With the new year here, it might be time to not just look forward but also take stock of something that comes up a lot on the blog: email safety. Email is probably the most reliable way of communicating between organizations, but it can be messy and unusable without extra filtering from an email service, which Crown Computers recommends. These services rely on recognizing patterns and large-scale operations, so they’re more likely to let through targeted attacks, which are much more successful and more damaging to your security. Either way, extra security services for your email can address two major problems in emails (through attachment sandboxing and URL rewriting), which we’ll walk through in detail in today’s blog post.
Attachments
The most obvious step for email safety is to stay away from HTML attachments in any email. An HTML attachment looks like any other email attachment, but hopefully your email client (both mobile and workstation) points out to you that it’s an .html file. HTML is classically the type of file that a website is stored in, which is kind of like text but can contain code to be executed by your browser. This means that an .html file, when opened, can ask your web browser to do “some work” for it. That could mean displaying a simple website, or reaching out to a remote server or website (more on this below), or executing some malicious code as part of an attack on your network or workstation.
Over the past couple of decades, the browser has become a more and more popular place for your computer’s resources to be used. Your browser kind of treats websites like they are apps that are installed remotely and leverages a scripting language like JavaScript to use your processing power instead of the server’s. In other words, if the browser tells your computer what to run, then .html files are kind of like the new .exe file.
The popular attacks that use this method utilize JavaScript in an .html file, which, when opened, installs malware on your device. Since it’s your browser that’s making the malware, it often evades detection by traditional antivirus—this is why you need modern endpoint detection, which can detect novel malware. Attachment sandboxing can help: Microsoft 365, for instance, has Application Guard, which opens your attachments in a way that cannot alter your operating system.
To stay away from these types of attacks, it’s preferable to just not open attachments, at least from external senders (those who are outside of your organization). It may seem extreme, but given the risks that are out there, it’s probably completely socially acceptable to never open attachments; if something’s important, then you can find a way to transfer or download the file another way. If you’re unwilling to take that step, you’ll need a service like Proofpoint to help secure all of your internal and external emails.
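To make the attachment advice concrete, here is an added example (not code from Crown Computers or any vendor named above) of a mail-side check that finds HTML attachments, notes whether the sender is outside the organization, and flags script-capable markup. The `INTERNAL_DOMAIN` value, the function names, and the sample message are constructed assumptions, and the regex is a heuristic for triage, not a replacement for sandboxing.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: your organization's mail domain
HTML_NAME = re.compile(r"\.(html?|xhtml|shtml)$", re.I)
# Heuristic markers of script-capable markup; not a substitute for sandboxing.
ACTIVE = re.compile(r"<script\b|\bon\w+\s*=|javascript:", re.I)

def triage(raw):
    """Return one finding per HTML attachment in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    # The From header can be forged, so "external" is only a routing hint.
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    external = not sender.endswith("@" + INTERNAL_DOMAIN)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        by_type = part.get_content_type() in ("text/html", "application/xhtml+xml")
        if not (by_type or HTML_NAME.search(name)):
            continue  # e.g. a PDF: out of scope for this check
        body = part.get_content()
        if isinstance(body, bytes):  # HTML sent as application/octet-stream
            body = body.decode("utf-8", "replace")
        findings.append({"file": name, "external": external,
                         "active_content": bool(ACTIVE.search(body))})
    return findings

def build_sample():
    """Constructed message: one scripted .html attachment and one PDF."""
    m = EmailMessage()
    m["From"] = "Billing <billing@vendor.example>"
    m["To"] = "user@example.com"
    m["Subject"] = "Invoice"
    m.set_content("See the attached invoice.")
    m.add_attachment('<html><body onload="go()"><script>/* inert */</script></body></html>',
                     subtype="html", filename="invoice.html")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename="terms.pdf")
    return m.as_string()

if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

A finding with both `external` and `active_content` set is the case the section describes: hold it for sandboxed opening or ask the sender for the file another way.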
Links
Clicking a link in an email has the same kind of function as opening an .html attachment: when you click it, your browser tries to establish a connection with a server “out on the internet.” If you’re lucky, the server is a known bad guy, and your email provider scans the link on the way out and blocks it. This is called URL rewriting, and it allows your email security provider to do its best to check if the link you’re clicking is legitimate. But again, it’s not 100% effective.
The links that you find in emails can be used for things other than running malicious code: they can be used as a signal that you’re looking at spam emails. Once an attacker knows that you’re susceptible to clicking on links, they’ll know how to better target you in future attempts at compromising you.
Think of it this way: every connection that you make to every website can be traced by the owner of the server (in addition to your service provider, including your VPN provider). This means that clicking a link in an email is like sending a text message to the attacker, letting them know that you clicked the link. It’s a very small signal, but it’s one that can open the spam floodgates and increase the likelihood that you’ll click the wrong thing in the future.
-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team