Posts

One of the largest focuses for email security in the last year has been around DMARC and ransomware has emerged as one of the most financially damaging cybercrimes of this year. Now what is DMARC? Domain-Based Message Authentication, Reporting and Conformance as an email authentication protocol is used by domain owners of organizations big and small, to protect their domain from Business Email Compromise (BEC), direct domain spoofing, phishing attacks and other forms of email fraud.

DMARC helps you enjoy multiple benefits over time like a considerable boost in your email deliverability, and domain reputation. However a lesser known fact is that DMARC also serves as the first line of defense against Ransomware. Let’s enunciate how DMARC can protect against Ransomware and how ransomware can affect you.

What is Ransomware?

Ransomware is a type of malicious software (malware) that is installed on a computer, usually through the use of malware. The goal of the malicious code is to encrypt files on the computer, after which it typically demands payment in order to decrypt them.

Once the malware installation is in place, the criminal demands a ransom be paid by the victim to restore access to the data. It allows cybercriminals to encrypt sensitive data on computer systems, effectively protecting it from access. The cybercriminals then demand the victim pay a ransom sum to remove the encryption and restore access. Victims are typically faced with a message that tells them their documents, photos, and music files have been encrypted and to pay a ransom to allegedly “restore” the data. Typically, they ask the users to pay in Bitcoin and inform them how long they have to pay to avoid losing everything.

How Does Ransomware Work?

Ransomware has shown that poor security measures put companies at great risk. One of the most effective delivery mechanisms for ransomware is email phishing. Ransomware is often distributed through phishing. A common way this occurs is when an individual receives a malicious email that persuades them to open an attachment containing a file they should trust, like an invoice, that instead contains malware and begins the infection process.

The email will claim to be something official from a well-known company and contains an attachment pretending to be legitimate software, which is why it is very likely that unsuspecting customers, partners, or employees who are aware of your services would fall prey to them.

Security researchers have concluded that for an organization to become a target of phishing attacks with malicious links to malware downloads, the choice is ” opportunistic.” A lot of ransomware doesn’t have any external guidance as to who to target, and often the only thing guiding it is pure opportunity. This means, any organization whether it is a small business or a large enterprise, can be the next target if they have loopholes in their email security.

2021 recent security trends report have made the following distressing discoveries:

  • Since 2018, there has been a 350% rise in ransomware attacks making it one of the most popular attack vectors in recent time.
  • Cyber security experts believe there will be more ransomware attacks than ever in 2021.
  • More than 60% of all ransomware attacks in 2020 involved social actions, such as phishing.
  • New ransomware variants have increased by 46% in the last 2 years
  • 68,000 new ransomware Trojans for mobile have been detected
  • Security researchers have estimated that every 14 seconds a business falls victim to a ransomware attack

Does DMARC Protect Against Ransomware? DMARC and Ransomware

DMARC is the first line of defense against ransomware attacks. Since ransomware is usually delivered to victims in the form of malicious phishing emails from spoofed or forged company domains, DMARC helps protect your brand from being impersonated, which means such fake emails will be marked as spam or not get delivered when you have the protocol correctly configured.  DMARC and Ransomware: how does DMARC help?

  • DMARC authenticates your emails against SPF and DKIM authentication standards that helps filter malicious IP addresses, forgery and domain impersonation.
  • When a phishing email curated by an attacker with a malicious link to install ransomware arising from your domain name reaches a client/employee server, if you have
  • DMARC implemented the email is authenticated against SPF and DKIM.
  • The receiving server tries to verify the sending source and DKIM signature
  • The malicious email will fail verification checks and ultimately fail DMARC authentication due to domain misalignment
  • Now, if you have implemented DMARC at an enforced policy mode (p=reject/quarantine) the email after failing DMARC will either get marked as spam, or rejected, nullifying the chances of your receivers falling prey to the ransomware attack
  • Finally, evade additional SPF errors like too many DNS lookups, syntactical errors and implementation errors, to prevent your email authentication protocol from being invalidated
  • This ultimately safeguards your brand’s reputation, sensitive information and monetary assets

The first step to gaining protection against ransomware attacks is to sign up for DMARC analyzer today! We help you implement DMARC and shift to DMARC enforcement easily and in the least possible time. Start your email authentication journey today with DMARC.

