MailSlot: A ground breaking solution to block Phishing Attacks

On a chilling winter of Jan 2022 Wes Kussmaul, CEO of The Authenticity Institute asked Codegic to develop an MVP, MailSlot. The idea was to leverage the Osmio-backed digital identities along with personal identity scores (IDQA) to address and prevent phishing attacks. Team at Codegic was bit cautious due to the fact that add-ons were new to us. Soon we found what Wes had envisioned was a mix of PKI and Digital Signatures concepts we already knew. To be exact these were: S/MIME, digital certificate validation, OCSP, API integration.  After a couple of weeks of R&D our team found out that a Thunderbird add-on can be built helping users to trust or reject an incoming email.

Before continuing further on Codegic’s journey from idea to the first release, let’s look briefly at what are phishing attacks, to be exact, business email compromise (BEC) and its effects in recent years. A phishing attack is a hacking attempt to persuade recipients (most like via email) to respond to what the sender wants. This could either be:

• Asking for credentials
• Making payments
• Buying gift cards
• Releasing any confidential information

There are many reasons why phishing via email succeeds but here we focus on 3 key reasons:

• Spoofed email comes with an authentic looking branding (logos, colors, fonts, text)
• Email coming from a look alike trusted email address
• User training about phishing attacks has not been successful

Enterprises adopt protection solutions like implementing digital signing of emails or enabling SPAM filters. Both solutions have a few shortcomings. SPAM filters work on heuristics to ensure email is coming from the right source but tends to generate false positives or fail to pick phishing messages.

References

• Hotmail SPAM filter failure
• When SPAM filters fail

On the other hand, Digitally signed email helps in data integrity and identifying the email sender, but this protection can be circumvented by fooling users. Hackers can buy a cheap email signing certificate under a forged name and a look-alike domain. Registering a domain that looks similar to the one to be impersonated costs under $100. See how to get a cheap domain for amazoon.ai. Also vetting by a Certification Authority only checks email address existence and not vet the person itself (See more on S/MIME email certificate vetting). In short, a look-alike domain and a cheap s/mime certificate is the perfect recipe for a mega financial scam.

One good security option to stop phishing attacks is to train your employees detecting email anomalies. Training helps as a good deterrent but leaving humans to judge emails still gives plenty of room for judgmental failures. A fool proof solution must block any of such emails rather presenting it and leaving it to them. See more on why user training doesn’t stop phishing.

In 2021, the IC3 received 19,954 Business Email Compromise (BEC)/ Email Account Compromise (EAC) complaints with losses at nearly $2.4 billion. This was mainly due to scams via social engineering or computer intrusion which required users to transfer funds. During Covid, as most of the companies were doing virtual meetings, hackers started hacking CEO or CFO email accounts. They created look alike email accounts to send virtual meeting invites. In this fake meeting, a still picture of the CEO is used and via chat message or fake audio instructions are sent for funds transfer to colleagues. Here are few more reports on BEC:

• As per artic wolf, Business email compromise issues doubled in the Q2 2022
• New Global Research Reveals that 90 Percent of Organizations Have Suffered One or More Successful Email Breaches in the Last 12 Months.

As per the above research:

Despite investments in secure email gateways and countless hours spent investigating suspicious emails, the survey revealed that the number of successful breaches caused by email attacks has almost doubled from the levels seen in 2019; respondents disclosed an average of 21.6 email breaches per organization in the current survey versus 11.3 average breaches in the previous one.

This is occurring even as organizations are hiring more IT and security staff to cope with challenges during the pandemic. What’s more, the cost associated with successful attacks are concerning even for the most secure company. The report shows that organizations are plagued by hidden costs in remediating these attacks once they have happened, with each email breach costing US organizations an average of $311,154 per year, and UK organizations an average of £107,959 per year.

In short, despite spending millions on software and infrastructure there is no fool proof solution to BEC attacks. MailSlot is aiming to change all that.

