One of the greatest threats to cybersecurity could be sitting in an email inbox right now in the form of a spoofed email. And traditional email security solutions may not be enough to mitigate the threat.
In May, the National Security Agency (NSA) joined the Federal Bureau of Investigation (FBI) and the U.S. Department of State in releasing a Cybersecurity Advisory (CSA) that stated, "North Korean Actors Exploit Weak DMARC Security Policies to Mask Spearphishing Efforts,’ warning organizations about the threat posted by Democratic People’s Republic of Korea (DPRK, aka North Korea) techniques that allow emails to appear to be from legitimate journalists, academics, or other experts in East Asian affairs…”
And in early August, Reddit users noted that Apple Intelligence, a beta feature in the upcoming iOS 18 release that bakes native AI features into the OS including AI summaries in the Mail app, was marking phishing emails as a priority in the Mail app on iOS 18.1 developer beta 1. The AI-powered filter seemingly disregards the sender’s address and only determines an email’s importance by scanning its text. This could be a significant problem if not fixed by the time it's released.
Whether from North Korea or closer to home, if you're an MSP or MSSP and want to decrease the chances that spoofed email makes its way into your -- or your customers’ -- inboxes in the first place, DMARC can help you do so.
DMARC, which stands for “Domain-based Message Authentication, Reporting and Conformance”, is an email authentication policy and reporting protocol. It builds on the widely-deployed sender policy framework (SPF) and domain keys identified message (DKIM) email authentication protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.
According to the Kaseya Security Survey Report 2023, the most common vector for a ransomware attack is via email. And one way cyberattackers make their email incursions more effective is via spoofing – impersonating a legitimate email sender’s address to increase the chances an unsuspecting user will open the email and interact with it in the way the attacker needs them to.
DMARC is an open standard, and until recently, its use has been sporadic and optional. But in October 2023, Google and Yahoo announced that bulk senders will be subject to more stringent requirements for authentication of the mail sent to these two mailbox providers, said Al Iverson, industry research and community engagement lead of hosted DMARC and DMARC-as-a-service provider Valimail.
But DMARC isn't fool-proof, and it is only one part of a layered email security strategy, Iverson said. Recent Darktrace research confirmed that email phishing remains a top threat, with 17.8 million phishing emails detected between December 2023 and July 2024, 62% of which bypassed DMARC checks designed to safeguard against unauthorized use.
That's not an indictment of DMARC, Iverson said, but rather proof that technology is evolving just as attackers' tactics, techniques and procedures are adapting.
"DMARC is only one star in the sky, and is only one part of the whole constellation of things you need to do from an email security, business security and business email compromise (BEC) prevention standpoint," Iverson said. "It's about perspective and understanding that unless you just completely eliminate access entirely, you're never going to be 100% secure. Recently, security researchers were talking about one of the big secure email gateways that was open to relay; taking mail that would come through from any user of Microsoft 365 and it was re-authenticating that mail. It was a flaw that bad guys figured out and then used that secure email gateway to send spoofed email and phishing attacks," he said. It's an updated version of the way attackers in the late 1990s would bounce malicious mail through open relay servers to hide the original source and bypass spam filter checks, Iverson explained.
"It's a prime example of why there are millions, if not billions of messages, unfortunately, passing full authentication checks -- it's not a failure of the authentication mechanism itself, but rather it's a failure of the pathways in to these gateways that are not secure," he said.
From an attackers perspective, they're taking advantage of the fact that they can spoof a legitimate sender using the same general rules that would otherwise cause an email to be flagged, said Nathaniel Jones, director of strategic threat and engagement, Darktrace.
So what can MSPs and MSSPs do to protect their clients and their clients' customers? There are a number of basic approaches, said Jones, one of which is using anomaly detection, as Darktrace does in their solutions. This is especially important with regard to third-party interaction, as with MSPs, MSSPs, service providers and other third parties that may inadvertently be a weak point through which attackers can breach an organization.
"For us, it's anomaly detection that's based, at least in part, on behavior," Jones said. "Why is someone talking to, emailing, communicating with a third party that they've never spoken to before? You see a lot of email rules around those third parties, either upstream or downstream because that tends to be the case of why people get compromised. They have associated partners that get compromised and then attackers use that 'in' to blast victims with email," he said.
It's critical to first audit the settings of any secure email gateways so that relay settings aren't too broad, said Iverson. That can help filter out a lot of malicious messages before they even reach their targets. And, of course, the human factor remains a massive risk. Technology and behavior-based analysis can work together to mitigate the risk.
"If somebody can hack my account and hack my computer, my work laptop, they can now send email as me, and it's going to authenticate just fine," Iverson said. "So you have to both protect that laptop environment with device management tools and also train your users to mitigate that risk as much as possible," he said.
Iverson said employees should always be looking first for reasons to believe an email might be malicious and then attempt to disprove that, rather than trust email is legitimate as the default.
"I'm always looking for the negative factors -- I'm doing header checks, hovering my cursor over a link to see where it goes, and all that to see if I can prove these things are invalid. I'm looking for a reason to kick it out and not not trust it. But that's only that first step. If I can't find anything that way, then I will go out of band and make sure it's legitimate by, say, calling someone on the phone and asking, 'Did you send me this?'"
Jones said the human risk factor, though still significant, has actually improved over the last few decades as security awareness training becomes more regular and the vast majority of people understand, even at a basic level, the risks inherent in technology.
"I think it has improved in terms of general security awareness," he said. "People are understanding why this is a problem now, whereas 10 or 15 years ago, people never looked at the header of the email! Now, they know to look at it and what they should do. There have also been technology advancements that put in stopgap measures if someone does click on a malicious link, a popup will ask if they're sure, or a security scanner can stop it," he said.
As obvious as it sounds, you can't put all your eggs in one basket when it comes to email security. Attackers will always try to find ways around any defense solution, but a layered, multi-pronged approach can go a long way toward making your email secure.
"Anomaly based detection is important. Knowing your own estate, knowing who your people are, who does what, who you work with and what looks weird is important. And being able to leverage technology tools to help you do that will get you most of the way there," Jones said.
