Suspicious emails from Postmaster

In IT terms the ‘Postmaster’ is the generic name given to an email server administrator, or the alias used for system-generated emails coming from the exchange server. Every domain has one (e.g. postmaster@myexampledomain.co.za) and every user should at some point have received an email from their respective postmaster. Because the postmaster address is generally used to send mailbox alerts to end-users, it is typically trusted implicitly. These alerts could be anything relating to email delivery notifications and statuses, password expirations, mailbox limits, security events, and the like.

Hackers know this too and actively utilise the recognised postmaster address as a means to trick users into trusting illegitimate emails claiming that their passwords have expired, or mailboxes are full. The techniques vary from campaign to campaign where hackers may spoof[1] the target organisation’s postmaster account, making it seem like an email that originates from the organisation’s exchange administrator, or craft the layout of an email to look identical to the template used internally for notifications. A ‘dark-ages’ example of these kinds of campaigns would be akin to a thief dressing as a postman and delivering mail/letters to gain entry to a home.

In most cases, automated spam filtering systems running on the exchange servers detect these spoofed emails and reject them, preventing the faked emails from ever reaching the end-users. But with persistence and perseverance from the hackers, some still make it through. There are various reasons why they are able to evade detection, but in most incidents it is due to previously unseen or unrecognised techniques. Hacking is a Hacker’s day job after all …

According to Microsoft, email accounts are usually hacked by cybercriminals because they are considered to be a weak link in an organisation’s security pipeline. Also, when hacked, they unlock a virtual treasure trove of information, including personal data, contacts, and sensitive corporate documents. Whenever anyone signs up for any online service, the user must typically enter an email address, and whoever controls that email address can reset the password and take over the account. All this can happen without the immediate knowledge of the account’s rightful owner.

To put this in perspective, Microsoft gave the example of an organisation having, say, 300 employees, with each employee having about 10 accounts linked back to their organisation’s email addresses. That would be 3000 accounts associated with the organisation. This is in addition to the email communication and contact lists which hackers might gain access to, monitor or control.

According to Mimecast, email phishing attacks are still the most favoured attack vector used by cyber criminals, with their volume more than doubling each year. Mimecast also reports that socially engineered COVID-19-related threats are specifically targeted at remote workers under the pandemic lockdown. It is also reported that business email compromise has remained the costliest cyber threat by far, with cyber criminals managing to get about $1.8 billion during 2020.

Identifying spoofed postmaster emails is relatively simple as there are a few common ways that campaigns are phrased in order to generate a response from the user. The following are a few of the more popular ones that are used in spoofed postmaster emails:

  • MAILBOX IS FULL
  • PLEASE LOG IN TO VIEW
  • PASSWORD HAS EXPIRED
  • ACCOUNT WILL BE BLOCKED
  • RE-AUTHENTICATE ACCOUNT
  • AUTHENTICATE DOMAIN CREDENTIALS
  • URGENT EMAILS HELD, LOG IN TO RELEASE

These spoofed emails will most likely also contain a link or URL to allow quick navigation to a login page. If one is unsure about whether a postmaster email is a spoof or not, it is advisable to simply ignore the email and contact your organisation’s IT administrator to get their feedback and advice.
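As an added illustration (not part of the original article), the following Python function checks a raw message for the pattern described above: a From address claiming the organisation's own postmaster, a failed SPF/DKIM verdict in the receiving server's Authentication-Results header, one of the listed subject phrasings, and a link to a host outside the organisation's domain. The organisation domain, the two sample messages and the "2 or more" threshold are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subject phrasings the article lists as common in spoofed postmaster emails.
LURE_PHRASES = ("MAILBOX IS FULL", "PLEASE LOG IN TO VIEW", "PASSWORD HAS EXPIRED",
                "ACCOUNT WILL BE BLOCKED", "RE-AUTHENTICATE ACCOUNT",
                "AUTHENTICATE DOMAIN CREDENTIALS", "URGENT EMAILS HELD")
URL_HOST_RE = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)

def triage(raw_message: str, org_domain: str) -> dict:
    """Count spoofed-postmaster indicators in a raw RFC 5322 message. A genuine
    postmaster notice scores 1; 2 or more means ask the IT administrator first."""
    org = org_domain.lower()
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    # SPF/DKIM verdicts; only meaningful when added by your own receiving server.
    auth = msg.get("Authentication-Results", "").lower()
    # Gather text/HTML bodies (works for single-part and multipart messages).
    body = "\n".join(
        (p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
        for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html"))
    # Link hosts outside the organisation's domain and its subdomains.
    external = sorted({h.lower() for h in URL_HOST_RE.findall(body)
                       if h.lower() != org and not h.lower().endswith("." + org)})
    indicators = {
        "claims_org_postmaster": from_addr == f"postmaster@{org}",
        "auth_failed": any(v in auth for v in ("spf=fail", "spf=softfail", "dkim=fail")),
        "lure_subject": any(s in msg.get("Subject", "").upper() for s in LURE_PHRASES),
        "external_link": bool(external),
    }
    return {"indicators": indicators, "external_links": external,
            "score": sum(indicators.values())}

# Constructed sample: a spoofed notice sent under the org's postmaster address.
SPOOFED = """\
From: IT Helpdesk <postmaster@example.co.za>
Subject: PASSWORD HAS EXPIRED - re-authenticate account today
Authentication-Results: mx.example.co.za; spf=fail smtp.mailfrom=bounce.example.net; dkim=none

Your password has expired. Log in at http://owa.example.net/login to keep your account.
"""
# Constructed sample: a genuine delivery notification from the same postmaster.
GENUINE = """\
From: postmaster@example.co.za
Subject: Delivery status notification
Authentication-Results: mx.example.co.za; spf=pass smtp.mailfrom=example.co.za; dkim=pass

Your message was delivered. Details: https://mail.example.co.za/status
"""
```

Run it with `triage(SPOOFED, "example.co.za")` and `triage(GENUINE, "example.co.za")` to compare the two samples; the returned indicators show which of the four checks fired.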

[1] Spoof: In the context of information security, especially network security, a spoofing attack is a situation in which an individual or program successfully identifies itself as someone else by falsifying data in order to gain an illegitimate advantage.