Email Compromise. When a user’s email account at your organization gets compromised, it’s only a matter of time before it starts being used as an attack vector to steal data internally, compromise other internal users and, perhaps worst of all, attack your clients and vendors by banking on your organization’s reputation as a trusted contact of theirs.
The obvious question here is “how does Outbound Email Filtering help?”
You are most likely not spamming anyone or knowingly sending viruses and your organization is trustworthy; why would your emails need to be scanned before dispatch?
Even if they did need scanning, shouldn’t that be the responsibility of the recipient’s email filter?
These are all very good questions that are received frequently, and the answer to them is Reputation, Trust and Liability; all key elements in the Web of Trust.
To appreciate how we get to these impacts, it’s important to understand the attack vector.
Here’s the thing: phishing attacks are on the rise. They have been for years and they’re becoming more and more sophisticated, with spearphishing being the most artful and successful form of it due to the difficulty in always catching these well-crafted attacks.
When someone gets phished, one of the most common results is Business Email Compromise, wherein the credentials of that user are taken, usually unbeknownst to them, and now an outside malefactor has access to whatever systems, information and contacts that the compromised user has.
Not only will an attacker harvest all the data they can to build an ‘understanding’ of the corporate structure for later, more advanced attacks, but they’ll also use the now-breached systems as a launchpad to attack the vendors and clients of that organization (commonly known as supply-chain attacks, such as the extremely high-profile SolarWinds breach of December 2020, MOVEit breach of June 2023, Kaseya breach of July 2021; the list goes on), and once they’re done there, they’ll finally either deploy ransomware themselves for the final payday, or resell the access they’ve obtained to other, even more vicious attackers.
With phishing breaches happening daily, the number of compromised companies that any given organization does business with, or is a customer of, grows exponentially.
With that said: a credential theft or other breach is almost inevitably going to happen to your organization. Even the finest of defenses can’t stop the human element, and training of humans to spot deception or data mining only goes so far.
That’s where Outbound Email Filtering comes in: not all attacks can be stopped and not all attacks come via email. Wireless hot spots with Man-In-The-Middle packet sniffers, keyloggers/screengrabbers installed by some “free” application and even USB flash drives people “drop” in parking lots are well-known attack vectors, and when someone invariably gets compromised, the attacker is nearly guaranteed to start using their contact lists and their established position within the company to start sending out “trusted sender” based spam and malicious emails to coworkers, vendors and clients alike.
No one ever intends to get hijacked and used as a patsy to attack others, but it happens every day. And that’s just the beginning of the problems.
Reputation
When your company’s emails arrive at recipient email filters, they are scanned for spam, malware and phishing attempts. If any are found, not only are they dropped, but they’re centrally reported up to what are called Remote BlockLists (RBLs), which are effectively long lists of IP addresses, hostnames and domain names that are known for sending spam or other undesirable content.
Once your organization is listed there, you’re in for a world of trouble as emails sent from your organization will now be either thrown away by recipients who ‘subscribe’ to these RBLs by default, without them even knowing, or if you’re lucky, they’ll wind up in their Junk Email folders instead of directly in their Inbox, meaning slower responses to your communications, if any.
The unenviable task of finding the source account or security hole that let this happen then begins, so that you can halt additional RBLs from listing your IP addresses, followed by the ‘delisting’ process with the various organizations that maintain these publicly available RBLs.
While delisting is normally a relatively fast process, some organizations can take days to respond, and if the original cause wasn’t fixed, expect to find yourself back on that RBL in short order with a longer “ban” time associated with you for a false delisting request. Couple that with the intense pressure such a situation brings and the time spent hunting down and eliminating the threat, and that’s all time during which your emails aren’t being received. It’s a maddening situation that can, and does, halt businesses in their tracks until it’s resolved.
Trust
This is arguably the biggest penalty, as once your clients (especially public citizens, parents of students, current and new potential customers) and vendors (business partners, manufacturers, contractors) start receiving dangerous content from your organization, the trust is damaged and they’re going to expect both a proper understanding of what happened to your organization and an action plan that sufficiently assuages their concerns that it won’t happen again…and that’s if they don’t have a choice of dealing with your organization. If they do, this is something that can easily cause you to lose business outright.
As with any organization, we’re expected to maintain our own security as part of the Web-of-Trust that keeps us all secure from the bad actors out there. But when we’re the ones who get compromised and become the bad actor, it’s a really bad look and can easily lead to those ever-so-common public relations disasters of having to announce or otherwise notify everyone who was affected, which brings even more undesired attention to the situation.
How does Outbound Email Filtering work?
In short, there are two major steps involved with configuring and using Outbound Email filtering:
First, add the UpStream service cluster’s IP addresses to your Sender Policy Framework (SPF) DNS record. This lets the mail servers receiving your messages know that UpStream is a validated sender of your emails, so the messages can be safely received and authenticated.
Second, once the SPF records are in play, reconfigure your email server (or email service) to relay messages to UpStream instead of direct delivery to the recipients. This change will force all messages to route to UpStream first, receiving their consequent scans and checks in the same fashion that inbound messages receive.
If the message is safe, it is sent off to the recipient as per normal. Just one extra hop in the transit route.
If the message fails the check, such as if suspicious links or dangerous content are found, the message is instead dropped into a quarantine and not sent for final delivery. This helps to prevent compromised accounts from being used to hurt anyone else and protects the organization’s reputation, both for the legitimate email sent by non-compromised users and with its vendors and clients.
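An added example, not UpStream's own tooling: before switching the relay in the second step, confirm that the SPF record from the first step authorizes the filtering service's sending address, otherwise relayed mail fails SPF at the recipient. The record strings and addresses are constructed from documentation ranges, and only the "ip4", "ip6" and "all" mechanisms are evaluated here; anything that needs a DNS lookup is returned as skipped.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check_ip(record, sender_ip):
    """Evaluate ip4/ip6/all mechanisms left to right; first match wins.

    Returns (result, skipped). Mechanisms and modifiers that need DNS
    (include, a, mx, redirect=...) are not evaluated and come back in skipped.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(sender_ip)
    skipped = []
    for raw in terms[1:]:
        qualifier, term = ("+", raw)
        if raw[0] in RESULTS:
            qualifier, term = raw[0], raw[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier], skipped
        elif name == "all":
            return RESULTS[qualifier], skipped
        else:
            skipped.append(raw)
    return "neutral", skipped  # no mechanism matched

# Constructed sample data (documentation address ranges, not real hosts).
MAIL_SERVER_ONLY = "v=spf1 ip4:198.51.100.25 -all"
WITH_FILTER_RANGE = "v=spf1 ip4:198.51.100.25 ip4:203.0.113.0/28 -all"
FILTER_RELAY_IP = "203.0.113.5"  # hypothetical filtering-cluster address

if __name__ == "__main__":
    for label, rec in (("before", MAIL_SERVER_ONLY), ("after", WITH_FILTER_RANGE)):
        print(label, spf_check_ip(rec, FILTER_RELAY_IP))
```

A non-empty skipped list means the verdict is provisional, because an include or redirect that was not resolved could change it.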
“Oh, but we’ve got MultiFactor Authentication here. That can’t happen to us.”
MultiFactor Authentication (MFA/2FA) is not a bulletproof mechanism to protect against all attacks. The unfortunate reality is that many people don’t fully understand the implications of MFA and will simply click any prompt they get or enter whatever code they must, just wanting to get into their application faster.
You’ve likely already heard about “MFA Prompt Spamming” attacks where prompt after prompt gets delivered to a user in order for them to get so annoyed they authorize it, just to make it stop. It’s not a fun reality, but it happens enough to make the news and be a common vector.
Great strides have been taken by major MFA providers against these attacks, as well as other common workarounds, but the fact is that they’re usually reactive in nature and tend to lean more towards security than convenience, thus making the average user more resentful and less thoughtful as to why security is needed.
Adding in an automated security layer like Outbound Filtering is another excellent idea to help protect your organization from overly trusting any one technology to be a silver bullet for every situation. Its transparency to the users is another value-add: nothing needs to be taught or explained to them, and they can just do their jobs.
Liability
This is the one that the Legal and Marketing/Public Relations departments really dislike.
As above with the Trust section, you’re likely already someone affected by a data breach at some big-name organization, like the Equifax, Home Depot, Federal Office of Personnel Management or Target breaches that impacted hundreds of millions of Americans.
How do you feel about the way they handled your personal data and has it eroded your trust in them, their data handling, cybersecurity and employee training procedures? Did you feel that some pathetic offering of “credit monitoring” is worth the headache of identity or financial theft? Did they offer anything actually substantial that could ameliorate the losses, both realized and potential, that you’re now subject to?
What about internal breaches that impact other employees, like the Human Resources nightmare that comes from internal organization identity theft of employee records? These are the kinds of cases that can bring very unpleasant lawsuits against the organization itself from its own employees.
Read more about the internal implications of these events here: https://aghlc.com/resources/alerts/2018/phishing-scam-damages-180808.aspx
Our guess is that no one is really happy about the things that happened in these breaches, but being on the ‘despised and untrustworthy organization’ end of that situation and potentially coupled with lawsuits from vendors, clients, employees or the public at-large for attempting to deceive them or leak their data is something that can be avoided.