Pentester Sabri Haddouche just uncovered a major new email spoofing tactic. Named Mailsploit, the technique leverages bugs in email clients and allows hackers to launch undetectable email spoofing attacks. Over 30 email applications are vulnerable to attack, including popular clients like Microsoft Outlook 2016, Apple Mail, Yahoo! Mail and more.
Mailsploit easily passes through email servers and circumvents established spoofing protection tools like DMARC and spam filters. Emails sent with Mailsploit appear to come from totally legitimate senders. In most cases, unless email headers are inspected by technicians, emails sent using Mailsploit are undetectable.
It gets worse: According to Haddouche, emails sent using Mailsploit are virtually unstoppable at this point in time.
Where Do We Go From Here?
In a post-Mailsploit world, it is now more important than ever to avoid sending sensitive and confidential information over email. Email users everywhere must assume no information sent via email is secure.
Here are four ways you can fight Mailsploit and other email-based threats with security awareness training:
1. Teach Your Workforce Email Use Best Practices
Mailsploit is not the first email-based security threat facing your workforce — everyday they receive phishing emails and malware from hackers trying to breach your systems. Many of these attacks are developed to circumvent technical controls, leaving it up to your team to spot and prevent hacking attempts. It’s essential your security awareness training program covers email-based threats in detail and reinforces email use best practices.
2. Ask Your Workforce to Verify Email Sender Identity
Always take time to evaluate emails you receive before replying. If you don’t know the sender or it’s unusual for the sender to contact you, find another way to contact the sender other than email.
3. Educate Your Workforce About the Dangers of Sharing Sensitive Information Via Email
Email should never include sensitive information. This was true before the discovery of Mailsploit and remains especially true now. As soon as information leaves your network, you lose control over how the data is used and shared. Always call or find another way to communicate sensitive information.
4. Enroll Your Workforce in Ongoing Security Awareness Training
New security threats like Mailsploit emerge everyday. Enrolling your team in engaging security awareness training will keep them current on these threats and teach them the value of secure behavior.
SecurityIQ by PentestingExperts Institute integrates security awareness training, phishing simulations and personalized learning in one platform. It self-evolves with employees’ security aptitudes, roles and learning styles to create personalized learning experiences that motivate everyone to care about security and change their behaviors. This gives you more time to patch technical vulnerabilities, while ensuring your human firewall remains secure.