Learn how to Publish a DMARC record

Before we proceed towards publishing a DMARC record, it is important to understand what is a DMARC record? A DMARC record is nothing but a DNS TXT record that can be published in your domain’s DNS (Domain Naming System) so as to configure Domain-Based Message Authentication, Reporting, and Conformance or DMARC for your domain. By configuring DMARC for your domain you as the domain owner now have the ability to specify to receiving servers how they should respond to emails that are sent from unauthorized or illegitimate sources.

Instructions for Generating Your DMARC Record

The process for generating your DMARC DNS Record is extremely simple if you use our free DMARC record generator tool for this purpose. All you need to do is fill up the following criteria:

  • Choose your DMARC policy mode(if you are just starting out with email authentication, we recommend a policy of p=none for you to begin with so you can monitor your email flow)
  • Choose the DMARC policy mode for your subdomains ( we recommend you to only activate this criteria if you wish to opt for a different policy for your subdomains, else, by default it takes up the same policy as your main domain)
  • Type in your desired email addresses wherein you want your DMARC RUA (aggregate) and RUF (Forensic) reports to be delivered to
  • Choose your DKIM alignment mode (for strict alignment the DKIM signature in the email header has to match exactly with the domain found in the from header. For relaxed alignment the two domains must share the same organizational domain only)
  • Choose your SPF alignment mode (for strict alignment the domain in the Return-path header has to match exactly with the domain found in the from header. For relaxed alignment the two domains must share the same organizational domain only)
  • Choose your forensic options (this represents under which circumstances you want to receive your forensic reports)

A typical error-free DMARC record looks something like this:

v=DMARC1; p=none; sp=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1;

The generated record is now to be published in your domain’s DNS on the subdomain: _dmarc.YOURDOMAIN.com

How to Publish Your DMARC Record? 

In order to publish your generated DMARC record, you will need to log in to your DNS console and navigate to the specific domain for which you want to configure DMARC.

After navigating to the domain in your DNS management console, you will need to specify the hostname and the resource type. Since DMARC exists in your domain as a DNS TXT record, the resource type for it is TXT, and the hostname to be specified in this case is : _dmarc 

Finally, you need to add the value of your DMARC record (the record you generated previously): v=DMARC1; p=none; sp=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1;

Save changes to the whole process and you have successfully configured DMARC for your domain!

What Should be My Next Steps?

After you are done publishing your DMARC record your next step should be to focus on protecting your domain from scammers and impersonators. That is your main agenda anyway when you are implementing security protocols and email authentication services. Simply publishing a DMARC record with a p=none policy doesn’t offer any protection against domain spoofing attacks and email fraud. For that you need to shift to DMARC enforcement.

What is DMARC Enforcement?

You can achieve DMARC enforcement if you implement a DMARC policy mode of p=reject or p=quarantine. For maximum protection from domain spoofing attacks and BEC, we recommend a policy mode of reject.  However, the process for achieving DMARC enforcement isn’t as simple as changing your policy mode from monitoring to enforcement. To gain immunity from impersonation attacks all while making sure that your email deliverability doesn’t get impacted, what you need to do is:

  • Sign up with PowerDMARC and enable DMARC reporting for your domain
  • Get daily DMARC RUA reports on email authentication results available in an array of viewing options for ease of understanding
  • Get forensic report updates on the dashboard whenever emails fail authentication
  • Stay under the SPF hard limit to ensure your SPF record never gets invalidated

With DMARC aggregate and forensic reports, moving from monitoring to enforcement becomes a cakewalk for domain owners, as you can visually monitor your email flow and track and respond to deliverability issues instantaneously from the PowerDMARC platform. Sign up today for your free DMARC analyzer trial!

Email spoofing is a growing problem for an organization’s security. Spoofing occurs when a hacker sends an email that appears to have been sent from a trusted source/domain. Email spoofing isn’t a new concept. Defined as “the forgery of an email address header in order to make the message appear to be sent from someone or somewhere other than the actual source,” it has plagued brands for decades. Whenever an email is sent, the From address doesn’t display what server the email was actually sent from—instead it displays whatever domain is entered during the address creation process, thereby raising no suspicion among email recipients.

With the amount of data passing through email servers today, it should come as no surprise that spoofing is an issue for businesses.At the end of 2020,  we found that phishing incidents rose by a staggering 220% compared to the yearly average during the height of global pandemic fears.. Since not all spoofing attacks are carried out on a large scale, the actual number could be much higher. It is 2021, and the problem seems to be only worsening with each passing year. This is why brands are availing of secure protocols to authenticate their emails and steer clear of the malicious intentions of threat actors.

Email Spoofing: What Is It and How Does It Work?

