How to Detect that Your Domains are Being Abused for Phishing by Using DNS

Conference: BlackHat USA 2019

As a high-profile public-sector organization, the Dutch Tax and Customs Administration deals every day with criminals who claim to represent the organization and contact the public with phishing e-mails. Using RFCs such as RFC 7208, Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, we have developed a technique to identify phishing attacks carried out under the guise of the Dutch Tax and Customs Administration. This technique is universally applicable; the one precondition is access to the DNS logging. With it, insight can be obtained into where the phishing e-mails are sent from and to whom they are sent. In this talk we will start by explaining which standards are available to increase e-mail security. We will briefly discuss protocols such as STARTTLS, SPF, DKIM, DMARC, DANE and MTA-STS, and also advanced SPF options. Finally, we will link all of those protocols to detect whether our domains are being abused for phishing attacks. The framework we have developed gives you more insight into phishing attacks conducted under the guise of your organization's name. We firmly believe that if these techniques were used everywhere, it would lead to a significant decrease in phishing e-mails.
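The detection the abstract describes rests on an "advanced SPF option": the `exists:` mechanism combined with SPF macros (RFC 7208, section 7). Every receiving mail server that evaluates SPF for the protected domain then issues a DNS query whose name encodes the connecting SMTP client's IP address (`%{i}`) and HELO name (`%{h}`), and the source address of that query identifies the receiving side's resolver. The following is an added worked example, not the speakers' code, SPF record or log format: it assumes `example.com` as the protected domain, `192.0.2.0/24` as its only legitimate sending range, a BIND-style query-log line layout, and a handful of constructed log lines, and it turns those lines into a report of unauthorized senders and the resolvers they reached.

```python
"""Added example: SPF macro telemetry over DNS query logs (not the talk's own code).
Assumptions (constructed): protected domain example.com, authorized MTAs 192.0.2.0/24,
BIND-style query-log lines as in SAMPLE_LOG below."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

PROTECTED_DOMAIN = "example.com"                          # assumption
TELEMETRY_ZONE = f"_spf.{PROTECTED_DOMAIN}"               # assumption: zone we log
AUTHORIZED_SENDERS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed legit MTAs


def spf_record() -> str:
    """SPF record published for PROTECTED_DOMAIN.  The exists: mechanism comes first so
    every SPF evaluation triggers one query carrying %{i} (client IP) and %{h} (HELO).
    The name is never given an A record, so it never matches; the verdict still comes
    from ip4:/-all exactly as it would without the telemetry term."""
    return ("v=spf1 "
            f"exists:%{{i}}.%{{h}}.{TELEMETRY_ZONE} "
            "ip4:192.0.2.0/24 -all")


# Constructed BIND-9-like query-log format: "client [@0x..] <resolver>#<port> (<qname>): query: ..."
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<resolver>[0-9a-f.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\S+)"
)


@dataclass
class SpfEvaluation:
    resolver: str    # resolver of the receiving organization ("to whom")
    client_ip: str   # SMTP client that used our domain as sender ("from where")
    helo: str        # HELO/EHLO name as presented; attacker-controlled text
    authorized: bool


def parse_qname(qname: str):
    """Split '<ip labels>.<helo>._spf.example.com' back into (ip, helo).
    RFC 7208 7.3: %{i} expands IPv4 to 4 dotted labels and IPv6 to 32 nibble labels."""
    suffix = "." + TELEMETRY_ZONE
    name = qname.rstrip(".")
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    for n in (32, 4):                      # try IPv6 first: "2.0.0.1" is also a valid IPv4
        if len(labels) <= n:               # need at least one HELO label after the IP
            continue
        if n == 4:
            candidate = ".".join(labels[:4])
        else:
            candidate = ":".join("".join(labels[i:i + 4]) for i in range(0, 32, 4))
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        return str(ip), ".".join(labels[n:])
    return None


def analyze(log_lines):
    """Turn query-log lines into SpfEvaluation records; unrelated queries are dropped."""
    results = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("qtype") != "A":
            continue
        parsed = parse_qname(m.group("qname"))
        if parsed is None:
            continue
        client_ip, helo = parsed
        ip = ipaddress.ip_address(client_ip)
        authorized = any(ip in net for net in AUTHORIZED_SENDERS)
        results.append(SpfEvaluation(m.group("resolver"), client_ip, helo, authorized))
    return results


def spoofing_report(evaluations):
    """Per unauthorized source IP: message count, HELO names seen, resolvers reached."""
    report = defaultdict(lambda: {"count": 0, "helo": set(), "resolvers": set()})
    for ev in evaluations:
        if ev.authorized:
            continue
        entry = report[ev.client_ip]
        entry["count"] += 1
        entry["helo"].add(ev.helo)
        entry["resolvers"].add(ev.resolver)
    return dict(report)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # legitimate mail from our own relay, SPF evaluated by a resolver at 203.0.113.7
    "18-Jul-2019 10:15:02.123 client @0x7f3a 203.0.113.7#53211 (192.0.2.25.mail1.example.com._spf.example.com): query: 192.0.2.25.mail1.example.com._spf.example.com IN A + (192.0.2.53)",
    # the same unauthorized host reaching two different receiving organizations
    "18-Jul-2019 10:16:40.001 client @0x7f3b 203.0.113.7#53212 (198.51.100.23.mx.bulk-sender.invalid._spf.example.com): query: 198.51.100.23.mx.bulk-sender.invalid._spf.example.com IN A + (192.0.2.53)",
    "18-Jul-2019 10:16:41.770 client @0x7f3c 203.0.113.99#41000 (198.51.100.23.mx.bulk-sender.invalid._spf.example.com): query: 198.51.100.23.mx.bulk-sender.invalid._spf.example.com IN A + (192.0.2.53)",
    # unauthorized IPv6 client 2001:db8::1, nibble-expanded by %{i}
    "18-Jul-2019 10:17:05.410 client @0x7f3d 203.0.113.7#53213 (2.0.0.1.0.d.b.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.smtp.example.org._spf.example.com): query: 2.0.0.1.0.d.b.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.smtp.example.org._spf.example.com IN A + (192.0.2.53)",
    # unrelated query in the same zone, ignored
    "18-Jul-2019 10:18:00.000 client @0x7f3e 203.0.113.7#53214 (example.com): query: example.com IN TXT + (192.0.2.53)",
]

if __name__ == "__main__":
    print(spf_record())
    for ip, info in spoofing_report(analyze(SAMPLE_LOG)).items():
        print(ip, info["count"], sorted(info["helo"]), sorted(info["resolvers"]))
```

Two practical points the example makes visible: the resolver address tells you which receiving organization evaluated the message, not the individual mailbox, and receivers that cache the (negative) answer will not query again for every message, so counts are a lower bound. The HELO field comes verbatim from the remote client, so treat it as untrusted input when it is displayed or fed to other tooling.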