Among all the tasks of Exchange administrators, one of the most important and challenging is ensuring email security. Since Exchange Server handles thousands of emails every day, it is not easy to manage and monitor such a large volume of messages on a regular basis. This is one reason attackers often exploit email weaknesses to steal confidential information such as trade secrets, or to launch a cyberattack. One of the tricks they use is email spoofing, in which they impersonate someone else to trick the user into sharing sensitive information. In this article, we take a closer look at email spoofing and discuss ways to prevent internal email spoofing in an Exchange environment.
What is Email Spoofing and Internal Email Spoofing?
Email spoofing is one of the common forms of email attack, in which the sender manipulates email headers to deceive the recipient about the identity of the sender. The sender of a spoofed email generally impersonates an employee, client, or vendor of an organization to extract sensitive information such as employees’ personal data, the company’s internal reports, etc.
Internal email spoofing is when an employee of an organization poses as someone else in an email to acquire sensitive documents, accounting records, etc. For instance, an employee can send an email to another employee impersonating a senior executive and convince them to provide access to classified files and documents.
Email Spoofing Attacks are Easy to Launch
Internal email spoofing attacks can be easier to launch than most people tend to think. In this section, we outline a common email spoofing approach to make you aware of how plausible and imminent an internal email spoofing incident is in your organization.
A spoofed email can be sent using the Telnet Client program which, by default, is inactive in Windows. However, the user can turn it ‘On’ by going to Control Panel > Programs > Turn Windows Features On or Off and selecting Telnet Client.
Here, we take an example to illustrate how an internal email spoofing attack can be carried out against an Exchange server from a Windows machine. Let’s assume that the email recipient is John and the sender is impersonating the System Administrator of the company.
Once Telnet Client is activated, the sender can run cmd.exe and connect to the company server on port 25 (the default SMTP port) by running the following command:
Telnet 192.168.24.3 25
Once the sender is connected to the server, he can send a spoofed email by using the SMTP commands as follows:
HELO stellar.com
MAIL FROM: firstname.lastname@example.org
RCPT TO: email@example.com
DATA
354 Start mail input; end with <CRLF>.<CRLF>
Subject: Require credentials for back up

Dear John. This is regarding an important server update that we have to perform urgently. All employees are required to share the login credentials of their email accounts so that their data can be backed up on our server. Please share your credentials as soon as you receive this.
.
Here, the HELO command identifies the client to the server as the domain stellar.com. The MAIL FROM command sets the email address of the employee the sender wants to impersonate, RCPT TO sets the email address of the receiver, and DATA introduces the headers and body of the message, which ends with a line containing only a period.
He can also send a spoofed message by using a PowerShell cmdlet:
Send-MailMessage -SmtpServer 192.168.24.3 -To email@example.com -From firstname.lastname@example.org -Subject "Require credentials for backup" -Body "Dear John. This is regarding an important server update that we have to perform urgently. All employees are required to share the login credentials of their email accounts so that their data can be backed up on our server. Please share your credentials as soon as you receive this."
Whether the impersonator uses Telnet or PowerShell, the resulting email is the same. See Image 1 to view how the email appears to John: convincing and legitimate, as if it were sent by the genuine sender, i.e., the IT admin.
How to Prevent Internal Email Spoofing?
You don’t need advanced security tools and techniques to prevent internal email spoofing, as these attacks can be mitigated with native Exchange mechanisms alone. Two methods that you can implement are:
Method 1: Use SPF Record
Sender Policy Framework (SPF) is an email authentication method that is highly effective against spoofing. An SPF record is a DNS record (a database record used to map a human-friendly domain name to an IP address) that is added to the DNS zone file of your domain. In this record, you list all the IP addresses and/or hostnames that are authorized to send emails on behalf of your domain.
SPF is generally used against external spoofing attacks where senders impersonate trusted entities. However, it can be used to prevent internal email spoofing too. There is one challenge in using an SPF record: to achieve complete protection, you have to include every IP address that is allowed to send email on your network. These may include your company’s servers, printers, custom web applications, third-party applications, etc. This can be a cumbersome task if your company’s network is large and complex.
Steps to Set up SPF Record
To use SPF in your organization, you need to set up three things: an SPF record in your local DNS, the antispam function in Exchange Server, and the Sender ID agent. Follow these steps:
Step 1: Create SPF Record
Create a TXT record on your DNS server in the local domain. It may look something like this:
v=spf1 ip4:192.168.25.3 ip4:192.168.133.55 -all
Here v is the version of SPF used (it’s always set to spf1). The first ip4 address is that of the Exchange Server, and the second one is that of a web-based printer that sends mail through Exchange. Note that there must be no space between ip4: and the address, and -all tells receivers to reject mail from any other source.
Step 2: Install Exchange Antispam Agent
Install the Exchange Antispam Agent by using the PowerShell cmdlet given below:
Step 3: Apply Changes
If the script runs without errors and asks you to restart the MSExchangeTransport service, the step was successful. Apply the changes by restarting the service with the following PowerShell command:
Step 4: Provide IP Address of Exchange Server
Provide the IP address of your Exchange Server by running the following PowerShell command:
Set-TransportConfig -InternalSMTPServers 192.168.25.3
Step 5: Establish Email Rejection Rule
Create a rule that rejects all emails sent from servers that are not listed in your SPF record by executing the following command:
Set-SenderIdConfig -SpoofedDomainAction Reject
The SPF protection is now in place. You can test it by sending a spoofed email from a machine that is not listed in the record.
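To see how the record from Step 1 is evaluated, here is a small SPF evaluator added as an example (it is not code from the original article or from Exchange). It assumes only the ip4, ip6 and all mechanisms, uses the article's record, and adds a constructed, unlisted workstation address (192.168.25.77) to show the result that the Reject action in Step 5 acts on.

```python
import ipaddress

# SPF qualifier prefix -> result (RFC 7208, section 4.6.2); no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Parse a v=spf1 record into (qualifier, mechanism, network) terms.
    Assumed scope: only ip4, ip6 and all (include/a/mx would need DNS lookups).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record does not start with v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all" and not value:
            parsed.append((qualifier, "all", None))
        elif name in ("ip4", "ip6") and value:
            parsed.append((qualifier, name, ipaddress.ip_network(value, strict=False)))
        else:
            # Catches e.g. a bare "ip4:" produced by a stray space after the colon.
            raise ValueError(f"invalid or unsupported term {term!r}")
    return parsed


def check_host(record, sender_ip):
    """Return the SPF result for a connection coming from sender_ip."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, net in parse_spf(record):
        if mech == "all" or (net.version == ip.version and ip in net):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and there is no 'all' term


# The record from Step 1 (written without spaces after 'ip4:', as SPF requires).
STELLAR_SPF = "v=spf1 ip4:192.168.25.3 ip4:192.168.133.55 -all"


def spoof_check_demo():
    """Constructed sample hosts: which of them may send mail as the domain?"""
    return {
        "exchange server": check_host(STELLAR_SPF, "192.168.25.3"),
        "web printer": check_host(STELLAR_SPF, "192.168.133.55"),
        "unlisted workstation": check_host(STELLAR_SPF, "192.168.25.77"),
    }
```

A record with a space after ip4: (as in a hand-typed record) raises a ValueError here, which is the kind of syntax slip that silently leaves a domain unprotected in production.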
Method 2: Use a Dedicated Receive Connector
Exchange servers use Receive connectors to control incoming SMTP communication from external messaging servers (those outside the organization’s purview), from services on the local or remote Exchange servers, or from email clients that use SMTP. These connectors are created automatically when an Exchange Mailbox server is set up.
In the default configuration, an Exchange server accepts emails from anonymous senders. This is a weakness that a malicious employee can exploit. Unfortunately, you can’t block anonymous senders completely, because then you would no longer receive important emails from external addresses. What you can do instead is create another Receive connector that authorizes senders by domain credentials (the login ID and password of users and applications) rather than by IP address. This does mean you have to create a domain account for every device and application (a web-based printer, for instance) that needs to send email through Exchange, but that can be simplified by creating one common account for all of them.
An Exchange server has a Receive connector on TCP port 25 that accepts external connections, i.e., anonymous email from SMTP servers. However, you can create another connector for internal SMTP connections on the same port. The server selects the appropriate connector for each connection on its own.
How to Create a New Receive Connector?
To create a new Receive connector, run the following PowerShell command:
New-ReceiveConnector -Name "Internal Client SMTP" -TransportRole FrontendTransport -Usage Custom -Bindings 0.0.0.0:25 -RemoteIPRanges 192.168.25.0/24 -AuthMechanism TLS,Integrated -PermissionGroups ExchangeUsers
Here, Internal Client SMTP is the name of the new connector, and the IP range covers the devices in your IT infrastructure that must authenticate before sending mail. Change the range to match your infrastructure.
Once the new Receive connector is created, you can try sending a spoofed email again. Since you now have a security mechanism in place, you will receive an error code and the email won’t be delivered.
As an Exchange administrator, it’s your responsibility to maintain email security and prevent email spoofing at all costs. The techniques mentioned in this post, combined with measures like frequent training sessions on IT security, can help you to prevent internal email spoofing to a great extent.