Organizations adopting the Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard enable the validation and authentication of emails sent from their domain. Servers and security tools receiving email can perform DMARC checks and quickly detect spoofed emails trying to impersonate the organization. Eliminating these spoofed emails can drastically reduce both phishing emails and ransomware attacks.<\/p>\n\n\n\n
This article will explore how this works in more detail:<\/p>\n\n\n\n
Ransomware<\/a> attacks accounted for approximately one out of every five<\/a> cyber crimes in 2022 even as the number of ransomware attacks dropped by 23% compared to 2021. However, the impact of ransomware continues to grow as ransoms increase and attackers increase the magnitude of their overall threat with the addition of data exfiltration, extortion, and distributed denial of service<\/a> (DDoS) attacks.<\/p>\n\n\n\n The costs of ransomware attacks can be massive, including downtime, data loss, business reputation damage, recovery expenses, forensic investigation expenses, and significant psychological damages for the teams. Ransomware depends upon phishing for the majority of ransomware attacks, yet phishing also delivers other types of attacks. Phishing, in turn, often depends upon email spoofing to trick users into falling for the phishing attack.<\/p>\n\n\n\n A ransomware attack can spring from a single email, and phishing provides the most common entry point for ransomware. However, in most cases, clicking on a bad phishing link does not launch ransomware. Attacks that do launch immediately can usually only encrypt the computer for the phishing victim, which limits the ransom-earning potential. More insidious, news-worthy, and revenue generating ransomware attacks need widespread access to the organization for maximum impact.<\/p>\n\n\n\n To achieve the broader goal, 63% of phishing attacks seek to compromise credentials. By stealing credentials, the ransomware gang can then infiltrate the network, expand access, and attack the organization as a whole.<\/p>\n\n\n\n Although ransomware makes headlines because of their highly disruptive and obvious impact, phishing attacks can deliver a number of other highly harmful attacks such as business email compromise (BEC), credentials harvesting, keyloggers, remote access trojans (RATs), cryptojacking malware, and other spyware. RATs tend to be the malware of choice because they offer the flexibility of future attack options and the hackers can also resell their access to ransomware-as-a-service providers, cryptocurrency mining groups, bot farms, and more.<\/p>\n\n\n\n Spammers send an estimated 3.4 billion emails<\/a> every day, and Google blocks around 100 million phishing emails daily. Attackers use phishing to perform 47% of the attacks against North and South American organizations, 43% of the attacks against Asian organizations, and 42% of the attacks against European organizations. Microsoft even estimates that 94% of cyberattacks<\/a> begin with a malicious email.<\/p>\n\n\n\n Yet no one clicks on an unconvincing email. Most people will be tricked by emails that appear to be legitimate and sent by a familiar brand. LinkedIn, Microsoft, Adobe, and Google are top brands used in broad phishing attacks, but smaller brands will also be used in more targeted attacks.<\/p>\n\n\n\n It\u2019s not so difficult to fake an email. Attackers forge the \u201cFrom\u201d address to target victims with a fraudulent, \u201cspoofed<\/a>\u201d email that appears to be from a legitimate sender.<\/p>\n\n\n\n For example, perhaps an administrator at the law firm of GenericContracts.com clicks on a phishing link and the attackers scope out the firm. The attackers may find the firm too small to be worth a ransom attack but also realize that the firm does local work for dozens of larger corporations.<\/p>\n\n\n\n The ransomware attackers may choose to spoof the GenericContracts.com domain and send phishing emails to the stolen contact names for those larger corporations with \u201cOverdue Invoice\u201d PDF files laden with malware. With an existing working relationship with GenericContractors.com, the corporate clients are more likely to click on the phishing emails and enable future ransomware attacks.<\/p>\n\n\n\n Fortunately, DMARC<\/a> provides a way to stop email using fake \u201cFrom\u201d addresses and reduce spoofing email attacks. DMARC provides email authentication not only to validate official emails but also to invalidate imposter emails by enhancing other email authentication standards.<\/p>\n\n\n\n DMARC is published with an organization\u2019s Domain Name Service (DNS) and depends on the prior establishment of two other email authentication standards. The Sender Policy Framework<\/a> (SPF) lists all domains authorized to send emails on behalf of the organization. The DomainKeys Identified Mail<\/a> (DKIM) standard enables an organization to digitally sign emails from their domain using public key cryptography to verify that an email is delivered unaltered.<\/p>\n\n\n\n DMARC builds on SPF and DKIM to:<\/p>\n\n\n\n Extending the example above, hackers may forge a fake email spoofing the accounts payable department of GenericContracts.com in the \u201cFrom\u201d field of the text the reader can see. However, the email itself will be sent from their own domain of SpammyPhishing.com, which shows up only in the header of the email (normally hidden from the reader).<\/p>\n\n\n\n However, if GenericContract.com deployed an effective DMARC policy<\/a>, their clients\u2019 email server would perform a DMARC check. The DMARC check would fail the email for being sent from a non-authorized domain and for having misalignment (or non-matching) header and email \u201cFrom\u201d fields. The receiving email server would be notified that the spoofed emails are fraudulent and likely send the impersonating email to the SPAM folder or even discard them.<\/p>\n\n\n\n Additionally, GenericContracts.com would receive a report from their clients\u2019 emails servers that detail the campaign of phishing emails from SpammyPhishing.com. GenericContracts can then proactively warn customers about the phishing attack, search for their data breach, and report SpammyPhishing.com as a malicious URL.<\/p>\n\n\n\n Security specialists recommend using DMARC to help protect against ransomware attacks as an essential email security<\/a> tool. While DMARC primarily protects other organizations receiving emails attempting to impersonate the organization, DMARC makes the task of spoofing emails significantly more complicated for hackers and helps preserve the organization\u2019s brand image.<\/p>\n\n\n\n Of course, it\u2019s not the ultimate protection, as there are many other techniques hackers can deploy. Additionally, organizations need to enforce DMARC on their email receiving servers to perform the DMARC check. However, every protection deployed adds an additional layer of defense, and deploying DMARC also adds other benefits to the organization, such as improving the delivery of marketing emails.<\/p>\n\n\n\n DMARC can be challenging to configure correctly<\/a>; however, it provides powerful email protection against spoofing, phishing, and related attacks such as ransomware. Organizations need to adopt DMARC to protect themselves and others against spoofing attacks and to help erode the threat of spam, which accounted for 48% of all emails sent<\/a> in 2022.<\/p>\n\n\n\n For further reading on tools to secure email:<\/p>\n\n\n\n This article was originally written and published by Julien Maury<\/a> on September 21, 2021 and updated by Chad Kime<\/a> on June 6, 2023.<\/em><\/p>\n\n\nRansomware Depends on Phishing<\/h3>\n\n\n\n
Other Phishing-Delivered Attacks<\/h3>\n\n\n\n
Phishing Depends on Spoofing<\/h3>\n\n\n\n
How DMARC Works to Stop Ransomware<\/h2>\n\n\n\n
How Email Authentication Works<\/h3>\n\n\n\n
\n
DMARC Alignment Example<\/h3>\n\n\n\n
How to Use DMARC<\/h3>\n\n\n\n
Bottom Line: Adopt DMARC as an Essential Part of Email Security<\/h2>\n\n\n\n
\n