[dmarc-discuss] On Inbound DMARC Support

Terry Zink tzink at exchange.microsoft.com
Fri Jun 20 10:18:54 PDT 2014


>> Here's a simple use case for a spear-phisher where DMARC could be effective on the inbound:
>> 
>> 1. Phisher targets a specific exec at bigbank.com
>> 2. Phisher sends fake FedEx tracking email from fedex.com (p=reject) to exec's admin with a note from exec for admin to track a shipment that has been ordered  
>> 3. Assuming DMARC is not being checked on the inbound, Admin clicks malicious tracking number link, credentials are stolen, breach ensues 
>> 
>> The above does of course assume that the phisher is either not familiar with DMARC, or thinks that it won't be checked by a B2B entity like bigbank.com.
> 
> Right. Any approach that's predicated on the assumption that someone behind a spear-phishing 
> (or other "APT"-esque) attack is stupid and/or unaware of generally known anti-phishing approaches
> is probably flawed. 

Just to add on to Franck's response, the idea that DMARC doesn't stop (i.e., help reduce) spear-phishing totally contradicts the evidence that I have seen. The objection that "A company knows when email spoofing itself is legitimate or not" is not true. It may be true of people on this discussion list but it isn't true in general.

We have lots of customers that are large enterprises that have many different 3rd parties and internal teams that send email as them and don't have them all organized. It takes a long time to get them under control and there isn't a consistent heuristic to determine when a message from @yourcompany.com really is or is not from your company, and if it isn't, is it sent by an authorized 3rd party?

The example of FedEx is one thing, but the one I have seen that is more powerful is when exec at yourcompany.com sends to someone at yourcompany.com, and someone sees the domain and opens the message. DMARC can definitely help eliminate this vector of abuse.

--Terry
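
The inbound check discussed in this message, sketched as an added Python example; it is not code from the post or from any mail product. The policy records, the SPF/DKIM results, the `.example` domains and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
def org_domain(domain):
    # Assumption: last two labels; production code uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_policy(txt):
    # "v=DMARC1; p=reject; adkim=s" -> {"v": "dmarc1", "p": "reject", "adkim": "s"}
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def aligned(auth_domain, from_domain, mode):
    if mode == "s":  # strict alignment: exact match
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed

def evaluate(msg, policies):
    from_dom = msg["from"].rsplit("@", 1)[-1].lower()
    exact = policies.get(from_dom)
    txt = exact or policies.get(org_domain(from_dom))
    if txt is None:
        return "deliver"  # no DMARC record published, nothing to enforce
    pol = parse_policy(txt)
    spf_result, spf_dom = msg["spf"]
    spf_ok = spf_result == "pass" and aligned(spf_dom, from_dom, pol.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_dom, pol.get("adkim", "r"))
                  for res, d in msg["dkim"])
    if spf_ok or dkim_ok:
        return "deliver"
    # Subdomains covered by the organizational record use sp= when present.
    p = pol.get("p") if exact else pol.get("sp", pol.get("p"))
    return p if p in ("quarantine", "reject") else "deliver"  # p=none: report only

POLICIES = {  # constructed records, as published at _dmarc.<domain>
    "fedex.com": "v=DMARC1; p=reject",
    "yourcompany.com": "v=DMARC1; p=quarantine; sp=reject",
}
MESSAGES = {  # constructed SPF/DKIM results a receiver would already have
    # SPF passes, but only for the sender's own envelope domain: not aligned.
    "fake_tracking": {"from": "tracking@fedex.com",
                      "spf": ("pass", "bulk-sender.example"), "dkim": []},
    # Internal-looking mail with no aligned authentication at all.
    "fake_exec": {"from": "exec@yourcompany.com",
                  "spf": ("fail", "yourcompany.com"), "dkim": []},
    # Authorized third party signing with the company's DKIM domain.
    "vendor": {"from": "news@yourcompany.com", "spf": ("pass", "esp.example"),
               "dkim": [("pass", "mail.yourcompany.com")]},
}

if __name__ == "__main__":
    print({name: evaluate(msg, POLICIES) for name, msg in MESSAGES.items()})
```

The `vendor` case is delivered only because its DKIM signature aligns with the From domain, which is the inventory work on third-party senders that the message describes.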



