Products

Email Security.cloud

Issue/Introduction

The Email Impersonation Control (EIC) service helps to guard organizations against CEO scams, business email scams, and spear phishing email messages.

EIC checks all email that is inbound to the organization for domain and user name impersonation, commonly known as spoofing.
EIC checks the legitimacy of all inbound email that appears to be sent from the organization's domains or users.

Note: The focus of EIC is the BODY FROM or 5322.From:.

We still recommend implementing Spoofed Sender Detection and implementing Symantec's SPF Records to tackle spoofing at the envelope sender or 5321.MailFrom. There's no connection between EIC and SPF in the portal or the scanning process. Approving a source in EIC does not cause it to be exempt from SPF or DMARC.

To approve a source to bypass SPF and or DMARC, approve it in Approved Senders list that belongs to Anti-Spam.

Resolution

EIC Settings

Expand the Default Settings section - focus on Action

To start, select an action to enable EIC. Choose to log, tag the subject line, quarantine, redirect to Admin, or to block and delete any EIC-flagged email. When EIC is first activated, it is recommended to use either the logging option or the tagging option. Once comfortable that the control works as expected, use a stronger action. Currently, the action is shared between Domain and User control. Once comfortable that the control works as expected, move on to a different action if you prefer.

See further in the article concerning the approved senders. To select which modes to work with, activate the following options in Domain Control Settings or User Control Settings respectively.

Expand the Domain Control Settings section

Once Domain Impersonation Control is enabled, quickly add all of the organization's provisioned domains with the check box - "All Provisioned Domains". These options are shown as "YourDomain and sub-domains". Additionally, manually enter or paste domains into the "Domains to Protect" text box. Once the changes are saved, EIC checks the sender information in inbound emails to protect selected domains.

Expand the User Control Settings section

The goal of User Impersonation Control is to protect those individuals in the organization who may have a higher profile. These individuals are more likely the targets of business email scams. Once user impersonation control is enabled select one or more LDAP groups that are synchronized with the portal (ClientNet). Use the syncronization tool that is found in Tools > Downloads. When imported in this way EIC can ensure that the display names in LDAP groups are checked against the sender information in an inbound email. Alternatively, enter or paste individual user names into the Protected User Names list.

In either case, it is recommended adding the groups or names of the organization's executives or publicly known employees. The Protected User Names list accepts one, two, or three names that are separated by a space.

Note that EIC checks the sender information in inbound email for a number of combinations of the names entered. For example, since EIC checks many combinations of the protected names and their initials, it is not necessary to add MPeters when the name added previously is Mark Peters.

Expand the Default Settings section - focus on Approved Senders

Legitimate sources can spoof a user. Trusted third-party senders need to be allowed. An example includes when a third-party such as a marketing company has been hired to send users email messages on behalf of the organization. To allow for this trusted sender, whitelist the marketing company's IP address(es), domain(s), or email address(es). Currently, the approved sender's list is shared between Domain and User control.

Note: The wildcard character isn't accepted in the Sender Domains or Sender Email Addresses section. The current iteration only supports 1-1 entries. Sub-domains must also be explicitly added. As for IPs, specify plain IPs or address ranges with CIDR notation. It is recommended exercising caution when whitelisting any domains or email addresses.

Reporting on EIC

This functionality also brings its own reporting option. In ClientNet go to Reports > Report Requests.

Start a new report. In the section Email Detailed Report (CSV), note the option for Email Impersonation Control. It can be selected. The remainders of the report settings are as normally configured. Pick a time frame, whether or not it is scheduled, and submit.

The report presents the emails that have triggered Domain or User EIC. In the report, information that is related to the email such as source information (IP, HELO, MSG-ID), envelope sender is presented. This information helps with the process of setting up exceptions. These exceptions are sources that are allowed to either spoof emails using one of the domains or one of the protected users.

Suggested configuration for first use

The initial suggested configuration and use of EIC is in a passive mode. This mode comes from the assumption that knowledge of the valid sources is limited at this point in time. By starting with Log only action, email disruption is avoided.

Set Action to Log Only
Enable Domain Impersonation Control
1. Pick All Provisioned Domains
User Impersonation Control
1. Pick Protected User Names
2. Add a selection of names you want to protect
Set up the report
Monitor the report
Amend the approved sources as needed
Repeat 5 and 6 as needed until happy with the results, after which update the action to something stronger

For each change made to the EIC service it is important to remember that there is approximately a one hour propagation time before those changes will be effective.

Need more control?

For more control over the various aspects of anti-spoof countermeasures, create custom Data Protection policies for Domain anti-spoofing and User anti-spoofing.

Deploying Email Impersonation Control (EIC)

Article ID: 150685

Updated On: