The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned election-related entities to be on the lookout for phishing attacks.
In an insight piece published on September 10, CISA highlighted malicious actors' preference for phishing when targeting political parties, think tanks and other entities that might be involved in an election. The agency noted that a successful phish can lay the groundwork for secondary attacks. A password harvested from one victim can be replayed against that user's other web accounts, since passwords are widely reused, and exposed credentials can seed password spraying (a small set of likely passwords tried across many accounts) and brute-force attacks.

In response, CISA recommended that election-related entities take several steps to strengthen their email security. First, it emphasized that organizations should use the services their email provider already offers, such as multi-factor authentication (MFA) and advanced protection tools. Second, it noted that organizations can better secure their users' accounts with MFA, a password manager, a breach monitoring service and password guidelines that favor "user-friendly" passphrases made of several words over short strings of symbols and numbers. Third, it urged organizations to harden email authentication and reduce the likelihood of spoofed phishing emails: enable STARTTLS so mail is encrypted in transit, disable outdated protocols, publish SPF and DKIM records, and ideally set a DMARC policy of "reject" so that receiving servers discard mail that fails authentication rather than merely reporting on it. Finally, it recommended that organizations configure their email gateway solutions to detect phishing emails with the help of updated blocklists, header screening and other best practices.

This bulletin arrived on the same day that Microsoft revealed that malicious actors from Russia, China and Iran were launching digital attacks against both campaigns in the 2020 U.S. presidential election. These findings underscore the importance of educating users about spear-phishing and the other well-known types of phishing attacks in circulation today.
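To make the third recommendation concrete, the following evaluator shows why the DMARC policy value matters: with the same SPF and DKIM verdicts, a spoofed message is delivered under p=none, held under p=quarantine and discarded under p=reject. This is an added example written for this page, not code from CISA or the original article. It assumes the SPF and DKIM checks have already been run and their results (pass/fail plus the domain each check authenticated) are handed in, it approximates the organizational domain as the last two labels rather than consulting the Public Suffix List, and it ignores the pct= and reporting tags; all of those simplifications are assumptions of this example.

```python
"""DMARC alignment evaluator (added example, not from the CISA insight).

Inputs are the results an SPF/DKIM verifier would already have produced;
no DNS lookups are performed, so the block runs offline.
"""
from typing import Optional, Tuple


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s' into tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    if "p" not in tags:
        raise ValueError("DMARC record is missing the required p= tag")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.

    Assumption of this example: real DMARC uses the Public Suffix List, so
    names like example.co.uk would be handled incorrectly here.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Check identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) accepts the same organizational domain."""
    if not auth_domain:
        return False
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if mode.lower() == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record: str, from_domain: str,
             spf_result: str, spf_domain: Optional[str],
             dkim_result: str, dkim_domain: Optional[str]) -> Tuple[str, str]:
    """Return (dmarc_result, receiver_action) for one message.

    spf_domain is the MAIL FROM (envelope) domain the SPF check authenticated;
    dkim_domain is the d= value of a DKIM signature that verified.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"

    # Subdomains fall under sp= when it is present, otherwise under p=.
    policy = tags["p"]
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    actions = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    if policy.lower() not in actions:
        raise ValueError(f"unknown DMARC policy {policy!r}")
    return "fail", actions[policy.lower()]


if __name__ == "__main__":
    # Constructed scenario: a phish claims to be From: example.org, but both SPF
    # and DKIM only authenticate the attacker's own domain, so nothing aligns.
    spoof = ("example.org", "pass", "attacker.example", "pass", "attacker.example")
    for rec in ("v=DMARC1; p=none", "v=DMARC1; p=quarantine", "v=DMARC1; p=reject"):
        print(rec, "->", evaluate(rec, *spoof))
    # Legitimate mail relayed through mail.example.org passes under relaxed SPF alignment.
    print(evaluate("v=DMARC1; p=reject", "example.org", "pass", "mail.example.org", "none", None))
```

The monitoring-only p=none value is the right starting point while SPF and DKIM sources are being inventoried, because it changes nothing about delivery; the protection CISA describes only arrives once the policy is moved to quarantine and then reject.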
This resource is a good place to start.