
Security Validation Best Practices: Email Gateways 

As a continuation of our blog series on security validation, we look at the Cymulate best practices for validating email-based threats against your secure email gateway. But first, let’s recall the principle of security validation as defined by Cymulate. 

The Principle of Security Validation 

Security Validation is a fundamental principle in cybersecurity aimed at ensuring that systems, applications, and processes are secure and operate as intended.

If you missed the first blog in this series, check out Cymulate Best Practices for Security Validation

Email is the most frequently used delivery method for attacks that exploit security weaknesses. This makes the email gateway one of the most critical components and the first line of defense against threat tactics such as phishing, malware distribution, business email compromise, and scareware aimed at deceiving users.

Threat actors commonly use email to lure victims into clicking a malicious link or downloading an executable payload in order to gain initial access to a network. They continuously refine these methods, making them increasingly difficult to detect. This underscores the importance of ongoing vigilance and of validating that email gateway security controls are properly configured to detect and prevent such attacks.

Recent Threat: Microsoft Outlook RCE (Remote Code Execution) Vulnerability 

Early in 2024, a significant vulnerability affecting Microsoft Outlook was discovered and dubbed the Moniker Link bug.

Successful exploitation of this vulnerability would allow a threat actor to craft a malicious link that bypasses Microsoft Office Protected View, so that the preview pane opens the content in editing mode rather than protected mode. This gives the threat actor elevated privileges, including read, write, and delete functionality, which could lead to the leaking of local NTLM credential information and remote code execution (RCE).

Over the past decade, some of the most notorious cyber attacks began with phishing emails:

  • 2023 T-Mobile 
  • 2022 U.S. Department of Labor 
  • 2021 Colonial Pipeline 
  • 2020 SolarWinds 
  • 2019 Wipro 
  • 2018 Marriott International 
  • 2017 Ukrainian Power Grid 
  • 2016 Democratic National Committee (DNC) 
  • 2015 Anthem Health Insurance 
  • 2014 Sony Pictures 

These attacks serve as a constant reminder of the need to continuously optimize email security controls and stay vigilant as users when it comes to email. 

Frequent Validation of the Secure Email Gateway 

Malicious website links and payload variants are constantly evolving as threat actors run ever more sophisticated phishing campaigns against unsuspecting users. Organizations rely on their secure email gateway as the first line of defense to block these emails before they reach users and so protect the organization from attack.

Frequent validation that the secure email gateway is operating as intended and blocking malicious links and payloads is required to stop the constant flow of email-borne threats. 

Cymulate Best Practices 

The Cymulate best practices for email gateway security validation include a broad range of assessments and scenarios covering malicious links (like the Moniker Link bug), files attached to emails, and the policies used to govern them. These include:

Malicious Links

Malicious links and other objectionable content are constantly moving targets, requiring frequent validation against a comprehensive blocklist of known malicious websites updated from the latest threat intelligence.

Security teams should validate the ability of their email gateway to analyze and block malicious links in the body of an email. This involves sending a set of test emails containing links known to lead to malicious sites and checking whether the email gateway detects them and blocks access to those sites.

Malicious Attachments 

Threat groups continuously morph and obfuscate malicious attachments, so, just like the link tests, these tests should be run frequently using a broad range of the latest known malware, ransomware, worms, and trojans updated from the latest threat intelligence.

Security teams should validate the ability of their email gateway to analyze and block emails containing attachments with known malware signatures. These tests should send a broad range of emails carrying the latest known malware, including ransomware, worms, trojans, and other exploits embedded in attachments.

Executable Payloads (Attachments) 

Testing policy enforcement for emails carrying executable payloads in file types such as exe, com, scr, and bat is a critical part of security validation for your email gateway.

A full range of tests should be run to validate that common executable file types are blocked by the gateway. Those file types should include files with extensions for: exe, com, scr, pif, vbs, vbe, js, jse, wsf, hta, bat, cmd, lnk, cpl, and msi. 

Dummy Code Execution  

Simulate the possibility of real malicious code execution using dummy files that have potential code execution capabilities. These files are not actually malicious, but they provide a proof of concept for getting executable code into an organization.

True File Type Detection 

This final test is used to validate that your email gateway can detect the actual type of file that has been attached to an email regardless of the file extension. Threat actors often disguise malicious files with misleading file extensions to avoid detection by the email gateway. 

Instead of relying solely on the file extension, true file type detection examines the actual contents of the file to identify its real format. The validation therefore checks that your email gateway detects the true file type and blocks malicious files before they reach users.
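The two attachment checks described above (the executable-extension block list and true file type detection) combined into one small policy checker, as an added example that is not Cymulate code. It parses a constructed MIME message whose attachments are harmless stub bytes carrying only a file signature; the signature table and the "allow"/"block" verdict format are assumptions for illustration.

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Executable payload extensions the post says a gateway should block.
BLOCKED_EXTENSIONS = {
    "exe", "com", "scr", "pif", "vbs", "vbe", "js", "jse", "wsf",
    "hta", "bat", "cmd", "lnk", "cpl", "msi",
}
# Constructed subset of magic-byte signatures for true file type detection.
MAGIC = [(b"MZ", "pe-executable"), (b"%PDF-", "pdf"), (b"PK\x03\x04", "zip-container")]

def true_type(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring the extension."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"

def verdict(filename: str, data: bytes) -> tuple[str, str]:
    """Return ("block" | "allow", reason) for a single attachment."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if ext in BLOCKED_EXTENSIONS:
        return "block", f".{ext} is on the executable block list"
    kind = true_type(data)
    if kind == "pe-executable":  # renamed executable: the extension lied
        return "block", f"content is a PE executable despite the .{ext} extension"
    return "allow", f".{ext} with detected type {kind}"

def check_message(raw: bytes) -> list[tuple[str, str, str]]:
    """Walk every attachment of a raw RFC 5322 message and judge each one."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        results.append((name, *verdict(name, part.get_payload(decode=True) or b"")))
    return results

def build_test_message() -> bytes:
    """Constructed sample: a .exe, a PE stub renamed to .pdf, and a true PDF."""
    msg = EmailMessage()
    msg["Subject"] = "Gateway validation sample (constructed)"
    msg.set_content("Attachments are harmless stub bytes carrying only a signature.")
    stub = b"MZ\x90\x00 stub, not a real program"
    msg.add_attachment(stub, maintype="application", subtype="octet-stream", filename="tool.exe")
    msg.add_attachment(stub, maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"%PDF-1.4 stub", maintype="application", subtype="pdf", filename="report.pdf")
    return bytes(msg)
```

Running `check_message(build_test_message())` blocks `tool.exe` by extension, blocks `invoice.pdf` because its content is a PE stub, and allows `report.pdf`; a gateway validation run compares the gateway's actual decisions against verdicts like these.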

File Attachments

This policy enforcement test simply validates which file types attached to an email will be blocked by the gateway and which will be passed through to the user.

Security teams should execute tests that send emails using a full range of file types (as many as 200 different types) to validate that the file type policy is configured correctly in the email gateway. Most organizations will have specific file types (like .dll and .exe files) that should be blocked by the gateway as these file types are known to be exploited by threat actors. 

The goal of these best practices is to thoroughly test the effectiveness of an organization’s email gateway and policies by simulating a wide variety of email-based threats, including malware, worms, trojans, and exploits delivered through attachments and malicious links. 

Due to the constantly changing nature of malicious sites and attachments used by different threat actors, it is highly recommended that these validation tests be run weekly or whenever a change is made to the email gateway. 

A secure email gateway is your first line of defense against this preferred method of attack delivery. Continuous validation that your email gateway controls are operating as intended and can block the latest malicious links and payloads will go a long way to improving your cyber resilience. 

For more information, visit our web page and schedule a demo of our email gateway assessment. 
