Organizations should be aware of the latest vulnerabilities, software patches, and email security guidance
Email as we know it has been around since the early 1970s, when Ray Tomlinson added the @domain.com magic that enabled electronic mail to be sent and received across the Internet, regardless of the sending or receiving computer.
Four Billion Email Users
Today, fifty years later, more than four billion users worldwide enjoy the advantages of email. They send over three million emails every second. Almost all of us (95%) check email every day, and over half of us (58%) check our spam folders every day as well.
The email has transformed our personal and business lives, enabling instant two-way communication and all the conveniences that go with it. New business can be closed in a tiny fraction of the time it took half a century ago, and at a fraction of the cost.
Email Market Size and Ownership
Last year, in 2020, the size of the email market, in terms of revenue, was $47 billion.
Gmail for business ranks first by market share, with one-third (33%) of the email market—but Microsoft Exchange owns a 32% market share as well, so it’s virtually a tie.
GoDaddy has another 15% of the email market, with all other hosting providers accounting for less than 3% each.
One thing they have in common is that they’ve been hacked. And all are vulnerable to new hacking exploits and emerging threats. Despite its benefits, email has made us highly vulnerable targets for all kinds of spam, scams, and schemes.
Malware such as spyware, adware, Trojans, and viruses can be introduced to email systems by spam. Phishing attacks are notorious for luring unsuspecting victims into clicking on links or images that launch malware. Many of these attacks can compromise other applications, data, and computer operating systems as well.
Protect Email Servers and Clients
Using email requires an email server and an email client, and both need to be protected. The email server is simply software that runs on a computer and constantly communicates over the Internet, sending and receiving emails.
The email client is a software application, or webmail app, that enables us to read and manage our email messages. It can be an app on your phone, a URL accessed through your web browser or a desktop application such as Microsoft Outlook.
Microsoft Exchange is a server, for example, while Microsoft Outlook is an email client. They work together to provide email users with complete and positive customer experiences.
Most email clients can connect seamlessly to virtually any mail server, and most can connect to multiple email servers and work with multiple email accounts simultaneously and transparently. It wasn’t this way 50 years ago, of course, but it all seems to have evolved fairly well, with the exception of the spam, the scams, and the schemes. That’s why it’s important to secure both your email servers and email clients.
Latest MS Exchange Guidance
Microsoft Exchange continues to be an especially popular target for email attacks. The company’s most recent Patch Tuesday, on November 10, 2021, released several software updates intended to strengthen security in its Exchange servers in 2013, 2016, and 2019. The vulnerabilities addressed by this week’s patches date back to March of this year. That’s when on-premises versions of Exchange were compromised by a group of hackers, known as Hafnium, who was traced to Beijing, China.
Four vulnerabilities in on-premises Exchange server software were exploited at that time. In the November 10th Patch Tuesday, Microsoft warned that one newly-patched flaw still remains vulnerable to attack.
Two-factor authentication doesn’t seem to be foolproof in this particular case. Microsoft explains that the “Exchange bug CVE-2021-42321 is a post-authentication vulnerability in Exchange 2016 and 2019.” Some post-authentication attacks can render two-factor authentication useless because the malware they deliver takes effect after a user has authenticated with a second security factor.
Microsoft recommends that the updates released on November 10th be installed immediately to optimize security for Exchange on-prem environments. Organizations using Exchange Online do not need to install updates as the company has done that automatically.
Microsoft’s notes at the link directly above indicate that they did not release mitigation for the CVE-2021-42321 vulnerability and urge administrators to update their servers to resolve that vulnerability.
Additionally, the company is not releasing updates for older, unsupported versions of Exchange and instructs admins to update to one of the supported Exchange Cumulative Updates (CUs) in order to be able to install the November Patch Tuesday software updates.
What Else Can You Do to Improve Email Security?
