Security Manager's Journal: Not-so-innocent email distribution lists

Is everything a potential security vulnerability? Is there nothing that a security manager shouldn't look at with suspicion?

Trouble Ticket

At issue: A phishing attack gets through to 900 users on a single email distribution list.

Action plan: Find out how many email distribution lists are externally available.

What, for example, could seem more innocent than an email distribution list? Such lists are convenient and ubiquitous, and in a company of any size at all, indispensable. They let you send an email to everyone in, say, marketing, by just putting the name of the marketing group in your email's "to" field. You don't have to worry about leaving anyone out, as long as your company's Exchange or Notes administrator sees to it that the lists are kept up to date. They certainly don't seem suspect.

Last week, however, distribution lists were implicated when we looked into something that turned out to be a rather brazen phishing expedition.

It started with the help desk receiving emails from several employees complaining that they were unable to access our company's payroll website and that they had gotten emails stating that either the certificate used to access the payroll site had expired (and they needed to click on a link to validate the certificate) or the password for the site had expired (and they needed to log in to change the password). That sounded like phishing to me, and sure enough, when I moved my cursor over the link in the email, a very different Web address was displayed.
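The hover check described above (link text that shows one address while the href points somewhere else) is easy to automate for a help desk that receives forwarded suspect mail. The following PowerShell function is an added example, not part of the original column; the sample HTML body, the `example.com` host name and the 198.51.100.23 address are constructed test values, not artifacts from the incident.

```powershell
# Added example: flag anchors whose visible text looks like a URL or host name
# but whose href resolves to a different host. Input is the HTML body of a
# suspect message (here a constructed sample, not the phishing mail itself).

function Find-MismatchedLinks {
    param([Parameter(Mandatory)][string]$HtmlBody)

    # Capture href (group 1) and the anchor's inner content (group 2).
    $anchor = '<a\s+[^>]*href\s*=\s*["'']([^"'']+)["''][^>]*>(.*?)</a>'

    foreach ($m in [regex]::Matches($HtmlBody, $anchor, 'IgnoreCase,Singleline')) {
        $href = $m.Groups[1].Value
        # Strip nested tags so only the text the user actually sees remains.
        $shown = ($m.Groups[2].Value -replace '<[^>]+>', '').Trim()

        $target = $null
        if (-not [System.Uri]::TryCreate($href, [System.UriKind]::Absolute, [ref]$target)) {
            continue   # relative or malformed href: nothing to compare against
        }

        # Only anchors whose displayed text itself looks like an address matter;
        # "Help desk" or "click here" cannot "lie" about a host.
        if ($shown -match '^(https?://)?([a-z0-9.-]+\.[a-z]{2,})') {
            $shownHost = $Matches[2]
            if ($shownHost -ne $target.Host) {
                [pscustomobject]@{
                    DisplayedText = $shown
                    DisplayedHost = $shownHost
                    ActualHost    = $target.Host
                    ActualUrl     = $href
                }
            }
        }
    }
}

# Constructed sample resembling the "expired certificate" lure, not the real mail.
$sample = @'
<p>The certificate for the payroll site has expired. Validate it here:</p>
<a href="http://198.51.100.23/validate">https://payroll.example.com/validate</a>
<p>Questions? Contact the <a href="https://intranet.example.com/help">Help desk</a>.</p>
'@

# Expected: one object, DisplayedHost payroll.example.com vs ActualHost 198.51.100.23;
# the "Help desk" link is ignored because its visible text is not an address.
Find-MismatchedLinks -HtmlBody $sample | Format-Table -AutoSize
```

Pipe the HTML body of a forwarded message into `Find-MismatchedLinks`; any row returned is the same mismatch a careful user would see on hover, with the real destination host listed for blocking or lookup.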

Wanting to know more, we investigated the link. What we found was that any user who had done the same was encouraged to install a file. We then downloaded the file in a secure environment for forensic analysis and identified it as a piece of malicious software for connecting to a site in China. It looked as if the idea was to trick unsuspecting users into making their PCs available to a command-and-control network operated out of China. Fortunately, our endpoint protection client is able to detect the software and prevent it from executing. Unfortunately, at any given time, about 6% to 7% of our desktops are not protected or haven't been updated with the proper pattern files, so there is the possibility that some machines on our network are now zombies.

But what does any of this have to do with distribution lists? Well, the phishing email was sent to an externally available distribution list with more than 900 users. That made it easy for us to determine which machines might be compromised, so we'll be able to check each one and make sure it has the proper endpoint protection client installed.

Rein In Those Lists

There was no good reason for this distribution list to be externally available. That led me to ask our email administrators how many of our distribution lists are configured similarly. The answer was astonishing: We have more than 3,000 distribution lists (and just 4,000 employees, mind you), and more than 400 of them are externally available. I can't see any reason why our external partners would need more than 20 or 30 lists. Clearly, we have a process problem.

In fact, some of our help desk staffers have been marking distribution lists as externally available by default. They will be educated to do otherwise. We are also going to audit all of the externally available lists and eliminate any for which there is no business justification. From now on, no distribution list will be externally available without my approval.

To ensure compliance, I'm having our security analyst investigate whether we can use our security incident and event management tool to alert us when a newly created distribution list is marked as "externally available." I've also asked our email administrators to investigate why our external spam-filtering service didn't protect us from this attack. And finally, this is a great opportunity to send out a global email to warn everyone about phishing attacks and provide tips on how to spot one.
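The two follow-up actions above, auditing every externally available list and catching new ones as they are created, map directly onto Exchange management cmdlets. The script below is an added example and not the column author's own tooling; it assumes an on-premises Exchange environment (the column also mentions Notes, which is not covered), that it is run from the Exchange Management Shell with rights to read distribution groups and the admin audit log, and that "externally available" means the list accepts mail from unauthenticated outside senders (`RequireSenderAuthenticationEnabled` set to `$false`). The output file name is a placeholder.

```powershell
# Added example (assumptions: on-premises Exchange, Exchange Management Shell,
# "externally available" == RequireSenderAuthenticationEnabled -eq $false).

# 1. Inventory: every list open to outside senders, largest membership first.
#    This is the review queue for the "no business justification" audit.
function Get-ExternallyAvailableLists {
    Get-DistributionGroup -ResultSize Unlimited |
        Where-Object { -not $_.RequireSenderAuthenticationEnabled } |
        ForEach-Object {
            $group   = $_
            $members = @(Get-DistributionGroupMember -Identity $group.Identity -ResultSize Unlimited).Count
            [pscustomobject]@{
                Name        = $group.Name
                Address     = $group.PrimarySmtpAddress
                Members     = $members
                WhenCreated = $group.WhenCreated
            }
        } |
        Sort-Object Members -Descending
}

# 2. Detection: lists created or reconfigured to accept outside mail recently,
#    pulled from the admin audit log. Scheduled daily (or forwarded to the SIEM),
#    this catches a help desk change made "by default" before it is abused.
function Get-RecentlyOpenedLists {
    param([int]$Hours = 24)

    Search-AdminAuditLog -Cmdlets New-DistributionGroup, Set-DistributionGroup `
                         -Parameters RequireSenderAuthenticationEnabled `
                         -StartDate (Get-Date).AddHours(-$Hours) -EndDate (Get-Date) |
        Where-Object {
            $params = $_.CmdletParameters
            @($params | Where-Object {
                $_.Name -eq 'RequireSenderAuthenticationEnabled' -and "$($_.Value)" -eq 'False'
            }).Count -gt 0
        } |
        Select-Object RunDate, Caller, ObjectModified, CmdletName
}

# Usage: write the inventory to a CSV for the audit (placeholder path) and print
# any list opened to outside senders in the last day for approval follow-up.
Get-ExternallyAvailableLists | Export-Csv -Path '.\external-lists-PLACEHOLDER.csv' -NoTypeInformation
Get-RecentlyOpenedLists -Hours 24 | Format-Table -AutoSize
```

The inventory answers the column's headline question (how many lists, and how large they are) in one pass, and the audit-log query gives a concrete event to alert on: a change to `RequireSenderAuthenticationEnabled` by anyone other than the approving manager is the signal that the new approval rule was bypassed.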

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at
