Jet Mariano

Tag: DMARC

  • DMARC (Domain-based Message Authentication, Reporting & Conformance)

    Introduction

    DMARC (Domain-based Message Authentication, Reporting & Conformance) is the control system that tells receiving email servers what to do when a message fails SPF or DKIM. Without DMARC, attackers can spoof your domain freely.

    Section 1 — What DMARC Does

    DMARC:

    • Protects your domain from spoofing
    • Defines how mail servers should handle failures
    • Provides visibility into fraud attempts
    • Supports brand protection
    • Enables full enforcement (“p=reject”)

    Section 2 — DMARC Tags and Their Meaning

    1️⃣ v=DMARC1

    Protocol version. Always DMARC1.

    2️⃣ p= (Policy)

    Tells receiving servers what to do:

    • p=none → Monitor only
    • p=quarantine → Send failures to spam
    • p=reject → Block failures entirely (best practice for banks)

    3️⃣ rua= (Aggregate Reports)

    Where daily XML reports are delivered.
    Example:
    rua=mailto:[email protected]

    4️⃣ ruf= (Forensic Reports)

    Receives detailed failure samples (PII-sensitive).
    Example:
    ruf=mailto:[email protected]

    5️⃣ fo= (Failure Options)

    Controls what triggers forensic reporting.
    Common:
    fo=1 → Send forensic report on any SPF/DKIM failure.

    Section 3 — Example of a DMARC Record

    v=DMARC1;
p=reject;
rua=mailto:[email protected];
ruf=mailto:[email protected];
fo=1;
adkim=s;
aspf=s;

    adkim=s and aspf=s enforce strict alignment — critical for banks and regulated industries.

    Section 4 — Why DMARC Matters

    • Blocks domain impersonation
    • Reduces malware/phishing impact
    • Protects customers from fraud
    • Shields executives from spoofing
    • Enables brand trust
    • Essential for financial institutions

    Conclusion

    A strong DMARC policy (“reject”) is one of the strongest defenses against email spoofing — but only when SPF and DKIM are configured properly and regularly monitored.

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

  • Email Spoofing Explained: How Attackers Do It and How DMARC Blocks Them

    Introduction

    Email is built on trust — and the original SMTP protocol (from 1982) was never designed with modern threat actors in mind. Attackers now exploit loose RFC rules, misconfigured servers, and public DNS to spoof legitimate senders and bypass basic filtering.

    This blog explains how spoofing actually works, why SPF/DKIM alone are not enough, and why DMARC alignment + Proofpoint is essential for stopping real-world business email compromise (BEC) attacks.

    1. Email Spoofing 101 — Why SMTP Allows It

    SMTP does not validate who the sender truly is.
    An attacker can control:

    a) The SMTP Envelope (“MAIL FROM”)

    Used for return-path, bounce messages, and SPF checks.

    b) The Email Header (“From:”)

    What the human sees in Outlook, Gmail, iPhone Mail.

    Both can be forged.
    That means an attacker can send:

    MAIL FROM: <[email protected]>
From: Jane Doe <[email protected]>

    …even though they do not own that domain.

    2. Step-by-Step: How Attackers Use SMTP to Forge Email

    (Everything below uses neutral demonstration domains to avoid referencing any real organization.)

    S: 220 mail.fake-sender.net SMTP Ready
C: HELO mail.fake-sender.net
S: 250 Hello
C: MAIL FROM:<[email protected]>
S: 250 OK
C: RCPT TO:<[email protected]>
S: 250 Accepted
C: DATA
S: 354 Start mail input
C: Subject: Urgent – Please Review
C: From: [email protected]
C: To: [email protected]

Hi Bob,
Please review this document:
https://malicious-link-example.net/file

Thanks,
Jane
C: .
S: 250 Message accepted
C: QUIT
S: 221 Goodbye

    Important:
    This is exactly how attackers craft spoofed email — the same RFC-compliant commands a normal email client uses.

    3. How Attackers “Harvest” SPF and DKIM Using DNS

    Attackers don’t guess your DNS settings.
    They simply query them publicly, like anyone else on the internet.

    Example: Retrieving DKIM Keys

    nslookup -type=txt selector1._domainkey.victim-of-spoofing.com

    This returns the DKIM public key, which attackers use to craft more believable spoofing attempts (not to break DKIM, but to mimic structure).

    Example: Retrieving SPF Records

    nslookup -type=txt victim-of-spoofing.com

    Result:

    "v=spf1 include:_spf.example-email.net -all"

    Attackers now know:

    • what legitimate sending systems you use
    • how strict your SPF policy is
    • which vendors to impersonate

    SPF & DKIM are public, and attackers rely on that.

    4. Why SPF and DKIM Alone Are Not Enough

    SPF checks the envelope (MAIL FROM).
    DKIM checks the message integrity.

    But both fail in these common scenarios:

    SPF Fails When:

    • A scammer spoofs only the header From
    • Email is forwarded
    • Attackers use free SMTP servers with permissive policies

    DKIM Fails When:

    • Sender uses a domain with no DKIM at all
    • Attackers spoof domains they do own
    • Emails pass through weak relays

    This is why companies get spoofed even with “perfect” SPF/DKIM.

    5. DMARC Alignment — The Real Line of Defense

    DMARC requires:

    ✔ SPF Alignment

    Envelope domain must match header From domain.

