How to Prevent Internal Email Spoofing in an Exchange Organization?
Summary: In this blog, we have discussed email spoofing, internal email spoofing, and the difference between these two cyberattacks. We have also highlighted specific mechanisms to prevent internal email spoofing, such as using SPF records and a dedicated receive connector.
Among all the tasks of Exchange administrators, one of the most important and challenging ones is ensuring email security. Since Exchange Server handles thousands of emails daily, it is not easy to manage and monitor such a large chunk of messages regularly. Hackers often exploit email vulnerabilities to steal confidential information, such as trade secrets, or launch a cyberattack. One of the tricks they use is email spoofing, wherein they impersonate someone else to trick the user into sharing sensitive information. This article looks closely at email spoofing and discusses ways to prevent internal email spoofing in an Exchange environment.
What are Email Spoofing and Internal Email Spoofing?
Email spoofing is one of the common forms of email attacks, in which the sender manipulates email headers to deceive the email recipient regarding the sender’s identity. The spoofing email sender generally impersonates an organization’s employee, client, or vendor to extract sensitive information, such as employees’ data, the company’s internal reports, etc.
Internal email spoofing is when the employee of an organization poses as someone else in an email to acquire sensitive documents, accounting records, etc. For instance, an employee can send an email to another employee impersonating a senior executive and convince them to provide access to classified files and documents.
How to Prevent Internal Email Spoofing?
Here are the methods that you can implement to prevent internal email spoofing.
Method 1: Use SPF Record
Sender Policy Framework (SPF) is an email authentication method that is highly effective against spoofing. An SPF record is a DNS record (database record used to map a human-friendly URL to an IP address), which is added to the DNS zone file of your domain. In this record, you can mention all the IP addresses and hostnames authorized to send emails on your behalf.
SPF is generally used against external spoofing attacks where senders impersonate trusted entities. However, it can be used to prevent internal email spoofing too. There is one challenge in using SPF records, though – to achieve complete protection, you must include all IP addresses allowed to send emails on your network. These may include your company’s servers, printers, custom web applications, third-party applications, etc. So, this can be a cumbersome task if your company’s network is large and complex.
Steps to Set up SPF Record
To use SPF in your organization, you need to set up three things – SPF record in local DNS, antispam function in Exchange Server, and a Sender ID agent. Follow these steps:
Step 1: Create SPF Record
Create the txt record on your DNS server in the local domain. It may look something like this:
v=spf1 ip4: 192.168.25.3 ip4: 192.168.133.55 -all
Step 2: Install Exchange Antispam Agent
Install the Exchange Antispam Agent by using the PowerShell cmdlet given below:
& $env:ExchangeInstallPath\Scripts\Install-AntiSpanAgents.ps1
If the script runs without errors and asks you to restart your MSExchangeTransport service, it means the step is successful. You can apply the changes by restarting the services by using the following PowerShell command:
Restart-Service MSExchangeTransport
Step 3: Provide IP Address of Exchange Server
Provide the IP address of your Exchange Server by running the following PowerShell command:
Set-TransportConfig -InternalSMTPServers 192.168.25.3
Step 4: Establish Email Rejection Rule
Create a rule that rejects all emails from addresses that don’t exist in your SPF record by executing the following command:
Set -SenderIdConfig -SpoofedDomainAction Reject
Method 2: Use a Dedicated Receive Connector
Exchange servers use Receive connectors to control incoming SMTP communication from external messaging servers (those out of the organization’s purview), services in the local or remote Exchange servers, and email clients that use SMTP. These connectors are automatically created when Exchange Mailbox Server is set up.
In a default configuration, an Exchange Server is set to receive emails from anonymous users. This vulnerability allows a malicious employee to exploit the system. Unfortunately, you cannot block emails from anonymous users completely, as you will not be able to receive important emails from external email addresses. Therefore, you can create another receive connector that uses domain credentials (login ID and password of users and applications) rather than IP addresses to authorize email senders. Although, this means you have to create a domain account for every device and application (web-based printer, for instance) that has to send emails to Exchange.
An Exchange Server has a Receive connector on TCP port 25, which accepts external connections, i.e., anonymous emails from SMTP servers. However, you can create another connector for internal SMTP connections on the same port. The server can select the appropriate connector for each connection on its own.
How to Create a New Receive Connector?
To create a new Receive connector, run the following PowerShell command:
New-ReceiveConnector –Name “Internal Client SMTP” –TransportRole FrontendTransport –Usage Custom –Bindings 0.0.0.0:25 –RemoteIPRanges 192.168.25.0/24 –AuthMechanism TLS,Integrated –PermissionGroups ExchangeUsers
Once the new Receive connector is created, you can try sending a spoofed email. Since now you have a security mechanism in place, you will receive an error code and the email will not be delivered.
Conclusion
As an Exchange administrator, you must maintain email security and prevent email spoofing at all costs. The techniques mentioned in this post, combined with measures like frequent training sessions on IT security, can help prevent email spoofing to a great extent.