Email spoofing is used in phishing attacks to trick users into thinking the message came from a person or entity they either know or can trust. A cybercriminal uses a spoofing attack to trick recipients into thinking the message came from someone it didn’t. This lets attackers harm you without letting you trace them back. If you see an email from the IRS saying that they sent your refund to a different bank account, it may be a spoofing attack. Phishing attacks can also be carried out via email spoofing, which is a fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details (PIN numbers), often for malicious ends. The term comes from ‘fishing’ for a victim by pretending to be trustworthy.

In SMTP, when outgoing messages are assigned a sender address by the client application; outbound emails servers have no way to tell if the sender address is legitimate or spoofed. Hence, email spoofing is possible because the email system used to represent email addresses does not provide a way for outgoing servers to verify that the sender address is legitimate. This is why large industry players are opting for protocols like SPF, DKIM and DMARC to authorize their legitimate email addresses, and minimize impersonation attacks.

Breaking Down the Anatomy of an Email Spoofing Attack

Each email client uses a specific application program interface (API) to send email. Some applications allow users to configure the sender address of an outgoing message from a drop- down menu containing email addresses. However, this ability can also be invoked using scripts written in any language. Each open mail message has a sender address that displays the address of the originating user’s email application or service. By reconfiguring the application or service, an attacker can send email on behalf of any person.

Let’s just say that now it is possible to send thousands of fake messages from an authentic email domain! Moreover, you don’t have to be an expert in programming to use this script. Threat actors can edit the code according to their preference and begin sending a message using another sender’s email domain. This is exactly how an email spoofing attack is perpetrated.

Email Spoofing as a Vector of Ransomware

Email spoofing paves the way for the spread of malware and ransomware. If you don’t know what ransomware is, it is a malicious software which perpetually blocks access to your sensitive data or system and demands an amount of money (ransom) in exchange for decrypting your data again. Ransomware attacks make organizations and individuals lose tons of money every year and lead to huge data breaches.

DMARC and email authentication also acts as the first line of defense against ransomware by protecting your domain from the malicious intentions of spoofers and impersonators.

Threats Involved for Small, Medium and Large Businesses

Brand identity is vital to a business’s success. Customers are drawn to recognizable brands and rely on them for consistency. But cybercriminals use anything they can to take advantage of this trust, jeopardizing your customers’ safety with phishing emails, malware, and email spoofing activities. The average organization loses between $20 and $70 million a year due to email fraud. It is important to note that spoofing can involve trademark and other intellectual property violations as well, inflicting a considerable amount of damage to a company’s reputation and credibility, in the following two ways:

  • Your partners or esteemed customers can open a spoofed email and end up compromising their confidential data. Cybercriminals can inject ransomware into their system leading to financial losses, through spoofed emails posing to be you. Therefore the next time they might be reluctant to open even your legitimate emails, making them lose faith in your brand.
  • Recipient email servers can flag your legitimate emails as spam and lodge them in the junk folder due to deflation in server reputation, thereby drastically impacting your email deliverability rate.

Either ways, without an ounce of doubt, your customer-facing brand will be on the receiving end of all complications. Despite the efforts of IT professionals, 72% of all cyber attacks begin with a malicious email, and 70% of all data breaches involve social engineering tactics to spoof company domains – making email authentication practices like DMARC, a critical priority.

DMARC: Your One-Stop Solution against Email Spoofing

Domain-Based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol which when implemented correctly can drastically minimize email spoofing, BEC and impersonation attacks. DMARC works in unison with two standard authentication practices- SPF and DKIM, to authenticate outbound messages, providing a way to specify to receiving servers how they should respond to emails failing authentication checks.

Read more about what is DMARC?

If you want to protect your domain from the malicious intentions of spoofers, the first step is to implement DMARC correctly. But before you do so, you need to set up SPF and DKIM for your domain. PowerDMARC’s free SPF and DKIM record generators can aid you in generating  these records to be published in your DNS, with a single click. After successfully configuring these protocols, go through the following steps to implement DMARC:

  • Generate an error-free DMARC record using PowerDMARC’s free DMARC record generator
  • Publish the record in your domain’s DNS
  • Gradually move to a DMARC enforcement policy of p=reject
  • Monitor your email ecosystem and receive detailed authentication aggregate and forensic (RUA/RUF) reports with our DMARC analyzer tool

Limitations to Overcome While Achieving DMARC Enforcement

You have published an error-free DMARC record, and moved to a policy of enforcement, and yet you are facing issues in email delivery? The problem can be far more complicated than you think. If you didn’t already know, your SPF authentication protocol has a limit of 10 DNS lookups. However, if you used cloud-based email service providers and various third-party vendors, you can easily exceed this limit. As soon as you do so, SPF breaks and even legitimate emails fail authentication, leading your emails to land in the junk folder or not being delivered at all.

