
Just because something is marked fraud doesn’t mean that it’s a closed case

Everyone’s email inbox is exposed to scammers. The underlying protocol (SMTP) was designed in a different world, one where blasting spam indiscriminately at large blocks of internet users cost real time and resources. That is why there has to be tooling between the wild world of the internet and your inbox, curating the stream and making a judgement about which messages are real and which are fake. Today we’ll take a closer look at what usually ends up in the quarantine, when it’s appropriate to release an email, and when it’s appropriate to allowlist a sender.

Quarantine providers

Email servers can’t simply deliver all of the mail that’s sent to them; the result would be inboxes that are functionally useless because they are full of non-stop spam. So there has to be a layer of protection that is variably intelligent. I say “variably” because some of the most effective rules are really simple, like blocking all email from outside your country. Of course, that doesn’t work for every business, depending on how you interact with international team members, vendors, or contractors. Where it does fit, it can be a reasonable way to cut down on certain kinds of unsolicited email.

The more complex approaches rely on having very large samples of what’s happening globally in people’s inboxes. If, for instance, a great deal of spam is coming from one specific IP address, that address can be identified and blocked automatically by Microsoft (365/Outlook), Google (Gmail), or third-party tools like Proofpoint. These big players can see how email is flowing as a whole, and their algorithms look for patterns that identify spam. Behind the scenes, those algorithms are continuously scoring the reputation of each IP address that sends email.

This technique, combined with scanning content for fraud or spam and checking whether a message passes authentication standards like DMARC, lets the email security provider decide what should be blocked, quarantined, or delivered. Blocking typically happens when your administrator writes a rule and the email doesn’t meet the criteria for being allowed; those emails don’t go to a quarantine, they are rejected or discarded outright, so nobody in your organization ever sees them. Delivered mail is the mail that finds its way to your inbox, waiting for you to read or interact with it.

What goes to the quarantine?

Anything that passes the rules you’ve set up but still looks suspicious for one reason or another is placed in the quarantine, where interaction with the email is limited for safety’s sake. The quarantine isn’t meant to block email outright; it exists so that users can supply feedback on which messages are legitimate and which are not.

It may be annoying, but a quarantine should catch some false positives from time to time. It’s designed that way, with user feedback as part of the security process. You know best who you do business with and when you’re waiting for a specific email. That more complete knowledge of what should be arriving in your inbox is part of why you receive a digest (often daily, sometimes more frequent) of everything in your quarantine.

Because scams often model themselves on real business processes, those business processes can look like scams to the machine learning (ML) models that decide what gets quarantined and what gets delivered. We’ve seen that organizations with a high volume of invoices, a large number of vendors, or a geographically diverse client/customer base tend to have a larger share of their mail quarantined. The email security provider scans messages for resemblance to current scams: if many active campaigns are built around phony invoices, then emails with invoices attached will look more suspicious for a time.

Finding that the algorithm has placed a real invoice in the quarantine, then, isn’t an abundance of caution; it’s the regular level of caution. This is, again, because the quarantine doesn’t need to be a perfect judge of each email. It relies on user and administrator feedback to deliver the best security outcome.

Email security as a collective issue

When a vendor or client reaches out asking “haven’t you received that email I sent?”, it’s best not to meet that moment with frustration at the design; the frustration when your company’s network has been infiltrated because of poor email vigilance would be far greater. It would be best if everyone got on board with email security best practices and accepted a shared responsibility to lower the likelihood of an account being compromised through phishing, since the risk is contagious.

If someone at one of your vendors has their account compromised, that account can then be used to send malicious email that exposes your organization to attack. Missing an expected email until you talk to the sender is a small sign that your company is doing its part to minimize the risk for your partners and everyone you do business with. Some business leaders see a competitive advantage in getting rid of the quarantine to speed up their processes, but that is a short-sighted calculation: it can associate their brand with poor data security practices and limit the trust clients extend to them in the future.

When to allowlist and when not to allowlist

If an important contact of yours consistently ends up in a spam folder or quarantine, you can put the sender, or their whole domain (the part of the address after the “@”, which identifies their organization), on an allowlist (formerly called a “whitelist”). The feature may be named differently depending on your email or email security provider; in Proofpoint it’s called the Safe Sender list. Allowed senders’ messages will be delivered regardless of what might otherwise make them look suspicious to Microsoft, Google, or Proofpoint. Check your provider’s documentation for exactly which checks an allowlist entry bypasses: some products still run malware scanning on mail from allowed senders, but unless the documentation says otherwise you should treat the entry as switching the filters off for that sender.

It would be best to allowlist only users and domains whose organization has DMARC set up for its outgoing mail. DMARC is a policy the domain owner publishes in DNS (as a TXT record at _dmarc.<domain>) that builds on two older standards: SPF, which lists the servers allowed to send for the domain, and DKIM, which signs messages so receivers can confirm they are unchanged. The policy tells receivers what to do when a message fails those checks for the visible From address: p=none only asks for reports, while p=quarantine or p=reject tells receivers to hold or refuse the mail. If a sender publishes an enforcing DMARC policy, it’s much harder for someone else to impersonate their address, which makes it more palatable to let all of their mail through to you. A p=none policy offers no such protection, so it shouldn’t count.
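The check described above, as an added example written for this article (it is not code from Crown Computers, Proofpoint, Microsoft or Google): given a sender address, look up the domain’s DMARC record and decide whether it meets the “enforcing policy” bar for allowlisting. DNS is replaced by a constructed table of fictional records so the script runs offline; in production you would fetch the TXT record at _dmarc.<domain> (for example with dnspython’s dns.resolver.resolve(name, "TXT")) and the rest stays the same. It goes slightly beyond the text by handling the cases a real validator meets: subdomains that fall back to the organizational domain’s record, a separate subdomain policy (sp=), partial rollout (pct=), and stray TXT data at _dmarc that is not a DMARC record.

```python
"""Is a sender's domain a reasonable allowlist candidate under the rule
"only allowlist senders whose domain enforces DMARC"?

Added example for this article, not code from any email security
product. DNS is replaced by SAMPLE_DNS so it runs offline.
"""

# Constructed sample records; the domains are fictional (assumption).
SAMPLE_DNS = {
    "_dmarc.vendor-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@vendor-a.example",
    "_dmarc.vendor-b.example": "v=DMARC1; p=quarantine; sp=none",
    "_dmarc.vendor-c.example": "v=DMARC1; p=none; rua=mailto:reports@vendor-c.example",
    # vendor-d.example publishes nothing at _dmarc
    "_dmarc.vendor-e.example": "v=spf1 include:_spf.example -all",   # wrong record type
    "_dmarc.vendor-f.example": "v=DMARC1; p=reject; pct=50",
}

ENFORCING = ("quarantine", "reject")


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict. Returns None unless the
    first tag is v=DMARC1 (RFC 7489 section 6.3), so stray TXT data at
    _dmarc is ignored rather than misread as a policy."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        return None
    return tags


def lookup_dmarc(domain, dns):
    """Parsed tags for the domain's own record, or None when absent/invalid."""
    raw = dns.get(f"_dmarc.{domain}")
    return parse_dmarc(raw) if raw is not None else None


def org_domain(domain):
    """Organizational domain, approximated as the last two labels.
    Real validators use the Public Suffix List (co.uk and similar)."""
    return ".".join(domain.split(".")[-2:])


def allowlist_verdict(sender, dns=SAMPLE_DNS):
    """Return (ok, reason) for an address or bare domain.

    Enforcing means p=quarantine or p=reject applied to 100% of mail.
    p=none only produces reports and stops no spoofing, so it earns no trust.
    """
    domain = sender.rsplit("@", 1)[-1].lower()
    tags, via_org = lookup_dmarc(domain, dns), None
    if tags is None and org_domain(domain) != domain:
        # RFC 7489 fallback: no record on the exact domain, use the org domain's.
        via_org = org_domain(domain)
        tags = lookup_dmarc(via_org, dns)
    if tags is None:
        return False, f"{domain}: no DMARC record published"
    # For a subdomain covered only by the org record, sp= applies (default: p=).
    tag = "sp" if via_org and "sp" in tags else "p"
    policy = tags.get(tag, "").lower()
    source = f" (via {via_org})" if via_org else ""
    if policy not in ENFORCING:
        return False, f"{domain}: {tag}={policy or 'missing'}{source} does not enforce"
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return False, f"{domain}: {tag}={policy}{source} applied to only {pct}% of mail"
    # A weaker subdomain policy means *.domain is still spoofable: allow the
    # exact domain only.
    note = ""
    sp = tags.get("sp", policy).lower()
    if not via_org and sp not in ENFORCING:
        note = f"; subdomains get sp={sp}, so do not allowlist *.{domain}"
    return True, f"{domain}: {tag}={policy}{source} at 100%{note}"


if __name__ == "__main__":
    for s in ("billing@vendor-a.example", "ap@mail.vendor-a.example", "vendor-b.example",
              "ap@mail.vendor-b.example", "vendor-c.example", "vendor-d.example",
              "x@vendor-e.example", "vendor-f.example"):
        ok, why = allowlist_verdict(s)
        print("ALLOW " if ok else "DENY  ", why)
```

Note that a passing verdict says only that the domain is hard to spoof from the outside; as the next paragraph explains, it says nothing about a legitimate account at that domain being taken over.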

There is at least one scenario in which letting a sender always reach your inbox can become a big problem: when their account (or another account at their domain) is compromised. If they’re on an allowlist and their account is taken over, there will be a window during which their address is under someone else’s control and can deliver mail unfettered to your inbox. DMARC doesn’t help here, because the malicious mail really is leaving the vendor’s authorized servers and passes every authentication check, and the content scanning that might otherwise have flagged it has been switched off by the allowlist entry.

Allowlisting is often the most convenient thing to do about messages that routinely get quarantined. At that point, you should weigh the risk of having business impeded against the risk that the sender will be compromised in the future. An accurate assessment of that risk may not be possible, however. If you asked most people, they’d say they are not at all likely to fall for an email scam and hand an attacker access to their account. We know, though, that there are plenty of security breaches every day, and email account compromise is the number one security threat to many organizations.

The best practice may simply be increased vigilance and more interaction with the quarantine; the next best thing is to allowlist only senders and domains belonging to very important contacts. Some other important ways to approach this selective allowlisting:

  • Allow the smallest number of senders: allow a single address instead of a whole domain/organization when possible
  • Allow the sender for yourself or the few users who interact with them, instead of allowing them to send to your whole organization, when possible
  • Review allowlisted senders/organizations semi-annually or annually; if you’ve wrapped up work with a specific client or project, delete the allowed senders from that organization so they return to regular email filtering
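The three rules above as an audit you can run over an allowlist export, added here as an example for this article; it is not an export format, API or tool from Proofpoint, Microsoft or Google. The CSV is constructed and its columns (sender, recipients, added, owner) are assumptions, so map your product’s export onto them: a bare domain in the sender column means a domain-wide entry, and recipients holds "*" for an organization-wide entry or a ";"-separated list of mailboxes.

```python
"""Audit an allowlist export against: prefer single addresses over whole
domains, scope entries to the users who need them, re-review on a schedule.

Added example for this article, not code from any email security product.
The CSV and its column names are constructed assumptions.
"""
import csv
import io
from datetime import date

REVIEW_DAYS = 180  # semi-annual review

ALLOWLIST_CSV = """\
sender,recipients,added,owner
billing@vendor-a.example,ap@corp.example,2024-06-01,ap
vendor-b.example,*,2023-05-15,it
jane@contractor.example,pm@corp.example;lead@corp.example,2024-09-20,pm
support@vendor-b.example,helpdesk@corp.example,2024-08-02,it
newsletters@oldclient.example,*,2022-11-30,sales
"""


def load_allowlist(text):
    """Parse the export; senders are lower-cased, dates become date objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["sender"] = row["sender"].strip().lower()
        row["added"] = date.fromisoformat(row["added"].strip())
        rows.append(row)
    return rows


def sender_domain(sender):
    return sender.rsplit("@", 1)[-1]


def review_allowlist(rows, today, review_days=REVIEW_DAYS):
    """Return {sender: [finding, ...]} for every entry that breaks a rule.
    An empty dict means the list already follows the guidance.
    `today` may be a date or an ISO date string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = {}
    domain_entries = {r["sender"] for r in rows if "@" not in r["sender"]}

    def flag(sender, text):
        findings.setdefault(sender, []).append(text)

    for r in rows:
        sender = r["sender"]
        # Rule 1: least number of senders. A bare domain admits every mailbox
        # at that organization, including one compromised tomorrow.
        if "@" not in sender:
            flag(sender, "whole domain allowed; replace with the specific mailbox(es) you exchange mail with")
        elif sender_domain(sender) in domain_entries:
            flag(sender, f"already covered by the domain entry {sender_domain(sender)}; keep this one and drop the domain entry")
        # Rule 2: scope to the users who actually work with the sender.
        if r["recipients"].strip() == "*":
            flag(sender, "delivers to the whole organization; restrict to the users who work with this sender")
        # Rule 3: periodic review. Entries outlive projects unless someone looks.
        age = (today - r["added"]).days
        if age > review_days:
            flag(sender, f"added {age} days ago by '{r['owner']}', past the {review_days}-day "
                         f"review interval; confirm it is still needed or remove it")
    return findings


if __name__ == "__main__":
    report = review_allowlist(load_allowlist(ALLOWLIST_CSV), "2024-10-01")
    for sender, items in report.items():
        print(sender)
        for item in items:
            print("  -", item)
```

Run it on a real export and the output is the worklist for the semi-annual review: domain-wide and organization-wide entries to narrow, entries made redundant by a broader one, and entries old enough that nobody may remember why they exist.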

With these procedures and norms in place, you’re likely to get the best out of your email security without greatly increasing the risk of an incident.

Written by Derek Jeppsen on behalf of Sean Goss and the Crown Computers team