Email Security 2018 Wrap-up – Your People are Your Weakest Link

January 1st, 2019 – Mimecast posted their most-read blog post of 2018:

“Email Security Dos and Don’ts for Employees”.

Another report from Proofpoint carries the same theme – to paraphrase – “sorry, but humans are the problem”:

“The Human Factor 2018. People-Centered Threats Define the Landscape”.

Those pesky humans – your staff – remain the top email threat vector, regardless of the sophisticated technologies used to protect email. Web and email security providers’ ability to block web and email threats is improving all the time. They are releasing more robust security solutions, adept at catching exploits – smarter, more accurate, with greater control and visibility into threat activity and behaviour.

What if there is no technology based threat in the email? Of absolutely any type. No attachment, no embedded formatting or scripting exploits, no dodgy links (at all), nothing. Just text convincing the recipient to divulge sensitive business information.

Social engineering targets human nature. Our desire to be helpful, to get stuff done, to rush through tasks, to connect, curiosity – all marvellously human characteristics, but not intuitively matched with cybersecurity!

Human behaviour will never be free of error, lapses in judgement, or gaps in knowledge. That needs to be ok – “they’re/we’re/she’s/he’s only human”. We have to work with reality, to counter and plan for this reality.

Which means staff email security training. The best Cybersecurity solutions today are starting to incorporate AI measures to address social engineering. Do they negate the need for staff awareness? Of course not. I’m not hearing any email security provider contradict this advice today.

Take the view that structured email security staff awareness training is just as important as email security solutions and email authentication (DMARC, DKIM, SPF).

That is why the reports from Mimecast and proofpoint are talking up the human factor in email and web security. You’ll start reading in similar wrap-up security reports about the consequences of lack of security training – expressed as substantial financial losses.


DMARC, DKIM, Gmail, and Domain Aliases in send-as email address

Set up G Suite DKIM to prevent DMARC Failure in Gmail when using send-as email addresses with Secondary Domains/Domain Aliases

This post covers DKIM’s impact on DMARC pass/fail when using G Suite secondary domains/domain aliases in Gmail send-as email address aliases.

Assuming SPF and DMARC are present and correctly configured, DMARC checks will still fail for email sent from Gmail when –

  1. DKIM is not enabled in G Suite (Apps -> G Suite -> Settings for Gmail -> Authenticate Email (DKIM)) for the secondary domains/domain aliases.
  2. Google then automatically signs outgoing email messages anyway, and that is the issue! The DKIM signature’s d=”domain name” value in the email header is not aligned with (i.e. not the same as) the domain in the email’s Header “From” value.

Don’t rely on online DMARC validators! Check sent email headers:

Open the email headers of sent emails. Look for

  • The Envelope From (i.e., Return Path or Mail-From)
  • The “Friendly” From (i.e., “Header” From)
  • The d=domain in the DKIM-Signature

Regarding DMARC and DKIM alignment: check in the email header that the DKIM d=”domain name” is identical to the Header From “domain name”. DMARC also checks SPF alignment, but I’m focussed on the DKIM d=”domain name” and G Suite secondary domains/domain aliases for now.
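To make the manual header check above repeatable, here is an added example (not code from the original post, and not Google’s tooling) that pulls the three identifiers out of a saved header block and reports DMARC alignment for both DKIM and SPF, under relaxed or strict mode. The sample headers and the domain names in them are constructed placeholders, and the organizational-domain helper is a deliberate simplification (last two labels) rather than a Public Suffix List lookup.

```python
"""DMARC identifier-alignment check on raw message headers.

Added example, not code from the original post. It automates what the post
says to look for by hand in a sent message's headers: the Envelope From
(Return-Path) domain, the Header From domain and the d= domain in the
DKIM-Signature, then reports whether each identifier is aligned with the
Header From under DMARC's relaxed ('r') or strict ('s') alignment modes.
"""
import re
from email import policy
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample (placeholder domains): a G Suite account sending "as" an
# alias-domain address while DKIM is only enabled for the primary domain, so
# Google signs with the primary domain and d= no longer matches the From domain.
SAMPLE_HEADERS = """\
Return-Path: <sender@primary-example.com>
From: Sender Name <sender@alias-example.com>
To: recipient@recipient-example.org
Subject: Quarterly figures
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=primary-example.com;
 s=google; h=from:to:subject; bh=cGxhY2Vob2xkZXI=; b=cGxhY2Vob2xkZXI=
"""


def parse_headers(raw):
    """Parse a header block into a message object (no body required)."""
    return HeaderParser(policy=policy.default).parsestr(raw)


def address_domain(header_value):
    """Lower-cased domain part of an address header, '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def dkim_signing_domain(signature):
    """The d= tag of a DKIM-Signature header value, '' if absent."""
    match = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(signature or ""))
    return match.group(1).lower() if match else ""


def organizational_domain(domain):
    """Simplified organizational domain: the last two labels.

    Assumption: good enough for plain .com/.org style names. Real DMARC
    verifiers consult the Public Suffix List (e.g. for .com.au domains).
    """
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def is_aligned(identifier, from_domain, mode="r"):
    """Strict alignment needs an exact match; relaxed alignment needs the
    same organizational domain."""
    if not identifier or not from_domain:
        return False
    if mode == "s":
        return identifier == from_domain
    return organizational_domain(identifier) == organizational_domain(from_domain)


def check_alignment(raw_headers, adkim="r", aspf="r"):
    """Return the three identifiers and whether DKIM/SPF align with the Header From.

    adkim/aspf mirror the DMARC record tags of the same name. The SPF and DKIM
    verdicts themselves (does the signature verify, is the IP permitted) are
    not checked here; this is alignment only, which is what the post is about.
    """
    msg = parse_headers(raw_headers)
    from_domain = address_domain(msg["From"])
    return_path_domain = address_domain(msg["Return-Path"])
    dkim_domain = dkim_signing_domain(msg["DKIM-Signature"])
    dkim_aligned = is_aligned(dkim_domain, from_domain, adkim)
    spf_aligned = is_aligned(return_path_domain, from_domain, aspf)
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "dkim_domain": dkim_domain,
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        # DMARC passes when at least one authenticated identifier is aligned.
        "dmarc_alignment_ok": dkim_aligned or spf_aligned,
    }


if __name__ == "__main__":
    for key, value in check_alignment(SAMPLE_HEADERS).items():
        print(f"{key:>20}: {value}")
```

Save the headers of a message sent from the alias address (“Show original” in Gmail) into a file, read it into `check_alignment`, and the `dkim_domain` line shows you exactly the d= mismatch the post describes. Once DKIM is enabled for the alias domain in G Suite, the same check should report `dkim_aligned: True`.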

How to enable DKIM for all secondary domains/domain aliases in G Suite

In Google Admin Dashboard – make sure you head to Apps -> G Suite -> Settings for Gmail -> Authenticate Email (DKIM) and –

  1. Generate 2048-bit DKIM record values for every domain you’ve set up in your Gmail account to send-as from
  2. Create the DKIM DNS record with that domainkey and TXT record value in the relevant secondary domain’s/domain alias’s DNS zone
  3. Click “Start Authentication” after the new DKIM DNS record has had a chance to refresh and propagate
  4. When you see the green text “Authenticating email” with a green tick, DKIM is enabled.


Barracuda Email Threat Scanner for Office 365 – Free Tool

A sobering thought this – your Office 365 mailbox may be harbouring emails containing spear phishing and targeted attacks.

The free web-based Threat Scanner for Office 365 from Barracuda uses their Sentinel Artificial Intelligence engine to scan for threats already in your Office 365 account. It identifies advanced threats and includes information such as the sender of the risk, and details about the risk including what the risk is targeting.

As Barracuda describes here – the free Barracuda Threat Scanner for Office 365 scans for

  • Spear phishing attacks
  • CEO fraud and employee impersonation
  • Popular web service impersonation (Outlook, DocuSign, Dropbox, Apple)
  • Account takeover attempts

Scan results are generated and a report sent to your registered email address within 24 hours.

Sign up here to scan your Office 365 mailbox for email-based threats:


People – Email Security’s Weakest Link

Email was simpler back then. Pre-cloud era, all you had was a best in class firewall, a strong antivirus/antispam solution, and excellent security software covering every endpoint.

But these email security solutions are no longer enough. Email is by far the most important communications application, and correspondingly the number-one method of carrying security breaches into organisations.

Adoption of best practice email security resilience measures is a big problem. An alarmingly high percentage of organisations are not on board with the basics – SPF, DKIM, DMARC reporting, and the advanced threat protection security solutions available today.

If adopted – multi-layer intelligent AI driven email security solutions are catching up in effectiveness.

So now hackers are starting to side-step improving security technology. How? By targeting humans. Social engineering is a dark capability, with no technology necessary – just soft skills!

Social engineering tricks staff into taking actions that compromise organisational security. Exploitation of human vulnerabilities and foibles has turned into the number-one most effective strategy for attackers.

For example, email fraud targets key staff with direct access to corporate financial data and decision-making power. Their email addresses are impersonated or literally hacked and taken over, then used to send instructions to colleagues internally that carry the weight of the impersonated sender’s organisational authority.

A Holistic Organisation-Wide Cyber Security Strategy

Technology-based defenses with threat intelligence to combat email attacks are critical and non-negotiable, but today threat protection technologies are just one pillar of an overarching security strategy.

If hackers use a combination of technical and non-technical (i.e. human-to-human!) strategies to breach security, then everyone is a stakeholder: every staff member has a role to play in cyber resilience to email fraud. All end-users need enrollment in a security awareness program. Some end-users are more phish-prone than others, but move forward on the principle that all staff are targets, so all staff will benefit from increased security awareness.

A holistic email security solution should prevent email based attacks before they occur, then must consider email continuity and email recoverability. What is the plan to keep business email communications operating if email is down? Sending and receiving email during a business-wide email system outage must be a scenario planned for.

If emails are lost then the capability to restore email to the required granularity is required – from individual emails, mailboxes, to email system-wide restoration.

Technology is only one part of an Email Security Strategy

Email security’s weakest link is people. Respond to this reality by raising staff awareness of their role in a comprehensive email security strategy. Train for a healthy wariness when it comes to evaluating emails containing –

  • Email links and attachments
  • Domain spoofing and impersonation
  • User impersonation
  • Links to fake online applications

Keeping email security top of mind is now non-negotiable for all employees. Attackers leverage humans to side-step security technology. So create a security culture at work that sets the tone for how email is used.


FAQ – Microsoft Azure Files and Azure File Sync

For an overview of Microsoft Azure Files and Azure File Sync, a great resource to understand and learn more can be found at this link:

Azure Files with Azure File Sync is a game-changer. Microsoft provides an authoritative answer and direction for the cloud-as-a-business-file-server dilemma, which is:

How do you centralize your company’s file shares in the cloud, but at the same time keep the performance of an on-premises file server?

While not first to answer this question, Microsoft’s authority and credibility legitimizes the cloud-as-a-fileserver strategy with Azure Files and Azure File Sync.


Phishing and the Human Attack Surface

So what is a hacker to do if corporate security defenses are becoming more effective? Companies are adopting more sophisticated multi-layered security technologies and processes.

Businesses are ramping up their investment in security to protect themselves. Two-factor authentication, quicker operating system patching, firewalls, endpoint protection everywhere, secure email and web protection – advanced security measures are increasing in sophistication and effectiveness.

Increasingly, cybercriminals are going after the softest target – me and you. The human attack surface, with its wildly variable and fallible behaviour.

To illustrate how the human factor is the cyber attacker’s holy grail, here are some fun (not) findings from Proofpoint’s Human Factor 2018 Report.

  1. Social engineering is the hacker’s key to phishing success. Not technology. A critical point, as social engineering is person-to-person. It neatly sidesteps all those expensive advanced security technologies and engages directly with us folks. Humans who are gullible, easily deceived, under-trained, probably tired, busy, certainly curious, want to help, and have fingers that left-click quicker than their brain engages.
  2. A fun Proofpoint recommendation: Use phishing simulations to see who in your business falls for it. Find out who clicks then make an example of them (ok Proofpoint didn’t say that last part).
  3. Business Email Compromise (BEC) almost totally relies on analogue person-to-person strategies. None of the usual signs such as malicious links and attachments are present. The email message doesn’t get caught by standard security filtering, and instead uses convincing language to trick the recipient into taking the desired insecure action (the requisite “bean spillage”, i.e. pay an invoice, transfer money). Phone calls and other communications are commonly used during the attacker’s research phase to uncover the key players in an organisation – social engineering to find names and roles, most often C-level and the finance department. The goal is any action that persuades the victim that disclosing sensitive information or sending money is legitimate and authorized.

Human nature is always the biggest vulnerability. Check out the Human Factor 2018 Report from Proofpoint here.


Turn on and Configure Gmail’s Anti-Phishing Capabilities

Gmail’s anti-phishing capabilities have been around since April 2018 in Australia. I’m just not seeing the uptake these new email safety features deserve.

I’m going to stay on point in this blog with Cloud Admin’s current focus on email authentication and email spoofing (SPF, DKIM, DMARC). So my focus is on the Gmail Safety section “Spoofing and Authentication”.

The other two sections in G Suite Admin under Apps > G Suite > Gmail > Safety, “Attachments” and “Links and external images”, are just as important! These email security settings need equal attention. I’m doing a disservice to the criticality of the new settings addressing attachments as the attack vector of choice – so be sure to configure those settings as well.

Back to “Spoofing and Authentication” for this post.

Scroll down and click on “Safety”, under G Suite Admin Console’s Gmail settings.

“Spoofing and Authentication” Gmail Settings Safety Section

  1. Choose customize settings in the Spoofing and Authentication section.
  2. For each safety setting (listed below) in this section, I recommend choosing the option “Keep email in inbox and show warning” from the drop-down list. Make sure this option is chosen manually, as it is the default for some settings and not for others.
  3. Once you’ve lived with the emails “delivered to your inbox with warning” for a while, AND you know your SPF, DKIM, and DMARC configuration is working for your domain, revisit the settings and re-configure the preferred option for each setting. For example, the setting “protect against inbound emails spoofing your domain” is a straightforward choice – change the option to send those emails straight to spam.

The safety settings are (each set to the option “Keep email in inbox and show warning”):

  • Protect against domain spoofing based on similar domain names
  • Protect against spoofing of employee names
  • Protect against inbound emails spoofing your domain
  • Protect against any unauthenticated emails (not authenticated by SPF or DKIM)

Why choose “Keep email in inbox and show warning”?

Any emails picked up by the new safety settings still arrive in your inbox like before, but now they come with a warning!

You get to learn what Gmail’s safety measures are doing with the enabled safety settings – specifically regarding phishing attacks due to spoofing and unauthenticated emails.

Email security is an evolving space, and not all email providers support best practice email authentication measures, so you’ll need to choose the option to still deliver the email to your inbox, accompanied now with a warning.

As I said, live with the option to “keep email in inbox and show warning” for a while, then reconfigure your Gmail Safety Settings to your preferences.

You can read more here:


Prevent Outgoing Spam in G Suite with DMARC

Learn how to prevent outgoing spam in Google G Suite with DMARC. Google is a key DMARC standard participant, thankfully, as a significant percentage of all email traffic passes through Google’s email infrastructure.

Given Google’s DMARC support, implementation of the DMARC email authentication protocol is a no-brainer and will help you regain control over spammers spoofing your email, who do this by impersonating your “From:” email address.

Learn more about DMARC for Google G Suite by clicking this link:

Then to learn how to add DMARC to your business email domain, go here:


How to Set Up Office 365 SPF, DKIM, and DMARC

Office 365 has a compelling suite of security features. In fact you can justify migrating your business email to Office 365 (Exchange Online) from a security perspective alone, to ramp up your security best practices.

Email protection and authentication in Office 365 requires manual work. A solid start to deterring email spoofing (impersonating your email “From” address) is the SPF, DKIM, and DMARC email authentication standards.

  1. To setup SPF in Office 365 to prevent spoofing:
  2. To setup DKIM in Office 365 to validate your outgoing email from your business domain:
  3. DMARC depends on SPF and DKIM to work. Once SPF and DKIM are configured, tested, and working – don’t forget DMARC.
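Whether the records come from the G Suite DKIM steps earlier on this page or from the Office 365 SPF, DKIM and DMARC setup described here, the same handful of mistakes in the published TXT values undo the work: an SPF record ending in `?all` or `+all`, a DKIM record whose p= was pasted empty or mangled, a DMARC record left at `p=none` with nobody receiving reports. The following added example (not code from the original posts, nor a Google or Microsoft tool) runs those checks over the record values before you publish them. The record values are constructed samples with placeholder domains; the DKIM p= value is a placeholder rather than a real key.

```python
"""Sanity checks for SPF, DKIM and DMARC TXT records before (or after) publishing them.

Added example, not code from the original posts, Google or Microsoft. Paste
in the TXT values from your DNS zone (or from dig/nslookup output) and it
flags the mistakes that most often leave a domain spoofable or a DKIM
selector unusable. All record values below are constructed samples with
placeholder domains; the DKIM p= value is a placeholder, not a real key.
"""
import base64
import binascii
import re

# Constructed "before" records: each one carries a weakness the checks catch.
SAMPLE_WEAK = {
    "spf": "v=spf1 include:spf.protection.outlook.com ?all",  # ?all is neutral: anyone may send
    "dkim": "v=DKIM1; k=rsa; p=",                             # empty p= is a revoked key
    "dmarc": "v=DMARC1; p=none",                              # no enforcement and no reports
}

# Constructed "after" records with those weaknesses corrected.
SAMPLE_FIXED = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dkim": "v=DKIM1; k=rsa; p=" + base64.b64encode(b"placeholder, not a real key").decode(),
    "dmarc": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
}

# SPF terms that cost a DNS lookup (RFC 7208 allows at most 10 per evaluation).
SPF_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=", re.I)


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record must start with v=spf1"]
    issues = []
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        issues.append("SPF: no 'all' term, so unlisted senders get a neutral result")
    elif all_terms[-1][0] not in "-~":  # bare 'all' means '+all'
        issues.append(f"SPF: '{all_terms[-1]}' lets anyone send as the domain; use -all (or ~all)")
    lookups = sum(1 for t in terms[1:] if SPF_LOOKUP_TERM.match(t))
    if lookups > 10:
        issues.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return issues


def check_dkim(record):
    tags = parse_tags(record)
    issues = []
    if tags.get("v", "DKIM1") != "DKIM1":
        issues.append("DKIM: v= must be DKIM1 when present")
    if tags.get("k", "rsa").lower() not in ("rsa", "ed25519"):
        issues.append(f"DKIM: unknown key type k={tags['k']}")
    if "p" not in tags:
        issues.append("DKIM: no p= tag, the selector is unusable")
    elif tags["p"] == "":
        issues.append("DKIM: empty p= means the key is revoked; signatures with this selector fail")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except (binascii.Error, ValueError):
            issues.append("DKIM: p= is not valid base64 (truncated or mangled when pasted?)")
    if "y" in tags.get("t", "").lower().split(":"):
        issues.append("DKIM: t=y marks the domain as testing; remove it once signing is confirmed")
    return issues


def check_dmarc(record):
    if not record.strip().startswith("v=DMARC1"):
        return ["DMARC: record must start with v=DMARC1"]
    tags = parse_tags(record)
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append("DMARC: p= must be none, quarantine or reject")
    elif policy == "none" and "rua" not in tags:
        issues.append("DMARC: p=none without rua= neither enforces nor reports; add rua=mailto:...")
    elif policy == "none":
        issues.append("DMARC: p=none is monitoring only; move to quarantine/reject once reports are clean")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        issues.append(f"DMARC: pct={pct} is not a percentage")
    elif int(pct) < 100 and policy in ("quarantine", "reject"):
        issues.append(f"DMARC: only pct={pct}% of failing mail gets the {policy} policy")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() not in ("r", "s"):
            issues.append(f"DMARC: {tag}= must be r (relaxed) or s (strict)")
    return issues


def audit(records):
    """records: dict with any of 'spf', 'dkim', 'dmarc' TXT values; returns all issues found."""
    checks = {"spf": check_spf, "dkim": check_dkim, "dmarc": check_dmarc}
    return [issue for name, check in checks.items() if name in records
            for issue in check(records[name])]


if __name__ == "__main__":
    for label, records in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(f"{label}: {audit(records) or ['no issues found']}")
```

The checks are syntactic, so they run offline against the values you intend to publish; they do not resolve the `include:` targets or verify that the DKIM key is the one your mail server signs with, which is what the header check earlier on this page covers once mail is flowing.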