In a recent analysis by Greg Lesnewich, Crista Giering, and the Proofpoint Threat Research Team, the spotlight was cast on TA427 (also known as Velvet Chollima, Black Banshee, Emerald Sleet, APT43, THALLIUM or Kimsuky), a North Korean-aligned threat group. The report from Proofpoint dated April 16, 2024, details how TA427 is actively exploiting weak DMARC policies to mount sophisticated email spoofing and phishing campaigns. For organisations with insufficient or non-existent DMARC records, this should serve as a clarion call to bolster email security measures.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is crucial for protecting email domains from being used for email spoofing, phishing attacks, and other cyber scams. TA427 has been exploiting organisations whose domains carry a loose DMARC policy. By using a permissive p=none DMARC policy, which does not enforce any action against emails failing DMARC checks, TA427 ensures their crafted emails reach their targets without being blocked.
We also think you are vulnerable if you use the sp=none tag on any domain, as this could allow an attacker to send email spoofing attacks from a subdomain. Learn more about securing subdomains with DMARC here.
You are vulnerable if any of these are true for any of your domains:
p=none
sp=none
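As an added illustration of the check above (example code, not VerifyDMARC's own tooling), the following Python parses a DMARC TXT record and flags p=none and sp=none. It goes slightly beyond the two bullets by applying the RFC 7489 rules that sp inherits p when absent and that a pct value below 100 enforces the policy on only that share of failing mail; the sample records are constructed, not real domains' records.

```python
# Added example, not VerifyDMARC's code: flag the weak DMARC settings the
# post names (p=none, sp=none), plus two related RFC 7489 details.

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record ("v=DMARC1; p=none; ...") into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def weak_policy_findings(record: str) -> list:
    """Return a list of weak-policy findings; an empty list means enforced."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    p = tags.get("p", "").lower()
    if p not in ("none", "quarantine", "reject"):
        return [f"invalid or missing p tag: {p!r}"]
    findings = []
    if p == "none":
        findings.append("p=none: failing mail from the domain is delivered untouched")
    if "sp" in tags:
        if tags["sp"].lower() == "none":
            findings.append("sp=none: failing mail from subdomains is delivered untouched")
    elif p == "none":
        # sp defaults to p when absent, so subdomains are unprotected too
        findings.append("no sp tag: subdomains inherit p=none")
    pct = tags.get("pct", "100")  # pct defaults to 100
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    return findings


# Constructed sample records for this example (not real domains' records).
SAMPLE_RECORDS = {
    "weak-a": "v=DMARC1; p=none; rua=mailto:dmarc@example-a.test",
    "weak-b": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example-b.test",
    "ok-c": "v=DMARC1; p=quarantine; pct=100",
    "partial-d": "v=DMARC1; p=reject; pct=25",
    "not-dmarc-e": "v=spf1 -all",
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(name, "->", weak_policy_findings(record) or ["enforced"])
```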
At VerifyDMARC, we are dedicated to ensuring that your domains are fortified against such nefarious activities. We understand that transitioning from p=none to more secure policies like p=quarantine or p=reject can seem daunting. It is just as critical to ensure enforcement policies remain in place.
That’s why we offer:
p=quarantine with confidence.
sp=none tag if you are not confident in subdomain activity: VerifyDMARC automatically surfaces subdomain activity so you can review compliance before moving to sp=quarantine.
As the tactics of threat actors like TA427 evolve, so too must our defences. Implementing and maintaining robust DMARC policies is no longer optional but a necessity. We encourage you to take action today by signing up for a free trial at VerifyDMARC and moving towards a safer email environment.
Don’t wait for a breach before you act. Secure your email domain now and ensure that your communications and digital assets are well-protected against the sophisticated tactics employed by groups like TA427.