Why Email Authentication and DMARC Email Security Can’t Protect Your Organization from Phishing Attacks

How can a titan like Office 365, defended and protected by advanced email authentication protocols DMARC, DKIM and SPF, still be such a fertile breeding ground for countless phishing attacks? Even more importantly, how can your company protect itself from the relentless onslaught of email threats?

SPF, DKIM, and DMARC together offer a necessary email defense that nevertheless fails with regularity, exposing organizations to Business Email Compromise (BEC), ransomware, and other phish-borne threats, which by our count are behind nearly 95 percent of today’s cybercrime damage.

The reasons SPF, DKIM, and DMARC fall short in stopping phish are demonstrated in Area 1’s latest webinar: Bypass DMARC in 60 minutes or less: Why email authentication doesn’t protect you against phish.

The purpose of SPF, DKIM, and DMARC is to let receiving mail servers (at ISPs, webmail providers, and corporate gateways) verify that a message claiming to come from your domain was actually sent by infrastructure you authorized; together they are meant to stop an imposter from sending email on your behalf with your domain in the sender address.

Sender Policy Framework (SPF)
SPF lets a domain owner publish, in a DNS TXT record, the IP addresses and third-party services allowed to send mail for that domain. A receiving server looks up the record for the envelope sender domain (the RFC5321.MailFrom, or the HELO name when that is empty) and checks whether the connecting IP address is on the list. Despite its utility, SPF is easy to get wrong: records accumulate include: terms for every SaaS sender until they exceed the ten-DNS-lookup limit, a pass is evaluated against the envelope sender rather than the From: header the user actually sees, and an authorized server, domain, or account that has been compromised passes SPF just as well as a legitimate one.
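The following is an added example, not code from the article or from Area 1, showing what a receiver's SPF check actually does: it walks the record of the envelope sender domain, follows include: terms, and counts DNS lookups against the RFC 7208 limit of ten. DNS is replaced by a constructed in-memory table so it runs offline; every domain, record, and IP range in it is hypothetical, and the a, mx, ptr, exists and redirect= mechanisms are deliberately not modelled.

```python
"""Offline SPF evaluation, a subset of RFC 7208.

Added example, not code from the original article. DNS is replaced by a
constructed in-memory table so the check runs offline; every domain and
IP range below is hypothetical (documentation ranges only).
"""
import ipaddress

# Constructed TXT records standing in for DNS answers.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 include:relay.example.org ~all",
    "relay.example.org": "v=spf1 ip4:192.0.2.0/28 -all",
    # Over-stuffed record: eleven includes exceed the ten-lookup budget.
    "sloppy.example": "v=spf1 "
    + " ".join(f"include:svc{i}.example" for i in range(11))
    + " -all",
}
for _i in range(11):
    FAKE_DNS_TXT[f"svc{_i}.example"] = "v=spf1 ip4:10.0.0.1 -all"

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: cap on DNS-querying mechanisms
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, dns=FAKE_DNS_TXT, _lookups=None):
    """Evaluate client_ip against the SPF record of the envelope sender domain.

    Note what is being checked: the RFC5321.MailFrom (or HELO) domain, not
    the From: header the recipient sees. Returns (result, dns_lookups_used).
    """
    if _lookups is None:
        _lookups = [0]  # mutable counter shared across include: recursion
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none", _lookups[0]
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier], _lookups[0]
        if term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term[4:], strict=False)
            if addr.version == network.version and addr in network:
                return QUALIFIERS[qualifier], _lookups[0]
            continue
        if term.startswith("include:"):
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror", _lookups[0]
            sub, _ = check_spf(client_ip, term[len("include:"):], dns, _lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier], _lookups[0]
            if sub in ("permerror", "none"):
                return "permerror", _lookups[0]  # included domain has no usable record
            if sub == "temperror":
                return "temperror", _lookups[0]
            continue  # fail/softfail/neutral inside include: is simply "no match"
        # a, mx, ptr, exists and redirect= exist in the RFC but are not
        # modelled in this toy evaluator; treat them as unsupported.
        return "permerror", _lookups[0]
    return "neutral", _lookups[0]  # no mechanism matched and no 'all' term


if __name__ == "__main__":
    for ip, dom in [("203.0.113.7", "example.com"), ("192.0.2.5", "example.com"),
                    ("8.8.8.8", "example.com"), ("8.8.8.8", "sloppy.example")]:
        print(f"{ip:>12} via {dom:<16} -> {check_spf(ip, dom)}")
```

Two things the run makes visible: a legitimate relay three include: levels deep passes only because each hop counted, and the "sloppy.example" record, which looks perfectly valid, returns permerror for every sender, so mail from that domain is never SPF-authenticated at all. Neither outcome says anything about the From: address a user reads.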

Domain Keys Identified Mail (DKIM)
DKIM attaches a digital signature to the message, computed with a private key held by the signing domain; the matching public key is published in DNS under a selector, so any receiver can verify that the signed headers and body were not altered after signing and that the domain in the signature’s d= tag vouched for the message. It is a signature, not encryption: DKIM hides nothing and does not by itself prove anything about the From: address the user sees. Like SPF, DKIM is awkward to deploy (selectors, key rotation, and keys for every third-party sender), its signature breaks when an intermediary rewrites the body or signed headers, and it offers no protection when the signing domain or the sending account itself has been compromised.

Domain-based Message Authentication, Reporting and Conformance (DMARC)
DMARC is “the mother of all enforcement engines in email authentication.” It sits on top of SPF and DKIM and ties them to the domain the user actually sees: a message passes DMARC only if SPF or DKIM passes and the domain that passed aligns with the From: header domain (exactly under strict alignment, or sharing the same organizational domain under relaxed alignment). The domain owner publishes a policy telling receivers what to do with mail that fails: p=none (monitor and report only), p=quarantine, or p=reject, optionally applied to only a percentage of failing mail with the pct tag. Choosing and reaching the right enforcement level is complex, and anything short of p=reject at pct=100 leaves failing mail a path to the inbox: p=none is purely a monitoring mode, and a partial pct only samples. Many organizations, afraid of accidentally dropping wanted mail from a forgotten third-party sender, never move past monitoring. The alternatives, delivering failing messages or routing them to a quarantine folder, still introduce risk.

Used in conjunction with each other, SPF, DKIM and DMARC can be a helpful deterrent against some attacks. Yet, as noted by our experts, there are still cases where a message passes one check and fails the others (for example, SPF passes for a bulk sender’s bounce domain while neither identifier aligns with the From: domain), not to mention the stubborn issue of compromised sites, domains and accounts, whose mail is authentic as far as the protocols can tell. That this happens underscores one fundamental weakness of email authentication itself: it wasn’t built to protect against the sophisticated phishing attacks used today.
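The following is an added example, not code from the article or from Area 1, covering both the DMARC description above and the “passes one protocol, fails the others” case: given the SPF and DKIM verdicts a receiver has already produced, it checks identifier alignment against the From: domain, applies the published p/sp policy, and handles pct sampling the way RFC 7489 describes (unsampled failures get the next less strict action). All domains and records are constructed, and the public-suffix table is a stand-in for the Public Suffix List a real implementation would use.

```python
"""Offline DMARC alignment and disposition, a subset of RFC 7489.

Added example, not code from the original article. It consumes the SPF and
DKIM verdicts a receiver has already computed (SPF against the envelope
sender domain, DKIM from the d= tag of a signature that verified) and
decides what DMARC says. All domains and records here are constructed.
"""
import random

# Stand-in for the Public Suffix List that real implementations must use.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "example"}

# RFC 7489 section 6.6.4: failures outside the pct sample get the next
# less strict action instead of the published one.
NEXT_LESS_STRICT = {"reject": "quarantine", "quarantine": "none", "none": "none"}
POLICIES = ("none", "quarantine", "reject")


def organizational_domain(domain):
    """Reduce to the registrable domain: mail.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def parse_dmarc(record):
    """Parse a DMARC TXT record into tags with RFC defaults; None if unusable."""
    tags = {"p": None, "sp": None, "pct": "100", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags["p"] not in POLICIES:
        return None
    if tags["sp"] not in POLICIES:
        tags["sp"] = None  # absent or invalid sp: subdomains inherit p
    tags["pct"] = int(tags["pct"])
    return tags


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_evaluate(from_domain, record_domain, record, spf_result, spf_domain,
                   dkim_result, dkim_domain, roll=None):
    """Return the DMARC result and the disposition the receiver should apply.

    from_domain    RFC5322.From domain (what the user sees)
    record_domain  where the DMARC record was found (From domain or its org domain)
    spf_domain     RFC5321.MailFrom domain that SPF was evaluated against
    dkim_domain    d= of a DKIM signature that verified, or None
    roll           0-99 sample value used for pct; random when not given
    """
    policy = parse_dmarc(record)
    if policy is None:
        return {"result": "none", "disposition": "none",
                "spf_aligned": False, "dkim_aligned": False}
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    verdict = {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok}
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return {"result": "pass", "disposition": "none", **verdict}
    # The sp tag applies when the record was found at the org domain and the
    # From: domain is one of its subdomains.
    is_subdomain = from_domain.lower() != record_domain.lower()
    effective = policy["sp"] if (policy["sp"] and is_subdomain) else policy["p"]
    if roll is None:
        roll = random.randrange(100)
    disposition = effective if roll < policy["pct"] else NEXT_LESS_STRICT[effective]
    return {"result": "fail", "disposition": disposition, **verdict}


if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com"
    # Legitimate: SPF on an aligned bounce subdomain, DKIM signed by the org domain.
    print(dmarc_evaluate("example.com", "example.com", rec,
                         "pass", "bounce.example.com", "pass", "example.com"))
    # Bulk sender: SPF passes for its own bounce domain, nothing aligns -> reject.
    print(dmarc_evaluate("example.com", "example.com", rec,
                         "pass", "bounces.esp-provider.example", "fail", None))
    # Same message at a domain still on p=none: fails DMARC, delivered anyway.
    print(dmarc_evaluate("example.com", "example.com", "v=DMARC1; p=none",
                         "pass", "bounces.esp-provider.example", "fail", None))
```

The second and third calls are the cases the text describes: SPF itself passed, so a naive reading of the Authentication-Results header looks fine, yet DMARC fails because the authenticated domain is not the one the user sees; and with p=none that failure changes nothing about delivery. Note also what the function cannot express: a message sent from a compromised mailbox at example.com through its normal provider gets an aligned SPF and DKIM pass and is indistinguishable here from legitimate mail.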

Advanced Email Security

Webmail is a banquet for attackers. Today’s free email services, Gmail, Outlook, Hotmail, Yahoo! and others, hand them a rich harvest of ready-made, authenticated sending infrastructure.

The cloud has been a game-changer for cybercriminals, creating a paradigm shift in the economics and logistics of phishing attacks. In the past, we note, “attackers used to have to take over and set up an email server. But with the rise of webmail, they can very quickly register an email address that says they’re ‘Bob Smith’ and launch that email to a Fortune 500 organization. At least one out of 100 recipients will respond. But why stop with 100? They can easily launch a thousand, ten thousand or a hundred thousand and ensure an even higher level of response. Attackers will stop at nothing.”

The real-time demonstration in the webinar shows how a proficient threat actor can frustrate these protocols with relative ease. To prove that an attack needs only “ten dollars, twenty minutes, and a computer,” Javier walks through the process of sidestepping and outsmarting email authentication functions.

The demo also reinforces Gartner’s point: “Email is fundamentally unsecure.” Gartner further notes that “DMARC can be quite complex to configure and manage, as the reports are difficult to read and understand. There are also technical limits when implementing SPF…” This is one of the reasons protecting against phishing attacks requires an advanced email security service like Area 1.

Recognizing The Limits Of DMARC & Email Authentication

The drawbacks of email authentication illustrate why organizations today suffer such a relentless barrage of phishing attacks. Even after meticulously tuning email security and configuring authentication protocols, organizations still run a high risk of damage and loss as phishing campaigns prey on users’ technological and social vulnerabilities.

The fact is that SPF, DKIM and DMARC don’t offer the seamless anti-phishing defense an organization needs to secure its data, funds, and assets. Truly effective phishing protection lies in preemptive technology that prevents phish from ever reaching an inbox. Once the phish lands, it can insinuate itself into a Type 3 BEC attack, for example, and compromise business partners in a “long con” while bypassing the secure email gateway (SEG), the authentication protocols, and trained employees.

The “King Of Compromised Accounts”

SPF, DKIM and DMARC cannot effectively protect Office 365 because of O365’s fundamental architecture: mail sent from a compromised tenant account leaves through Microsoft’s own authorized infrastructure with the tenant’s legitimate domain, so it passes SPF, DKIM and DMARC exactly as genuine mail does. Office 365 is the “king of compromised accounts,” since it’s so often used to launch phishing attacks against customers and entities around the world. In fact, most compromised tenants are unknowingly hosting phishing sites. There are thousands of malicious sites running on SharePoint and OneDrive at any given time.

Email authentication will never prevent a lookalike domain from being registered, and an attacker who owns that domain can publish perfectly valid SPF, DKIM and DMARC records for it. Seventy percent of attacks use one-letter-off misspelled domains, and email authentication checks can’t stop those either. Plus, it’s very difficult for most Fortune 500 organizations to deploy these email authentication standards successfully and ensure that they’re functioning properly in the first place.
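Because the lookalike problem is outside what SPF, DKIM and DMARC check, catching it needs a different kind of test. The following is an added example, not code from the article or from Area 1: a screen over From: header domains that flags homoglyph substitutions, one-edit typos (including the adjacent-letter swap that plain Levenshtein distance counts as two edits), TLD swaps, and brand names embedded in a longer label. The protected list, the confusables table and the sample domains are constructed, and registrable() is a naive stand-in for Public Suffix List handling.

```python
"""Lookalike-domain screening for the From: header domain.

Added example, not the article's or Area 1's code. Flags domains that are
one edit away from, or visually confusable with, a list of protected
domains. Protected list, confusables table and samples are constructed.
"""

# Hypothetical domains this organization wants to protect.
PROTECTED = ["example.com", "bigbank.example"]

# A few ASCII confusables. Real tables (Unicode TR39) are far longer and
# include Cyrillic/Greek letters, which reach mail as IDNA (xn--) labels.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("|", "l"), ("5", "s"), ("3", "e")]


def fold(text):
    """Lower-case and collapse confusable sequences to their look-alike."""
    text = text.lower()
    for src, dst in CONFUSABLES:
        text = text.replace(src, dst)
    return text


def registrable(domain):
    """Naive registrable domain (last two labels); use the PSL in production."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus an
    adjacent transposition, so 'exmaple' is 1 from 'example', not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify(domain, protected=PROTECTED, max_distance=1):
    """Return (verdict, protected_domain_matched) for one From: domain."""
    reg = registrable(domain)
    if reg in protected:
        return "ok", reg  # the protected domain itself or one of its subdomains
    folded = fold(reg)
    cand_sld = folded.split(".")[0]
    for target in protected:
        brand = target.split(".")[0]
        if folded == fold(target):
            return "homoglyph", target  # examp1e.com reads as example.com
        if osa_distance(folded, fold(target)) <= max_distance:
            return "typo", target  # exmaple.com, example.co
        if cand_sld == brand:
            return "tld-swap", target  # example.net
        if brand in cand_sld:
            return "brand-embedded", target  # example-secure.com
    return "unrelated", None


def screen(from_domains):
    """Map each From: domain to its verdict, as a gateway would log it."""
    return {d: classify(d) for d in from_domains}


# Constructed sample of From: header domains seen at a hypothetical gateway.
SAMPLE_FROM_DOMAINS = [
    "example.com", "mail.example.com", "examp1e.com", "exmaple.com",
    "example.co", "example-secure.com", "example.net",
    "secure.bigbank.example", "bigbank-login.example", "unrelated.org",
]

if __name__ == "__main__":
    for dom, (verdict, target) in screen(SAMPLE_FROM_DOMAINS).items():
        print(f"{dom:<24} {verdict:<15} {target or ''}")
```

Every flagged domain here could carry a clean SPF pass, a valid DKIM signature and a DMARC record of its own, because the attacker owns it; the authentication protocols have nothing to say about it. A production screen would add IDNA decoding of xn-- labels and a much larger confusables table, and would weight verdicts rather than treat them as equal.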

What Actually Works: Advanced Email Security Technologies

Staying ahead of modern phishing attacks and other targeted threats demands a more effective defense than email authentication can deliver. Office 365 phishing in particular calls for a new level of robust email security solutions.
Area 1’s preemptive technology employs proprietary ActiveSensors™ that crawl the web at massive scale to reveal emergent campaign infrastructure and aggregate attack data. Our technology examines every web page, URL, domain, and IP address for telltale patterns, indexing the entire web, 6+ billion pages and 220 million domains, every two weeks on average. Methods like high-speed phish indexing, close monitoring of attacker infrastructure, and analysis of live attack flow, payload, and delivery mechanisms offer the only defense capable of outmaneuvering attackers for true email protection.

Our Small Pattern Analytics Engine, SPARSE™, also identifies phishing attack infrastructure, patterns of attack formation and threats within datasets generated by the ActiveSensors network. The 8+ PB attack data warehouse includes 500 billion attack metadata records—the largest dataset in the industry.

In addition, our comprehensive email security employs AI and Machine Learning (ML) models, computer vision, Natural Language Understanding (NLU), intent analysis, human impersonation detection, content sandboxing and deconstruction, and neural network techniques, among other advances. As threat actor patterns evolve, our ML phishing detection models are continually enhanced, adding up to email security that far surpasses authentication in stopping phishing attacks.

To learn more about how SPF, DKIM, and DMARC fall short in stopping phishing attacks, watch Area 1’s latest webinar: Bypass DMARC in 60 minutes or less: Why email authentication doesn’t protect you against phish.

