Email addresses and addressees
Thursday, April 8, 2021
As our regular readers already know, Doctor Web’s experts recently analysed an attack that was carried out against Russia's critical infrastructure entities. This attack supposedly came from China. Here is our previous issue on this topic. Perhaps some facts escaped your notice when reading these materials. Let's recall:
In June 2020, the attackers began using a new domain name—sports[.]manhajnews[.]com.
…
The email text clearly indicated that the author is not a native Russian speaker.
…
The domain from which the payload is loaded was again disguised as a news site...
…
In the course of our investigation, we found another domain that was being used during this campaign—news[.]microotf[.]com.
These quotations show that:
- fraudsters use domains whose names are disguised as news-related names;
- these domains are not the ones frequently used by ordinary employees. How many people actually read news posts on the Microsoft website?
And here is a question for you: does anything here get your attention? Did you notice that the second domain is not "microsoft" but "microotf"? It's not obvious at first glance, and to his great embarrassment, the author of this issue initially missed that fact. But, after all, this is a known fraudulent trick designed to capitalise on user carelessness. Clearly, fraudsters are unlikely to hijack a domain belonging to Microsoft.
But let's get back to the topic of this issue. Do all employees need to be open to the outside world? For example, purchase managers and sales managers, just like an administrative office, should receive all their emails. Naturally, with a note as to whether a message is spam, but they do need to receive all emails, with no exceptions.
But warehouse workers don't; they receive their emails via internal mail. Similarly, the accounting department most likely communicates with organisations from a known list.
Email restrictions can also be set according to their country of origin: for example, you can configure restrictions to receive emails from Russia only. The country of origin for an email is defined by the IP address of the sender and not by any characteristics specified in the message.
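As an added illustration (not Doctor Web's code or a setting of its products), here are the two checks this issue describes, in Python: a lookalike test that catches news.microotf.com against "microsoft" because it counts an adjacent letter swap as a single edit, and a country decision taken from the IP address that actually connected to our mail server rather than from anything written inside the message. The "domestic" network list and the sample message are constructed for the example; a real deployment would use a GeoIP country database.

```python
import email
import ipaddress
import re
from email import policy

# Constructed stand-in for a GeoIP country database: networks treated as
# "domestic" (RFC 5737 test ranges, chosen only for this example).
DOMESTIC_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]
# Brand labels fraudsters imitate; exact matches pass, near-misses are flagged.
PROTECTED_BRANDS = ["microsoft", "drweb"]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def osa_distance(a, b):
    # Optimal string alignment distance: insert/delete/substitute cost 1,
    # and swapping two adjacent letters ("tf" -> "ft") also costs 1.
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[-1][-1]

def lookalike_brand(domain):
    parts = domain.lower().split(".")
    label = parts[-2] if len(parts) > 1 else parts[0]  # "microotf" in news.microotf.com
    for brand in PROTECTED_BRANDS:
        if label != brand and osa_distance(label, brand) <= 2:
            return brand
    return None

def connecting_ip(msg):
    # Only the topmost Received header was written by our own MTA; lower Received
    # headers and the From header arrive with the message and are sender-controlled.
    m = BRACKETED_IP.search(msg.get_all("Received", [""])[0])
    return ipaddress.ip_address(m.group(1)) if m else None

def assess(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    ip = connecting_ip(msg)
    return {"sender_ip": str(ip) if ip else None,
            "domestic": ip is not None and any(ip in net for net in DOMESTIC_NETS),
            "lookalike_of": lookalike_brand(msg["From"].addresses[0].domain)}

# Constructed sample message (test addresses, not a real capture).
SAMPLE_EMAIL = """\
Received: from mail.example.net ([203.0.113.7]) by mx.corp.example (Postfix)
 with ESMTP id CONSTRUCTED; Thu, 8 Apr 2021 10:00:00 +0300
Received: from [10.0.0.5] by mail.example.net; Thu, 8 Apr 2021 09:59:00 +0300
From: News Desk <editor@news.microotf.com>

(body)
"""
```

Calling `assess(SAMPLE_EMAIL)` reports the connecting address 203.0.113.7 (not domestic under the constructed list) and flags the sender domain as a lookalike of "microsoft"; the inner Received header with 10.0.0.5 is ignored because it did not come from our server.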
#VCI #corporate_security #fraudulent_email #Dr.Web_settings #email #spam #phishing
The Anti-virus Times recommends
Take a look at the results of our survey:
As you can see, in most cases, there are no restrictions for employees working remotely. And this is good news for cybercriminals. For most companies, for the foreseeable future, the situation is unlikely to change: the losses that businesses suffered during the pandemic led to budget reductions.
But there are still some features that are free! The restrictions we listed are, in most cases, configured on the mail server and are set by network administrators. You can also configure restrictions in our solutions for UNIX mail servers.
Personal products have fewer restrictions, but they still have them. Our anti-spam feature prevents users from receiving emails in Asian languages:
Do not neglect email restrictions, especially during these times.
Comments
Niuxin
03:01:49 2021-04-15
"The email text clearly indicated that the author is not a native Russian speaker."
"The country of origin for an email is defined by the IP address of the sender and not by any characteristics specified in the message."
"Our anti-spam feature prevents users from receiving emails in Asian languages"
GREEN
08:12:57 2021-04-08
Not bad recommendations, but for a huge number of small companies (an almost complete absence of both mail servers and sysadmins) and most medium-sized companies (which, as a rule, have both) this is hardly applicable, since it requires the will of management and tough administrative measures, not everyday slovenliness and indifference ("well, this will never happen to us").
That's when the roasted rooster bites, then... (laughs?).