Webmail Security and Associated Best Practices

Webmail is popular for its many advantages over regular desktop email. One of its salient benefits is ubiquitous availability, which is a double-edged sword. The price paid for universal access is a greatly increased attack surface area. Below we will identify existing threats, the implications of being targeted, and best practices to effectively mitigate threats associated with the use of webmail.

Business employees often require access to work resources from outside of the office. As a result, web-based email has become one of the most widely used corporate communications resources. Email is the communication backbone that supports the smooth and successful operation of any company. Therefore, because of its high value and sensitive nature, email resources are often targeted by malicious attackers. Compromised email infrastructure can result in several problems, such as:

  • Intellectual property loss: This includes stolen company secrets, customer and partner information, internal memos, etc. These can be used for blackmail, or can even be sold on the internet to the highest bidder.
  • Email contact loss: Stolen address books can cause lost business opportunities while company contacts may be exposed to future spam and malware attacks.
  • Also, depending on local legislation, data breaches might have to be publicly disclosed and companies can be given significant fines.

Attackers have a multitude of options available at their disposal. Some malicious individuals may run a simple Web search to obtain your webmail URL. Once they have this information, they can employ bots (automated programs) to guess a correct username and password. The most common attack we see is targeted phishing emails spoofing the company’s IT helpdesk. These messages employ various social engineering tactics to trick users into giving up their password. Once the attackers have the passwords, they can login to the relevant webmail server and perform additional malicious activities.

Below are two samples of targeted phishing emails. In the first sample, the attacker directs the victim to a URL where they can capture the victim’s username and password. In this example they are using Google Docs, which is being used to host a simple form into which the attacker hopes the victim will input their details. The second sample is a simpler phishing email where the attacker just asks the victim to fill out details and reply with their username and password to a webmail account.

Effective security policies should be implemented to prevent phishing attempts and the following approaches can help mitigate these threats. When used together, you can appear less enticing to attackers and avoid becoming a victim.

Policy solutions

  • Implement a two-factor authentication process with a hardware or software token. This will require a user to provide a second set of authentication credentials (in addition to username and password) to log into webmail.
  • Consider allowing only specific users access to webmail. This will reduce the attack surface area, which in turn reduces the probability of being targeted. In many companies, not all employees truly need webmail access outside of office hours.
  • Hide your webmail URL from search engine crawlers by setting up a robots.txt in the root of your webmail server.
  • Avoid generic or easily guessable webmail URLs (such as webmail.domain.com or mail.domain.com).
  • Enforce an effective password policy (such as requiring complex passwords) and force regular password changes.
  • Limit the total number of messages per user. This can be based on a per-day or per-hour limit.

User education

  • Ask your IT department to publish monthly advisories and hold regular brief meetings and training modules regarding security best practices.
  • Login pages can have friendly security reminders which change depending on the season. For example, during holidays or festive seasons be aware of suspicious themed attachments.
  • Educate users on how to recognize phishing attempts. For example, showing users a sample email would help them better recognize phishing attempts.
  • Discourage use of webmail on public or shared computers which might have key loggers or other malware installed.

Pro-active measures

  • Ensure server and webmail software are patched with the latest updates to prevent vulnerabilities from being exploited.
  • Frequently monitor authentication and access logs for suspicious events, such as sudden spikes in user activity. Administrators can be alerted to disable compromised accounts.

Of all of the above approaches, our experience has shown that the most effective way to mitigate becoming a target is to implement a two-factor authentication process. If an attacker cannot gain access to your webmail server because you utilize such technology, they will simply move on to the next target which doesn’t.