Email has been our primary means of communication in the digital age. It follows the conventional postal mail concept: a letter is written in one place (letterhead), packaged and sealed (signature), delivered by a postman (mail exchange), arrives at the recipient (postbox), and lastly is opened and read (read).
However, there are also malicious senders who can forge mail contents and send you a malicious package, like 500 cockroaches wrapped in the sweetest happy-birthday packaging and mailed to you on your birthday. Upon arrival, to prevent those roaches from infesting your place, you would want to inspect the package by calling the real sender to verify it. Otherwise, contact the police, just in case it is a bomb or something. The rule is: never open a malicious package.
The pattern is the same for email. The only difference is that instead of roaches, you get viruses or malware. They are more sophisticated and complicated, and sometimes require expert tools to handle.
This section guides you on how to carefully and effectively inspect your email so that no malicious threat gets into your system.
CLARIFICATIONS: In this section, 3 ZORA agents demonstrate most of the examples. They are:
- "Cory" Galyna - acting as attacker / helpful co-worker.
- "Anastasia" Oksanochka - acting as victim.
- "Holloway" Chew Kean Ho - author of this page, also sharing the role of co-worker.
Step #1: Never Trust Your Email
Upon receiving an email, be it from a known or an unknown person, do not trust it until you have completed the inspection. This idea is part of the zero trust policy, where trust is earned.
Step #2: Check Email Metadata
The next thing to do is to explicitly check the email metadata, just as you would for a mailed package. Metadata is the email/package delivery information, such as:
| Metadata | Email | Mailed Package |
| Name | Recipient Name | Recipient Name |
| Location | Receiver Email Address | Receiver Home/Office Address |
| Sender Person | Sender Name | Sender Name |
| Sender Address | Sender Email Address | Sender Return Address |
| Sender Recognition | Digital Signature | Insignia / Seal |
A lot of the metadata here can be exploited, for both email and packages. Here are some case studies.
CASE I: Faking Receiver Name
One easy way is to fake the receiver name. Holloway received an email that appears as follows on the webmail:
From its appearance, it looks like the sender is Anastasia. However, on carefully inspecting the sender email address, Holloway found that it was actually sent from Cory.
In this kind of situation, Holloway definitely will not trust the email content. This is identity theft, which is punishable by law. The best course of action is to document the email and report it to the relevant IT security department.
CASE II: Phishing Link
Assuming the received email is genuinely from Anastasia, the next thing is to check that the given link is not masked with malicious intent. You MUST always check a link before you click it.
To do that, you need to:
- Right-click on the link.
- Copy the link address.
- Paste it into a notepad or text editor to check it.
This reveals the true underlying link. In the case study above, it turned out that Holloway was being pointed to another site instead of the office's case archives.
With this check, Holloway avoided leaking secret data to an external malicious site.
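The two checks from CASE I and CASE II (sender display name versus the actual address, and link text versus the real link target) can also be automated on a raw message. The following is an added example written for this page, not ZORA's own tooling; the message, names and domains in it are constructed, and the name-versus-address test is a simple heuristic, not a standard.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample: the display name claims Anastasia but the address is
# Cory's, and the link text shows the case archive while href goes elsewhere.
RAW_EMAIL = b"""From: "Anastasia Oksanochka" <cory.galyna@example.net>
To: holloway@example.org
Subject: Case archives
Content-Type: text/html; charset=utf-8

<p>Holloway, the case files are at
<a href="http://archives-example.invalid/login">https://archives.example.org/cases</a></p>
"""

class LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def masked_links(html):
    # Links whose visible text names a different host than the real href.
    p = LinkCollector()
    p.feed(html)
    out = []
    for href, text in p.links:
        if "://" not in text and not ("." in text and " " not in text):
            continue  # plain words like "click here" have no host to compare
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        if shown and shown != urlparse(href).hostname:
            out.append((text, href))
    return out

def inspect_email(raw):
    # Step #2 checks: sender display name vs address, and masked links.
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    local = sender.addr_spec.split("@")[0].lower()
    # Heuristic: does any word of the display name appear in the address?
    name_ok = any(w.lower() in local for w in sender.display_name.split())
    body = msg.get_body(preferencelist=("html",)).get_content()
    return {"from_name": sender.display_name, "from_addr": sender.addr_spec,
            "name_matches_addr": name_ok, "masked_links": masked_links(body)}
```

A result with name_matches_addr false or a non-empty masked_links list is exactly the situation where Holloway documents the email and reports it instead of clicking.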
CASE III: Malicious Attachment
Lastly, emails with attachments are a very common sight and are the greatest source of computer infections. Therefore one must deal with attachments carefully.
NOTE: going back to the package example, a malicious attachment is the 500 cockroaches in a beautiful package, or malware in an email. Either way, you want to avoid both.
Consider Cory now sending Holloway a report attachment. Only after verifying the sender and any links in the email does Holloway download the attachment.
IMPORTANT RULE: NEVER entertain any attachment if the email is malicious.
Simple logic: if you already know a package has 500 roaches, what is the first thing you do? Obviously dispose of it properly without opening it.
After downloading the attachment, do the following in sequence:
- Scan the attachment with your local anti-malware solution (e.g. Kaspersky). If a threat is detected, do not open it. Just delete it and approach your tech assistant. Otherwise, follow the next step.
- If it is a compressed file (e.g. tar), unzip/untar it.
- Repeat step 1 against the extracted files and directories.
FOR YOUR INFORMATION: some malware is able to evade a scan of the compressed file. Hence, to make sure you are truly safe, you need to do this as a habit rather than relying solely on anti-malware to protect yourself.
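The scan, unpack, rescan sequence above, and why the FYI matters, can be shown on a constructed attachment. This is an added example for this page, not ZORA's tooling; the MARKER byte string stands in for whatever a real anti-malware engine would detect, and looks_malicious() is where you would call your actual scanner.

```python
import io
import tarfile
import zipfile
# Constructed marker standing in for what a real anti-malware engine detects;
# in practice looks_malicious() would hand the bytes to your AV scanner.
MARKER = b"CONSTRUCTED-MALWARE-MARKER"
def looks_malicious(data):
    return MARKER in data

def scan_recursively(name, data, findings=None):
    # Step 1 on the blob itself, then steps 2-3: unpack and rescan each member.
    findings = [] if findings is None else findings
    if looks_malicious(data):
        findings.append((name, "marker found"))
    buf = io.BytesIO(data)
    try:
        with tarfile.open(fileobj=buf) as t:  # tar first: a tar may embed a zip
            for m in t.getmembers():
                if m.isfile():
                    scan_recursively(f"{name}/{m.name}", t.extractfile(m).read(), findings)
        return findings
    except tarfile.ReadError:
        buf.seek(0)  # not a tar archive; try zip
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as z:
            for m in z.infolist():
                if not m.is_dir():
                    scan_recursively(f"{name}/{m.filename}", z.read(m), findings)
    return findings

def make_zip(files):  # builds constructed sample data only
    b = io.BytesIO()
    with zipfile.ZipFile(b, "w", zipfile.ZIP_DEFLATED) as z:
        for n, d in files.items():
            z.writestr(n, d)
    return b.getvalue()

def make_tar(files):  # builds constructed sample data only
    b = io.BytesIO()
    with tarfile.open(fileobj=b, mode="w") as t:
        for n, d in files.items():
            info = tarfile.TarInfo(n)
            info.size = len(d)
            t.addfile(info, io.BytesIO(d))
    return b.getvalue()

# Constructed attachment: a tar with a clean report plus a zip whose member
# carries the marker; deflate hides the marker from a scan of the tar alone.
SAMPLE = make_tar({"report.txt": b"Q3 numbers, nothing odd here.",
                   "extras.zip": make_zip({"macro.bin": b"junk " * 20 + MARKER + b" junk" * 20})})
```

Scanning SAMPLE as one blob finds nothing, while scan_recursively() flags the member inside the nested zip, which is the point of repeating step 1 on extracted files.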
Step #3: Process The Email
Once you are done reading the email and processing its attachment, you MUST ensure that the email itself is processed too. That means either:
- you print it out as a PDF and store it like a file, OR
- you trash it.
The job is considered done when the email has left your inbox.
The Inbox is not a place for storing archived emails. Those belong in the Archives section or in your datastore. Keeping the Inbox as small as possible actually helps your IT support quickly identify problems and assist you easily.
Just like your home mailbox, you never clog your mailbox with read mail. Rather, you either archive the contents of the mail or discard it into the trash.