How DMARC Protects Employees From Spear Phishing Attacks
Spear phishing is one of the biggest challenges facing enterprise organizations today. Here are just a few troubling stats to prove it:
- 95% of all attacks on enterprise networks are the result of successful spear phishing (Source: SANS Institute)
- 30% of phishing messages are opened by recipients and 12% click on attachments (Source: Verizon)
- Business Email Compromise scams (also known as “CEO Fraud”) have cost companies $2.3 billion in the past two years (Source: FBI)
DMARC (Domain-based Message Authentication, Reporting and Conformance) has already proven hugely valuable for consumer mailbox providers and global brands looking to protect their customers. We estimate that today over 70% of global consumer mailboxes are protected by DMARC: the major global mailbox providers have adopted DMARC validation and blocking, and an ever-growing number of regional consumer mailbox providers are implementing DMARC to protect their users too.
However, DMARC is not limited to just being a consumer protection tool—it does not distinguish between B2C and B2B environments. If a DMARC “reject” policy is published for an organization’s domains, that policy will be honored by any receiver validating DMARC, be it a consumer mailbox provider or an enterprise Secure Email Gateway (SEG). Over the past year, many enterprises have inquired about using DMARC in this way, similar to the way in which they use TLS (Transport Layer Security) to encrypt email in transit.
In this post, we’ll cover how DMARC blocks inbound spear phishing attacks, which SEGs are supporting DMARC today, and how your company can leverage this emerging capability.
How DMARC blocks inbound attacks
DMARC allows organizations to block spear phishing attacks—those that spoof owned domains or partner domains—before they reach employee inboxes. That’s why more and more SEGs are supporting DMARC. There are already 11 commercial email gateways that explicitly include DMARC support, and a few more announcements are anticipated by mid-2016. This is not a surprise, since Gartner treats DMARC filtering as a strength in its Magic Quadrant for Secure Email Gateways report. Today, companies can instruct their SEG to block messages that claim to come from domains under their control—as well as from any DMARC-protected third-party domains—and that fail email authentication.
DMARC will block spear phishing attacks coming into the organization if:
- The attack spoofs the owned sending domains of a company or partner
- The domain owner has implemented a DMARC “reject” policy
- The email gateway supports DMARC
- DMARC checking has been activated on the email gateway
DMARC’s reporting provides information both to the operations team, to ensure the corporate gateways are working properly, and to the information security team about bad actors trying to leverage the company’s sending domains in their attacks.
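The four conditions above come down to a small decision the gateway makes per message: find the DMARC record for the domain in the visible From header, check whether SPF or DKIM passed for an aligned domain, and if neither did, apply the published policy. The following is an added example that is not from the original post or from DMARC.org; it models that decision after RFC 7489 with an in-memory table standing in for DNS (the `_dmarc` records, domains and addresses are constructed) and assumes the gateway has already computed the raw SPF and DKIM results.

```python
"""Minimal DMARC disposition check (added example, modelled on RFC 7489).

Assumptions: SPF and DKIM have already been evaluated by the gateway and
are passed in as AuthResults; DNS is replaced by FAKE_DNS so this runs
offline. The pct tag and report generation are omitted for brevity.
"""
from dataclasses import dataclass

# Constructed stand-in for DNS TXT lookups of _dmarc.<domain>.
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "_dmarc.partner.example": "v=DMARC1; p=none; rua=mailto:reports@partner.example",
    # A look-alike "cousin" domain such as examp1e.com publishes no record.
}


@dataclass
class AuthResults:
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # domain SPF was evaluated against (MAIL FROM)
    dkim_result: str
    dkim_domain: str   # d= tag of the validated DKIM signature, "" if none


def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Crude organizational-domain guess: the last two labels.
    Real implementations consult the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookup_policy(from_domain, dns=FAKE_DNS):
    """Return (record, domain_it_was_found_at); exact domain first,
    then the organizational domain, as RFC 7489 section 6.6.3 describes."""
    for candidate in (from_domain, org_domain(from_domain)):
        txt = dns.get("_dmarc." + candidate)
        if txt:
            record = parse_dmarc_record(txt)
            if record.get("v", "").upper() == "DMARC1":
                return record, candidate
    return None, None


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed only
    needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain, auth, dns=FAKE_DNS):
    """Return (dmarc_result, disposition) for one message.

    disposition is what the gateway should do: "none", "quarantine" or
    "reject". A message only passes DMARC when SPF or DKIM passed AND the
    domain that passed aligns with the From-header domain."""
    from_domain = from_domain.lower()
    policy, found_at = lookup_policy(from_domain, dns)
    if policy is None:
        return ("none", "none")      # no DMARC record: nothing to enforce

    spf_ok = auth.spf_result == "pass" and aligned(
        auth.spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = auth.dkim_result == "pass" and aligned(
        auth.dkim_domain, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")

    # Neither identifier aligned: apply p=, or sp= for subdomains when the
    # record came from the organizational domain.
    disposition = policy.get("p", "none")
    if found_at != from_domain and "sp" in policy:
        disposition = policy["sp"]
    return ("fail", disposition)


if __name__ == "__main__":
    spoof = AuthResults("fail", "attacker.example", "none", "")
    print(dmarc_disposition("example.com", spoof))   # ('fail', 'reject')
    print(dmarc_disposition("examp1e.com", spoof))   # ('none', 'none')
```

The last two calls show the boundary the post draws: a message forging the protected `example.com` is rejected, while the same message from a look-alike domain with no DMARC record is untouched, because DMARC can only act on domains whose owners publish a policy. A partner domain at `p=none` produces `("fail", "none")`, which is reported but not blocked.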
Some things to keep in mind
Adding DMARC to the inbound filtering platform is a best practice that can both add a layer of security against fraudulent emails purporting to come from enterprise-owned domains and build trust with your vendors and suppliers. But while DMARC is an important factor in a multi-pronged spear phishing defense strategy, it does not offer total protection. DMARC does not counter more indirect attacks spoofing your brand using the Display Name and deliberately misspelled “cousin” domains.
In addition, if you move to a DMARC “reject” policy too soon, legitimate email that is not properly authenticating might get blocked along with the suspicious mail. Your company is at risk of blocking important internal business email like payslips and internal broadcasts as well as communication from suppliers like invoices. Before moving to “reject” you need full visibility into your email authentication ecosystem.
Implementing a DMARC “none” policy can be a great way to get that visibility into your vendors, into spear phishing attacks using owned domains, and into any other internal traffic (HR, Payroll), without risking blocking legitimate mail streams. Understanding how to read DMARC reports is an essential step in getting this visibility.
Finally, SEGs are still in the early stages of rolling out DMARC; reporting capabilities are limited and in some cases totally absent. Without DMARC reporting and visibility, an organization cannot determine which attacks were prevented or whether legitimate traffic was blocked. Relying purely on reports from consumer mailbox providers does not give full visibility into the whole email ecosystem: the organization’s own mail, the third parties and vendors sending on its behalf, and malicious activity.
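Reading the aggregate (rua) reports that a “none” policy attracts is what turns that policy into visibility. The script below is an added example, not code from the original post or from DMARC.org; it parses a constructed aggregate report in the RFC 7489 Appendix C XML schema (all IPs, domains and counts are documentation values) and sorts each sending source into three buckets: aligned and passing, authenticated for some other domain but not aligned (typically a vendor such as payroll or invoicing sending as you), and not authenticated at all. The second bucket is exactly the mail that would be lost by moving to “reject” too soon.

```python
"""Summarize a DMARC aggregate report (added example, RFC 7489 schema).

Assumptions: the report XML has already been extracted from the gzip/zip
attachment. Reports arrive from third parties, so a production parser
should use defusedxml; the standard library is used here to stay offline.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report covering one day for example.com at p=none.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1451606400</begin><end>1451692800</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record><!-- corporate MTA: SPF and DKIM both aligned -->
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record><!-- payroll vendor: SPF passes for its own domain, so not aligned -->
    <row><source_ip>198.51.100.7</source_ip><count>85</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>payroll-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record><!-- unknown source: nothing authenticates -->
    <row><source_ip>203.0.113.99</source_ip><count>4300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""


def classify_record(record):
    """Bucket one <record> element by what its authentication shows."""
    evaluated = record.find("row/policy_evaluated")
    if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
        return "aligned_pass"
    # A raw SPF/DKIM pass for a different domain means a real sender that
    # is not set up to align with the From header (a vendor, usually).
    for result in record.findall("auth_results/*"):
        if result.findtext("result") == "pass":
            return "unaligned_authenticated"
    return "unauthenticated"


def summarize(report_xml):
    """Return per-bucket message totals and the sources behind them."""
    root = ET.fromstring(report_xml)
    totals = defaultdict(int)
    sources = defaultdict(list)
    for record in root.findall("record"):
        ip = record.findtext("row/source_ip")
        count = int(record.findtext("row/count"))
        bucket = classify_record(record)
        totals[bucket] += count
        sources[bucket].append((ip, count))
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "reporter": root.findtext("report_metadata/org_name"),
        "totals": dict(totals),
        "sources": dict(sources),
    }


def would_break_under_reject(summary):
    """Sources that send real mail for this domain without alignment;
    each must be fixed (SPF include, DKIM signing) before p=reject."""
    return sorted(summary["sources"].get("unaligned_authenticated", []))


if __name__ == "__main__":
    report = summarize(SAMPLE_REPORT)
    print(report["domain"], "p=" + report["policy"], report["totals"])
    print("fix before reject:", would_break_under_reject(report))
```

Run against the sample, the summary separates 1,200 aligned messages from 85 messages the payroll vendor sends without alignment and 4,300 unauthenticated messages from an unknown source. Moving to “reject” with this picture would stop the 4,300 but also the 85 payslip-style messages, which is the trade-off the section above warns about; the vendor source needs to be authorized and aligned first.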
Next steps for your company
Implementing DMARC on your company’s main sending domains is the first step to protecting your enterprise from spear phishing attacks. Need help doing it? Return Path’s “Getting Started with DMARC” is a great step-by-step guide.
To learn more about how DMARC protects on the inbound side, as well as which industry sectors are leading the way in the fight against email fraud, listen to this on-demand webinar I co-hosted back in February with Return Path, “Making Email Safe: DMARC Trends and Adoption.”
About Steve Jones
Steve Jones has served as Executive Director of DMARC.org since it became a non-profit advocacy initiative in February 2015, after serving as Secretary to the DMARC technical project for the preceding three years. Before becoming Director he spent nine years with Bank of America as a strategist, messaging architect, and team manager where his responsibilities included messaging, the social enterprise and online collaboration tools. He has participated in Internet standards efforts and spoken at M3AAWG, RSA, SANS, and USENIX conferences. Follow him on Twitter at @_smj.