As your SPF record gets invalidated due to too many DNS lookups, your domain again becomes vulnerable to email spoofing attacks and BEC. Therefore staying under the SPF 10 lookup limit is imperative to ensure  email deliverability. This is why we recommend PowerSPF, your automatic SPF flatenner, that shrinks your SPF record to a single include statement, negating redundant and nested IP addresses. We also run periodical checks to monitor changes made by your service providers to their respective IP addresses, ensuring that your SPF record is always up-to-date.

PowerDMARC assembles a range of email authentication protocols like SPF, DKIM, DMARC, MTA-STS, TLS-RPT and BIMI to give your domain a reputation and deliverability boost. Sign up today to get your free DMARC analyzer.

All right, you’ve just gone through the whole process of setting up DMARC for your domain. You published your SPF, DKIM and DMARC records, you analysed all your reports, fixed delivery issues, bumped up your enforcement level from p=none to quarantine and finally to reject. You’re officially 100% DMARC-enforced. Congratulations! Now only your emails reach people’s inboxes. No one’s going to impersonate your brand if you can help it.

So that’s it, right? Your domain’s secured and we can all go home happy, knowing your emails are going to be safe. Right…?

Well, not exactly. DMARC is kind of like exercise and diet: you do it for a while and lose a bunch of weight and get some sick abs, and everything’s going great. But if you stop, all those gains you just made are slowly going to diminish, and the risk of spoofing starts creeping back in. But don’t freak out! Just like with diet and exercise, getting fit (ie. getting to 100% enforcement) is the hardest part. Once you’ve done that, you just need to maintain it on that same level, which is much easier.

Okay, enough with the analogies, let’s get down to business. If you’ve just implemented and enforced DMARC on your domain, what’s the next step? How do you continue keeping your domain and email channels secure?

What to Do After Achieving DMARC Enforcement

The #1 reason that email security doesn’t simply end after you reach 100% enforcement is that attack patterns, phishing scams, and sending sources are always changing. A popular trend in email scams often doesn’t even last longer than a couple of months. Think of the WannaCry ransomware attacks in 2018, or even something as recent as the WHO Coronavirus phishing scams in early 2020. You don’t see much of those in the wild right now, do you?

Cybercriminals are constantly changing their tactics, and malicious sending sources are always changing and multiplying, and there’s not much you can do about it. What you can do is prepare your brand for any possible cyberattack that could come at you. And the way to do that is through DMARC monitoring & visibility .

Even after you’re enforced, you still need to be in total control of your email channels. That means you have to know which IP addresses are sending emails through your domain, where you’re having issues with email delivery or authentication, and identify and respond to any potential spoofing attempt or malicious server carrying a phishing campaign on your behalf. The more you monitor your domain, the better you’ll come to understand it. And consequently, the better you’ll be able to secure your emails, your data and your brand.

Why DMARC Monitoring is So Important

Identifying new mail sources
When you monitor your email channels, you’re not just checking to see if everything’s going okay. You’re also going to be looking for new IPs sending emails from your domain. Your organization might change its partners or third party vendors every so often, which means their IPs might become authorized to send emails on your behalf. Is that new sending source just one of your new vendors, or is it someone trying to impersonate your brand? If you analyse your reports regularly, you’ll have a definite answer to that.

PowerDMARC lets you view your DMARC reports according to every sending source for your domain.

Understanding new trends of domain abuse
As I mentioned earlier, attackers are always finding new ways to impersonate brands and trick people into giving them data and money. But if you only ever look at your DMARC reports once every couple of months, you’re not going to notice any telltale signs of spoofing. Unless you regularly monitor the email traffic in your domain, you won’t notice trends or patterns in suspicious activity, and when you are hit with a spoofing attack, you’ll be just as clueless as the people targeted by the email. And trust me, that’s never a good look for your brand.

Find and blacklist malicious IPs
It’s not enough just to find who exactly is trying to abuse your domain, you need to shut them down ASAP. When you’re aware of your sending sources, it’s much easier to pinpoint an offending IP, and once you’ve found it, you can report that IP to their hosting provider and have them blacklisted. This way, you permanently eliminate that specific threat and avoid a spoofing attack.

With Power Take Down, you find the location of a malicious IP, their history of abuse, and have them taken down.

