Loose DMARC Policy: A Prime Target for TA427

Introduction

In a recent analysis by Greg Lesnewich, Crista Giering, and the Proofpoint Threat Research Team, the spotlight was cast on TA427 (also known as Velvet Chollima, Black Banshee, Emerald Sleet, APT43, THALLIUM or Kimsuky), a North Korean-aligned threat group. The report dated April 16, 2024, details how TA427 is actively exploiting weak DMARC policies to mount sophisticated email spoofing and phishing campaigns. For organisations with insufficient or non-existent DMARC records, this should serve as a clarion call to bolster email security measures.

The Exploitation of DMARC by TA427

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is crucial for protecting email domains from being used for email spoofing, phishing attacks, and other cyber scams. TA427 has been exploiting organisations with loose DMARC policy on domains to their advantage. By using a permissive p=none DMARC policy, which does not enforce any action against emails failing DMARC checks, TA427 ensures their crafted emails reach their targets without being blocked.

Why Is DMARC Critical?

1. Prevents Email Spoofing: Properly configured DMARC records can significantly reduce the risk of your domain being impersonated in phishing attacks.
2. Protects Brand Reputation: It helps maintain the integrity of your communication, ensuring that only legitimate emails are seen as coming from your domain.
3. Enhances Email Deliverability: Emails that pass DMARC, SPF, and DKIM checks are more likely to be delivered successfully to the recipient's inbox rather than the spam folder.

Our take

We also think you are vulnerable if you use the sp=none tag on any domain, as this could allow an attacker to send email spoofing attacks from a subdomain. We cover DMARC and subdomains here.

You are vulnerable if any of these are true for any of your domains:

• No valid _dmarc TXT record
• _dmarc TXT record with p=none‍
• _dmarc TXT record with sp=none

VerifyDMARC: Your Shield Against DMARC Abuse

At VerifyDMARC, we are dedicated to ensuring that your domains are fortified against such nefarious activities. We understand that transitioning from p=none to more secure policies like p=quarantine or p=reject can seem daunting. It is just as critical to ensure enforcement policies remain in place.

That’s why we offer:

• Free DMARC Trial: Start with our no-cost trial to get a clear analysis of your mail sources and their compliance with DMARC. Then you can transition to p=quarantine with confidence.
• Affordable Plans: Unlike enterprise-focused services, our plans are designed to be affordable, allowing you to secure high volumes of domains without breaking the bank.
• Actionable Insights: Our dashboard shows a status for each domain, so you can see at a glance that each domain has a valid DMARC record and enforcement policy on both p= and optional sp= tag.
• Subdomain Detection: You may have set an sp=none tag if you are not confident in subdomain activity, VerifyDMARC automatically surfaces subdomain activity so you can review compliance before moving to sp=quarantine.
• CSV or API Import: Bulk load a master list of your domains so you can protect your brand and reputation efficiently. VerifyDMARC includes API access on all plans.

Conclusion

As the tactics of threat actors like TA427 evolve, so too must our defences. Implementing and maintaining robust DMARC policies is no longer optional but a necessity. We encourage you to take action today by signing up for a free trial at VerifyDMARC and moving towards a safer email environment.

Don’t wait for a breach before you act. Secure your email domain now and ensure that your communications and digital assets are well-protected against the sophisticated tactics employed by groups like TA427.