RST: Email Protections

At Tetra Defense, the ransomware cases we respond to and investigate daily share a recurring theme: there are simple, and oftentimes inexpensive preventative measures that can be taken before disaster strikes. As part of our series on our Ransomware Stress Test™, learn how your unique cybersecurity environment can benefit from safeguarding your email.

Email: a crucial pillar of communication for any modern business, organization, or individual. It has been considered to be critical infrastructure since its creation and popular use, and as a result, it continues to be a main target for threat actors. While pop culture has exposed the clichés of foreign royalty asking for money or the mysterious “survey” that could earn you prizes, modern phishing campaigns are unfortunately lesser known, and more likely to be successful.

When a malicious email campaign is successful (i.e., a user answers the message’s call to action), threat actors usually have several options:

  • They can harvest credentials that allow them to send messages from a credible email address
  • They can begin to lay the groundwork for a ransomware attack if a malicious attachment or link is opened via an email

Many of the ransomware attacks we see begin with a workstation compromised through an email-delivered attack. Since this method of entry is still so prevalent, our Ransomware Stress Test emphasizes strong email filtering, scanning, and preventive controls as a critical safeguard. With the right tools and awareness training, most of these attacks can be thwarted before they make their way to an end-user’s inbox. We recommend implementing an email gateway, a sandbox, and three email protection mechanisms. As with any security protocol, these controls must be well-configured to block malicious emails and also allow the business to operate effectively.

Email Gateway

An email gateway acts as a protective barrier between emails from the outside internet and individual inboxes within a network. Using an email security gateway assists in preventing the transmission of emails that send malware, transfer malicious information, or go against company policy. An email gateway can protect your organization from email threats and data leaks by verifying links and attachments before a user can open them within a message.

Some solutions also offer email spoofing to provide an email backup in the case of downtime. There are many options on the market for third party email gateways. Vendors can often offer solutions for cloud-based email as well as on-prem appliances. A little research could go a long way in finding the email gateway that best fits your organization.


Sandboxing incoming and outgoing attachments is another effective malware prevention tool. An anti-malware sandboxing mechanism or service opens and executes attachments in a safe environment, further protecting you from more sophisticated email attacks. As with an email gateway, there are many options out there that provide this service. Many security vendors often combine an email gateway solution along with malware sandboxing and analysis. It is Tetra Defense’s recommendation to set up a test environment and sample the products you are considering before determining if they are the best fit for your organization.

Email Protection Mechanisms

Some important protections to consider include Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM) and Domain-based Message Authentication Reporting and Conformance.  These mechanisms work together to prove and protect a sender’s authentication which assists in preventing spoofed emails to appear as though they are coming from your domain. SPF is an email-authentication framework to prevent sender address forgery. SPF works with your DNS servers to restrict who can send emails from your domain, ensuring only authenticated users are able to send messages.

DKIM allows you to add a digital signature to the email message header to ensure your emails remain trusted and have not been compromised. Both SPF and DKIM give the email sender the ability to specify which email servers are allowed to send an email on your behalf. Once SPF and DKIM are set up, you use a DMARC policy to define how SPF and DKIM should be handled by email servers.

Tales from the Trenches

Phishing for credentials is a common strategy employed by threat actors that can lead to thousands (and sometimes millions) of dollars in losses. Companies that employ the proper email framework policies, as well as an email gateway, are at a lower risk of being phished.

Tetra Defense has investigated many Office 365 cases where proper framework policies like an email gateway or sandboxing were not employed in the environment. A recent case involved a fraudulent invoice being paid in the amount of $900,000 — the request coming from what looked like an internal account that was actually a spoofed email. In this case, a gateway mechanism would have marked the external email as “external,” which could have sent a red flag before payment was issued.

While technical mechanisms could have served as a safeguard in this situation, we would be remiss to not highlight the importance of security training. Tetra is a firm proponent of awareness programs and employee security training initiatives — they are critically important for protecting the sensitive data that organizations possess, and employees benefit by learning how to recognize malicious activity.

Resource Hub

In order to secure your organization’s email protections, we recommend beginning research here. Our team crosses paths with numerous tools and services through our work. When it comes to Email Protections, here are some of our fan favorites:

Microsoft O365 SPF

Google G Suite SPF

Microsoft O365 DKIM

Google G Suite DKIM

Microsoft O365 DMARC

Google G Suite DMARC

Check out some related content on our blog: