Many cyber attacks begin with an email from either an unknown individual or someone posing as your contact from a partner or even your own company, your bank, or any of your service providers. This message may either come with an embedded link that when clicked leads to a malicious site designed to steal login credentials or an attachment that’s really a piece of malware in disguise. And to make sure targets either click the link or download the attachment, it always comes with a convincing ploy, such as:
“We noticed several failed attempts to log in to your account. Please update your username and password.”
“You received an important voicemail from (your boss’s name).”
“Attached is the invoice for (the last supplier shipment you received). Please send the payment to (bank account details) immediately to avoid late charges.”
Malicious emails can be tough to spot, especially if they look just the same as the normal communications you get from contacts or use their names. Without proper scrutiny, anyone can fall for a seemingly harmless email. And let’s face it, none of us really take time out to scrutinize every email address we come in contact with.
In this post, we look at a combination of ways to check whether an email may be dangerous.
Is the Email Domain a Potential Typosquatting Domain?
One of the common ways cyber attackers dupe users into thinking an email is legitimate is by using look-alike or typosquatting domains. These domains typically imitate big-name brands, such as Microsoft, Amazon, or Google. Examples of typosquatting domains would be micrоsоft.com, аmаzоn.com, and gооglе.com (where the lowercase o, a, and e were replaced with Cyrillic characters that look identical).
Is the Email Domain Newly Registered?
Cybercriminals are also known to use newly registered domains (NRDs) in their malicious campaigns. That's why it's pretty standard for companies to monitor NRDs and block them from accessing their networks when considered necessary. One way to do that is to subscribe to an NRD data feed and add potentially harmful email addresses that use the domains in the daily feeds to your blocklist. An example would be onlinestore-apple[.]com from an NRD data feed for 15 May 2021; a check on VirusTotal revealed that it is malicious.
Is the Email Domain Bulk-Registered?
Another known cybercriminal tactic for reaching as many potential victims as possible is bulk registering domain names. Apart from monitoring NRDs, organizations also typically watch out for bulk-registered domains and consider adding these to their blocklists. Examples would be xiaomi14[.]ru, xiaomi53[.]ru, xiaomi52[.]ru, and 408 more similar variants from the typosquatting data feed for 15 May 2021. These could potentially be used to scam Xiaomi consumers.
Is the Email Domain Disposable?
A telltale sign of a potentially abusive email address is that it uses a disposable email service. You can prevent such emails from getting into corporate inboxes by monitoring disposable email domain data feeds and adding the domains to your blocklist. An example of this would be support@10minutemail[.]net from the disposable email data feed for 26 May 2021. An email validation API like https://emailverification.whoisxmlapi.com/api would tell you that the email address is disposable.
Is the Domain a Known Threat Indicator of Compromise?
Security researchers make it a point to let the public know which domains and IP addresses they should block from accessing their networks to avoid compromise. In the same way that you should avoid clicking links to domains identified as indicators of compromise (IoCs), you should never open messages from email addresses that use them.
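As an added example that is not part of the original post, the following Python function runs the five checks above against a single sender address. The brand list, the confusables table and the feed contents are constructed stand-ins (the IoC entry is a placeholder, not a real indicator); in practice you would load the daily NRD, bulk-registration, disposable-domain and IoC feeds into those sets.

```python
import unicodedata

# Constructed subset of the Unicode confusables list: Cyrillic letters that
# render identically to Latin ones, mapped to their Latin look-alike.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i"}
BRAND_DOMAINS = {"microsoft.com", "amazon.com", "google.com"}

# Constructed stand-ins for the daily feeds the post mentions; not real feed content.
FEEDS = {
    "newly registered": {"onlinestore-apple.com"},
    "bulk registered": {"xiaomi14.ru", "xiaomi52.ru", "xiaomi53.ru"},
    "disposable": {"10minutemail.net"},
    "known IoC": {"ioc-placeholder.invalid"},  # placeholder domain, not a real IoC
}

def scripts_in(label):
    """Set of Unicode scripts (taken from the character-name prefix) used in a label."""
    return {unicodedata.name(c, "UNKNOWN").split(" ")[0] for c in label if c.isalpha()}

def skeleton(domain):
    """Fold confusable characters to their Latin look-alikes for brand comparison."""
    return "".join(CONFUSABLES.get(c, c) for c in domain)

def assess_sender(address, feeds=FEEDS, brands=BRAND_DOMAINS):
    """Return the reasons an address's domain is suspicious (empty list = none found)."""
    try:
        _, domain = address.rsplit("@", 1)
    except ValueError:
        return ["malformed address"]
    domain = unicodedata.normalize("NFKC", domain.strip().lower().rstrip("."))
    if not domain:
        return ["malformed address"]
    reasons = []
    # Mail headers carry internationalized domains as punycode; decode before inspecting.
    if "xn--" in domain:
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            reasons.append("undecodable punycode label")
    # Question 1: look-alike / typosquatting domain (mixed scripts or confusable skeleton)
    if any(len(scripts_in(label)) > 1 for label in domain.split(".")):
        reasons.append("mixed-script domain label")
    folded = skeleton(domain)
    if folded != domain and folded in brands:
        reasons.append(f"homoglyph of {folded}")
    # Questions 2 to 5: membership in the blocklists built from each feed
    for feed_name, blocklist in feeds.items():
        if domain in blocklist:
            reasons.append(f"domain in {feed_name} feed")
    return reasons
```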
---
Answering the five questions above can help you scrutinize email addresses thoroughly, notably to detect and avoid possible threats.