Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2437
Views
15
Helpful
8
Replies

How To Protect Against Domain Look Alike Attacks In An Email ?

mitewarrior
Level 1
Level 1

‎09-22-2020 11:58 PM

Can somebody please help me understand if DMARC would assist in thwarting against domain look alike attacks through an email ? If not, how it can be protected ?
For example; if any of the employees in an organization receive mail from a domain "Ciscoo.com" instead of "Cisco.com" with the display name of an original Cisco employee also being spoofed. In that case, will applying DMARC security policy on my mail infrastructure help protect from such attacks.

 

Note:- Am still trying to understand how DMARC works but alternatively thought of putting the question on forum and seek suggestions as well.     

Labels:
0 Helpful
8 Replies 8

Ken Stieers
VIP
VIP

‎09-23-2020 07:57 AM

Keep in mind that DMARC is mostly voluntary, and everyone has to agree to actually use it.



If you turn on DMARC checking (along with SPF and DKIM) and ciscoo.com sets up DMARC for their domain, the ESA will verify it as OK, because ciscoo.com's stuff all verifies... the ESA doesn't know that ciscoo.com isn't CISCO.COM.... but if ciscoo.com doesn't stand up any DMARC/SPF/DKIM records, most of us set up the ESA to take the mail, because SO MANY legit companies either don't set it up or don't set it up correctly.



Now if YOU are Cisco.com, you can do things like run dnstwist, or KnowBe4's Domain Doppleganger tool (its free to use) and take the output of that and put it in a content filter or message filter to just quarantine or dump mail that obviously isn't legit...



For you, sending mail, setting up DMARC/SPF/DKIM correctly is great up to the point that everyone else has to check it... if they don't check it, they can't be assured mail "from" your domain is legit... but you can't do it for them...



Hope that helps.




marc.luescherFRE
Spotlight
Spotlight

‎09-23-2020 09:01 AM

Doppelganger detection can be done with ESA but this is not -YET- an out of the box solution.

 

Let me find my notes of our scripts so I can share it with the community.

But in short we run a docker typosquad script against all our email domains

We check the results for recent registrations.

We block those domains in an ESA block list.

 

Give me 1-2 days to document it.

mitewarrior
Level 1
Level 1

‎09-23-2020 12:07 PM

First of all, i would like to thank you both for quick revert on the query. Have got 2 follow up questions :-

 

1. As you said, that certain scripts and tool can be used to identify similar domain names and block it on the ESA but i guess it would be a periodic activity and would such scripts and tool capture punycode domain names as well. Can it be automated and alerted if any such domains are detected through ESA.

2. Also just as a suggestion, does it make sense to add a cautionary message to all the mail coming from external domains and would it serve the purpose, I know it wouldn't totally but to a certain extent it might alert the users that the mail is from an external domain and need to dealt cautiously. Have attached a sample warning message just to quote as an example.


Am just trying to understand the scenarios and options available to improvise my organization's security posture.

Preview file
24 KB
0 Helpful

Ken Stieers
VIP
VIP
In response to mitewarrior

‎09-23-2020 12:25 PM

1. It can be automated, but its awkward, but will be getting better as the next-gen gui is all API based (which is why it seems to be taking forever)...

2. Adding an "external" disclaimer is one of those things that's hard to measure if it does any good... it definitely does at the beginning, but I wonder how much good it does as people get used to seeing it... I guess its worth it for the one time it saves you? (we do have this turned on, I just didn't feel there was a good case either way)




marc.luescherFRE
Spotlight
Spotlight
In response to mitewarrior

‎09-24-2020 10:43 AM

re (external disclaimer), just check by blog to get some ideas : www.emailsecurityblog.info

re (cousin domains), just working on an external script using API to make this happen, keep posted.

0 Helpful

nullifi
Level 1
Level 1
In response to marc.luescherFRE

‎06-14-2023 01:19 PM

It's been a few years, did you ever get this finished?

0 Helpful

Ken Stieers
VIP
VIP
In response to nullifi

‎06-15-2023 06:33 AM

Marc left his old job... so he may not get that email note if his account was tied to his old job's email.

Check his blog/contact him there.

0 Helpful

mitewarrior
Level 1
Level 1

‎09-24-2020 10:25 PM

Thanks Ken & Marc for your valuable inputs. 

0 Helpful
Customers Also Viewed These Support Documents