Tech Tidbit – Rejection is hard

November 20th, 2025
Last summer a number of our M365 clients were hit with a "Direct Send" attack. Direct Send is an Exchange Online feature meant for printers and line-of-business applications: it lets any host on the internet hand mail to the tenant's smart host (the tenant's *.mail.protection.outlook.com address) with no authentication at all, using a sender address in the tenant's own domain. Because that mail goes straight to Microsoft, it never passes through a third-party gateway like Barracuda Email Protection, so those high-powered spam filters never see it.

The threat actor's email appeared to come from a real person at the client, because Direct Send let the attacker put that person's address in the From header. The email carried a malicious attachment.

This email was a serious threat to those domains.

However, there was a simple, free defense that I have been talking/begging/whining about for at least five years.

That is SPF, DKIM, and DMARC.

In one example the email came from the Director of HR about an HR policy change. Since the From address really was the Director of HR's, the email seemed very believable.

However, this site had a DMARC policy of p=quarantine in place.

That meant the believable but fake email failed DMARC: the sending IP address (which geolocated to Serbia) was not listed in the domain's SPF record, and nothing had DKIM-signed the message with the domain's key. The published policy then sent the email into quarantine.

We know that quarantine/spam is where emails go to die. All the emails but one were relegated to the bit bucket. One user was curious about the email and released it. That wasn't what should have happened, but no harm came of it: the bad stuff was in the attachment, and the links in it weren't clicked.

What I have been begging you to do for a few years now is read your DMARC reports. Once every legitimate sender in your aggregate reports passes (aligned SPF or aligned DKIM) and the only failures come from sources that are not yours, it is time to graduate from p=none (report only) to p=quarantine.
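Reading the reports as described above, as an added example that is not Acture's tooling or from the original post: the script below parses a DMARC aggregate (RUA) report, the XML that receivers such as Google and Microsoft mail to your rua= address about once a day (usually as a gzip attachment), groups the results by sending IP, separates the senders you have inventoried from everyone else, and renders the next _dmarc record only when none of your own sources fail. The sample report, the IP ranges in KNOWN_SENDERS and the rua mailbox are constructed and hypothetical.

```python
"""Triage a DMARC aggregate (RUA) report and decide whether the domain is
ready to step from p=none to p=quarantine (or quarantine to reject).

Added example, not Acture's tooling. The report below is constructed in the
RFC 7489 aggregate XML format; the domain, IPs and KNOWN_SENDERS ranges are
illustrative."""
import gzip
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report. Three sources send as example.com:
#   40.107.1.2    - assumed M365 range, SPF and DKIM both aligned
#   198.51.100.7  - assumed marketing platform, DKIM-aligned only (SPF fails
#                   because it uses its own envelope-from domain)
#   203.0.113.55  - unknown host forging the From address, fails both
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>2025-11-20-0001</report_id>
    <date_range><begin>1763596800</begin><end>1763683200</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>40.107.1.2</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.55</source_ip><count>412</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""

# Hypothetical inventory of everything that legitimately sends as example.com.
# Keep it in step with the SPF record and the DKIM-signing services.
KNOWN_SENDERS = [
    ipaddress.ip_network("40.107.0.0/16"),    # assumed M365 outbound range
    ipaddress.ip_network("198.51.100.0/24"),  # assumed marketing platform
]

def load_report(data):
    """Accept raw XML (str or bytes) or the gzip attachment receivers mail out."""
    if isinstance(data, bytes) and data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return ET.fromstring(data)

def summarize(root):
    """Per source IP: messages seen, messages that passed DMARC, and whether
    the IP is one of ours. DMARC passes when aligned DKIM *or* aligned SPF
    passes; policy_evaluated carries those aligned results."""
    stats = defaultdict(lambda: {"count": 0, "pass": 0, "known": False})
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = ipaddress.ip_address(row.findtext("source_ip"))
        n = int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        passed = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        s = stats[str(ip)]
        s["count"] += n
        s["pass"] += n if passed else 0
        s["known"] = any(ip in net for net in KNOWN_SENDERS)
    return dict(stats)

def failing_known_senders(stats):
    """Our own sources that failed DMARC: fix these (SPF entry or DKIM
    signing) before tightening the policy, or you quarantine yourself."""
    return sorted(ip for ip, s in stats.items() if s["known"] and s["pass"] < s["count"])

def unknown_sources(stats):
    """Sources not in the inventory. Review once: a forgotten legitimate
    system belongs in SPF/DKIM and KNOWN_SENDERS; everything else is forgery."""
    return sorted(ip for ip, s in stats.items() if not s["known"])

NEXT = {"none": "quarantine", "quarantine": "reject", "reject": "reject"}

def next_dmarc_record(root, rua="mailto:dmarc@example.com"):  # rua is hypothetical
    """Render the _dmarc TXT record for the next stage, or None while our
    own mail still fails."""
    if failing_known_senders(summarize(root)):
        return None
    current = root.find("policy_published").findtext("p")
    return f"v=DMARC1; p={NEXT[current]}; rua={rua}; adkim=r; aspf=r; pct=100"

if __name__ == "__main__":
    root = load_report(SAMPLE_REPORT)
    stats = summarize(root)
    for ip, s in stats.items():
        tag = "known" if s["known"] else "UNKNOWN"
        print(f"{ip:15} {tag:8} {s['pass']:4}/{s['count']:<4} DMARC pass")
    print("Fix first:", failing_known_senders(stats) or "nothing")
    print("Review:   ", unknown_sources(stats))
    print("Next _dmarc record:", next_dmarc_record(root))
```

The readiness signal is exactly the one in the text: every known sender passes, and whatever still fails comes from hosts you do not own. A host that fails but turns out to be yours (a forgotten copier or SaaS tool) gets added to SPF or DKIM-signed first, then to the inventory; only then does the script hand you the tighter record.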

From what I can see in my wanderings, most of you are still at p=none.

In the words of my autistic nephew, "That is bad."

I need you to redouble your efforts to get out of p=none and at least get to p=quarantine to give yourself some *free* email protection.

Regardless of whether you are using Google Workspace (formerly Google Apps) or M365, please step up to fixing this ASAP.

We need *EVERYTHING* that sends in your name to be listed in your SPF record (or DKIM-signed with your domain's key, since DMARC passes on either aligned result).

Once you have validated this by reviewing your DMARC reports, we need to flip your DMARC to p=quarantine immediately, so that mail the bad guys forge in your domain's name starts landing in quarantine instead of inboxes.
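One check the "list everything in SPF" step needs before you flip the policy, as an added example that is not from the original post: SPF allows at most 10 DNS-querying terms (include, a, mx, ptr, exists and redirect) across the whole tree of records, and a record that exceeds that makes receivers return permerror, so your own mail fails SPF at exactly the moment you are tightening DMARC. The script counts lookups recursively against a constructed in-memory zone (every name and address in it is hypothetical, including the M365-style include) and shows an over-limit record beside a corrected one.

```python
"""Lint an SPF record offline before trusting it for DMARC: recursively count
DNS-querying terms against the RFC 7208 limit of 10, and check the 'all'
qualifier.

Added example, not Acture's tooling. SPF_ZONE is a constructed stand-in for
DNS (name -> TXT record) so the count runs without network access; every
name and address in it is hypothetical."""
import re

SPF_ZONE = {
    # Before: every third party pulled in by include, plus a and mx -> too many lookups.
    "example.com": (
        "v=spf1 include:_spf.m365.example include:_spf.marketing.example "
        "include:_spf.crm.example a mx ip4:203.0.113.0/24 ~all"
    ),
    # After: the CRM's addresses flattened into ip4 terms and the unused a/mx
    # dropped, so the record stays well inside the limit.
    "fixed.example.com": (
        "v=spf1 include:_spf.m365.example include:_spf.marketing.example "
        "ip4:192.0.2.0/24 ip4:203.0.113.0/24 -all"
    ),
    "_spf.m365.example": "v=spf1 ip4:40.107.0.0/16 -all",
    "_spf.marketing.example": "v=spf1 include:_net1.marketing.example include:_net2.marketing.example ~all",
    "_net1.marketing.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_net2.marketing.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.crm.example": "v=spf1 include:_spf.crm-a.example include:_spf.crm-b.example a mx ~all",
    "_spf.crm-a.example": "v=spf1 ip4:192.0.2.0/25 -all",
    "_spf.crm-b.example": "v=spf1 ip4:192.0.2.128/25 -all",
}

LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # each costs one query

def count_lookups(domain, zone=SPF_ZONE, path=()):
    """Total DNS-querying terms reachable from domain's SPF record, following
    include: and redirect= the way a receiver does (RFC 7208 section 4.6.4)."""
    if domain in path:
        raise ValueError(f"include loop: {' -> '.join(path + (domain,))}")
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain} (permerror at the receiver)")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                     # drop the qualifier
        name = re.match(r"[a-z0-9]+", term).group(0)   # mechanism/modifier name
        target = term[len(name) + 1:]                  # text after ':' or '='
        if name in ("include", "redirect"):
            total += 1 + count_lookups(target, zone, path + (domain,))
        elif name in LOOKUP_MECHS:
            total += 1
    return total

def lint(domain, zone=SPF_ZONE):
    """Return (lookup count, list of findings) for the record at domain."""
    findings = []
    n = count_lookups(domain, zone)
    if n > 10:
        findings.append(f"{n} DNS lookups exceeds the limit of 10: receivers return "
                        "permerror and your own mail fails SPF")
    last = zone[domain].split()[-1]
    if last in ("all", "+all"):
        findings.append("'+all' authorizes the whole internet to send as you")
    elif last == "?all":
        findings.append("'?all' is neutral: receivers get nothing to act on")
    return n, findings

if __name__ == "__main__":
    for name in ("example.com", "fixed.example.com"):
        n, findings = lint(name)
        print(f"{name}: {n} lookups; {findings or 'OK'}")
```

Run it against your real record by replacing SPF_ZONE with live TXT lookups; the counting logic is the same. Flattening a vendor's includes into ip4/ip6 terms, as in fixed.example.com, buys back lookups but means re-checking those addresses when the vendor changes them.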

If you don't know or remember how to read DMARC reports and update SPF, DKIM, and DMARC records, please reach out. I am happy to give you a refresher on this to improve your email security.

For M365 users, once you have been at p=quarantine for a while and the only failures in your reports are still forged mail, it is time to move to DMARC p=reject.

p=reject tells every receiving mail server in the world that you are so confident your SPF record (and your DKIM signing) covers 100% of the systems approved to send in your name that any message failing DMARC should be rejected outright, at SMTP time, without the end user ever getting the choice to look at it. Receivers apply the published policy at their own discretion, but that is the instruction you are publishing.

It is the ultimate defense against bad guys doing bad things in your name. When I started down this journey, I found about 3,000 bad guys worldwide using my domain name to send out their bad emails. After implementing these more stringent DMARC settings, I get about one bad guy every week or two who tries to use my domain (and fails).

This needs to be you.

I realize QUARANTINE is hard and REJECTION is harder.

With both Microsoft and Google enforcing bulk sender rules that require SPF, DKIM, and a published DMARC record, you have to do this to ensure your emails are reliably delivered.

Acture can help. This isn't really a big deal and shouldn't take long if you focus on getting it done.

Whether you are on Google Workspace or M365, Acture can help you push this over the top. Give us a call.

Scott F. Quimby

Senior Technical Advisor, CISSP, vCISO

Acture Solutions, Inc.