Preventing Phishing the Company From Your Domain

If a phish or spam comes into your company with a From address of your company's domain, recipients may be more likely to take action. That quick decision can lead to compromised computers. Coca-Cola found itself the victim of a hack when an email masqueraded as Coca-Cola's chief executive, sending an email to Paul Etchells, Coca-Cola's deputy president for the Pacific region. One click and the machine was flooded with malware designed to establish a beachhead and search for specific information to be stolen.

The problem is that if you take a hard approach and block all inbound email with your company domain in the From address, you may block legitimate business traffic. Looking at our logs, some of it comes from a SaaS employee evaluation product, and some might be SalesForce. You'd have to go through all those emails and either whitelist the senders or convince people to change their ways.

While reading Eric Cole's APT book, I came across an interesting suggestion. Rather than deleting the message and having to deal with the consequences, you could prepend a tag to the subject line. So instead of getting an email that said "Subject: Performance Review Workflow", it would say "Subject: [EXTERNAL] Performance Review Workflow". If you have the capability at your gateway, you can make this change to just those forged emails, calling them out as suspicious but not blocking them. Other email remains unaffected.

The main problem with this second option is that it leaves the security in the users' hands. How much effort would be needed to get users to treat those emails more suspiciously? Perhaps with the right mail equipment you could also remove all active content and break links in the tagged messages.
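The tagging rule described above, and the whitelisting problem from the earlier paragraph, can be shown in a few lines of gateway logic. The following is an added example written for this post, not Eric Cole's code or any vendor's product: it parses an inbound message, checks whether the From domain is ours, looks at the connecting host recorded in the topmost Received header (which the gateway itself writes), and prepends "[EXTERNAL]" to the Subject only when the mail did not come from our own relays or from an allowlisted third-party sender. The domain, the IP ranges and the sample messages are all constructed for the example.

```python
"""Added example: subject tagging for inbound mail that claims our own
From domain but was not handed to the gateway by our own mail servers.
All names, addresses and sample messages are constructed."""
import ipaddress
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                                   # assumed company domain
INTERNAL_RELAYS = [ipaddress.ip_network("10.0.0.0/8")]       # assumed internal MTAs
TRUSTED_SENDERS = [ipaddress.ip_network("203.0.113.0/24")]   # assumed SaaS allowlist
TAG = "[EXTERNAL]"

# Bracketed IPv4 literal as most MTAs write it: "from host (name [192.0.2.1]) by ..."
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def from_domain(msg):
    """Domain of the address in the From header, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def connecting_ip(msg):
    """IP of the host that delivered the message to our gateway. The topmost
    Received header is the one our gateway added, so it is the only one we trust."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = RECEIVED_IP.search(received[0])
    return ipaddress.ip_address(match.group(1)) if match else None


def in_any(ip, networks):
    return ip is not None and any(ip in net for net in networks)


def is_forged_internal(msg):
    """True when the mail says it is from our domain but came from an unknown host."""
    if from_domain(msg) != OUR_DOMAIN:
        return False
    ip = connecting_ip(msg)
    return not (in_any(ip, INTERNAL_RELAYS) or in_any(ip, TRUSTED_SENDERS))


def tag_message(raw):
    """Parse a raw message and prepend TAG to the Subject if it looks forged."""
    msg = message_from_bytes(raw, policy=policy.default)
    if is_forged_internal(msg):
        subject = str(msg.get("Subject", ""))
        if not subject.startswith(TAG):          # never double-tag
            del msg["Subject"]
            msg["Subject"] = f"{TAG} {subject}".strip()
    return msg


def subject_after_gateway(raw):
    return str(tag_message(raw).get("Subject", ""))


# Constructed sample messages; the first Received line is the gateway's own.
FORGED = (
    b"Received: from mail.unknown-host.example (unknown [198.51.100.7]) "
    b"by gw.example.com with ESMTP id 1\r\n"
    b"From: \"Chief Executive\" <ceo@example.com>\r\n"
    b"To: deputy@example.com\r\n"
    b"Subject: Performance Review Workflow\r\n\r\n"
    b"Please review the attached document.\r\n"
)
SAAS = (
    b"Received: from app.reviews-saas.example (app.reviews-saas.example [203.0.113.5]) "
    b"by gw.example.com with ESMTP id 2\r\n"
    b"From: hr@example.com\r\n"
    b"To: staff@example.com\r\n"
    b"Subject: Performance Review Workflow\r\n\r\n"
    b"Your review form is ready.\r\n"
)
INTERNAL = (
    b"Received: from mail1.example.com (mail1.example.com [10.1.2.3]) "
    b"by gw.example.com with ESMTP id 3\r\n"
    b"From: ops@example.com\r\n"
    b"To: staff@example.com\r\n"
    b"Subject: Weekly report\r\n\r\n"
    b"Attached.\r\n"
)

if __name__ == "__main__":
    for name, raw in [("forged", FORGED), ("saas", SAAS), ("internal", INTERNAL)]:
        print(f"{name}: {subject_after_gateway(raw)}")
```

The allowlist is what keeps the SaaS and SalesForce traffic from the second paragraph untouched: those senders are known by IP range, so their mail passes without a tag while anything else using our domain is called out. The check relies on the gateway writing the topmost Received header itself and not trusting any Received headers the sender supplied; where the sending services publish SPF records, the same decision can be driven from an SPF or DMARC result instead of a hand-maintained IP list.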

I suppose the third option is perfect email security (and perfect web security), so the malware never gets to the end user and is always detected. Good luck with that.

The problem is that even after implementing solution A or B, the bad guys could send an email forged from a domain similar to yours. They could even purchase it so they can receive replies. Blocking forged mail from your domain to your company is but one step.