Can DMARC Stop All Business Email Compromise Attacks?

If you think DMARC – Domain Message Authentication Reporting & Conformance – is the solution to defend against email spoofing, impersonation or business email compromise attacks, you would be only partially correct. It helps but doesn’t by itself solve the entire problem.

Overall these social engineering heavy, impersonation type of email attacks have become a key go-to method for cybercriminals, helping them reap by some estimatebillions of dollars of ill-gotten gains every year. Why are attackers so focused on these types of attacks?  It is simple: The returns are good, the cost of entry is low, technical innovations aren’t needed, and the risk of getting caught is negligible. 

DMARC, when used in conjunction with other DNS authentication capabilities such as DKIM and SPF, can help stop attackers from spoofing or hijacking the email domains of trusted senders, thus effectively taking away one method attackers use to fool their intended victims.  Unfortunately, many organizations don’t support these security standards with the deployments of their email systems.  The FTC recently released a study which confirmed this.  However, using these email security standards alone will not sufficiently defend your organization from the full variety of malware-less impersonation attacks.  Why not?

Unfortunately, attackers are creative.  One way around DMARC/DKIM/SPF-oriented security controls is to register and use valid domains which are similar to, but not exactly the same as, your domain or the domain of one your trusted partners or customers.  For example, using Mirnecast.com instead of the proper Mimecast.com as the sending domain for an attack against Mimecast or someone expecting an email from Mimecast.  Notice the difference - rn .vs. m? 

Mirnecast.com is a perfectly valid domain, the fact that it is quite similar to Mimecast.com is not an issue for email routing on the Internet, but is a big problem for a person who applies only a cursory glance to the sending domain and has no automated email security controls. 

And, of course, there is nothing DMARC can do to stop attackers using free mail accounts to launch their attacks.  Most organizations can’t broadly block emails from Gmail, Yahoo, or Hotmail because they are the source of many legitimate emails. 

The best solution for protecting your organization from an email impersonation attack is to combine the use of DMARC, DKIM and SPF with Mimecast’s Targeted Threat Protection – Impersonation Protect, so inbound messages can be analyzed to determine their validity before being delivered to the users’ inbox.  Inspecting the content of the email for keywords (wire transfer, W-2, credit card etc.) in combination with the validity and newness of the sending domain, the accuracy of the display and reply-to name, in conjunction with using DMARC and family of email security standards, can provide a  strong defense against  malware-less, email-borne impersonation attacks.

Unfortunately, most organizations have not adopted these types of sophisticated email security controls whether at the domain registry or individual mail inspection level.  However, as more businesses adopt email security technologies such as DMARC/DKIM/SPF, the level of protection will increase for everyone on the Internet. Adding DMARC to Mimecast’s security portfolio helps our customers better protect their email domains as well as filter and flag any unauthenticated senders, which leads to improved security for all Mimecast customers.

To learn more about Mimecast’s DMARC implementation in particular and DNS Authentication policies please check out this document in the Mimecaster Central community.

FILED IN