Layer up protection to go beyond the basics
Defense starts with knowing where to look and what to lock down. To protect yourself and your business against these kinds of attacks, you’ll need a combination of controls, including:
Email authentication protocols
The first layer of defense begins with SPF, DKIM and DMARC. These foundational email authentication protocols should be mandatory for every business. These controls not only protect your employees against attacks, but they also protect your customers and suppliers from malicious actors pretending to be you.
Exact domain match detection
SPF, DKIM and DMARC are essential controls, but they do not cover all use cases. For added protection, consider adding extra detections to identify the use of your own domain name in email headers. This may be available directly through your mail hygiene provider, or you can create a data protection rule.
Keep in mind that there are many legitimate uses for your domain name in an email, so you may want to introduce these rules gradually, monitoring matching traffic first rather than blocking emails from reaching their destination.
Fuzzy domain match detection
Fuzzy domain matching helps you detect typosquats of your domain name: altered addresses designed to look like yours and trick your recipients. Because there are many ways to construct a typosquat and mimic a legitimate sender, you may want to write your own custom regular expression (regex).
Here is what it could look like for some common variations on broadcom.com; the regex is followed by the variations it is intended to cover:
b[\W_]*r[\W_]*o[\W_]*a[\W_]*d[\W_]*c[\W_]*[o0][\W_]*m[\W_]*(?:\.|dot|\[.\]|\(.\))[\W_]*c[\W_]*o[\W_]*m
- broadcom.com
- brodacom.com (typo)
- broadc0m.com (0 instead of o)
- broad-com.com (extra punctuation)
- broadcom[.]com, broadcom(dot)com (obfuscation)
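As an added example (not code from the original article), the following Python wraps the page's regex in a small classifier and runs it against the variations listed above. The regex as written does not match the transposition brodacom.com, because it expects the letters in fixed order, so the example adds an edit-distance check (optimal string alignment distance, which counts an adjacent swap as one edit) after normalizing the obvious obfuscations; the digit-to-letter map and the sample domains are assumptions constructed for this example.

```python
import re

# The page's fuzzy-match regex, compiled case-insensitively (the flag is my addition)
PAGE_REGEX = re.compile(
    r"b[\W_]*r[\W_]*o[\W_]*a[\W_]*d[\W_]*c[\W_]*[o0][\W_]*m[\W_]*"
    r"(?:\.|dot|\[.\]|\(.\))[\W_]*c[\W_]*o[\W_]*m",
    re.IGNORECASE,
)
PROTECTED = "broadcom.com"  # the domain being protected, as on the page

def normalize(domain: str) -> str:
    """Undo common obfuscations before comparing: lower-case, turn [.] / (dot) back
    into '.', drop separators, map look-alike digits to letters (assumed map)."""
    d = domain.strip().lower()
    d = re.sub(r"\[\.\]|\(\.\)|\(dot\)|\[dot\]", ".", d)
    d = re.sub(r"[^a-z0-9.]", "", d)
    return d.translate(str.maketrans({"0": "o", "1": "l"}))

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent-letter
    transpositions, so 'brodacom' is one edit away from 'broadcom'."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(domain: str, protected: str = PROTECTED, max_edits: int = 1) -> str:
    """Return 'legitimate', 'regex' (page regex hit), 'edit-distance'
    (within max_edits of the protected domain after normalization) or 'clean'."""
    if domain.strip().lower() == protected:
        return "legitimate"
    if PAGE_REGEX.search(domain):
        return "regex"
    if osa_distance(normalize(domain), protected) <= max_edits:
        return "edit-distance"
    return "clean"

if __name__ == "__main__":
    # Constructed sample: the page's variants plus one unrelated domain
    for d in ["broadcom.com", "brodacom.com", "broadc0m.com", "broad-com.com",
              "broadcom[.]com", "broadcom(dot)com", "example.com"]:
        print(f"{d:20} -> {classify(d)}")
```

In monitoring mode, log the classification alongside the message so you can tune the edit threshold before any rule starts blocking.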
Display name controls
Some email hygiene solutions now allow inspection of the display name in the “body from” (From:) header, an area often exploited in impersonation attacks. This can be compared against a curated list of high-risk individuals within your business, such as executives, finance leads or other VIPs.
But don’t add everybody in your company: names like “John Smith” are common and can trigger false positives. More advanced email security solutions will have a regex sitting behind the list of names to ensure that common variations are also detected. If you don’t have display name controls built into your email hygiene product, you may be able to build data protection rules to achieve the same aim. An example regex would be:
^(?:From:(?:\n?.*?){1,2}?)((?:(?
Anti-backscatter controls
While not specifically designed to stop impersonation attacks, anti-backscatter controls help protect your users when their email addresses are spoofed as senders in spam or phishing campaigns. These attacks can generate large volumes of non-delivery reports (NDRs), creating confusion and consuming resources.
There are several ways to implement anti-backscatter controls. Some email gateways add a unique number to each outbound email header and check for its presence in incoming NDRs. Other vendors may allow you to create a regex to distinguish legitimate NDRs (for emails that were actually sent through your gateway) from backscatter. The exact implementation will usually depend on your email gateway and service provider.
Mixed character detection in headers
To detect a header that mixes character sets (for example, a Subject or From value built from several RFC 2047 encoded-words that declare different charsets), use a regex like:
=\?([^?]+)\?[BQbq]\?[^?]*\?=(?:\s*=\?(?!\1)[^?]+\?[BQbq]\?[^?]*\?=)+
Geolocation-based email detection
In BEC and account takeover scenarios, attackers often operate from a different country than the legitimate owner of the compromised account. Knowing where an email is coming from can be very useful in identifying BEC scams and other impersonation-based attacks.
This can be achieved by examining the IP addresses in the Received headers of the email and mapping them to lists of IP address space allocated to different countries. As with the other controls, this may be offered as an option by your email service provider, or you may be able to achieve it using a regex and a list of IP address ranges grouped by owner.