Once you’ve crafted the perfect bait, the next step is to deliver it to your target. However, some obstacles lie in your way - most large organisations run pesky spam filters and email-scanning tools that catch and block suspicious mail. In part 2 of the series, we’ll explore the techniques and strategies we can use to evade detection and deliver phishing emails to our targets.
Understanding Email Security Measures
Modern email systems use a combination of standards, signatures, and heuristics to detect and block phishing attempts. These include:
- Spam Filters: Systems like Google’s Gmail and Microsoft’s Outlook use advanced spam filters that analyze email content and sender reputation to detect phishing emails.
- Antivirus Solutions: These solutions scan attachments, links, and email headers to detect malicious content.
- Email Authentication Protocols: Domain-based Message Authentication, Reporting & Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) are all used to verify the legitimacy of an email’s origin.
We’ll go through each of these measures and discuss ways to bypass them.
Techniques for Bypassing Spam Filters/Antivirus
1. Domain Reputation Management
Spam filters place a significant emphasis on the reputation of the sending domain. Emails sent from domains with a history of sending spam are more likely to be flagged, while domains with a clean reputation are often trusted. To avoid immediate detection:
- New Domain Registration: If you try to spoof another domain, you’ll be hit with the triple threat: SPF, DKIM, and DMARC. They are not impossible to defeat (we’ll cover that later), but it is usually easier to set up your own domain. Registrar WHOIS privacy services keep your registrant details out of the public record.
- Domain Ageing: To increase success rate, register your domain in advance and let it sit idle for a few weeks or months before using it in a phishing campaign. This allows it to build a clean reputation over time.
- High-Volume, Low-Impact Campaigns: Another trick is to send out benign emails from the domain over time to build trust. Once the domain is seen as legitimate, attackers can start sending phishing emails.
2. Using Trusted Domains or Compromised Accounts
A highly effective method for bypassing spam filters is to use a trusted or compromised account with an established “clean” reputation.
- Compromised Business Emails: Gain access to a trusted business email address by compromising it through malware or previous phishing campaigns. Emails sent from this address are less likely to be flagged as suspicious.
- Third-Party Services: Email-sending services like Mailgun, SendGrid, or AWS SES have high deliverability rates because their sending infrastructure is trusted by spam filters. The caveat: they require you to verify the domain you send from and to set up SPF/DKIM for it, so mail goes out authenticated as your own domain rather than as the one you are imitating, and their abuse teams monitor for phishing.
3. Obfuscating Malicious Links and Attachments
Email scanners are trained to detect malicious URLs and attachments, but we can try to hide them:
- Link Obfuscation: Instead of using a direct malicious link, you can use URL shorteners like Bit.ly to hide the true destination, or host phishing pages on trusted cloud services like Google Drive, Dropbox, or OneDrive, which are less likely to be flagged. Be aware that many scanners follow redirects and inspect the final landing page, so a shortener hides the destination from a casual reader, not from a filter that expands it.
- Leave out the attachment: A malicious attachment may get picked up by email attachment scans. If you need to deliver a file to the target, consider hosting it elsewhere, and insert the link to where it’s hosted in the email instead of the full file.
4. Tailoring Email Content
Of course, the actual email content matters as well. Here are some tips on how to avoid raising red flags with your phishing email.
- Avoid Trigger Words: Spam filters look for certain ‘trigger words’ that are common in phishing emails, such as ‘urgent,’ ‘free,’ or ‘password reset.’ Avoid these words or use them sparingly.
- Keep HTML Simple: Complex HTML or overly formatted emails can raise red flags. Stick to simple HTML structures to avoid looking suspicious.
- Proper Grammar and Spelling: Poorly written emails are an immediate red flag. Use proper grammar, spelling, and formatting to blend in with legitimate business emails.
Techniques for Bypassing Email Authentication Protocols
SPF, DKIM, and DMARC are the backbone of email authentication; together they are what stops anyone from sending email as anybody they want.
Properly configured SPF/DKIM/DMARC is highly difficult to bypass, but mistakes happen - this is where you strike. We’ll talk about how these work, how they can go wrong, and how we can take advantage of that.
1. SPF (Sender Policy Framework)
SPF is an email-validation system designed to prevent spoofing by checking whether the server that delivered a message is one the domain owner has authorised. Domain owners publish a DNS TXT record listing the IP addresses allowed to send email on behalf of their domain.
How SPF Works:
- The domain owner publishes an SPF record in the DNS, specifying which mail servers (IP addresses or subnets) are allowed to send emails on behalf of that domain.
- When an email is received, the recipient’s mail server takes the domain from the SMTP envelope sender (the MAIL FROM address, recorded as Return-Path) and queries that domain’s DNS for its SPF record. Note that this is not the From header shown to the user: SPF on its own says nothing about the visible sender, which is why DMARC (below) adds an alignment check between the two.
- The recipient’s server compares the IP address of the connecting mail server to the list in the SPF record.
- If the IP address is authorised, the email passes SPF validation; if not, the result is whatever the record’s final `all` term says (`-all` fail, `~all` softfail, `?all` neutral), and the receiver decides whether that means rejection, a spam-score penalty, or nothing at all.
Bypassing SPF:
- SPF Misconfigurations: Many domains have misconfigured SPF records that allow unauthorised IP addresses to send emails. For example, an overly permissive SPF record (e.g., `+all`) tells mail servers to accept email from any IP address. The opposite mistake is common too: `include:` chains that exceed the ten DNS-lookup limit of RFC 7208 turn the whole record into a permerror, and receivers then treat the domain as if it had no usable policy.
- Look for a ‘Neutral’ Policy: If an SPF record ends with `?all`, the domain doesn’t enforce anything on SPF failures. Mail from unlisted IPs gets a ‘neutral’ result, which receivers treat much like having no SPF record at all, so it slips through without being rejected. `~all` (softfail) is only slightly better in practice: most receivers just add a score penalty.
- Compromised Trusted Domain: Attackers can bypass SPF by sending emails from a compromised email account within a domain that has a valid SPF configuration.
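To make the SPF mechanics concrete, here is an added example (ours, not from the original post) of a small evaluator and auditor in Python. It uses a constructed in-memory zone in place of real DNS lookups, handles only the `ip4`, `ip6`, `include`, `redirect` and `all` terms (the `a`, `mx`, `ptr` and `exists` mechanisms need live DNS and are treated as no match, an assumption noted in the code), and counts DNS-querying terms against the RFC 7208 ten-lookup limit. Note which identity `check_spf` is given: the MAIL FROM domain, not the From header.

```python
import ipaddress

# Constructed zone data standing in for real DNS TXT lookups. The domains are
# documentation names and the addresses come from RFC 5737 / RFC 3849 ranges.
ZONE = {
    "open.example":        "v=spf1 +all",
    "lenient.example":     "v=spf1 ip4:192.0.2.0/24 ?all",
    "soft.example":        "v=spf1 ip4:203.0.113.10 ~all",
    "strict.example":      "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that cost a DNS query; RFC 7208 section 4.6.4 allows at most ten per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, term, argument) tuples."""
    words = record.split()
    if not words or words[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for word in words[1:]:
        qualifier = "+"                      # an unqualified mechanism means pass
        if word[0] in QUALIFIERS:
            qualifier, word = word[0], word[1:]
        name, _, arg = word.partition(":")
        if "=" in name:                      # modifier syntax, e.g. redirect=example.net
            name, _, arg = name.partition("=")
        terms.append((qualifier, name.lower(), arg))
    return terms


def count_lookups(domain, zone, seen=None):
    """Count DNS-querying terms through include/redirect chains."""
    if seen is None:
        seen = set()
    if domain in seen or domain not in zone:
        return 0
    seen.add(domain)
    total = 0
    for _, name, arg in parse_spf(zone[domain]):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, zone, seen)
    return total


def check_spf(ip, mail_from_domain, zone):
    """Evaluate SPF for the connecting IP against the envelope-sender domain.

    The identity checked is the SMTP MAIL FROM domain (Return-Path), not the
    From: header the recipient sees; that gap is what DMARC alignment closes.
    Assumption: a/mx/ptr/exists would need live DNS, so they never match here.
    """
    if mail_from_domain not in zone:
        return "none"
    if count_lookups(mail_from_domain, zone) > MAX_LOOKUPS:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for qualifier, name, arg in parse_spf(zone[mail_from_domain]):
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if addr.version == network.version and addr in network:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced record yields "pass"
            if check_spf(ip, arg, zone) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "redirect":
            return check_spf(ip, arg, zone)
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                         # RFC 7208 default when nothing matches


def audit_spf(domain, zone):
    """Return the weak settings discussed above as short findings."""
    findings = []
    finals = [q for q, name, _ in parse_spf(zone[domain]) if name == "all"]
    if "+" in finals:
        findings.append("+all: any IP on the internet passes")
    elif "?" in finals:
        findings.append("?all: unauthorised senders get neutral, not fail")
    elif "~" in finals:
        findings.append("~all: unauthorised senders only softfail")
    elif not finals:
        findings.append("no all term: unauthorised senders get neutral")
    if count_lookups(domain, zone) > MAX_LOOKUPS:
        findings.append("over 10 DNS lookups: record evaluates to permerror")
    return findings
```

Running `audit_spf` over your own domains’ records is the defensive counterpart: it surfaces the `+all`, `?all`, `~all` and missing-`all` cases before an attacker does.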
2. DKIM (DomainKeys Identified Mail)
DKIM allows the recipient to verify that an email claiming to be from a specific domain was indeed authorised by the owner of that domain and was not altered in transit. DKIM uses public-key cryptography to sign a canonicalised set of headers (listed in the signature’s `h=` tag) together with a hash of the body (`bh=`).
How DKIM Works:
- When an email is sent, the signing server hashes the body, signs that hash together with the selected headers using its private key, and attaches the result as a DKIM-Signature header whose `d=` tag names the signing domain and `s=` names the key selector.
- The recipient’s mail server retrieves the public key by querying DNS for the TXT record at `<selector>._domainkey.<domain>`, built from those two tags.
- Using the public key, the recipient’s server verifies the email’s DKIM signature. If the signature is valid and matches the content, the email is considered authentic.
- If the content has been altered in transit or the signature doesn’t match, the email fails the DKIM check.
Bypassing DKIM:
- Domain Misconfiguration: A failed DKIM check has no consequence by itself; it only matters if the domain’s DMARC policy turns that failure into a rejection. Domains that publish DKIM but leave DMARC unenforced get no protection from it, and keys published in testing mode (`t=y` in the key record) tell verifiers to treat signed mail no differently from unsigned mail.
- Weak Key Length: Some domains still publish short RSA keys. 512-bit keys can be factored with modest compute, which is why RFC 8301 tells verifiers to reject anything under 1024 bits. With the private key recovered, an attacker can sign their own messages as the domain. Note that this is factoring, not brute force, and that 1024 bits is the floor, with 2048 the current recommendation.
- DKIM Replay Attacks: A DKIM signature covers only the body and the headers listed in `h=`, and it stays valid for as long as the key remains in DNS. An attacker who obtains a legitimately signed message (for example one the domain sent to an account they control) can resend it unchanged to many recipients, and can rewrite any header the signature does not cover, such as To or Subject when they were left out of `h=`. Altering the signed body or a signed header breaks the signature.
- Compromised Accounts: Sending through a compromised account at a domain whose outbound servers DKIM-sign mail produces phishing emails that pass DKIM legitimately.
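The steps above are easier to reason about with code. The following added example (ours, not the original post’s, and not a full DKIM verifier) implements the parts of verification that need no key at all: parsing the DKIM-Signature tags, deriving the DNS name of the public key, recomputing the body hash with ‘simple’ canonicalisation, and listing which headers the signature leaves uncovered. The sample message is constructed inside the block; its `bh=` is computed from the body and its `b=` tag is a placeholder, since checking the RSA signature over the headers would need the signer’s key. The domain bank.example and selector sel2024 are illustrative assumptions.

```python
import base64
import hashlib
import re


def parse_tags(value):
    """Parse a DKIM tag=value list (used by both the DKIM-Signature header and
    the DNS key record). Folding whitespace inside values is not significant."""
    tags = {}
    for item in value.split(";"):
        key, sep, val = item.partition("=")
        if sep:
            tags[key.strip().lower()] = "".join(val.split())
    return tags


def split_message(raw):
    """Split a raw message with CRLF line endings into [(name, value)] and the
    body, unfolding continuation lines that start with whitespace."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in re.split(r"\r\n(?![ \t])", head):
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value))
    return headers, body


def canonical_body_simple(body):
    """'simple' body canonicalisation (RFC 6376 section 3.4.3): drop trailing
    empty lines, then end with exactly one CRLF."""
    return body.rstrip("\r\n") + "\r\n"


def body_hash(body):
    """The bh= value: base64(SHA-256) of the canonicalised body."""
    digest = hashlib.sha256(canonical_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def signature_tags(raw):
    headers, _ = split_message(raw)
    return parse_tags(dict(headers)["dkim-signature"])


def key_record_name(raw):
    """DNS name the verifier queries: <selector>._domainkey.<signing domain>."""
    sig = signature_tags(raw)
    return f"{sig['s']}._domainkey.{sig['d']}"


def body_hash_matches(raw):
    """First verification step: does the body still hash to bh=? Any change to
    the signed body fails here before the RSA check over the headers is reached."""
    _, body = split_message(raw)
    return body_hash(body) == signature_tags(raw)["bh"]


def unsigned_headers(raw):
    """Headers present in the message but absent from h=. These can be rewritten
    without breaking the signature, which is what a replayed message relies on.
    The DKIM-Signature header itself is always implicitly covered."""
    headers, _ = split_message(raw)
    covered = {h.lower() for h in signature_tags(raw)["h"].split(":")}
    return sorted({n for n, _ in headers if n not in covered and n != "dkim-signature"})


def build_sample(body, to="victim@target.example"):
    """Constructed sample message (assumed names). bh= is computed here from the
    body; b= is a placeholder because no private key is involved in this example."""
    return (
        "From: alerts@bank.example\r\n"
        f"To: {to}\r\n"
        "Subject: Your statement is ready\r\n"
        "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=bank.example;\r\n"
        f" s=sel2024; h=from:subject; bh={body_hash(body)};\r\n"
        " b=PLACEHOLDER\r\n"
        "\r\n"
        f"{body}"
    )
```

The last function is the one to keep in mind for replay: any header it lists can be rewritten on a resent copy without touching the signature. The fix on the signing side is to include headers such as To, Subject and Date in `h=` and to rotate selectors so that old signatures stop verifying.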
3. DMARC (Domain-Based Message Authentication, Reporting & Conformance)
DMARC builds on SPF and DKIM, allowing domain owners to enforce policies for how emails that fail SPF or DKIM checks should be handled. It also provides a reporting mechanism, allowing domain owners to receive reports on email authentication activity.
How DMARC Works:
- Domain owners publish a DMARC record at `_dmarc.<domain>`, whose `p=` tag says whether to reject, quarantine, or merely monitor (`p=none`) mail that fails authentication.
- DMARC passes only if at least one of SPF or DKIM passes and is aligned with the domain in the visible From header: for SPF that means the MAIL FROM domain, for DKIM the `d=` domain, either matching exactly or sharing the organisational domain depending on the `aspf`/`adkim` mode. If neither is aligned and passing, the receiver applies the published policy; for example, ‘reject’ means the email is refused.
- DMARC reports can be sent to the domain owner, providing insight into unauthorized email activity.
Bypassing DMARC:
- Weak or Non-Enforced Policies: Many domains set their DMARC policy to ‘none’, meaning emails that fail aligned SPF and DKIM are delivered anyway. Attackers can exploit this by spoofing the From address of such a domain outright. The one cost is visibility: with a `rua=` address configured, the domain owner still receives aggregate reports showing the unauthorised sending sources.
- Misconfigured Domains: Some domains publish DMARC records that do not catch what they appear to. A `pct=` value below 100 applies the policy to only that percentage of failing mail (the rest gets the next weaker action), and a record with a syntax error or a missing `p=` tag is ignored by receivers, which is the same as having no policy.
- Using Subdomains: Subdomains without their own record inherit the organisational domain’s policy, so a subdomain is not automatically a gap. The gap appears when the parent sets `sp=none` (or a weaker `sp=` than its `p=`): then mail from any subdomain, including ones that don’t exist, escapes the stricter parent policy.
- Compromised Accounts: Similar to SPF and DKIM bypasses, attackers can use compromised accounts within domains that enforce DMARC to send phishing emails that pass authentication checks.
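Putting the three together, here is an added example (ours, not part of the original post) of how a receiver resolves a DMARC policy and decides a disposition. It reads constructed records for documentation-style domains from a dictionary instead of DNS, simplifies the organisational domain to the last two labels where a real verifier would use the Public Suffix List (an assumption noted in the code), and replaces the random sampling behind `pct=` with an explicit `draw` parameter so that the result is deterministic. It covers the cases discussed above: SPF passing on the attacker’s own MAIL FROM domain but failing alignment, `p=none`, a subdomain inheriting `sp=none`, and `pct=` below 100.

```python
# Constructed DMARC records (documentation domains, not real ones) standing in
# for TXT lookups of _dmarc.<domain>.
DMARC_ZONE = {
    "_dmarc.bank.example": "v=DMARC1; p=reject; sp=none; adkim=s; aspf=r; rua=mailto:dmarc@bank.example",
    "_dmarc.shop.example": "v=DMARC1; p=quarantine; pct=20; rua=mailto:dmarc@shop.example",
    "_dmarc.blog.example": "v=DMARC1; p=none; rua=mailto:dmarc@blog.example",
}


def parse_dmarc(record):
    """Parse a DMARC record; a record without v=DMARC1 and p= is unusable."""
    tags = {}
    for item in record.split(";"):
        key, sep, val = item.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")   # receivers treat this as no policy
    return tags


def org_domain(domain):
    """Organisational domain. Simplified to the last two labels (assumption);
    real verifiers consult the Public Suffix List, e.g. for example.co.uk."""
    return ".".join(domain.lower().split(".")[-2:])


def find_policy(from_domain, zone):
    """RFC 7489 section 6.6.3: try _dmarc.<from domain>, then the organisational
    domain. Returns (tags, is_subdomain) or None when no record exists."""
    record = zone.get(f"_dmarc.{from_domain}")
    if record:
        return parse_dmarc(record), False
    org = org_domain(from_domain)
    record = zone.get(f"_dmarc.{org}") if org != from_domain else None
    return (parse_dmarc(record), True) if record else None


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_domain, spf_result, mail_from_domain,
                   dkim_result, dkim_domain, zone, draw=0.5):
    """Combine the SPF and DKIM results with alignment and the published policy.

    draw stands in for the receiver's random selection used by pct= (assumption:
    a value in [0, 1); below pct/100 means the message is sampled for the policy).
    """
    found = find_policy(from_domain, zone)
    if found is None:
        return {"policy": "none", "result": "none", "disposition": "none"}
    tags, is_subdomain = found
    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    # sp= governs subdomains when present; otherwise p= applies to them too
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    result = "pass" if (spf_ok or dkim_ok) else "fail"
    disposition = "none"
    if result == "fail" and policy != "none":
        if draw * 100 < int(tags.get("pct", "100")):
            disposition = policy
        else:   # unsampled share gets the next weaker action (RFC 7489 section 6.6.4)
            disposition = "quarantine" if policy == "reject" else "none"
    return {"policy": policy, "result": result, "disposition": disposition}
```

The first case in the checks is the important one for the SPF discussion earlier: a message whose envelope sender is attacker-controlled passes SPF, and it is only the alignment check in DMARC that turns the spoofed From header into a rejection.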
Conclusion
Delivering a phishing email is a complex process that goes beyond crafting convincing content. As with many areas of security, to increase your chance of success, you must understand the defenses employed by your target and exploit their weaknesses.
Now, after we evade the target’s defenses and deliver our carefully crafted email, what’s next? In the next installment, we’ll go beyond the phishing campaign, and talk about what happens after the target clicks on your link and runs your malicious payload.