Last summer a number of our M365 clients were hit with a "Direct Send" attack. This attack bypassed high-powered spam filters like Barracuda Email Protection and sent emails directly into M365 without any authentication!
The threat actor email actually came from a real person at the client! The email had a malicious attachment.
This email was a serious threat to those domains.
However, there was a simple, free defense that I have been talking/begging/whining about for at least five years or more.
That is SPF, DKIM, and DMARC.
In one example the email came from the Director of HR about an HR policy change. Since it really did come from the Director of HR, that made the email very believable.
However, this site implemented a DMARC policy of P=QUARANTINE.
That meant the believable fake email was tagged: the source IP address, in Serbia, was flagged because it was not a permitted sender for the domain. That sent the email into quarantine.
We know that quarantine/spam is where emails go to die. All the emails but one were relegated to the bit bucket. One user was curious about the email and released it. That wasn't what should have happened, but no harm came out of that email. The bad stuff was in the attachment, and those links were not clicked on.
What I have been begging you to do for a few years now is read your DMARC reports. Once your DMARC reports only show fake email, it is time to graduate from P=NONE (Report Only) to P=QUARANTINE.
From what I can see in my wanderings most of you are still at P=NONE.
In the words of my autistic nephew, "that is bad."
I need you to redouble your efforts to get out of P=NONE and at least get to P=QUARANTINE to give you some *free* email protection.
Regardless of whether you are Google Apps or M365, please step up to fixing this ASAP.
We need *EVERYTHING* sending in your name to be listed in your SPF record.
Once you have validated that by reading your DMARC reports, we need to immediately flip your DMARC to P=QUARANTINE to start blowing up the bad guys trying to use your domain name for nefarious purposes.
If you don't know or remember how to read DMARC reports and update SPF, DKIM and DMARC records, please reach out. I am happy to give you a refresher on this so we can improve your email security.
For the M365 users, once you have lived at P=QUARANTINE for a while and continue to see nothing but fake emails in your reports, it is time to move to a DMARC policy of P=REJECT.
P=REJECT says to all the email servers in the world that you are so confident that your SPF record represents 100% of the approved systems that send in your name that you are telling the world to outright REJECT any other email and not even give the end user the choice about looking at it.
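As an added example (not from the original post), here is a small Python script for the report-reading step described above: it parses a DMARC aggregate (RUA) report and separates failures from unknown sources (spoofers you can safely quarantine) from failures by your own authorized servers (SPF/DKIM problems to fix before tightening the policy). The report XML, the `AUTHORIZED_IPS` list, `example.com` and the IP addresses are all constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed RUA report (RFC 7489 aggregate format): an authorized server
# passing, an unknown host failing SPF and DKIM, and an authorized server
# that also fails (misconfigured, e.g. DKIM never set up).
SAMPLE_RUA = """<feedback>
<policy_published><domain>example.com</domain><p>none</p></policy_published>
<record><row><source_ip>203.0.113.10</source_ip><count>420</count>
<policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
<record><row><source_ip>198.51.100.7</source_ip><count>35</count>
<policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
<record><row><source_ip>203.0.113.20</source_ip><count>12</count>
<policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Hypothetical list of hosts the domain owner knowingly sends from, i.e. what
# the SPF record's ip4: mechanisms should enumerate.
AUTHORIZED_IPS = {"203.0.113.10", "203.0.113.20"}

def parse_rua(xml_text):
    """Return (published policy, [(source_ip, count, dkim, spf), ...])."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        row, ev = rec.find("row"), rec.find("row/policy_evaluated")
        rows.append((row.findtext("source_ip"), int(row.findtext("count")),
                     ev.findtext("dkim"), ev.findtext("spf")))
    return root.findtext("policy_published/p"), rows

def triage(rows, authorized):
    """Split DMARC failures into spoofers (unknown IPs, safe to quarantine)
    and authorized senders that fail (fix SPF/DKIM before tightening)."""
    spoofed, broken = {}, {}
    for ip, count, dkim, spf in rows:
        if dkim == "pass" or spf == "pass":
            continue  # DMARC passes when either aligned mechanism passes
        (broken if ip in authorized else spoofed)[ip] = count
    return spoofed, broken

def ready_for_quarantine(xml_text, authorized):
    """True when no authorized sender in the report is failing DMARC."""
    spoofed, broken = triage(parse_rua(xml_text)[1], authorized)
    return not broken

if __name__ == "__main__":
    policy, rows = parse_rua(SAMPLE_RUA)
    spoofed, broken = triage(rows, AUTHORIZED_IPS)
    print(f"published p={policy}; spoofers={spoofed}; fix first={broken}")
    print("ready for p=quarantine:", ready_for_quarantine(SAMPLE_RUA, AUTHORIZED_IPS))
```

Real reports arrive as gzip or zip attachments at the `rua=` mailbox and contain many more rows; the same triage applies once they are unpacked.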
It is the ultimate defense against bad guys doing bad things in your name. When I started down this journey, I got around 3,000 bad guys around the world using my domain name to send out their bad emails. After implementing these more stringent DMARC settings, I get about one bad guy every week or two trying to use my domain (and failing).
This needs to be you.
I realize QUARANTINE is hard and REJECT is harder.
With both Microsoft and Google enforcing bulk email rules, you have to do this to ensure reliable delivery of your emails.
Acture can help. This isn't really a big deal to do and shouldn't take long if you focus on getting this done.
Whether you are Google or M365, Acture can help you push this over the top. Give us a call.