
Update: North Korean Actors Exploit Weak DMARC Security

May 7, 2024
DMARC Protocol
Security

Introduction

In light of a May 2nd 2024 Cybersecurity Advisory (CSA) JCSA-20240502-001 from the FBI, State Department, and NSA, we are revisiting our previous blog post on the exploitation of DMARC policies by threat actors such as TA427. The joint advisory warns about North Korean cyber actors, specifically Kimsuky (aka Emerald Sleet, APT43, Velvet Chollima, and Black Banshee), who exploit improperly configured DMARC policies to mask their social engineering attacks.

“Spearphishing continues to be a mainstay of the DPRK cyber program and this CSA provides new insights and mitigations to counter their tradecraft,” said NSA Cybersecurity Director Dave Luber.

The Threat: Exploitation of DMARC by Kimsuky

The advisory underscores the critical importance of properly configuring DMARC policies to mitigate email spoofing and phishing risks. Kimsuky and other North Korean-aligned threat groups exploit weaknesses in DMARC configurations to send spoofed emails that appear legitimate, facilitating their spearphishing campaigns.

Actionable Steps

It is imperative that organisations take proactive measures to secure their domains against such threats. Here are some actionable steps:

  1. Update DMARC Policies: Ensure that your organisation's DMARC policies are properly configured and enforce actions against emails failing DMARC checks. Transitioning from permissive policies like `p=none` to more secure policies like `p=quarantine` or `p=reject` is crucial in mitigating the risk of email spoofing.
  2. Protect Subdomains: Ensure your DMARC policies do not use the `sp=none` tag. VerifyDMARC detects subdomain activity automatically, ensuring nothing is overlooked. See our post on subdomains.
  3. Ensure Complete Coverage: Apply enforcement DMARC policies to all domains, even those not actively in use. See our posts on parked domains and onmicrosoft.com domains for more information.
  4. Enhance Monitoring: Regularly monitor DMARC policies and reports, investigating any suspicious activity. Prompt detection and response can prevent security breaches. Sign up for a VerifyDMARC trial today to get immediate insights.
  5. Employee Training: Educate employees about the dangers of phishing attacks and how to identify suspicious emails. Implementing robust security awareness training programs can significantly reduce the likelihood of successful phishing attempts.
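As an added example (not code from the original post or from VerifyDMARC), the checker below parses a DMARC TXT record and flags the weak settings that steps 1 to 3 warn about: `p=none`, an explicit or inherited `sp=none`, a partial `pct`, and a record with no aggregate-report address. The domains and records are constructed samples; fetching the real `_dmarc.<domain>` TXT record from DNS is assumed to happen before the record is passed in.

```python
# Constructed sample DMARC records for illustration; not real domains' records.
SAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "example.org": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.org",
    "example.net": "v=DMARC1; p=quarantine; pct=50",
    "example.edu": "v=DMARC1; p=reject; rua=mailto:dmarc@example.edu",
}


def parse_dmarc(record):
    """Split a DMARC TXT record into a lowercase tag -> value mapping."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of findings; an empty list means the record enforces."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        return ["no valid DMARC record (missing v=DMARC1)"]
    p = tags.get("p")
    if p is None:
        # p is required; receivers generally treat a missing p as none.
        findings.append("missing p tag: receivers fall back to no enforcement")
        p = "none"
    p = p.lower()
    # Subdomains inherit p unless sp overrides it (step 2 of the checklist).
    sp = tags.get("sp", p).lower()
    if p == "none":
        findings.append("p=none: failures are only reported, never acted on")
    if sp == "none":
        findings.append("sp=none (explicit or inherited): subdomains unprotected")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports, so abuse goes unnoticed")
    return findings


def is_enforcing(record):
    """True only when the record has no weak settings at all."""
    return assess_dmarc(record) == []
```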

Conclusion

As the tactics of threat actors continue to evolve, organisations must remain vigilant and proactive in safeguarding their email infrastructure. By prioritising the implementation of robust DMARC policies and investing in comprehensive email security solutions, organisations can effectively mitigate the risk of falling victim to sophisticated phishing campaigns orchestrated by groups like Kimsuky.

Don’t wait for a breach to occur before taking action. Secure all your domains today with a risk-free 30 day trial of VerifyDMARC and fortify your defenses against cyber attacks.
