One of the reasons I just wrote that four-part series on where email authentication is helpful against phishing, and where it is not so helpful, is that I wanted to examine the John Podesta email hack.
In case you're not aware, John Podesta was the chair of Hillary Clinton's campaign for President of the United States. Earlier this year, his email account was compromised by an unknown party, and his emails were leaked to WikiLeaks. This caused a tailspin in the Clinton election campaign.
Opponents of Clinton seized upon some of the more sensitive (?) emails that showed the party colluding against Bernie Sanders in the primary, and purportedly showed some of the negatives of the Clinton campaign overall. Proponents of Clinton sought to downplay this as the content not being that bad as it’s how politics work, or that the criticisms were overblown, or that the Trump campaign was benefiting from their campaign not being hacked by a foreign power and thus not having a chance to have their own inner workings exposed.
Some (perhaps many) believe that this affected the outcome of the election by demotivating enough voters to not show up and vote, thus giving the election to Donald Trump. While there are other factors that contributed to the result, it’s probably true that removing some of them could have caused a different result. And it may be true that removing this one may have caused a different result.
Thanks, Thought Bubble.
Let's assume for a moment that had Podesta not been hacked, Hillary Clinton would have won.[1] How could Podesta have avoided being hacked?
When I first started reading in my Facebook feed[2] that Podesta had probably clicked on a phishing scam, entered his username and password, and that's how the hackers got into his account, I saw someone post "If the spoofed domain had published a #DMARC record, he would have never been hacked."
Is that true?
I went and started doing some investigation.
First, I assumed that the message Podesta presumably clicked on was a direct phishing message. That may not be the case. Instead, here's what happened:
- Podesta got a phishing message from "Google <firstname.lastname@example.org>" indicating that someone had his password and that Google had blocked a sign-in from an IP address. The IP address was geolocated to Ukraine, and he was told to change his password immediately. There is then a link to a bit.ly URL that redirects to a phishing page. It is not clear whether Podesta acted on this email directly, although it certainly looks like a real Google notification.
- An email thread then ensues with an IT representative of the Clinton campaign, with the above phishing message forwarded inline. His advice is that it is "a legitimate email"[3] and that Podesta should change his password immediately. He then advises changing the password at https://myaccount.google.com/security. In other words, he provided the correct advice.
- The reply got forwarded around, eventually reaching Podesta as well as another Clinton staffer, who replies that they will get Podesta to change his password and also turn on two-step verification for sign-in.
- At some point, someone (Podesta, in all likelihood) clicked on a link to reset his password, but it appears he clicked on the bit.ly link, not the actual Google link.
Let’s look to see how technology could have helped.
First, DMARC wouldn’t have helped
I couldn’t find the original email message (the direct phishing) that was sent to Podesta, I could only find the email chain that contained the forwarded phishing message. Thus, I don’t know what IP address it was sent from.
However, we can see that it was spoofing accounts.googlemail.com.
As of today, accounts.googlemail.com does not publish a DMARC record of its own. However, the parent domain googlemail.com publishes a DMARC record with p=reject and a subdomain policy of sp=quarantine, which is the policy a receiver applies to mail claiming to be from accounts.googlemail.com.
I did a quick search of our own email logs, and on March 19, 2016, googlemail.com already had a DMARC record published. So Google didn't just add it after this hack was announced; it was in place at the time of the original phish.
Since this was a spoofed message, it would have failed DMARC, and under sp=quarantine a receiver that evaluates DMARC would have marked it as spam. So, unless the recipient went digging through their spam folder and thought it was a real message, Podesta should never have seen it in the first place.
Now we move into speculation territory. I don’t know why I can’t find the original email, I can only find the forwarded version between the campaign staffers. How did this even come across someone’s eyes to begin with?
I know that sometimes with senior executives in corporations, both an administrator and the executive have access to the exec’s inbox. They do this so they can sort through their messages and separate out the less important ones, so that the exec is only focused on the important messages. I haven’t bothered to do the research in this case (I’m just a blogger on the Internet), but if this is the case here, then did a staffer dig into the spam folder, find this message and mistake it for a real message, and advise Podesta to change his password?
People digging through spam folders, rescuing malicious messages, and getting compromised is extremely common. That’s why we add messaging to our Safety Tips in Office 365 about why we marked it as spam or phish.
The only way DMARC would have helped more is if, instead of publishing a subdomain policy of sp=quarantine, the domain had published sp=reject (or no sp tag at all, so that any *.googlemail.com subdomain would inherit the parent domain's p=reject). But then again, Google doesn't necessarily reject every message that fails DMARC under a reject policy (neither does Office 365); they sometimes go to the Junk folder instead. So even that is not a guarantee.
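To make the subdomain-policy point concrete, here is an added example (not code from the original post) of how a receiver discovers the DMARC policy that applies to a message whose From domain is accounts.googlemail.com. The DNS answers are a constructed in-memory table, not live lookups, and the record text and the short public-suffix list are assumptions for illustration; the real googlemail.com record is not reproduced here. It follows the lookup order in RFC 7489: the exact domain first, then the organizational domain, where sp= governs subdomains if present and p= otherwise.

```python
"""DMARC policy discovery for a subdomain (RFC 7489 section 6.6.3).

Added example, not code from the original post. FAKE_DNS stands in for
TXT lookups of _dmarc.<domain>; its contents are constructed for illustration.
"""
from typing import Dict, Iterable, Optional, Tuple

# Assumption: only the organizational domain publishes a record, and the
# subdomain used by the phish (accounts.googlemail.com) publishes none.
FAKE_DNS: Dict[str, str] = {
    "_dmarc.googlemail.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.org",
}

# Assumption: a tiny public-suffix list. A real receiver uses the full PSL.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain: str) -> str:
    """Return the organizational domain: one label to the left of the public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return domain.lower()


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=reject; sp=quarantine' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_policy(from_domain: str, dns: Dict[str, str] = FAKE_DNS) -> Optional[Tuple[str, str]]:
    """Return (policy, domain_the_record_came_from) for an RFC5322.From domain, or None.

    Exact-domain record wins. Otherwise the organizational domain's record is used,
    and for a subdomain its 'sp' tag applies when present, falling back to 'p'.
    """
    from_domain = from_domain.lower().rstrip(".")
    exact = dns.get(f"_dmarc.{from_domain}")
    if exact:
        tags = parse_dmarc(exact)
        if tags.get("v", "").upper() == "DMARC1" and "p" in tags:
            return tags["p"].lower(), from_domain
    org = org_domain(from_domain)
    if org == from_domain:
        return None  # no exact record and nothing further up to consult
    record = dns.get(f"_dmarc.{org}")
    if not record:
        return None
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags.get("sp", tags["p"]).lower(), org


def disposition(from_domain: str, spf_aligned: bool, dkim_aligned: bool,
                dns: Dict[str, str] = FAKE_DNS) -> str:
    """What a receiver that honors the published policy does with the message."""
    if spf_aligned or dkim_aligned:
        return "pass"  # DMARC passes if either aligned authentication passes
    found = dmarc_policy(from_domain, dns)
    if found is None:
        return "no-policy"
    policy, _ = found
    return {"quarantine": "spam folder", "reject": "reject"}.get(policy, "deliver (monitor only)")


if __name__ == "__main__":
    # A spoofed accounts.googlemail.com message fails both SPF and DKIM alignment.
    print(dmarc_policy("accounts.googlemail.com"))               # ('quarantine', 'googlemail.com')
    print(disposition("accounts.googlemail.com", False, False))  # spam folder
    # Same message, but with sp=reject (or no sp tag) on the parent domain:
    print(disposition("accounts.googlemail.com", False, False,
                      {"_dmarc.googlemail.com": "v=DMARC1; p=reject"}))  # reject
```

The last call shows the alternative the post describes: with the sp tag removed (or set to reject), the subdomain inherits p=reject and a strict receiver drops the spoof outright instead of filing it as spam where it can be rescued.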
Second, I do think that the IT department made a big mistake
The one big mistake I do think the IT department made, whether or not the message was originally in the spam folder and subsequently rescued and forwarded, was not "defanging" the malicious URL.
"Defanging" is my term for making a dangerous URL not dangerous. For example, suppose a forwarded message contained a malicious link.
A defanged version of that link rewrites it so that mail clients no longer render it as something clickable, for instance by changing the scheme (http becomes hxxp) or bracketing the dots in the host name (bit.ly becomes bit[.]ly).
A defanged link is no longer clickable. You can see that the IT person did provide the correct URL to Google's password reset page, but Podesta clicked on the wrong one. The IT person no doubt thought he was providing the right advice about changing the password, but he left the dangerous content in the message. There was still room for error, and in this case it mattered.
Before forwarding the message, he should have either deleted the link entirely or defanged it. That would have prevented Podesta from doing the wrong thing.
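Here is an added example (not code from the original post) of the defanging step described above, applied to a constructed forwarded message. It rewrites every URL in the body so it no longer renders as a link, except for hosts on an explicit allowlist, so the genuine password-reset URL the IT person supplied stays clickable while the shortener link does not. The message text and the short.example host are constructed for illustration; the allowlist mechanism is my assumption about how a help desk would want this to behave.

```python
"""Defang URLs in a message body before forwarding it.

Added example, not code from the original post. SAMPLE_FORWARD is a constructed
message; short.example is a placeholder host, not the real bit.ly link.
"""
import re
from typing import Iterable

# scheme, host (may include userinfo and port), then the rest of the URL
URL_RE = re.compile(r"\b(https?)://([^\s/<>\"']+)([^\s<>\"']*)", re.IGNORECASE)


def defang_url(url: str) -> str:
    """Turn http://evil.example/x into hxxp://evil[.]example/x; non-URLs pass through."""
    match = URL_RE.fullmatch(url)
    if not match:
        return url
    scheme, host, rest = match.groups()
    scheme = "hxxp" if scheme.lower() == "http" else "hxxps"
    return f"{scheme}://{host.replace('.', '[.]')}{rest}"


def host_of(authority: str) -> str:
    """Strip userinfo and port from the authority part of a URL."""
    return authority.split("@")[-1].split(":")[0].lower()


def defang_message(body: str, allow_hosts: Iterable[str] = ()) -> str:
    """Defang every URL in body except those whose host is on the allowlist.

    Assumption: the allowlist holds the exact hosts a help desk is willing to
    leave clickable (e.g. the vendor's own password-reset page).
    """
    allowed = {h.lower() for h in allow_hosts}

    def replace(match: "re.Match[str]") -> str:
        if host_of(match.group(2)) in allowed:
            return match.group(0)
        return defang_url(match.group(0))

    return URL_RE.sub(replace, body)


# Constructed stand-in for the forwarded phish plus the IT person's advice.
SAMPLE_FORWARD = """\
Fwd: Someone has your password
Someone just used your password to try to sign in. Google stopped the sign-in attempt.
CHANGE PASSWORD: http://short.example/Xy7q
---
This is a legitimate email. Please change your password immediately at
https://myaccount.google.com/security and turn on two-step verification.
"""


def defanged_sample() -> str:
    """The sample message with only the reset page left clickable."""
    return defang_message(SAMPLE_FORWARD, allow_hosts=["myaccount.google.com"])


if __name__ == "__main__":
    print(defanged_sample())
```

In the output the shortener link reads hxxp://short[.]example/Xy7q and cannot be tapped on a phone, while https://myaccount.google.com/security is untouched, which is exactly the state the forwarded thread should have been in.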
It's unclear whether two-factor authentication was ever set up. Many (most?) people don't use it, but right from Day 1 there ought to have been a policy in place requiring it, especially for executives.
Third, I don’t blame Podesta for clicking on the URL
I was reading on Slashdot and some of the commenters were calling Podesta an idiot for ignoring the actual URL and instead clicking on the bit.ly link.
Yet if he were an average Internet user using a mobile device, and was advised to change his password by people on his own team, it’s natural to assume he would scroll down the page, see the Google sign-in page, and gloss over the details in the middle. We all rely upon mental shortcuts, and all of us also know that high-ranking executives don’t read email in detail (I spend a long time editing my emails when I want an executive to weigh in on something).
Besides which, on a mobile device, it’s not like he can hover-to-uncover where the link goes to.
So for someone to be told to change his password, and then while scrolling down quickly he were to see the picture, it’s not a stretch for most of us to click it.
Fourth, even if nobody fell for this hack, there’s still plenty of other ways to get hacked
My guess is that the original message was marked as spam due to email authentication, but somehow it was rescued and still managed to trick the user. But even if the phisher hadn't spoofed googlemail.com, they could have impersonated Google in any number of ways (random IT phishing attacks, attacks from weakly protected domains, and look-alike impersonation attacks).
Would Podesta himself have fallen for this? Would his staff? It’s unclear.
But one thing we know for sure, the attackers would have kept hacking until they finally did get access. If not on Podesta himself, then someone else.
Fifth, this is not the first time I have seen a hack like this, and a combination of technologies is required, along with a security policy
Earlier this year, I saw an attack where a phisher sent a message with a malicious link to an executive and it got through to him. He forwarded it to his assistant where she clicked on the link and got infected with malware. The original target wasn’t compromised, but someone else within the organization was.
This Podesta phishing attack doesn’t seem to have fooled the recipient, but still succeeded by accident.
Thus, an attack has multiple paths to success.
One thing we do at Microsoft is apply policy. I can't check my corporate email on my phone without two-factor authentication; I have an iPhone SE[4] and I had to install an app from Microsoft and enter a PIN, which was verified with a phone call. I have to renew that authenticator app every so often. I can't access my work email on my laptop unless I am using Windows 10, and it forces me to log in using my fingerprint. So there's multifactor authentication that way too.
You can see that my IT department has taken the decision out of my hands, and that it is a corporate policy. It's still possible to hack me, but it's way harder.
People in high-ranking positions need to be aware that they are under attack, and their security departments need to implement policies that make it easy for them to get their work done securely. This is my personal recommendation to all government departments. I preach the virtues of email authentication, and that's important. But securing the endpoint and the account is also important, because attacks can succeed indirectly.
Even by accident.
[1] Yes, yes, I know that's not necessarily true. See the Thought Bubble.
[2] As we all know, our Facebook feeds are not the most reliable source of accurate news.
[3] There's a story floating about that the staffer who wrote "This is a legitimate email" meant to write "This is an illegitimate email", and that's the reason Podesta clicked on the link. Had he written "illegitimate", Podesta never would have clicked. I doubt that; the crux of the message was that he had to change his password, not whether or not the message was legitimate. I think the URL should have been defanged.
[4] Yes, Microsoft employees can have iPhones.