Control over deliverability
Even if you were careful to bring DMARC up to 100% enforcement without affecting your email delivery rates, it’s important to continuously ensure consistently high deliverability. After all, what’s the use of all that email security if none of the emails are making it to their destination? By monitoring your email reports, you can see which ones passed, failed or didn’t align with DMARC, and discover the source of the problem. Without monitoring, it would be impossible to know if your emails are being delivered, let alone fix the issue.

PowerDMARC gives you the option of viewing reports based on their DMARC status so you can instantly identify which ones didn’t make it through.

 

Our cutting-edge platform offers 24×7 domain monitoring and even gives you a dedicated security response team that can manage a security breach for you. Learn more about PowerDMARC extended support.

At first glance, Microsoft’s Office 365 suite seems to be pretty…sweet, right? Not only do you get a whole host of productivity apps, cloud storage, and an email service, but you’re also protected from spam with Microsoft’s own email security solutions. No wonder it’s the most widely adopted enterprise email solution available, with a 54% market share and over 155 million active users. You’re probably one of them, too.

But if a cybersecurity company’s writing a blog about Office 365, there’s got to be something more to it, right? Well, yeah. There is. So let’s talk about what exactly the issue is with Office 365’s security options, and why you really need to know about this.

What Microsoft Office 365 Security is Good At

Before we talk about the problems with it, let’s first quickly get this out of the way: Microsoft Office 365 Advanced Threat Protection (what a mouthful) is quite effective at basic email security. It will be able to stop spam emails, malware, and viruses from making their way into you inbox.

This is good enough if you’re only looking for some basic anti-spam protection. But that’s the problem: low-level spam like this usually doesn’t pose the biggest threat. Most email providers offer some form of basic protection by blocking email from suspicious sources. The real threat—the kind that can make your organization lose money, data and brand integrity—are emails carefully engineered so you don’t realize that they’re fake.

This is when you get into serious cybercrime territory.

What Microsoft Office 365 Can’t Protect You From

Microsoft Office 365’s security solution works like an anti-spam filter, using algorithms to determine if an email is similar to other spam or phishing emails. But what happens when you’re hit with a far more sophisticated attack using social engineering, or targeted at a specific employee or group of employees?

These aren’t your run-of-the-mill spam emails sent out to tens of thousands of people at once. Business Email Compromise (BEC) and Vendor Email Compromise (VEC) are examples of how attackers carefully select a target, learn more information about their organization by spying on their emails, and at a strategic point, send a fake invoice or request via email, asking for money to be transferred or data to be shared.

This tactic, broadly known as spear phishing, makes it appear that email is coming from someone within your own organization, or a trusted partner or vendor. Even under careful inspection, these emails can look very realistic and are nearly impossible to detect, even for seasoned cybersecurity experts.

If an attacker pretends to be your boss or the CEO of your organization and sends you an email, it’s unlikely that you’ll check to see if the email looks genuine or not. This is exactly what makes BEC and CEO fraud so dangerous. Office 365 will not be able to protect you against this sort of attack because these are ostensibly coming from a real person, and the algorithms will not consider it to be a spam email.

How Can You Secure Office 365 Against BEC and Spear Phishing?

Domain-based Message Authentication, Reporting & Conformance, or DMARC, is an email security protocol that uses information provided by the domain owner to protect receivers from spoofed email. When you implement DMARC on your organization’s domain, receiving servers will check each and every email coming from your domain against the DNS records you published.

But if Office 365 ATP couldn’t prevent targeted spoofing attacks, how does DMARC do it?

Well, DMARC functions very differently than an anti-spam filter. While spam filters check incoming email entering your inbox, DMARC authenticates outgoing email sent by your organization’s domain. What this means is that if someone is trying to impersonate your organization and send you phishing emails, as long as you’re DMARC-enforced, those emails will be dumped in the spam folder or blocked entirely.

And get this — it also means that if a cybercriminal was using your trusted brand to send phishing emails, even your customers wouldn’t have to deal with them, either. DMARC actually helps protect your business, too.

But there’s more: Office 365 doesn’t actually give your organization any visibility on a phishing attack, it just blocks spam email. But if you want to properly secure your domain, you need to know exactly who or what is trying to impersonate your brand, and take immediate action. DMARC provides this data, including the IP addresses of abusive sending sources, as well as the number of emails they send. PowerDMARC takes this to the next level with advanced DMARC analytics right on your dashboard.

Learn more about what PowerDMARC can do for your brand.