Why MX Records Matter in the Fight Against BEC and Spear Phishing


From whaling schemes designed to steal millions of dollars from a company in a single transaction, to malware attacks that can cripple systems until a ransom is paid, criminal attacks built on carefully crafted and carefully targeted emails are on the rise. The FBI recently reported that global losses from Business Email Compromise (BEC) scams rose 270% between January 2015 and April 2016.

These kinds of attacks do real damage. Billions of dollars have been stolen through these schemes, directly affecting corporate bottom lines.

In these sophisticated attacks, employees and business partners are targeted with emails that appear to come from a trusted source, often a company executive or a manager. The emails are meticulously designed, with corporate-standard signatures and sometimes a carefully crafted, entirely fictitious thread of "prior" messages. Finally, they appear to originate from a legitimate corporate email server. These emails succeed because they combine three critical elements that create legitimacy:

(1) The "sender" is known and trusted

(2) The emails are sent to logical recipients

(3) They originate from a seemingly trusted email domain

The most effective attacks originate from a domain that is a close variant of the company's actual email domain (instead of XYZ.com, the attacker registers XYZ.biz or XYZ-finance.net). Cybersquatters register domains like these every day. To turn a squatted domain into a spear-phishing platform, the phisher publishes an MX record for it, so that replies to the lure (the "can you confirm the wire details?" question) land in a mailbox the attacker controls. CISOs take note: the MX record is the key to proactive BEC defenses.

An MX (mail exchanger) record is a DNS resource record that names the server responsible for accepting inbound email on behalf of a domain, together with a preference value; when a domain publishes several MX records, sending servers try the lowest preference value first and fall back to the others. Strictly, a domain needs no MX record to send mail, but it does need one to receive mail, and a BEC conversation depends on the victim's replies reaching the attacker. An MX record appearing on a lookalike domain therefore signals that the domain is ready to hold a two-way conversation, which can help security professionals predict when an attack is imminent.

Using MX Records to Detect Threats

CISOs should immediately begin monitoring the internet for similar domains, or engage a partner to do so, paying particular attention to similar domains with active MX records.

Domain monitoring is nothing new; it has been part of corporate cyber defenses for years. So what has changed?

Historically, domain monitoring has been a slow-moving battleground, managed by the legal department. That’s because until recently, a copycat domain’s biggest threat to an enterprise was in the area of trademark infringement.

Trademark infringement is important, but it usually takes time for infringement to have a tangible impact on an enterprise. When third parties register a similar-sounding domain, or a domain using an actual trademark, it weakens, or in legal terms "dilutes", the uniqueness of the real trademark. If a trademark owner does not defend the mark against diluting activities, the owner can eventually lose trademark rights. The defense process, usually managed by the legal team, is well defined and has many steps. It can take months (and possibly years) to complete, and in the world of trademark infringement that timeline is acceptable.


The modern cyber threat world is starkly different.

Today, a rogue domain with an MX record represents danger on an entirely different scale. It is a launching platform for an imminent email attack that can steal funds or trade secrets, infect business networks with malware or ransomware, or give criminals deeper access into company networks. There is little reason for a criminal to publish an MX record on a copycat domain, or to acquire a similar domain that already has one, other than to attack. One practical caveat: some domain-parking services publish a default MX for every parked name, so a monitoring feed should record which mail host the MX points at; a lookalike whose MX changes from a parking default to a real mail host is the strongest signal of all.

For CISOs trying to protect their company from spear phishers, MX records can be an early warning system. When the security team gains intelligence about a rogue domain with an active MX record, it can immediately block inbound email whose sender domain matches it at the mail gateway. Such a block stops mail actually sent from the lookalike; it does not stop an attacker who spoofs only the display name, so treat it as one layer of defense rather than the whole of it. When an MX record goes active on a similar-looking domain, seconds count. Take decisive action right away and neutralize these potential attack platforms.
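The workflow described above, from generating lookalike names through checking their MX records to producing a gateway block list, as an added example written for this page rather than code from the article or any vendor. The lookup is injected as a function so the demo runs offline against a constructed zone; in production you would pass a wrapper around a real MX query (for instance dnspython's `dns.resolver.resolve(name, "MX")`). The substitution tables, the domain names and the mail hosts are all hypothetical, and the MX semantics it encodes are the ones defined in the text: lowest preference value wins, and a domain with no usable MX cannot receive replies.

```python
"""Lookalike-domain generation, MX triage and a Postfix reject map (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MXRecord = Tuple[int, str]                      # (preference, exchange)
MXResolver = Callable[[str], List[MXRecord]]    # returns [] when the name has no MX

# Hypothetical, deliberately small substitution tables; a real generator
# would carry full homoglyph and keyword lists.
HOMOGLYPHS: Dict[str, str] = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4"}
EXTRA_TLDS = ("biz", "net", "org", "co", "info")
SUFFIXES = ("finance", "payroll", "invoice", "mail")


@dataclass(frozen=True)
class Finding:
    domain: str
    primary_mx: str      # the exchange that would actually receive replies
    preference: int


def lookalikes(domain: str) -> List[str]:
    """Candidate copycat names for a registered domain such as 'xyz.com'."""
    label, _, tld = domain.lower().partition(".")
    cands = set()
    for t in EXTRA_TLDS:                               # TLD swap: xyz.biz
        cands.add(f"{label}.{t}")
    for s in SUFFIXES:                                 # add-on: xyz-finance.net
        for t in (tld,) + EXTRA_TLDS:
            cands.add(f"{label}-{s}.{t}")
    for i, ch in enumerate(label):                     # one homoglyph swap
        if ch in HOMOGLYPHS:
            cands.add(f"{label[:i]}{HOMOGLYPHS[ch]}{label[i + 1:]}.{tld}")
    for i in range(len(label) - 1):                    # transposition: xzy.com
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        cands.add(f"{swapped}.{tld}")
    cands.discard(domain.lower())                      # drop the real domain
    return sorted(cands)


def primary_mx(records: List[MXRecord]) -> Optional[Tuple[str, int]]:
    """Lowest preference wins (RFC 5321). A null MX '0 .' (RFC 7505) means the
    domain explicitly accepts no mail, so it is treated as no MX at all."""
    live = [(p, e.rstrip(".")) for p, e in records if e.rstrip(".")]
    if not live:
        return None
    pref, exch = sorted(live)[0]
    return exch, pref


def triage(domain: str, resolver: MXResolver) -> List[Finding]:
    """Return the lookalikes that can receive mail, i.e. have a usable MX.
    Names that resolve to nothing and names with no MX both come back empty
    here; a production feed should keep the registered-but-no-MX ones on watch."""
    findings = []
    for cand in lookalikes(domain):
        primary = primary_mx(resolver(cand))
        if primary is not None:
            findings.append(Finding(cand, primary[0], primary[1]))
    return findings


def postfix_sender_access(findings: List[Finding]) -> List[str]:
    """Lines for a Postfix check_sender_access map (run postmap on the file)."""
    return [f"{f.domain}\tREJECT lookalike domain with live MX {f.primary_mx}"
            for f in findings]


# Constructed zone data for the offline demo; none of these names are claimed
# to exist or to be malicious.
CONSTRUCTED_ZONE: Dict[str, List[MXRecord]] = {
    "xyz.biz": [(20, "mail2.xyz.biz."), (10, "mail.xyz.biz.")],
    "xyz-finance.net": [(0, "mx.hosted-mail.invalid.")],
    "xyz.net": [(0, ".")],          # null MX: registered, refuses mail
    "xyz.org": [],                  # no MX published (yet)
}


def stub_resolver(name: str) -> List[MXRecord]:
    """Stand-in for a real MX lookup; returns the constructed records above."""
    return CONSTRUCTED_ZONE.get(name, [])


if __name__ == "__main__":
    for line in postfix_sender_access(triage("xyz.com", stub_resolver)):
        print(line)
```

Run it and the two names with a usable MX (xyz-finance.net and xyz.biz) come out as REJECT entries, while xyz.net is skipped because its null MX says the domain cannot receive mail. The reject map keys on the sender domain, so it is only a first layer; it does nothing against mail that merely spoofs a display name.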

CISOs, it's time to talk to your legal teams about the realities of modern spear-phishing attacks. In many cases it makes sense for security teams to take over domain monitoring, integrating it with anti-phishing and other beyond-the-perimeter cyber defense initiatives. Of course, legal should still be alerted whenever a similar domain is discovered, because it may still represent a trademark risk. However, by implementing integrated MX-record monitoring and proactively blocking inbound email from these potential attack platforms, the security team dramatically reduces the enterprise's immediate risk from spear-phishing and BEC attacks.


In fact, security will probably mitigate the immediate threat from these attacks before the legal team sends out the first cease and desist letter.