If you’re operating an on-premises MS Exchange environment, your actions are clear and urgent per the guidance above. If you are not, there are still actions you can take to improve your email security. Following are a few recommendations from experts in the email industry.
Larger Organizations. Large organizations generally have email security nailed down. Most have encryption programs for sensitive email and many of those encryption programs perform transparently, behind the scenes. Large organizations’ greatest vulnerabilities tend to lie with their employees. Typically, end-users don’t receive enough training in cybersecurity awareness and don’t know how to recognize phishing exploits and other social engineering schemes that aim to deliver malware.
Email or system administrators at any size organization should avoid running email clients under administrator privileges because this can expose your email software to hacking attacks. At a minimum, restrict privileges while you’re logged in as an administrator.
Smaller Organizations. In smaller organizations, email users can assist their employers by sharing the responsibility for email security and taking the following measures, as applicable. These safeguards are also recommended for employees who work at home, and for individual consumers who use email.
- Rethink Your Email Format. Most of us prefer to receive emails in HTML format or rich text format so that we can see images and links and digest email content more easily. However, these formats can expose you to risks. That’s why the use of plain text format is recommended when receiving or reading emails. In some cases, it’s as easy as clicking a button in your email program.
- Automatic Updates. We’ve said it before and we’ll say it again, and again. Always use the most current version of software and be sure to enable the automatic update feature if available. This goes for email software, anti-virus, and anti-malware software, all software. Often, software updates include important security updates that should be installed immediately.
- Virus Signatures. Always use antivirus software on your computer and choose software that includes a virus signature for monitoring your email files. Depending on the software, you may also be able to set the automatic update feature for virus signatures. This is important because computer viruses are constantly shifting and evolving—just like seasonal flu viruses.
- Be Suspicious. We’ve also said this before and will continue to chant it. Scrutinize every email as if it could do you harm. Look for misspellings in domain names or subject lines. Be suspicious of where an email has come from and what it is asking you to do, especially if that involves clicking on a link, going to a website, viewing a video or image, or opening an attachment.
- And Speaking of Attachments: Make sure that your anti-virus or anti-malware software scans all email attachments, whether PDFs or other documents or pictures before you open them. Today, most email security software has this feature and will immediately report if an attachment is risky. Listen to your software and other security tools!
- Think Before You Click Unsubscribe. When we receive unsolicited emails, especially from sources we don’t recognize, our first reaction is to click on the Unsubscribe link. This can have unintended consequences, however, when the email sender delivers malware to your system through that Unsubscribe link or takes you to a webpage that’s infected. The safest response in these cases is to delete the unsolicited message from your inbox or empty your spam folder if it landed there.
- Email Sender Etiquette. Some email programs are set to automatically send return receipts or read confirmations, by default. Check your settings and reconfigure them to turn off these features. That’s because these features can make it possible for an infected email to spread the infection to your email recipient.
The National Institute of Standards and Technology (NIST) also offers guidance for securing email and updating their downloadable document in October 2021.
Finally, organizations that operate customer loyalty programs, gift offers, and surveys collect sensitive information using website pages and online forms, and they drive customers to these tools via links in emails and pop-up ads. These companies need to identify and secure the vulnerabilities in their web pages, online forms, email enticements, and other tools to prevent hackers from stealing this hard-won data.
Summary
Email usage has come a very long way in 50 years, with more than four billion email users worldwide and some three million emails sent every second of every day. Not surprisingly, email has also become a highly popular vehicle for delivering malware and viruses. Phishing emails get more sophisticated all the time, making email security an ongoing challenge.
Microsoft Exchange owns a third of the email market and is a popular target for hackers, particularly nation-states seeking to do serious harm to government and enterprise organizations who use this email product. The November 10th series of software updates should be adopted immediately to thwart known vulnerabilities, and email administrators who haven’t already done so should read Microsoft’s guidance online.
All email users can assist their employers by following some basic best practices for email use, and organizations should make certain that their employees understand the importance of these email security practices.