For many organizations, a cloud-based email service paired with a third-party filtering provider forms the first line of defense against email-borne threats. That pairing only works if the two components are integrated correctly: the filtering service has to be the only path into the mailboxes. The allure of advanced features and the rapid pace of digital transformation can obscure that requirement, leaving significant security configuration gaps.
A study titled “Unfiltered: Measuring Cloud-based Email Filtering Bypasses” examines the often-overlooked but critical task of correctly configuring the interaction between email hosting services and their filtering counterparts, and reaches a startling conclusion: the majority of the bypass vulnerabilities it found arise from incorrect configuration.
The Loosely Coupled Approach: A Double-Edged Sword
At the core of this challenge lies the “loosely coupled” approach adopted by many organizations: the domain’s MX record sends incoming email to a third-party filtering service, which forwards it on to the primary email hosting provider, such as Gmail or Microsoft Exchange Online. The arrangement rests on the assumption that every inbound message actually passes through the filter.
That assumption fails unless the hosting provider is configured to accept messages only from the filtering service. The research shows that such bypasses are not a theoretical risk: by the study’s measurements, roughly 80% of organizations using popular cloud-based email filtering services are vulnerable to them.
DNS: The Achilles’ Heel
The fundamental issue lies in what the DNS “Mail Exchanger” (MX) record does and does not do. The MX record tells well-behaved senders to deliver to the filtering service, which then forwards “clean” messages to the email hosting provider. In theory, only safe email reaches the cloud email platform.
In practice the MX record is only a routing hint. The hosting provider’s own SMTP endpoints still exist and still listen for the domain, and unless the provider is locked down to accept mail solely from the filtering service’s IP addresses, an attacker can connect to those endpoints and deliver malicious email directly, skipping every control the filter would have applied. This compromises the integrity of the organization’s email security and undermines the value of investing in third-party filtering services.
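The following Python script is an added example, not code from the study or from the author of this page. It performs the two checks the section describes: that every MX host belongs to the filtering provider, and whether the mailbox provider’s own SMTP ingress (Google Workspace’s aspmx.l.google.com, or Exchange Online’s tenant host, which is the domain with dots replaced by dashes followed by .mail.protection.outlook.com) still accepts RCPT TO for the domain from an arbitrary source. The domain contoso.example, the filter-provider.example MX hosts, the probe.example HELO name and the MX data are constructed placeholders; MX records for a real domain would come from a resolver such as dig.

```python
"""Audit whether a domain's cloud mailbox provider can be reached directly,
bypassing the third-party filtering service its MX record points to.

Added example; hostnames below marked as constructed are placeholders.
"""
import smtplib
from typing import Iterable

# Constructed sample: a tenant whose public MX points at a hypothetical filtering
# service, exactly as a resolver would return the (preference, host) pairs.
SAMPLE_DOMAIN = "contoso.example"
SAMPLE_MX = [(10, "mx1.filter-provider.example."), (20, "mx2.filter-provider.example.")]
FILTER_SUFFIXES = ("filter-provider.example",)


def provider_endpoints(domain: str) -> dict:
    """SMTP ingress hosts the two major cloud mailbox providers listen on for a tenant.
    They accept connections whether or not the domain's public MX points at them,
    which is what makes the bypass possible."""
    return {
        "google_workspace": "aspmx.l.google.com",
        "exchange_online": f"{domain.replace('.', '-')}.mail.protection.outlook.com",
    }


def normalize(host: str) -> str:
    return host.rstrip(".").lower()


def mx_behind_filter(mx_records: Iterable, filter_suffixes: Iterable[str]) -> bool:
    """True when every MX host belongs to the filtering provider. A single MX entry
    pointing at the mailbox provider already defeats the filter without any bypass."""
    hosts = [normalize(h) for _, h in mx_records]
    return bool(hosts) and all(
        any(h == s or h.endswith("." + s) for s in filter_suffixes) for h in hosts
    )


def probe_rcpt(host: str, recipient: str, helo: str = "probe.example",
               timeout: float = 10.0) -> int:
    """Open an SMTP session to `host`, send MAIL FROM:<> and RCPT TO:<recipient>, and
    return the RCPT reply code. No DATA is sent, so no message is delivered.
    A 2xx means the endpoint accepts delivery attempts from this arbitrary source;
    a 5xx (Exchange Online answers '550 5.7.51 TenantInboundAttribution' when a
    restricted inbound connector is in place) means direct delivery is refused."""
    with smtplib.SMTP(host, 25, local_hostname=helo, timeout=timeout) as s:
        s.ehlo()
        if s.has_extn("starttls"):
            s.starttls()
            s.ehlo()
        code, _ = s.mail("")            # empty reverse path, like a bounce
        if code != 250:
            return code
        code, _ = s.rcpt(recipient)
        return code


def classify(behind_filter: bool, direct_rcpt_code: int) -> str:
    """Combine the MX check and the probe result into one verdict.
    'rejected' covers both a correctly locked tenant and a provider the domain is
    not hosted on; only 'bypassable' is a finding."""
    if not behind_filter:
        return "not-behind-filter"
    if 200 <= direct_rcpt_code < 300:
        return "bypassable"
    return "rejected"


def audit(domain: str, mx_records: Iterable, filter_suffixes: Iterable[str],
          probe=probe_rcpt, mailbox: str = "postmaster") -> dict:
    """Probe each provider endpoint for `domain` and classify the result.
    `probe` is injectable so the logic can be exercised without network access."""
    behind = mx_behind_filter(mx_records, filter_suffixes)
    results = {}
    for provider, host in provider_endpoints(domain).items():
        try:
            code = probe(host, f"{mailbox}@{domain}")
        except (OSError, smtplib.SMTPException):
            results[provider] = "unreachable"
            continue
        results[provider] = classify(behind, code)
    return results


if __name__ == "__main__":
    # Live run against the constructed sample; needs outbound port 25 to the providers.
    for provider, verdict in audit(SAMPLE_DOMAIN, SAMPLE_MX, FILTER_SUFFIXES).items():
        print(f"{provider}: {verdict}")
```

A "bypassable" verdict means the provider accepted the recipient at RCPT TO from a source that is not the filtering service. Some providers accept at RCPT and filter later, so confirm a finding the way the study did, by delivering a harmless test message to a mailbox you control; a 5xx at RCPT, on the other hand, is a reliable sign that the lock is in place (or that the domain is not hosted there).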
Far-Reaching Implications
The findings of this study call for a reevaluation of current email security practices and for better guidance from both email hosting and filtering providers. Organizations should confirm that their configuration enforces a single delivery path: the MX record points only at the filtering service, and the hosting provider accepts inbound mail only from the filtering service’s published IP ranges (for example, an Exchange Online inbound connector restricted to those addresses, or the Gmail inbound gateway setting that rejects mail not sent from the gateway IPs). Validating the MX record alone is not enough; the hosting side must also refuse direct delivery.
Simplifying Security in the Cloud Era
While the vulnerability described in the report is a matter of proper configuration, there is a good reason that 80% of organizations are affected by it. Configuring the interaction between the email filtering solution and the cloud email platform so that malicious email is eliminated without delaying or falsely rejecting legitimate email is easier said than done.
That isn’t the only challenge, though. Even when everything is properly configured so that only clean email from the filtering solution is allowed to reach the cloud email provider, this arrangement analyzes only email entering or leaving the organization. Phishing campaigns and business email compromise (BEC) attacks can live inside the environment for weeks, moving from internal mailbox to internal mailbox, and avoid detection until a message is sent to an external address.
There is a fundamentally different approach to email security that is not exposed to the misconfiguration errors traditional secure email gateways and email filtering services suffer from, because it analyzes traffic at the level of the individual mailbox rather than at the network boundary. It relies on out-of-band monitoring: traffic is analyzed outside the normal communication channel, so the analysis keeps running even if a system is compromised or endpoint security controls are disabled. This reduces the risk of bypass vulnerabilities and lets administrators maintain a robust email security posture with confidence.
Improve Your Email Security
The research presented in “Unfiltered: Measuring Cloud-based Email Filtering Bypasses” is a vital reminder that the prevailing model of email security is easily subverted by configuration mistakes. Organizations that rely on these solutions should address those issues and verify that the system is properly configured, on both the DNS side and the hosting-provider side.