In last week’s blog, our experts provided an explanation on what a Business Email Compromise (BEC) scam involves.

Employees, and/or business partners, are strategically targeted with emails appearing to be from a trusted source (a CEO or manager). To deliver even more deception, the email content is meticulously designed, using corporate email signatures, and sometimes even skilfully crafted (but fake) email threads. As a final trick, the emails seem to come from a legitimate company email server.

Employees fall for these email attacks, because they combine three critical elements to give the impression of legitimacy:

  • The “sender” is known and trusted
  • The email is sent to a logical recipient
  • The message originates from a seemingly trusted email domain

Cyber-criminals have the most success with domains that are a close variant of a company’s actual email domain. For example: instead of, the criminal will register, or Registering of fake domains is growing increasingly popular as more domain extensions are made available. To turn their cybersquatting domain into the base camp of a spear phishing attack, the cyber-criminal simply activates the domain’s MX record.

ATTENTION ALL CIOs! Your company’s MX record is the key to proactive BEC defense.

A Mail Exchanger record (MX record) is a type of resource record in the Domain Name System that specifies a mail server responsible for accepting email messages on behalf of a recipient’s domain, and provides a preference value which is used to prioritise mail delivery if multiple mail servers are available. The set of MX records belonging to a domain name, specifies how email should be routed with the Simple Mail Transfer Protocol (SMTP).

Resource records are the basic information element of the Domain Name System (DNS). They are organised within the DNS based on their name field, which is a fully qualified domain name (FQDN) of a node in the DNS tree. In the case of an MX record, this specifies the domain name of a mail recipient’s email address, i.e. the portion after the @ symbol.

A Mail Transfer Agent (MTA) is software that looks at an email address and either delivers the email to a local mailbox, or sends it back out over the Internet to a remote machine.

When an e-mail message is sent through the Internet, the sending Mail Transfer Agent (MTA) queries the Domain Name System for the MX records of each recipient’s domain name. This MX query returns a list of mail exchange servers that are accepting incoming mail for that domain. The preference number for each record dictates the priority given to each server. The smaller the preference number, the higher the priority. Therefore, the sending agent will first try to establish an SMTP connection with the server that has the smallest preference number.

Tech Tip: The MX records with the lowest preference numbers are the most preferred. This phrasing, however, can be confusing, so the preference number is sometimes referred to as the “distance”: smaller distances are more preferred.

The SMTP client must try (and retry) each of the relevant addresses in the server list in priority order, until a delivery attempt succeeds. If there is more than one MX record with the same preference number, all of those must be tried before moving on to longer distance servers.

Generally, the primary server (i.e. one that knows how to deliver to the relevant user’s e-mail mailbox) is the most preferred, or has the highest priority. Lower priority servers, such as backup servers or secondary servers, usually keep the messages in a queue waiting for the primary server to become available. If both servers are online or in some way connected to one another, the backup server will typically queue a message briefly and immediately forward it to the primary server.

To carry out their attacks, spammers often redirect emails to one of the backup (long distance) servers of a domain first, to evade any anti-spam filters that might be running on the primary (shortest distance/highest preference) server. Backup servers usually have different anti-spam software, and using them can allow spammers to hide their IP address from the primary MX servers.

How MX Records Can Help To Detect Threats

CIOs should immediately begin monitoring for similar domains, particularly similar domains with active MX records.

Domain monitoring is not a new thing – it’s been an important cyber defense tool for years, however historically, monitoring has been more focussed on trademark infringement and is often a slow and tedious process primarily managed by the legal department of a business. A weakened trademark can have a significant impact on a business, but the defense process can take months (even years!) to complete.

In today’s world, a rogue domain with an active MX record, presents a much larger danger. It is the launch pad for future email attacks that can steal funds, infect your business networks with malware or ransomware, or give criminals access into the inner workings of your company.

MX records can provide early warning signs that your company may be under attack from spear phishing. You can take immediate steps to block any emails coming in from any possibly malicious domains. Once an MX record is activated, quick, decisive action is required to minimise the danger and neutralise the threat.

Implementing integrated MX-record monitoring, and proactively blocking inbound emails from dodgy domains, will drastically reduce your company’s risk of spear phishing or BEC attacks.

FraudWatch International can protect you from online brand abuse. Make us a part of your cyber security strategy today and avoid the cyber-attacks of tomorrow.