You have a new (malicious) secure email!

When attackers find something that works, unfortunately, they will happily keep using it to target your users. Malicious “Secure Email” messages are still a threat, and it is important to continue to remind all email users what to watch out for.

The most dangerous thing about this type of email is that it often comes from a trusted contact who is not aware that their email account has been compromised. So, the person receiving the email may know and commonly send/receive encrypted messages with the sender, which makes it that much more convincing. Additionally, messages can arrive via real secure file sharing services, or using Microsoft’s email encryption, which can confuse spam filters.

Some quick pointers on spotting these types of email attacks:

• Secure email messages should be treated like attachments. If you weren’t expecting that message, at that time, reach out to the sender to verify.
• Just because a message is “secure” doesn’t mean the contents are safe. If an encrypted message contains a strange or suspicious looking document or link, stop, and reach out to your Security or IT Team when in doubt.
• Sometimes the message may have clues, such as it will say it is from “Dropbox” but may have a “SharePoint” link, or some other mismatch. A legitimate message will not look like this.
• Because one goal of this type of email attack is to compromise real accounts, you may get a secure email from someone you know and trust. It may even have a familiar subject line or attachment name. These can be the hardest to spot. The giveaway on these can be timing, if you weren’t expecting it at this time, or something else seems “off”, it is always best to just directly email (don’t hit reply!) or call the sender, just to make sure.
• Another variation is that the content or subject looks familiar, but it is coming from someone at the sender’s company that you don’t normally correspond with. Again, in this case, reach out to someone you know at the sending company to verify.
• Trust your gut! Human brains can be very good at spotting irregularities or changes in patterns that we can’t always put our finger on...but something seems wrong. Don’t ignore this feeling! Reach out to your IT team when in doubt. Any IT or security professional would rather take a few minutes to answer a question than work countless hours trying to respond to a security breach!

Bottom line: Don’t wait for your annual security awareness training presentation to cover this threat. Like any good security training, we should continuously send out information, reminders, and tips on how all employees can help keep their organization secure.

Authored by: Jeremy Johnson, CISSP, OSCP