In a fast-paced corporate environment, where every user has to respond to cyber threats in real time, owns several accounts on several systems and receives dozens of emails a day, a single fraudulent email that goes unnoticed can have severe consequences.
A variety of anti-fraud technologies and controls must be employed to prevent spoofing and phishing attacks. These include spam filters, anti-virus, blacklists, SPF checks, email fingerprinting and email reputation. Furthermore, the email service providers in charge of email security must keep maintaining and enhancing their systems to reduce the risk of spoofing and phishing.
The Header-Related Fraud
Constant monitoring of the email ecosystem through AnubisNetworks MPS has revealed an interesting, and dangerous, increase in fraud based on impersonating a particular sender account. Whether by spoofing or by phishing, AnubisNetworks researchers frequently observe "tricks" around the sender address: for example, a sender address at Migrosoft.com is used instead of Microsoft.com, with an otherwise normal message body, to deceive recipients. In 2016 alone, AnubisNetworks research observed an increase of nearly 100% in email fraud involving tampering with the originating sender (From) and recipient (To) domains.
AnubisNetworks has recently released its newest MPS version, 6.1.3, which focuses on a new functionality block called Anti-Fraud. By analysing sender-recipient relationships, domain reputation, email headers and envelope attributes, and email content, it is possible to detect malicious activity related to:
Spoofing: this is done by detecting the use of someone else's email address, acting upon spoofed domains (emails claiming to come from your own domain, but which fail SPF or DKIM) and identifying a mismatch between the envelope sender (MAIL FROM) and the From header inside the message.
Look-alike domains: this is done by detecting and acting upon look-alike domains, comparing the domain part of the envelope sender with the domain of the envelope recipient, and the domain of the envelope sender with the domain of the From header.
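The three checks above (own domain failing SPF/DKIM, envelope sender disagreeing with the From header, and look-alike domains against the recipient domain, the From header and a brand list such as the Migrosoft.com/Microsoft.com case) as an added, stand-alone example written for this page; it is not MPS code. The owned and protected domain sets, the confusable-character table and the sample messages are constructed for the example, the SPF/DKIM verdicts are read from an Authentication-Results header assumed to have been added by the receiving MTA, and the To header stands in for the envelope recipient, which a real gateway would take from SMTP RCPT TO.

```python
"""Header-based fraud checks: spoofed own domain, envelope/header From mismatch,
look-alike domains.  Illustrative example, not AnubisNetworks MPS code."""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed for this example: domains the organisation owns, and brands it protects.
OWN_DOMAINS = {"example.com"}
PROTECTED_DOMAINS = {"microsoft.com"}

# Hand-picked visual confusables folded before comparison (e.g. rnicrosoft -> microsoft).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed sample messages (not captured traffic).
LOOKALIKE_BRAND = """\
Return-Path: <billing@migrosoft.com>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=migrosoft.com; dkim=none
From: "Microsoft Billing" <billing@microsoft.com>
To: alice@example.com
Subject: Invoice overdue

Please open the attached invoice.
"""
SPOOFED_OWN = """\
Return-Path: <hr@example.com>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none
From: hr@example.com
To: bob@example.com
Subject: Updated payroll form

Fill in the form today.
"""
LOOKALIKE_RECIPIENT = """\
Return-Path: <ceo@examp1e.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass
From: ceo@examp1e.com
To: bob@example.com
Subject: Urgent wire transfer

Are you at your desk?
"""


def domain_of(header_value):
    """Lower-cased domain part of the first address in a header value, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """spf/dkim verdicts from Authentication-Results, e.g. {'spf': 'fail', 'dkim': 'none'}."""
    return dict(re.findall(r"\b(spf|dkim)=(\w+)", msg.get("Authentication-Results", "")))


def normalize(domain):
    """Fold confusable character sequences so visual twins compare equal."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def levenshtein(a, b):
    """Classic edit distance, single-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, references):
    """Reference domain that `domain` imitates (different string, but within one
    edit after confusable folding), or None."""
    for ref in references:
        if domain and ref and domain != ref and levenshtein(normalize(domain), normalize(ref)) <= 1:
            return ref
    return None


def analyse(raw_message):
    """Return a list of (finding_code, detail) tuples for one message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    env_from = domain_of(msg.get("Return-Path"))   # envelope sender (MAIL FROM)
    hdr_from = domain_of(msg.get("From"))          # From header inside the message
    env_to = domain_of(msg.get("To"))              # stands in for RCPT TO in this example
    verdicts = auth_results(msg)
    findings = []

    def add(code, detail):
        if (code, detail) not in findings:
            findings.append((code, detail))

    # 1. Envelope sender and header From disagree on the domain.
    if env_from and hdr_from and env_from != hdr_from:
        add("from_mismatch", f"{env_from} != {hdr_from}")
    # 2. Our own domain appears as sender but authentication failed.
    for d in sorted({env_from, hdr_from}):
        if d in OWN_DOMAINS and "fail" in (verdicts.get("spf"), verdicts.get("dkim")):
            add("spoofed_own_domain", d)
    # 3. Look-alikes: sender domains vs the recipient domain and protected brands,
    #    then envelope sender vs header From.
    for d in sorted({env_from, hdr_from}):
        target = lookalike(d, PROTECTED_DOMAINS | {env_to})
        if target:
            add("lookalike", f"{d} ~ {target}")
    if lookalike(env_from, {hdr_from}):
        add("lookalike", f"{env_from} ~ {hdr_from}")
    return findings
```

Running `analyse` over the three samples yields a mismatch plus a brand look-alike for the first, a spoofed own domain for the second, and a look-alike of the recipient's own domain for the third; a message whose envelope and header domains agree, authenticate, and resemble nothing in the reference set produces no findings. In production the thresholds and the confusable table would be tuned per brand, and the recipient domain taken from the SMTP envelope rather than the To header.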