UK NCSC

The United Kingdom's National Cyber Security Centre (NCSC) has announced a new email security check service to help organizations identify vulnerabilities that could allow attackers to spoof emails or lead to email privacy breaches.

The government agency, which leads the UK's cyber security mission, says the Email Security Check tool requires no sign-ups or personal details.

This service was developed and is now provided online for free as a direct response to some UK sectors having a superficial adoption of recommended email security controls (as low as just 7% in some cases), as highlighted in NCSC's guidance on email security and anti-spoofing.

Using Email Security Check allows defenders to look up publicly available information about email domains and check for anti-spoofing and email privacy risks.

It works by checking publicly available internet DNS records to verify if anti-spoofing controls (notably the DMARC Policy) are correctly configured and the TLS configuration by initiating a server "handshake."

"It checks that anti-spoofing standards, such as DMARC, are configured correctly to help organisations prevent cyber criminals from abusing their domain and sending out malicious emails pretending to be them," the NCSC said.

"It also looks up whether privacy protocols, such as TLS, are in place to ensure that emails are encrypted when in transit so they cannot be accessed and remain confidential between mail servers."

While the Email Security Check service will only be able to identify vulnerabilities that cybercriminals can discover, its goal is to help organizations identify them before they're exploited and the email domain targeted in attacks.

Eligible organizations can also gain access to more "in-depth guidance" on securing their email by signing up for the NCSC's free Mail Check service.

However, Mail Check is not currently available for the private sector, but only to orgs from central government, local authorities, devolved administrations, emergency services, NHS organizations, academia, and charities.

"Our new Email Security Check tool helps users identify where they can do more to prevent spoofing and protect privacy and offers practical advice on how to stay secure," said Paul Maddinson, NCSC Director for National Resilience and Strategy.

"By following the recommended actions, organisations can help bolster their defences, demonstrate they taken security seriously, and make life harder for cyber criminals."

Although the tool can check the security of email domains, it cannot check if individual emails or email domains are malicious. The NCSC advises those receiving suspicious emails to report them by forwarding them to report@phishing.gov.uk.

Related Articles:

Ransomware as a Service and the Strange Economics of the Dark Web

Price drop: Get an security and IT education for just $39.97

Over 100 US and EU orgs targeted in StrelaStealer malware attacks

UK bakery Greggs is latest victim of recent POS system outages

What the Latest Ransomware Attacks Teach About Defending Networks