{"id":27784,"date":"2024-07-29T23:04:12","date_gmt":"2024-07-29T17:34:12","guid":{"rendered":"https:\/\/www.kaspersky.co.in\/blog\/from-reply-to-check\/27784\/"},"modified":"2024-07-29T23:04:22","modified_gmt":"2024-07-29T17:34:22","slug":"from-reply-to-check","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/from-reply-to-check\/27784\/","title":{"rendered":"Why compare From and Reply-To?"},"content":{"rendered":"<p>We\u2019ve recently improved the accuracy of detecting spear phishing and business email compromise (BEC) attacks by adding a tiny but important check to our email security products. Now, if our mail-protection engine flags an email as suspicious for whatever reason, we match the domain in the <em>From<\/em> header against that in the <em>Reply To<\/em> header. And it\u2019s surprisingly effective; this simple check succeeds in weeding out a large portion of rather sophisticated attacks. Here\u2019s how it works.<\/p>\n<h2>How to detect sophisticated email attacks?<\/h2>\n<p>\nSpear phishers who carry out targeted email attacks traditionally go to great lengths to make their emails seem legitimate. These aren\u2019t the kind of bad guys who email out attachments with Trojans inside; instead, they tend to hide phishing links under multiple layers of subterfuge. And this is why security solutions capable of detecting targeted emails rarely deliver a verdict based on a single criterion, but rather on a combination of suspicious signs. Matching the <em>From<\/em> and <em>Reply To<\/em> fields is one of these criteria.<\/p>\n<h2>How does matching the headers help?<\/h2>\n<p>\nMost attackers, even when compromising business correspondence, don\u2019t bother hacking legitimate domains. Instead, they exploit the often-limited \u201cexpertise\u201d of mail-server administrators. In fact, on a huge number of domains, mail authentication methods \u2014 like <em>Sender Policy Framework<\/em> (SPF) and especially <em>Domain-based Message Authentication, Reporting, and Conformance<\/em> (DMARC) \u2014 don\u2019t work very effectively (if at all). In the best-case scenario, these mechanisms are technically enabled, but configured so loosely to avoid false positives that they become practically useless.<\/p>\n<p>This laxity allows threat actors (sometimes including those behind full-blown APT attacks) to simply take the domain of the targeted organization and put it in the <em>From<\/em>, or even the <em>SMTP From<\/em> header. However, since they don\u2019t want to just deliver an email, but also get a direct reply to it, they have to put their own address in the <em>Reply To<\/em> field. This tends to be a disposable email address or an address hosted on a free email service. And that\u2019s what gives them away.<\/p>\n<div id=\"attachment_51861\" style=\"width: 719px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2024\/07\/29230419\/from-reply-to-check-headers.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-51861\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2024\/07\/29230419\/from-reply-to-check-headers.jpg\" alt=\"From and Reply To headers in the suspicious letter\" width=\"709\" height=\"350\" class=\"size-full wp-image-51861\"><\/a><p id=\"caption-attachment-51861\" class=\"wp-caption-text\">From and Reply To headers in the suspicious letter<\/p><\/div>\n<h2>Why not match the headers all the time?<\/h2>\n<p><em>From<\/em> and <em>Reply To<\/em> don\u2019t always have to match. There are many legitimate cases when an email may be sent from one mail server, but the reply is expected at another. The simplest example of this is newsletters and marketing emails: a specialized mailing-service provider sends them, but its client is the one who\u2019s interested in the responses. Therefore, if the <em>From<\/em> and <em>Reply To<\/em> check were always enabled, it\u2019d generate false positives.<\/p>\n<h2>Where\u2019s the technology deployed?<\/h2>\n<p>\nThe check is integrated into all our corporate email security products: <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/mail-server?icid=in_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksms___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Security for Microsoft Exchange Server<\/a>, <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/microsoft-office-365-security?icid=in_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kso365___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Security for Office 365<\/a>, <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/mail-server?icid=in_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksms___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Security for Linux Mail Server<\/a>, and <a href=\"https:\/\/www.kaspersky.co.in\/small-to-medium-business-security\/mail-security-appliance?icid=in_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Kaspersky Secure Mail Gateway<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A simple technology that significantly improves email protection.<\/p>\n","protected":false},"author":2598,"featured_media":27787,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2036,2609],"tags":[2833,19,76,504,1037],"class_list":{"0":"post-27784","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-bec","10":"tag-email","11":"tag-phishing","12":"tag-products-2","13":"tag-technologies"},"hreflang":[{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/from-reply-to-check\/27784\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/from-reply-to-check\/23114\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/from-reply-to-check\/30466\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/from-reply-to-check\/27994\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/from-reply-to-check\/37982\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/from-reply-to-check\/51859\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/from-reply-to-check\/28128\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/from-reply-to-check\/33927\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/from-reply-to-check\/33592\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.in\/blog\/tag\/products-2\/","name":"products"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/27784","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/users\/2598"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/comments?post=27784"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/27784\/revisions"}],"predecessor-version":[{"id":27786,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/27784\/revisions\/27786"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media\/27787"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media?parent=27784"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/categories?post=27784"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/tags?post=27784"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}