How can a cybersecurity company safely send malicious files to clients for testing purposes without being blocked?

Summary

Cybersecurity companies aiming to safely deliver malicious files for testing require a multi-faceted approach that combines technical safeguards, clear communication, and adherence to legal and ethical standards. Utilizing separate infrastructure like throwaway domains, VPS, and EC2 instances helps isolate testing and protect sender reputation. Requesting clients to whitelist IPs and leveraging advanced delivery policies in platforms like Microsoft 365 can bypass filters. Transparency is crucial; informing recipients, their IT security teams, and even engaging with security and anti-spam vendors fosters trust and collaboration. Before sending, files should be analyzed in sandbox environments. Clear contractual agreements outlining scope and responsibilities are essential for legal protection. Encrypted archives can offer a basic level of bypass, but client awareness of the risks is key. Throughout the process, protecting sender reputation is paramount to ensure the continued deliverability of legitimate emails. Overall, balancing effective testing with ethical practices and minimizing potential harm is crucial.

Key findings

  • Separate Infrastructure: Using distinct domains, IPs, VPS, or EC2 instances isolates testing and protects the primary email infrastructure's reputation.
  • Bypass Mechanisms: Whitelisting IPs, leveraging advanced delivery policies, and encrypted archives can help bypass email filters.
  • Transparency and Communication: Informing recipients, IT teams, security vendors, and anti-spam services is crucial for trust and coordination.
  • Sandbox Analysis: Analyzing potentially harmful files in a sandbox before sending enhances safety.
  • Contractual Agreements: Clear agreements outlining testing scope and responsibilities are essential for legal protection.
  • Reputation Protection: Protecting sender reputation is paramount for continued deliverability of legitimate emails.

Key considerations

  • Domain and IP Isolation: Properly configuring and managing separate infrastructure is critical to prevent spillover effects on the primary domain.
  • Ethical Implications: Balancing effective testing with the need to protect recipients from potential harm is crucial.
  • Legal and Regulatory Compliance: Testing activities must comply with data protection, privacy, and other relevant laws.
  • Security Vendor Approval: When possible, obtaining approval from the client's security vendor can streamline testing and improve accuracy.
  • Ongoing Monitoring: Continuously monitoring sender reputation and adapting strategies as needed is essential for long-term success.

What email marketers say
11 Marketer opinions

Cybersecurity companies face challenges in delivering malicious files for testing purposes without being blocked by security filters. The solutions involve a multi-faceted approach including technical configurations, process and communication strategies, and legal considerations. Key recommendations include using separate domains and IPs for testing, whitelisting IPs with clients, informing recipients and IT security teams, utilizing sandboxes, securing contractual agreements, and potentially using encrypted archives. Additionally, communication and coordination with anti-spam vendors are important. The overall goal is to minimize the impact on sender reputation and ensure that testing is conducted ethically and legally.

Key opinions

  • Separate Infrastructure: Using distinct domains and IP addresses dedicated to security testing helps isolate any negative impacts on the primary email infrastructure.
  • Whitelisting: Requesting clients to whitelist specific testing IPs can bypass security filters, ensuring delivery of test files.
  • Clear Communication: Informing recipients, their IT security teams, and, potentially, security vendors about the tests is crucial for transparency and coordination.
  • Sandbox Analysis: Analyzing malicious files in a sandbox environment prior to sending them to clients adds an extra layer of safety.
  • Legal Agreements: Establishing clear contractual agreements outlining the testing scope and responsibilities is essential for legal protection.
  • Anti-Spam Coordination: Working with anti-spam vendors can help prevent testing activities from negatively impacting sender reputation and overall deliverability.

Key considerations

  • Sender Reputation: Security testing can negatively affect sender reputation, impacting the deliverability of legitimate emails. Mitigation strategies are necessary.
  • Ethical Implications: It's important to balance thorough security testing with the need to protect recipients from potential harm.
  • Legal Compliance: Testing activities must comply with all relevant laws and regulations, including data protection and privacy laws.
  • Security Vendor Approval: Where possible, obtain approval from the client's security vendor, since that vendor is the most effective control protecting the client from harm.

Marketer view

Email marketer from Reddit suggests ensuring that recipients are fully aware of the testing and the nature of the files they may receive. Clear communication is key; manage expectations. They suggest informing recipients before sending to them and giving a heads-up to the internal security teams.

February 2025 - Reddit
Marketer view

Email marketer from Email Geeks shares experience with an AV vendor client, who had a pre-req doc for bypassing filtering for phishing tests and spun up a new Azure IP for each client for virus/malicious file testing, with Microsoft being aware of their activities.

January 2024 - Email Geeks
Marketer view

Email marketer from StackExchange suggests talking to the client's IT security team and making them aware of the pen test or security testing you are conducting for the company. It is important to ensure that any real attacks can be stopped, and this gives a good indication of the company's overall security strength.

November 2022 - StackExchange
Marketer view

Email marketer from StackExchange responds with the suggestion to request clients to whitelist specific IP addresses used for penetration testing and simulated attacks. This would allow the testing emails, including those with malicious payloads, to bypass security filters.

March 2024 - StackExchange
Marketer view

Email marketer from Cybersecurity Community Forum suggests setting up separate test email accounts on a different domain. The accounts should be dedicated to sending the test emails and use a different IP range than the standard company communications. This should limit any damage done to the company's domain.

February 2023 - Cybersecurity Community Forum
Marketer view

Email marketer from Reddit says to reach out and try to get approval to send through the security vendor of the client. This can be time consuming but allows the test to go through as expected and gives a more reliable picture of the company's security strength. They should be informed about the test and the exact nature of the files sent to them.

December 2021 - Reddit
Marketer view

Email marketer from InfoSec Institute explains the importance of clear contractual agreements. These agreements will outline the scope, methods, and responsibilities related to sending potentially harmful content to clients for testing. This is to ensure proper authorization and mitigate potential legal issues.

January 2023 - InfoSec Institute
Marketer view

Email marketer from LinkedIn explains the importance of using a separate domain for sending test emails, especially those containing potentially malicious content, to avoid damaging the reputation of your primary domain.

August 2024 - LinkedIn
Marketer view

Email marketer from Email Geeks mentions their A/S engine tweaks to allow suspect content through for vetted security vendors doing phishing testing, suggesting spinning up an EC2 or Azure instance for the described use case.

March 2024 - Email Geeks
Marketer view

Email marketer from Security Forums suggests sending the potentially malicious files to a sandbox environment for analysis before sending them directly to clients. This can help verify the malicious nature of the file and ensure it's handled safely by the recipient's security systems.

June 2022 - Security Forums
Marketer view

Email marketer from Cybersecurity Blog mentions using encrypted archives (e.g., password-protected ZIP files) to deliver the files. This may bypass some basic email security filters, but it requires the client to have the password and understand the risks.

December 2024 - Cybersecurity Blog

What the experts say
3 Expert opinions

When cybersecurity companies need to send malicious files to clients for testing, it's crucial to do so without getting blocked and while protecting sender reputation. Experts recommend using throwaway domains, possibly with a VPS, for sending the files. They also stress the importance of safeguarding sender reputation to avoid affecting legitimate email streams. Building relationships with anti-spam vendors can also help, as they may be more lenient if they understand the testing criteria.

Key opinions

  • Use Throwaway Domains/VPS: Utilizing separate infrastructure like throwaway domains and VPS helps to isolate testing activities from the main domain and protect sender reputation.
  • Protect Sender Reputation: Maintaining a positive sender reputation is critical to ensure continued deliverability of legitimate emails.
  • Engage with Anti-Spam Vendors: Building relationships with anti-spam vendors can lead to more flexibility during testing and better understanding of security levels.

Key considerations

  • Domain Isolation: Properly setting up and managing throwaway domains and VPS is essential to prevent any spillover effects on the primary domain.
  • Reputation Management: Continuously monitoring and protecting sender reputation is an ongoing process that requires vigilance.
  • Vendor Coordination: Establishing and maintaining open communication with anti-spam vendors requires time and effort but can be beneficial.

Expert view

Expert from Spam Resource, Laura Atkins, emphasizes the need to protect sender reputation when conducting security tests, highlighting the risk of damaging legitimate email streams. It is important to plan your testing to avoid affecting your sender reputation.

June 2023 - Spam Resource
Expert view

Expert from Email Geeks suggests sending malicious files from a throwaway domain and possibly a VPS somewhere for cybersecurity testing.

August 2022 - Email Geeks
Expert view

Expert from Word to the Wise suggests building a relationship with different anti-spam vendors/services. If they know what your testing criteria are for specific clients, they may be more lenient in blocking emails, allowing you to conduct your tests and get a better idea of security levels. They also indicate that if you do affect your sending reputation, it may affect future email delivery.

November 2023 - Word to the Wise

What the documentation says
4 Technical articles

Microsoft 365, AWS, NCSC and NIST documentation provide guidance on sending malicious files for security testing. Microsoft 365 offers advanced delivery policies to bypass filters for simulated phishing attacks. AWS describes using EC2 instances for sending emails with caution and adherence to usage policies. NCSC emphasizes explicit agreements, controlled environments, and clear communication for penetration testing. NIST provides guidelines for vulnerability testing, including proper authorization, containment, and ethical practices. All sources highlight the importance of careful planning and adherence to best practices to avoid causing harm or violating policies.

Key findings

  • Advanced Delivery Policies: Microsoft 365 offers features to bypass filters for simulated phishing attacks, requiring configuration of sending IPs and domains.
  • EC2 Instances for Email: AWS EC2 instances can be configured to send emails, but adherence to acceptable use policies is crucial.
  • Penetration Testing Guidance: NCSC emphasizes explicit agreements, controlled environments, and clear communication for safe penetration testing.
  • Vulnerability Testing Guidelines: NIST provides guidelines for vulnerability testing, highlighting proper authorization, containment strategies, and ethical practices.

Key considerations

  • Policy Adherence: Following acceptable use policies of email platforms and cloud providers is essential to avoid penalties.
  • Authorization: Obtaining explicit authorization before conducting any security testing is a must to avoid legal and ethical issues.
  • Communication: Maintaining clear communication with clients and relevant stakeholders ensures that testing activities are transparent and understood.
  • Controlled Environments: Ensuring that testing activities are conducted within controlled environments minimizes the risk of unintended consequences.

Technical article

Documentation from Microsoft Learn explains that Microsoft 365 offers advanced delivery policies to allow simulated phishing attacks for training purposes to bypass filters. These policies require configuration to identify the sending IP addresses and domains used for the simulations, ensuring legitimate tests are delivered while maintaining overall security.

June 2023 - Microsoft Learn
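The advanced delivery configuration described above, shown as an added example rather than text from Microsoft's documentation: it uses the Exchange Online PowerShell cmdlets New-PhishSimOverridePolicy and New-PhishSimOverrideRule, and the sending domain and IP address are constructed placeholders standing in for the vendor's dedicated testing infrastructure.

```powershell
# Added example: scope a third-party phishing-simulation override in Microsoft 365
# to one dedicated sending domain and one dedicated sending IP, matching the
# "separate infrastructure" advice on this page. This is run by the CLIENT's
# tenant administrator, not by the testing company.
# Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# Placeholder values (constructed for this example): the vendor's throwaway
# sending domain and the single IP the client has agreed to allow.
$SimDomain = "sim-vendor.example"
$SimIp     = "203.0.113.10"

# The policy container exists at most once per tenant; create it only if missing.
if (-not (Get-PhishSimOverridePolicy -ErrorAction SilentlyContinue)) {
    New-PhishSimOverridePolicy -Name PhishSimOverridePolicy
}

# The rule binds the allowed sending domain(s) and IP(s). Every entry listed
# here skips filtering, so keep both lists as narrow as the engagement needs.
New-PhishSimOverrideRule -Name "PhishSimOverrideRule" `
    -Policy PhishSimOverridePolicy `
    -Domains $SimDomain `
    -SenderIpRanges $SimIp

# Review what is now allowed; remove the rule when the engagement ends.
Get-PhishSimOverrideRule | Format-List Name, Domains, SenderIpRanges
# Remove-PhishSimOverrideRule -Identity "PhishSimOverrideRule"
```

The override does not disable sender authentication: the domain in the rule must be the one the test mail actually authenticates as (the MAIL FROM or DKIM-signing domain), so the vendor's dedicated domain still needs correct SPF and DKIM records.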
Technical article

Documentation from NIST provides guidelines for vulnerability testing, including considerations for safely handling potentially harmful content. It includes recommendations on obtaining proper authorization, implementing containment strategies, and adhering to ethical testing practices.

August 2024 - NIST Website
Technical article

Documentation from NCSC details guidance on conducting penetration testing, which includes considerations for safely handling and delivering potentially malicious payloads. It emphasizes the need for explicit agreements, controlled environments, and clear communication with the client.

March 2024 - NCSC Website
Technical article

Documentation from AWS describes the use of EC2 instances for sending emails, which can be configured to bypass some filtering mechanisms. However, they emphasize the importance of adhering to AWS's acceptable use policy and obtaining necessary permissions before sending any potentially harmful content.

April 2024 - AWS Documentation