When Whitelists Pile-Up: Email Security and Technical Debt
- Posted by
Yoav Nathaniel on May 23, 2019
Recently, I analyzed the inboxes of a company representing a typical enterprise account of more than 10,000 email users. I found something alarming.
Because of whitelisting configurations, 6.6% of the inboxes contained phishing emails that bypassed the email filters. These were malicious messages that would have been blocked if someone hadn't added the email addresses or, in some cases, entire domains to the whitelist.
When whitelisted domains, senders, and IPs accumulate over the years, there can be unintended consequences on your phishing catch rate.
Most whitelists begin when someone finds an important email in the spam folder. By adding the sender’s email address or entire domain to the whitelist, every email will bypass the spam filter and go straight to the inbox.
Ideally, only the most trusted partners are whitelisted, especially when typical communication might actually look a lot like spam. For example, a marketing group might send a lot of splashy clickbait messages. A finance department regularly sends and receives invoices and wire transfer requests that are often similar to malicious phishing attempts.
No matter why a company might add senders to a whitelist, the ultimate result is that all of these messages bypass email security filters.
As these lists grow over time, they become ever-enlarging holes in email security. An ideal whitelist would consist only of individual email addresses, but it is more common to find entire domains. Worse, very few people document why they might have added something in the first place, making it difficult to remove items later.
Whitelisting in Gmail and Office 365
Five years ago, there was no choice but to rely on whitelisting senders, domains, or IPs. Now, there are innovations that complement whitelisting to protect the inbox. Powered by Artificial Intelligence (AI), the default and advanced security in Office 365 and Gmail makes intelligent decisions about messages with sensitive origins or content. Additionally, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) identify authenticated senders, tackling the same problem as whitelisting in a different way.
Office 365 and Google automatically whitelist their own services. That means for organizations using those clients, all internal traffic is removed from scrutiny. While this is a surefire way to present messages from trusted collaborators going to spam, compromised accounts will be much harder to isolate when the inevitable credential compromise occurs.
Interestingly, documentation for Office 365 and Gmail do not mention the word “whitelist.” Instead, Gmail has the approved sender list, and Office 365 has Safe Senders and Safe Domains. Although this might look like mere rebranding, it’s not. Microsoft clarifies that “EOP will honor your users' Safe Senders and Recipients, but not Safe Domains.” Websites are compromised all the time, and betting that a domain will remain safe indefinitely can be a dangerous assumption.
💡Microsoft Office 365 White List Configuration TipA domain-based list in a mail flow rule isn't as secure as an IP address-based list, because domains can be spoofed. Any messages sent from these IP addresses aren't checked by the content filter. (link)
Combing through whitelists isn’t the most exciting way to spend time, but it must be done. Here are four ways to easily manage your whitelist:
- Whitelist particular email addresses instead of domains. Whitelisting entire domains makes it easier for emails from spoofed sources to circumvent your security. Whitelisting specific senders, however, is much more manageable way to achieve a similar result.
- Don’t whitelist your organization’s domain. Hackers commonly spoof their target’s domain so that the recipient has their guard lowered. If they spoof the message and content well enough, it will fool your email security, too.
- Don’t whitelist mega-companies, like Amazon or PayPal. One of every 25 branded emails is phishing, making whitelisting brands a risky endeavor. (Learn more stats in our 2019 Global Phish Report, and attend the web briefing on May 29.) Of the total number of brand impersonations Avanan observed in the wild, Amazon is the most frequently impersonated brand at 38%, right behind Microsoft. Whitelisting these globally-trusted brands makes hackers’ jobs much easier.
- Include thorough comments when adding items to the whitelist. This makes reviewing them in the future an easier task. Add why the item was whitelisted, and when.
When it comes to security, every bit of content should be scrutinized. Generally, letting static rules pile up without review is problematic, creating technical debt that will cost time and resources down the line.