Introducing the Email

The volume of emails and data going around is quite substantial.

On a daily basis the average office worker receives well over 100 emails. Among those, we are sending and receiving attachments, confidential data, password resets, invoices, links, contact information and more.

In the previous module, we touched on the creation but not the structure of an email. When email was originally conceived of, none of it was really private. It was not inherently designed to serve us the way it does today. Simply put, if you are not using encryption, whether when sending an email, or for your mailbox (at rest), or the connection to the server, it is very simple for a hacker to read your emails and even modify them. To understand this, we need to look at the technical elements of an email.

Email Structure

There are 3 core components to an email:

The Envelope

A traditional letter would have the sender’s address, the destination, postage and an envelope that holds it all together, including the letter itself. Much like traditional mail, email has an envelope that has information about the sender and the reply-to address. When you receive an email, the server has already received the envelope – what you see is the contents as displayed to you by your email client (such as Gmail or Outlook).

We will come back to this later, but one feature of email is that the sender and the reply-to address don’t have to be the same. The email server verifies and then removes the envelope. So without adequate security, the headers that you see could seem to be authentic, but the real sender could be an imposter “enveloped” in a disguise. This has allowed scammers to spoof emails, sending emails that appear to come from PayPal but the response goes somewhere else entirely. Think of it as if the reply-to address on the envelope isn’t the same as the reply-to inside the actual letter.

The Header

The header identifies routing information for an email, which includes information like the sender, recipient, date and subject. Mandatory headers include the FROM, TO and DATE headers, while optional ones include the SUBJECT and CC (notice how you can send email with those two, but you can’t send an email without the other three).
Where email headers become risky is in the Return Path, the FROM display name, the alignment or appearance of the FROM domain name, the reply-to address, and the presence of any unusual or “clickbait”-like messages in the subject line.
The Return Path is the address that an email really comes from. Most of us won’t notice this because it’s stripped at the server level, so that we only see the FROM address in our email clients, but often an imposter will pretend to be sending from a trusted organization or domain while the Return Path can identify where they are actually coming from. A good email filter will identify mismatches or inappropriate emails here and, under specific conditions, keep them away from users who may be targeted by imposter attacks.
The FROM display name could also be written as a familiar name, while the domain name attached to the email could be a general Gmail or other account that anyone could create, or be a completely unknown domain altogether. As for the appearance of the domain name, there could be “lookalike” domains that confuse capital i’s and lower-case L’s, allowing “walmart.com” and “waImart.com” to look completely identical, while one is legitimate and the other is not. Another example that applies to most email clients is two “nn” letters together appearing to be an “m”. This is a great and simple way to pretend to be someone important.
A reply-to address could be another tricky workaround. For instance, a criminal could rig their email server to perfectly spoof all the headers that you receive in your email, but then to get access to whatever it is they’re trying to access (usually either money or data), they simply change the “reply-to” address so that when you click the reply button in your email client, you’ll be talking to them instead of the person you actually think you’re talking to.
One last point is to watch out for subject lines that scream urgency or offers that are too good to be true. Whether it’s something dramatic like “since our last meeting” or “I can’t believe you’ve done this”, there are all kinds of ways that criminals take advantage of urgency and eagerness to please in order to get your attention and trick you into doing something you’re not supposed to.
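
The header checks described above (Return Path, reply-to, display name and lookalike domain), sketched as an added example that is not part of the original course material. The sample message, the addresses and the TRUSTED_DOMAINS allow-list are constructed for illustration; a mismatch is a signal for a filter to weigh, not proof of fraud on its own.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every address and domain here is made up.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
From: "Walmart Billing" <billing@waImart.com>
Reply-To: accounts@freemail.example.org
To: bill@example.com
Date: Mon, 01 Jan 2024 09:00:00 +0000
Subject: Please pay this invoice

Hey Bill, it's Jim, please pay this invoice.
"""

TRUSTED_DOMAINS = {"walmart.com", "paypal.com"}  # assumed allow-list

def domain_of(header_value):
    """Domain part of the address in a header, original case kept ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2] if "@" in addr else ""

def skeleton(domain):
    """Fold the lookalikes named in the text: capital I vs l, and nn vs m."""
    return domain.replace("I", "l").lower().replace("nn", "m")

def check_headers(raw):
    """Return a list of warning labels for one raw message."""
    msg = message_from_string(raw)
    display, _ = parseaddr(msg["From"] or "")
    from_raw = domain_of(msg["From"])
    from_dom = from_raw.lower()
    findings = []
    # Return-Path and Reply-To pointing somewhere other than the FROM domain.
    for header, label in (("Return-Path", "return-path-mismatch"),
                          ("Reply-To", "reply-to-mismatch")):
        other = domain_of(msg[header]).lower()
        if other and other != from_dom:
            findings.append(label)
    for good in sorted(TRUSTED_DOMAINS):
        brand = good.split(".")[0]
        # Looks like a trusted domain on screen but is a different domain.
        if skeleton(from_raw) == skeleton(good) and from_dom != good:
            findings.append("lookalike-of:" + good)
        # Familiar brand in the display name, unrelated sending domain.
        if brand in display.lower() and from_dom not in TRUSTED_DOMAINS:
            findings.append("display-name-brand-mismatch:" + brand)
    return findings

if __name__ == "__main__":
    print(check_headers(SAMPLE))
```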

The Body

This contains the contents of the email, much like the letter part of traditional mail, as well as containing any attachments. While it should be safe and secure, this can be used to deceive you. Scammers imitate and impersonate your favorite brands, using logos, graphics and content to get you to trust them. They might make false requests phishing (yes, pun intended) for information or attempting to separate you from your money. Often, it can be as simple as something saying “Hey Bill, it’s Jim, please pay this invoice”.

The body of an email could also contain malicious links, either to password reset pages, fake signups for services, or to hosted forms of malware, ransomware, spyware or anything and everything that could damage you, steal your data, or get money for an attacker. Aside from the main body of an email, scammers are able to spread malware, viruses and other attack vectors (including, yes, fake invoices) through the body, by use of links or in attachments.

Email Hosting & Clients

Email has to be hosted in a centralized location to allow for transfer and retrieval in a timely manner. This hosting is done with a server on your business’s premises, or through a hosted service like Office 365, which hosts the email “in the cloud” (essentially a server your company rents offsite, often providing lower costs and more flexibility). The email client, whether Outlook, Gmail or another, is a program that retrieves and displays your message, and enables you to read, write and reply to your email, along with other functions.

Where Email Security Comes In

Email security is designed to cover the security of your entire email infrastructure.

Some of the tools used in email security will include spam filtering to keep out unsolicited emails, while more targeted attacks are addressed by Advanced Threat Protection or ATP solutions. These solutions will scan for dangerous attachments or URLs within emails, and will also include tests and criteria to programmatically judge whether an email is authentic or coming from an imposter. Sophisticated forms of these solutions will also “Sandbox” URLs and attachments, meaning that they will find a way to scan a URL every time it’s clicked, or they’ll open and execute attachments in test environments before they’re even delivered to ensure that the content is safe and can be trusted.

Encryption will ensure that your email setup is secure, that your inboxes are protected at rest and you can send and receive email with peace of mind. If any of that sounds a bit confusing, don’t worry, we will come back to those key concepts later on. This is only to illustrate that there’s a lot going on behind the scenes to ensure you are not putting yourself or your organization at risk when you go about your everyday use of email. This program will help you understand what your responsibilities are, but it also should illustrate the role technology is playing.

Before we get deeper into the individual threats and how to avoid falling victim to them, it’s important to recognize here that while the threats are real and menacing, email security awareness goes a long way to ensuring your security. The tools do a lot of the grunt work. In fact, they stop upwards of 99.9% of all unsolicited emails. With billions of emails being sent daily, there is a lot of data being generated in real-time. This data is used to allow email security providers to spot criminal trends, yet there is still a 1 in 1000 chance that the malicious email reaches you. In this case, your email security awareness will help reduce the impact of that email even closer to zero.
