2021-09-14 Microsoft Outlook as a Cybersecurity Risk

The 2021-09-09 Wall Street Journal contains a special section on cybersecurity. The lead article "The Brain as a Cybersecurity Risk" by Ms. Heidi Mitchell should be required reading for anyone who handles money. The main (I think correct) assumption of the article is that it all starts with an email message.

"In a typical scam, criminals send an email message that looks like it comes from a known authority figure who is making a recognizable request."

In the corporate email world, Microsoft Office 365 has a market share of over 80% and some surveys put it close to 90%. The Microsoft email client is Outlook, which I claim is itself a cybersecurity risk. Outlook by default fails to display information that would make it obvious to the recipient that a message is a scam.

Any email client needs to present a list of the messages in your inbox by showing a few selected fields from each message. Typically these include the sender, subject, and date sent. The sender displayed by the email client is derived from the RFC5322.From header. See this for the details. Consider a message with the following headers:

From: Robert Thomson <robertthomson9937@gmail.com>
Subject: New Acquisition
To: Susan Panuccio

The scammer has created (or forged) an email address that sort of looks like it might be a personal gmail address for the CEO. It should be a bright red flag for the CFO to receive company email from such a personal email address. But the scammer is depending on the fact that Outlook won't display that email address. When Ms. Panuccio sees her inbox in Outlook, that message will appear to be from "Robert Thomson" with no indication that it is not from an @newscorp.com address.

Every other email client that I have used will display the full From: header, giving the recipient at least a fighting chance of detecting the scam immediately. So, how do we make Outlook show that full header? One of my clients called MS tech support and was told that it is not possible. However, I suspect that MS tech support just does not understand their own product. A Google search finds this.

But you ask, since the scammer can control all of those headers, why don't they just use something like the following?

From: Robert Thomson <rthomson@newscorp.com>
Subject: New Acquisition
To: Susan Panuccio

It would make the scam more effective if the recipient saw the actual email address of the CEO. DMARC (see this for details) essentially forces the scammer to use an address in some email domain other than the targeted domain. newscorp.com publishes a DMARC record as follows.

"v=DMARC1; p=reject; fo=1;
rua=mailto:dmarc_rua@emaildefense.proofpoint.com;
ruf=mailto:dmarc_ruf@emaildefense.proofpoint.com"

Note the "p=reject" tag. That is a policy statement by newscorp.com that any message whose RFC5322.From header address is in the newscorp.com domain should be rejected unless it passes DKIM or SPF authentication aligned with that domain: either a valid DKIM signature from newscorp.com, or a sending IP address listed in the newscorp.com SPF TXT record. The scammer clearly should not have access to the newscorp.com private DKIM signing keys, so they cannot DKIM sign their scam. The scammer might be able to use some system listed in the SPF TXT record, but we can hope that none of those systems would allow an unauthenticated sender to send arbitrary outbound mail with an RFC5322.From header address in the newscorp.com domain.
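To make both points above concrete (the display-name-only rendering that hides the gmail address, and the p=reject policy that pushes the scammer off the newscorp.com domain), here is an added Python example. It is not part of the original post and not anything Microsoft or News Corp ships; the From headers are constructed from the two examples above, the DMARC record is the one quoted above, and the protected executive name and the DKIM/SPF alignment results are assumptions passed in by the caller rather than looked up.

```python
from email.utils import parseaddr

# Assumed: the recipient's own corporate domain and the executive names a
# mail-gateway rule would protect (the post's News Corp example is used).
CORPORATE_DOMAIN = "newscorp.com"
PROTECTED_NAMES = {"robert thomson"}

# Constructed From headers, modelled on the two examples in the post.
SCAM_FROM = "Robert Thomson <robertthomson9937@gmail.com>"
SPOOF_FROM = "Robert Thomson <rthomson@newscorp.com>"

# The DMARC TXT record the post quotes for newscorp.com.
DMARC_RECORD = ("v=DMARC1; p=reject; fo=1; "
                "rua=mailto:dmarc_rua@emaildefense.proofpoint.com; "
                "ruf=mailto:dmarc_ruf@emaildefense.proofpoint.com")


def split_from(header):
    """Split an RFC5322.From header into (display_name, address, domain)."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    return name, addr, domain


def name_only_view(header):
    """What a client shows when it renders only the display name."""
    name, addr, _ = split_from(header)
    return name or addr


def full_view(header):
    """What a client shows when it renders the whole From header."""
    name, addr, _ = split_from(header)
    return f"{name} <{addr}>" if name else addr


def parse_dmarc(record):
    """Turn a DMARC TXT record into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_disposition(record, dkim_aligned, spf_aligned):
    """Disposition a receiver applies to a message whose From domain
    publishes `record`.  The two booleans are the (assumed, caller-supplied)
    results of DKIM and SPF checks aligned with the From domain.
    Returns 'pass' or the record's p= policy ('reject', 'quarantine', 'none')."""
    if dkim_aligned or spf_aligned:
        return "pass"
    return parse_dmarc(record).get("p", "none")


def flag_lookalike(header, corp_domain=CORPORATE_DOMAIN, protected=PROTECTED_NAMES):
    """True when the display name is a protected executive's name but the
    address is outside the corporate domain: the pattern the post describes.
    Exact domain match only; subdomain handling is deliberately omitted."""
    name, _, domain = split_from(header)
    return name.strip().lower() in protected and domain != corp_domain.lower()


if __name__ == "__main__":
    for hdr in (SCAM_FROM, SPOOF_FROM):
        print(f"name-only: {name_only_view(hdr)!r:32} full: {full_view(hdr)!r}")
        print(f"  lookalike flag: {flag_lookalike(hdr)}")
    # The forged @newscorp.com header carries no aligned DKIM/SPF pass,
    # so the published policy applies.
    print("spoofed newscorp.com From, unauthenticated ->",
          dmarc_disposition(DMARC_RECORD, dkim_aligned=False, spf_aligned=False))
```

Both sample headers render identically under the name-only view and only diverge under the full view, which is exactly the gap the post complains about; the lookalike check is the kind of gateway rule that closes it when the client will not.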

The end result is:

Therefore, I consider the use of MS Outlook to be a cybersecurity risk.