By Eyal Benishti on January 22, 2018

Complimenting DMARC with IronSights to Overcome Email Spoofing & Business Email Compromise

Complimenting DMARC

From small businesses to federal agencies and Fortune 500s, no one is immune from the risk of a cyberattack. And as we’ve written about extensively before, phishing remains the primary enabler of most attacks, and sophisticated hackers can now generate fraudulent messages that are almost impossible to identify.

As the federal government implements its use of the Domain-based Message Authorization System (DMARC), more and more businesses in the private sector have followed suit, embracing the authentication protocol as a means to enhance their email security. Yet while DMARC can help reduce some risk of email spoofing and business email compromise (BEC), it has its own challenges and vulnerabilities that make it just one piece of a much larger phishing mitigation puzzle.

Filtering out Email Spoofing & Business Email Compromise

Initially launched in 2012, DMARC is an email-verification system designed to detect and prevent email spoofing and BEC. In recent months, DMARC it has gained more adoption as the federal agencies implement it to comply with a directive from the Department of Homeland Security.

DMARC is built upon the Domain Keys Identified Mail (DKIM) and Sender Policy Framework (SPF) and offers linkage to the author's domain name, policies on how to handle authentication failures, and reporting from receivers to senders. Any organization can use DMARC to attempt to foil email spoofing and prevent phishing and spear-phishing attacks. DMRC enables organizations that fail authorization tests to send them to a spam folder or even block them. There are three settings: reject, quarantine and none.

Many early adopters have implemented DMARC using the "none" monitoring mode, which doesn't change how messages are treated but does offer visibility into mail being sent under the domain name. To get DMARC up and going, an administrator must typically identify domain alignment and the email address to receive DMARC reports. They must then create their DMARC record and then implement it into DNS. It seems simple on the surface but the system still has vulnerabilities.

DMARC’s Challenges and Vulnerabilities

DMARC can be effective in filtering out and reducing the number of fraudulent emails that attempt to hit users’ inboxes. And as many organizations decide whether or not to implement it, security professionals say more widespread adoption could reduce the volume of phishing attacks. Yet DMARC is not the be-all and end-all of email security. It can have a number of flaws that not only leave organizations at risk, but could also lead to rejecting legitimate messages.

Some of DMARCs challenges include:

Sophisticated Hackers Can Still Take Advantage of Vulnerabilities

Hackers and criminal organizations are continually finding ways to bypass email security. The latest way around DMARC is Mailsploit, a phishing method that enables attackers to create a nearly undetectable spoof. Mailsploit can sneak past DMARC by exploiting how email servers handle text data differently than operating systems. The exploit ultimately enables them to trick email servers into reading emails heads in a different way from how email client programs do. Exploits can take advantage of how the email sender name is displayed to bypass DMARC. And because Mail Transfer Agents don't detect or block spoofed email addresses, they will usually relay those emails if the original address seems legitimate.

DKIM and SPF Have Their Own Vulnerabilities

DMARC relies on DKIM and SPF, both of which have their own vulnerabilities. First, DKIM only verifies data integrity by way of time of signing and time of verifying and it does little to prevent display name spoofing. And Valimail noted on its blog that SPF isn't always easy to implement correctly and can have some built-in limitations. Because there is a domain lookup limit, some senders are failing to authenticate with SPF, even though they should pass. SPF also uses the Return-Path address without considering the "human-readable" from address. This leaves an open window for phishing attacks that have authenticated by have a fake "from" address.

DMARC Can Break Your Mail Flow

DMARC can and will break your mail flow if you don't get up both SPF and DKIM before changing a DMARC policy to anything above "none." This can cause a backlog in email messages. And failure to properly set up DMARC in the first place could result in accidentally marketing many of your user's messages as fraudulent.

DMARC Not Built for Robust Cloud App Usage

The limitations of SPF’s 10 domain-lookup threshold present challenges for organizations that use a variety of cloud-based services. According to an article in Dark Reading, “Since each cloud service typically uses between 3-5 rule sets, you’ll probably run into the 10-lookup limit with only three cloud services.” As more companies transition to the cloud, it will become more unobtainable to consistently update DNS records with the IP address information needed to satisfy SPF.

DMARC Requires Significant Maintenance Beyond Authorization

DMARC adoption can be challenging. Jeff Wilbur, director of the Online Trust Alliance told eWEEK that organizations must first inventory their domains and ensure that SPF and DKIM are properly implemented. They can then start implementing a DMARC record with a policy of "none, but will also have to engage in continuous maintenance of their cloud-based solutions, as independent actions by third parties can affect a company's email operations. According to a staff perspective report by the FTC, complex email configurations and the use of third party and cloud providers may make it challenging to implement DMARC the use of a "reject" notification.

Mailbox-level Email Protection with IronSights

IRONSCALES complements DMARC with IronSights, the first and only phishing detection technology that combines human intelligence with machine learning to detect anomalies and communications habits at the mailbox level. Unlike alternative legacy products that not only monitor at the gateway level, IronSights does everything at the mailbox level and eliminates the challenges while reducing false positives.

It's best to think of IronSights as an employee’s virtual security analyst, analyzing all emails at the mailbox level in search of anomalies between past and present communications. Using deep email scans to check the credibility of the email sender’s reputation, IronSights helps users determine if the sender can be trusted. It also uses machine learning algorithms to cross-reference suspicious attempts by hackers to manipulate and reuse phishing emails that bypass spam filters, or those that attempt to hide their identity by using common impersonation and spoofing tactics.

IronSights also validates sender reputation and authenticity, while also assessing behavioral patterns in search of anomalies in communications. Its algorithms continuously improve the detection of irregular communications patterns based on learned experiences that negate false positives and bolster proactive defenses. When email spoofing or impersonation is identified, Advanced InMail visual phishing alerts (including recipient, rating and possible impersonation) help users report the threat in real time.

For more information on how IronSights compliments DMARC, click here.

Published by Eyal Benishti January 22, 2018

Join thousands of your peers! Subscribe to our blog.

Ironscales needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, please review our Privacy Policy.