Email as we know it has been around since the early 1970s, when Ray Tomlinson added the @domain.com magic that enabled electronic mail to be sent and received across the Internet, regardless of the sending or receiving computer.
Today, fifty years later, more than four billion users worldwide enjoy the advantages of email. They send over three million emails every second. Almost all of us (95%) check email every day, and over half of us (58%) check our spam folders every day as well.
Last year, in 2020, the size of the email market, in terms of revenue, was $47 billion.
Gmail for business ranks first by market share, with one-third (33%) of the email market—but Microsoft Exchange owns a 32% market share as well, so it’s virtually a tie.
GoDaddy has another 15% of the email market, with all other hosting providers accounting for less than 3% each.
One thing they have in common is that they’ve been hacked. And all are vulnerable to new hacking exploits and emerging threats. Despite its benefits, email has made us highly vulnerable targets for all kinds of spam, scams, and schemes.
Malware such as spyware, adware, Trojans, and viruses can be introduced to email systems by spam. Phishing attacks are notorious for luring unsuspecting victims into clicking on links or images that launch malware. Many of these attacks can compromise other applications, data, and computer operating systems as well.
Using email requires an email server and an email client, and both need to be protected. The email server is simply software that runs on a computer and constantly communicates over the Internet, sending and receiving emails.
The email client is a software application, or webmail app, that enables us to read and manage our email messages. It can be an app on your phone, a URL accessed through your web browser or a desktop application such as Microsoft Outlook.
Microsoft Exchange is a server, for example, while Microsoft Outlook is an email client. They work together to provide email users with complete and positive customer experiences.
Most email clients can connect seamlessly to virtually any mail server, and most can connect to multiple email servers and work with multiple email accounts simultaneously and transparently. It wasn’t this way 50 years ago, of course, but it all seems to have evolved fairly well, with the exception of the spam, the scams, and the schemes. That’s why it’s important to secure both your email servers and email clients.
Microsoft Exchange continues to be an especially popular target for email attacks. The company’s most recent Patch Tuesday, on November 10, 2021, released several software updates intended to strengthen security in Exchange Server 2013, 2016, and 2019. The vulnerabilities addressed by this week’s patches date back to March of this year, when on-premises versions of Exchange were compromised by a group of hackers known as Hafnium, which was traced to Beijing, China.
Four vulnerabilities in on-premises Exchange server software were exploited at that time. In the November 10th Patch Tuesday, Microsoft warned that one newly-patched flaw still remains vulnerable to attack.
Two-factor authentication doesn’t seem to be foolproof in this particular case. Microsoft explains that the “Exchange bug CVE-2021-42321 is a post-authentication vulnerability in Exchange 2016 and 2019.” Some post-authentication attacks can render two-factor authentication useless because the malware they deliver takes effect after a user has authenticated with a second security factor.
Microsoft recommends that the updates released on November 10th be installed immediately to optimize security for Exchange on-prem environments. Organizations using Exchange Online do not need to install updates as the company has done that automatically.
Microsoft’s notes at the link directly above indicate that it did not release a mitigation for the CVE-2021-42321 vulnerability and urge administrators to update their servers to resolve it.
Additionally, the company is not releasing updates for older, unsupported versions of Exchange, and it instructs admins to move to one of the supported Exchange Cumulative Updates (CUs) before the November Patch Tuesday updates can be installed.
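Checking whether each on-premises server is on a CU that can take the November update is the first step of the guidance above. The script below is an added example for this article, not Microsoft's own code; it uses the real Exchange Management Shell cmdlet Get-ExchangeServer and its AdminDisplayVersion property, but the minimum-build table is a placeholder that an administrator must fill in from Microsoft's published CU build numbers, and the comparison logic is an assumption about how a reader would want to report drift.

```powershell
# Added example (not from the article or Microsoft): report Exchange servers whose
# build is below the minimum CU required for the November 2021 security update.
# Run from the Exchange Management Shell. Fill in the PLACEHOLDER values from
# Microsoft's CU build table before use.

$MinimumBuild = @{
    # Major.Minor of AdminDisplayVersion -> lowest acceptable "Build.Revision"
    # (values below are placeholders, NOT real thresholds)
    '15.0' = [version]'0.0'   # Exchange 2013  - PLACEHOLDER
    '15.1' = [version]'0.0'   # Exchange 2016  - PLACEHOLDER
    '15.2' = [version]'0.0'   # Exchange 2019  - PLACEHOLDER
}

function Get-ExchangeBuildStatus {
    # AdminDisplayVersion renders as "Version 15.2 (Build 986.5)" whether it
    # arrives as a ServerVersion object locally or as a string over remote PowerShell,
    # so we parse the string form rather than relying on object properties.
    foreach ($srv in Get-ExchangeServer) {
        $text = [string]$srv.AdminDisplayVersion
        if ($text -notmatch 'Version (\d+\.\d+) \(Build (\d+\.\d+)\)') {
            [pscustomobject]@{ Name = $srv.Name; Version = $text; Status = 'UNPARSED' }
            continue
        }
        $family = $Matches[1]
        $build  = [version]$Matches[2]
        if (-not $MinimumBuild.ContainsKey($family)) {
            # e.g. Exchange 2010 (14.x): no supported CU, cannot receive the update
            $status = 'UNSUPPORTED-VERSION'
        } elseif ($build -lt $MinimumBuild[$family]) {
            $status = 'NEEDS-CU-FIRST'
        } else {
            $status = 'READY-FOR-UPDATE'
        }
        [pscustomobject]@{ Name = $srv.Name; Version = $text; Status = $status }
    }
}

# Usage: list every server, with the ones that need attention first.
Get-ExchangeBuildStatus | Sort-Object Status | Format-Table -AutoSize
```

The script deliberately treats an unparseable version string as a finding rather than silently skipping the server; a server you cannot assess is one you cannot confirm as patched.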
If you’re operating an on-premises MS Exchange environment, your actions are clear and urgent per the guidance above. If you are not, there are still actions you can take to improve your email security. Following are a few recommendations from experts in the email industry.
Larger Organizations. Large organizations generally have email security nailed down. Most have encryption programs for sensitive email and many of those encryption programs perform transparently, behind the scenes. Large organizations’ greatest vulnerabilities tend to lie with their employees. Typically, end-users don’t receive enough training in cybersecurity awareness and don’t know how to recognize phishing exploits and other social engineering schemes that aim to deliver malware.
Email or system administrators at any size organization should avoid running email clients under administrator privileges, because any malware delivered through the client then runs with those same privileges. At a minimum, restrict privileges while you’re logged in as an administrator.
Smaller Organizations. In smaller organizations, email users can assist their employers by sharing the responsibility for email security and taking the following measures, as applicable. These safeguards are also recommended for employees who work at home, and for individual consumers who use email.
The National Institute of Standards and Technology (NIST) also offers guidance for securing email and updated its downloadable document in October 2021.
Finally, organizations that operate customer loyalty programs, gift offers, and surveys collect sensitive information using website pages and online forms, and they drive customers to these tools via links in emails and pop-up ads. These companies need to identify and secure the vulnerabilities in their web pages, online forms, email enticements, and other tools to prevent hackers from stealing this hard-won data.
Email usage has come a very long way in 50 years, with more than four billion email users worldwide and some three million emails sent every second of every day. Not surprisingly, email has also become a highly popular vehicle for delivering malware and viruses. Phishing emails get more sophisticated all the time, making email security an ongoing challenge.
Microsoft Exchange owns a third of the email market and is a popular target for hackers, particularly nation-states seeking to do serious harm to the government and enterprise organizations that use this email product. The November 10th series of software updates should be adopted immediately to close known vulnerabilities, and email administrators who haven’t already done so should read Microsoft’s guidance online.
All email users can assist their employers by following some basic best practices for email use, and organizations should make certain that their employees understand the importance of these email security practices.