One of the key links in addressing BEC is the lack of human intervention to vet humans. Vetting humans is common in real world where attesters attest to the identity of a person based on various evidence of identity documents or other measures to confirm that the person is who they say they are.

The Authenticity Institute  works to  bring Real Security to your organization and Real Privacy to your employees, members, or subscribers.  To accomplish this an individual goes through an initial enrollment process which links a digital certificate (Osmio Key Pair) to their electronic device (PC or Laptop) and assigns an initial Identity Quality Score (IDQA).

Once you have received a digital ID from Osmio CA, through the Osmio enrollment process,  you will need is to install it on your device.

On Windows, you can install the Digital ID (PFX/PKCS#12) by opening it and putting in the password. This will then be registered inside Windows Personal Key store and hence picked up by Outlook Desktop automatically. To assure that the digital ID is indeed installed run ‘Manage User Certificates‘ and then check for the ‘Personal‘ certificates area.

In case of Thunderbird, installing the digital ID is bit lengthy and requires configuring it inside the Thunderbird email client unlike Outlook, Thunderbird will not automatically pick the Digital ID from within the operating system (Windows or Linux). Learn more on how to import a digital ID in Thunderbird.

To protect from phishing attack, MailSlot ensures that:

• Incoming emails are digitally signed
• Signer’s certificate is issued by Osmio Certification Authority
• Signer’s certificate is not expired
• Signer’s certificate is not revoked
• IDQA score of the signer is acceptable to you

All of these steps ensure signed emails are sent by real individual. If any of these checks fail, MailSlot Add-on marks such emails as not trusted and moves it to an untrusted folder. The add-on also ensures that emails from both Thunderbird and Outlook will always be signed and blocks sending unsigned emails. All trusted inbound emails the show respective IDQA score of the sender for the user to review.

The minimum acceptable IDQA is set using an application called MIDAS hosted on-premises at the enterprise. The enterprise administrator can login with TLS client authentication and configure the minimum acceptable IDQA score for specific email accounts.. The IDQA score for a user is set by the attestation officer in a face-face meeting with the user, ranges from 0-72 based on 8 key factors:

• Degree of protection of personal assets
• Quality of enrollment practices
• Quality of means of assertion
• Quality of Authoritative attestation
• Attestation from others
• Quality of the credential
• Degree of assumption of liability
• Reputation of the Credential

The minimum acceptable IDQA scores should vary based on the type of the authority an employee has thus a CEO will have a higher minimum acceptable IDQA score than a salesperson. This means that for an incoming email if the calculated IDQA score is 30 while the CEO’s minimum acceptable IDQA score set by the enterprise is 25, the email will be marked as untrusted.

With a good set of developer documentation, Codegic team were quick to speed. Being an open source initiative, you get loads of information about Thunderbird Add-on development with access to samples and help from thunderbird developers. Following an agile method, development started in February 2022, and we were able to release the first beta in April 2022 and the final in June 2022.

While the team was excited to fix phishing issued for Thunderbird users, R&D was also done to also explore the likely hood of developing a similar add-on for Outlook. While Windows is the predominantly used Operating System with more than 70% worldwide usage, a phishing solution which doesn’t cover Windows or to be exact Outlook was not sensible.

Microsoft Outlook comes in both cloud and desktop versions. While the cloud version helps in mobility it lacks the capability to run custom logic to process signed emails. The desktop version allows development of custom add-ons allowing powerful and more advanced processing of S/MIME. In May, Codegic R&D team started the work for an Outlook Desktop based solution. Development kickstarted in June and followed by a series of beta versions in June, version 1.0 was released in July 22. Till then multiple versions are releases improving its performance and functionality. As of now it stands at v1.2.3.

It was an exciting experience working with the team at The Authenticity Institute and MailSlot. Specially with Wes, with his critical viewpoint of the solution and John, who is always ready to help on requirement understanding. Not to forget Grant, seasoned entrepreneur, MailSlot mentor & enthusiast, who is ever keen to add more features and an avid cat lover too!