Email Whitelisting and the Risks of Automating Trust

Email whitelisting is the process of adding an email address to your approved senders list. In theory, it’s a smart choice because it ensures that important emails from trusted senders don’t wind up in junk or spam folders. In email security, whitelisting has the potential to cause unintended consequences. 

The trouble with automatic whitelisting 

A number of email security solutions have automated processes for whitelisting emails. Well intentioned, they inadvertently assign trust to email addresses for a number of unconvincing reasons. 

Automatic whitelisting is particularly problematic in the case of spear phishing or business email compromise (BEC). Some emails filters recognize simple email correspondence as a sign that a sender is trusted. For example, if you receive a spear phishing email and you respond to the hacker, the filter recognizes that you responded to the email, trust is assumed, and the email address is whitelisted. Going forward, emails from the hacker will not be filtered. 

Another way to trigger automatic whitelisting is through a CAPTCHA, which some email filters use to verify senders. In this scenario, if a user attempts to send you an email, the email filter triggers a CAPTCHA response test, which the sender must pass to verify that they’re not a robot. If the sender passes the test, their email address is verified and added to your whitelist. 

While the CAPTCHA method is effective in combatting spam bots, an email address that is trustworthy today might not be trustworthy tomorrow. If an email address is compromised after it has been whitelisted via CAPTCHA, it will not be filtered, rendering the CAPTCHA useless. 

Email whitelisting and compromised accounts 

According to a report by RiskBased Security, 37 billion data records were leaked in 2020. Of those records, 32 percent were email addresses. From phishing to malware, malicious emails distributed via compromised accounts can cause untold amounts of damage in corporate environments, including Microsoft 365.  

With a compromised Microsoft 365 account, a cybercriminal can launch phishing, malware, and spear phishing attacks from inside the suite. Recipients who are on the receiving end of these attacks often have no reason to suspect that an email is dangerous. Even when red flags are present, users might not recognize them if a sender is known to them. 

That’s exactly what happened with the wave of Emotet emails that were in rotation during mid to late 2020. Leveraging compromised accounts, hackers injected themselves into ongoing email threads, spreading Emotet malware via phishing links, Microsoft Office documents, and .ZIP files.  

Trust no one 

While your IT department can carefully select and remove safe senders, including individual email addresses and IPs, solutions that trigger automatic whitelists should be avoided. Trust by default offers a presumption of innocence that few—if any–email addresses should be afforded.  

Zero trust security architecture deviates from traditional architecture in that it never assumes that a sender is safe. With the zero trust security model, even internal senders are subject to continual authentication. Combined with the continual monitoring of email threats, both pre- and post-delivery, a zero trust email architecture assumes the worst and requires a thorough examination of each sender every time email delivery is attempted.