Heimdal™ Email Fraud Prevention - Functionality

This article describes the behind-the-scenes functionality of the module. See the overview article for a summary of the module from the user's side.

This functionality scans inbound and outbound email communication.

The Heimdal™ Email Security module intercepts all Outlook emails from the Inbox and Sent folders. It starts when Heimdal is installed or when the group policy is refreshed, but only if the Outlook application is running. To intercept emails, a secondary application named SecurityMonitor handles the communication between the Outlook application and the Security service. If the Security service is closed, this secondary application is closed as well.

If Outlook starts after the Heimdal services, a trigger is sent to the Heimdal™ Email Security service, which must then start the monitor application. As a fallback, if no trigger is detected, the module checks every 5 minutes whether Outlook has been opened and tries to start the Heimdal™ Email SecurityMonitor app.


After the application starts, two subfolders are created: ‘Malicious’ and ‘In Assessment’. ‘Malicious’ contains all infected emails parsed with the Heimdal™ Email SecurityParser, plus old mails parsed with the remote engine (the old CSIS functionality). ‘In Assessment’ contains all partially infected emails parsed with the remote engine (the old functionality).

Heimdal™ Email Security intercepts every mail from the Inbox and Sent folders and sends it to the Heimdal™ Email SecurityParser for validation. A response is received within at most 10 minutes. If the result status is infected, the mail is moved from the Inbox to the ‘Malicious’ subfolder.

The first time the Heimdal™ Email Security module is activated (and only once), it scans the Inbox folder for the last X days (7 by default, configurable from the group policy) and sends those mails to the Heimdal™ Email SecurityParser for validation.

The user can delete, restore or cancel a mail from the dashboard. Delete removes the mail from Outlook. Restore moves the email back to the folder it was intercepted from. Cancel cancels one of the two actions above if it has not been processed yet.

The Thor Agent shows a popup notification when a mail is added to or restored from the Heimdal malicious folder, if the corresponding group policy option is on.

Enabling “Enable Agent Balloon Notification Persistent” keeps notifications visible until you close them. Whenever Heimdal™ Email Security moves a mail to the malicious folder, a popup appears on the agent side warning the user with the following text: “We detected a malicious email and we have moved it away from the inbox”. If the user decides the email is not infected (by calling the restore option from the dashboard), the ThorAgent popup shows the following text: “False positive detected, we have restored an email to your inbox” and the mail is moved back to its original folder.

So far we have tested with a small number of emails. We recommend testing with a large number of emails (more than 200). Another suggestion is to test forwarded emails from different senders and different domains, i.e. addresses outside the Heimdal organization.

Mail Parser – main logic for finding fraudulent emails

Logic

The Mail Parser application is a score-based mechanism: it looks for a list of features that make an email potentially fraudulent. An email is considered infected when its score is greater than or equal to 150. Parsing the email is divided into three main parts:

  1. Detecting features in the header of an email.
  2. Detecting features in the body of an email.
  3. Detecting features in the attachments of an email.

After the mail has gone through the mail parser logic, it has a score that tells whether the email is considered infected or not, based on the threshold. Each of these parts contains a number of rules, each with a specific score. The more rules that match an email, the higher its score.

  1. Detecting features in the header of an email

The features that can be found in the header of an email are the following:

  • Sender Policy Framework (SPF) – an open standard that lets the owner of a domain publish a list of approved senders. More details: https://postmarkapp.com/guides/spf.

Depending on the SPF result, the score for this feature is the following:

    SpfRuleNoneScore = 5;
    SpfRuleNeutralScore = 10;
    SpfRuleFailScore = 70;
    SpfRuleSoftfailScore = 50;
    SpfRulePermerrorScore = 10;
    SpfRuleTemperrorScore = 15;

  • DomainKeys Identified Mail (DKIM) – ensures that messages are not altered in transit between the sending and the receiving servers. More details: https://postmarkapp.com/guides/dkim. We only read the DKIM result reported in the email headers; we cannot perform a real DKIM verification. Depending on the DKIM result, the score for this feature is the following:

    DkimNone = 5;
    DkimNeutral = 10;
    DkimPolicy = 15;
    DkimFail = 70;
    DkimTempError = 10;
    DkimPermError = 15;

  • Domain-based Message Authentication, Reporting & Conformance (DMARC) – a standard that prevents spammers from using your domain without your permission; see also https://postmarkapp.com/guides/dmarc. It relies on SPF and DKIM. Here too we only read the headers; no real check is performed. Depending on the DMARC result, the score for this feature is the following:

    DmarcNone = 5;
    DmarcTempError = 10;
    DmarcPermError = 15;
    DmarcFailed = 100;
    DmarcBestGuessPass = 5;
    DmarcCustom = 50;
    DmarcUnknown = 10;

  • Authenticated Received Chain (ARC) – depending on the ARC result, the score for this feature is the following:

    ARCRuleNoneScore = 0;
    ARCRuleFailScore = 70;

  • Infected domains – we check the From domain (the sender’s domain) against our database of infected domains. If the sender’s domain is considered infected, 50 is added to the total score.
  • SPF, DKIM, DMARC, ARC and infected domains are currently checked only if the email is external. For instance, in Heimdal only mails having [EXT] in the subject are checked against points 1-5.

  2. Detecting features in the body of an email

Parsing the body is divided into two parts:

  • Extracting features from the HTML of the email:
    • Extracting every URL from the email and checking it against the infected domains database, after unwrapping the Outlook Safe Links feature. For each infected URL found, the score is increased by 25.
    • Detecting whether the email contains JavaScript. For each beginning of a script found, the score is increased by 20.
    • Trying to detect the zero-font phishing technique (https://www.avanan.com/blog/zerofont-phishing-attack). For each ‘font-size: <whatevervalue> px’ found in the text, the score is increased by 2.

  • Extracting features from the text of the email:
    • Extracting card information details (such as IBAN, card number, card expiration date, CVV). If this feature is found, the score is increased by 25, regardless of the number of cards found.
    • Extracting money amounts from the text (amounts containing digits; ‘two dollars’ will not be found). All ISO 4217 currencies are checked. Even if multiple money amounts are found, the score is increased only once, by 25.
    • Detecting whether the mail contains financial keywords (most of them in English, some in Danish, German, Swedish and Norwegian). For this feature the score is increased by 25, regardless of the number of keywords found. The financial keyword list currently checked is the following (regular expressions; \s matches whitespace characters):
    <english>
        <word>account\s+number</word>
        <word>bank\s*account</word>
        <word>bank</word>
        <word>swift\s+code</word>
        <word>swift</word>
        <word>bic</word>
        <word>invoice</word>
        <word>payment</word>
        <word>SEPA</word>
        <word>transaction[s]?</word>
    </english>
    <danish>
        <word>konto</word>
        <word>faktura</word>
        <word>betaling</word>
        <word>betale?</word>
        <word>saldo</word>
        <word>kontosaldo</word>
        <word>overførsel</word>
        <word>overføre?</word>
    </danish>
    <german>
        <word>rechnung</word>
        <word>zahlung</word>
    </german>
    <swedish>
        <word>betalning</word>
        <word>betala</word>
        <word>balans</word>
        <word>balansen</word>
        <word>overföring</word>
        <word>overföra</word>
    </swedish>
    <norwegian>
        <word>bankkonto</word>
        <word>kontonummer</word>
        <word>hurtigkode</word>
        <word>innbetaling</word>
        <word>balansere</word>
    </norwegian>

  • Detecting whether the mail contains sensitive keywords (same languages as the financial keywords). We check HTML keywords and text keywords separately. For each keyword found, the score is increased by 3.

The HTML keywords checked are the following (regular expressions; \s matches whitespace characters):

    <english>
        <word>sensitive</word>
        <word>secret</word>
        <word>secrecy</word>
        <word>confidential</word>
        <word>confidentiality</word>
        <word>urgently</word>
        <word>immediate</word>
        <word>immediately</word>
        <word>emergency</word>
        <word>today</word>
        <word>unclaimed</word>
        <word>Next\s*of\s*Kin</word>
        <word>pin</word>
        <word>password</word>
        <word>ID\s*card</word>
        <word>fortune</word>
        <word>asset</word>
        <word>treasury</word>
        <word>treasure</word>
        <word>investment</word>
        <word>invest</word>
        <word>inheritance</word>
    </english>
    <danish>
        <word>i\s?dag</word>
        <word>hurtigt?</word>
        <word>presserende</word>
        <word>hastende</word>
        <word>hemmeligt?</word>
        <word>fortroligt?</word>
    </danish>
    <german>
        <word>heute</word>
        <word>schnell</word>
        <word>dringend</word>
        <word>geheim</word>
        <word>vertraulich</word>
    </german>
    <swedish>
        <word>snabb</word>
        <word>hemlighet</word>
        <word>konfidentiell</word>
    </swedish>
    <norwegian>
        <word>følsom</word>
        <word>konfidensiell</word>
        <word>haster</word>
    </norwegian>

The sensitive keywords checked in the plain text are the following:

    <english>
        <word>sensitive</word>
        <word>secret</word>
        <word>secrecy</word>
        <word>confidential</word>
        <word>confidentiality</word>
        <word>urgent\s*(transfer)?</word>
        <word>urgently</word>
        <word>immediate</word>
        <word>immediately</word>
        <word>emergency</word>
        <word>today</word>
        <word>unclaimed</word>
        <word>Next\s*of\s*Kin</word>
        <word>pin</word>
        <word>password</word>
        <word>ID\s*card</word>
        <word>fortune</word>
        <word>asset</word>
        <word>treasury</word>
        <word>treasure</word>
        <word>investment</word>
        <word>invest</word>
        <word>inherit</word>
        <word>inheritance</word>
    </english>
    <danish>
        <word>i\s?dag</word>
        <word>hurtigt?</word>
        <word>presserende</word>
        <word>hastende</word>
        <word>hemmeligt?</word>
        <word>fortroligt?</word>
    </danish>
    <german>
        <word>heute</word>
        <word>schnell</word>
        <word>dringend</word>
        <word>geheim</word>
        <word>vertraulich</word>
    </german>
    <swedish>
        <word>snabb</word>
        <word>hemlighet</word>
        <word>konfidentiell</word>
    </swedish>
    <norwegian>
        <word>følsom</word>
        <word>konfidensiell</word>
        <word>haster</word>
    </norwegian>

Adding more keywords like these to an email increases its score. We distinguish between HTML and text because ‘inherit’ is a keyword used very often in CSS.

  • Any suggestion for adding sensitive / financial keywords is welcome.

3. Detecting features in the attachments of an email

For attachments, the only check currently done is on the attachment extensions; the score is increased for every matching extension found. The following extensions are considered infected:

    .ace .ade .ani .adp .apk .appx .app .bat .cab .docm .exe .hta .ins .isp .iso .jar .js .jse .lib .lnk .mde .msc .msi .msix .msixbundle .msp .mst .nsh .reg .pif .ps1 .scr .sct .vbe .vbs .vxd .wsc .wsf .wsh

For each attachment with an extension from this list, the score is increased by 20.

Any suggestion for checking other extensions is welcome.

In the future, the same logic currently applied to the body will also be applied to attachments.
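As an added worked example (not the product's own code), the three-part scoring described above in Python, using the article's point values and its 150 threshold. The keyword, extension and currency sets are constructed subsets of the article's lists, the IBAN regex is a simplified stand-in for the card-data extraction, Safe Links unwrapping is omitted, and the mail dict layout, the sample message and the infected-domain set are this example's own assumptions.

```python
import os
import re

# Point values and the 150 threshold are the article's; keyword, extension and currency sets are constructed subsets.
INFECTED_THRESHOLD = 150
SPF = {"none": 5, "neutral": 10, "fail": 70, "softfail": 50, "permerror": 10, "temperror": 15}
DKIM = {"none": 5, "neutral": 10, "policy": 15, "fail": 70, "temperror": 10, "permerror": 15}
DMARC = {"none": 5, "temperror": 10, "permerror": 15, "fail": 100, "bestguesspass": 5, "custom": 50, "unknown": 10}
ARC = {"none": 0, "fail": 70}
BAD_EXT = {".exe", ".js", ".vbs", ".iso", ".lnk", ".hta", ".scr", ".bat", ".ps1", ".jar"}
FINANCIAL_RE = re.compile(r"\b(?:account\s+number|bank\s*account|swift\s+code|invoice|payment|SEPA|transaction[s]?|faktura|rechnung)\b", re.I)
SENSITIVE_TEXT_RE = re.compile(r"\b(?:urgent(?:\s*transfer)?|urgently|immediate(?:ly)?|confidential|password|inherit(?:ance)?|dringend|haster)\b", re.I)
SENSITIVE_HTML_RE = re.compile(r"\b(?:urgently|immediate(?:ly)?|confidential|password|inheritance|dringend|haster)\b", re.I)  # no bare 'inherit': common in CSS
URL_RE = re.compile(r"https?://([^/\s\"'>]+)", re.I)
SCRIPT_RE = re.compile(r"<script\b", re.I)
FONT_PX_RE = re.compile(r"font-size:\s*\d+\s*px", re.I)   # article rule: every 'font-size: N px' adds 2
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")   # simplified stand-in for the card/IBAN extraction
MONEY_RE = re.compile(r"(?:[$€£]|\b(?:USD|EUR|GBP|DKK)\b)\s?\d[\d.,]*|\d[\d.,]*\s?(?:USD|EUR|GBP|DKK)\b", re.I)
SAMPLE_MAIL = {  # constructed sample message, not real mail; the dict layout is this example's own
    "external": True, "from": "billing@vendor-example.test", "attachments": ["invoice.js"],
    "auth": {"spf": "softfail", "dkim": "none", "dmarc": "none", "arc": "none"},
    "html": '<a href="http://bad.example/pay">details</a><span style="font-size:0px">x</span>',
    "text": "Please pay the attached invoice of $4,500 immediately. This is an urgent transfer."}


def score_email(mail: dict, infected_domains: set) -> int:
    """Add up the article's feature scores for one pre-parsed mail."""
    score = 0
    # 1. Header features: evaluated only for external mail, as the article states.
    if mail.get("external", True):
        auth = mail.get("auth", {})
        score += SPF.get(auth.get("spf", "none"), 0) + DKIM.get(auth.get("dkim", "none"), 0)
        score += DMARC.get(auth.get("dmarc", "none"), 0) + ARC.get(auth.get("arc", "none"), 0)
        if mail.get("from", "").rsplit("@", 1)[-1].lower() in infected_domains:
            score += 50
    # 2. Body features: html part first, then plain text (Safe Links unwrapping omitted here).
    html, text = mail.get("html", ""), mail.get("text", "")
    score += 25 * sum(m.group(1).lower() in infected_domains for m in URL_RE.finditer(html))
    score += 20 * len(SCRIPT_RE.findall(html)) + 2 * len(FONT_PX_RE.findall(html))
    score += 25 * bool(IBAN_RE.search(text)) + 25 * bool(MONEY_RE.search(text))  # once each, not per hit
    score += 25 * bool(FINANCIAL_RE.search(text))
    score += 3 * (len(SENSITIVE_TEXT_RE.findall(text)) + len(SENSITIVE_HTML_RE.findall(html)))  # per hit
    # 3. Attachment features: extension check only, 20 points per listed extension.
    score += 20 * sum(os.path.splitext(n)[1].lower() in BAD_EXT for n in mail.get("attachments", []))
    return score


def is_infected(mail: dict, infected_domains: set) -> bool:
    return score_email(mail, infected_domains) >= INFECTED_THRESHOLD
```

The sample scores 60 from the header (softfail 50 + DKIM none 5 + DMARC none 5), 25 for the infected URL, 2 for the font-size rule, 6 for two sensitive keywords, 25 each for the financial keyword and the money amount, and 20 for the .js attachment, so it crosses the threshold at 163.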