    ✔ DKIM Alignment

    DKIM signature domain must match the header From.

    If neither aligns, DMARC instructs receivers to:

    • none — monitor only
    • quarantine — send to spam
    • reject — block outright

    Reject is where spoofing finally dies.

    6. Two Ways Attackers Deliver Spoofed Email

    This is critical for interview-level mastery:

    1️⃣ Using Their Own SMTP Server

    Attackers set up a server where:

    • they control all DNS
    • they can configure any RFC behavior
    • they can impersonate any domain

    This allows highly believable spoofing.

    2️⃣ Using Vulnerable Third-Party SMTP Servers

    Attackers often search for:

    • misconfigured mail relays
    • open SMTP relays
    • free spoofing services

    Both methods work unless DMARC reject + Proofpoint is in place.

    7. Why Proofpoint Completes the Protection

    Even with DMARC reject, attackers still spoof:

    • VIP names (“Display Name Spoofing”)
    • Lookalike domains (e.g., companny-secure.com)
    • Legitimate cloud providers that DMARC trusts
    • OAuth-compromised accounts (EAC)

    Proofpoint adds:

    • Identity threat intelligence
    • Imposter protection (BEC Defense)
    • Lookalike domain analysis
    • Behavioral anomaly detection
    • URL rewriting + sandboxing
    • Real-time classification

    Without Proofpoint, DMARC is only half of the defense.

    Conclusion

    Attackers rely on the weaknesses of SMTP’s original design, public DNS records, and domains they control. That’s why spoofing is still one of the most common and dangerous forms of cyberattack worldwide.

    The only way to fully protect executives, employees, and customers is:

    ✔ SPF
    ✔ DKIM
    ✔ DMARC (reject)
    ✔ PLUS Proofpoint’s identity + behavioral controls

    This is the combination that stops real-world BEC/EAC attacks.

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

  • How BEC (Business Email Compromise) and EAC (Email Account Compromise) Work, and How Proofpoint + EAC Controls Stop Them

    Introduction

    BEC (Business Email Compromise) and EAC (Email Account Compromise) are the two most financially damaging email-based attacks today.
    They bypass traditional spam filters, they target humans—not firewalls—and they abuse trust instead of malware.

    Microsoft 365 alone cannot fully protect against these attacks.
    That’s why organizations use Proofpoint, DMARC alignment, and strict authentication controls—to verify identity, stop impostors, and prevent fraudulent requests from reaching inboxes.

    This blog explains:

    • How BEC works
    • How EAC happens
    • What attackers exploit
    • Why RFC email standards make impersonation easy
    • How Proofpoint + EAC controls shut these attacks down

    Perfect material for any advanced interview panel.

    What Is Business Email Compromise (BEC)?

    BEC is when attackers pretend to be:

    • your CEO,
    • your CFO,
    • your HR director,
    • a vendor,
    • or someone with financial authority

    …with the goal of manipulating employees into:

    • wiring money
    • changing direct deposit info
    • sending W-2s
    • releasing confidential documents
    • approving purchases

    🔸 The key point:

    BEC uses identity deception, not malware.
    No attachments.
    No links.
    Just social engineering in a clean email.

    How BEC Works (Step-By-Step)

    1. Reconnaissance

    Attackers scrape:

    • LinkedIn
    • Company directory leaks
    • Press releases
    • Vendor invoices
    • Social media

    They map who communicates with whom.

    2. Identity Impersonation

    They spoof:

    • Display names
    • Envelope sender
    • Reply-To address
    • SPF-valid lookalike domains

    Example:
    [email protected]
    [email protected]

    3. Thread Hijacking

    They do this by compromising a vendor mailbox and replying inside an existing email chain.

    4. Social Engineering

    The attacker sends a “clean” request:

    • “Are you available?”
    • “I need this wire sent ASAP.”
    • “Can you update this banking information?”

    5. Financial Fraud

    Once the attacker has the employee’s trust — the money is gone.

    What Is Email Account Compromise (EAC)?

    EAC is when the attacker actually logs in to a real mailbox.

    Not spoofing.
    Not faking.
    Real access.

    How they gain access:

    • MFA fatigue
    • Password reuse
    • Legacy protocol with no MFA
    • OAuth token theft
    • Malware stealing credentials
    • Phishing pages identical to Microsoft login

    Once inside, attackers:

    • Set up hidden forwarding rules
    • Delete MFA alerts
    • Change mailbox rules
    • Hijack vendor threads
    • Sit silently and wait for financial conversations

    EAC is dangerous because the attacker uses your real domain, your real mailbox reputation, your real account.

    This is why simply having SPF, DKIM, and DMARC does not stop EAC.

    Why Proofpoint Is Needed (Beyond RFC Email Standards)

    RFC email standards allow spoofing by design.

    Attackers can:

    • abuse SMTP commands
    • spoof the “MAIL FROM”
    • spoof the “From:” header
    • use free SMTP servers
    • harvest SPF/DKIM values via nslookup
    • build near-perfect domain clones

    Example:

    nslookup -type=txt _dmarc.victim-domain.com
nslookup -type=txt selector._domainkey.victim-domain.com

    Attackers see your exact SPF/DKIM configuration.
    They spoof accordingly.

    This is why relying on RFC standards alone is not enough.

    How Proofpoint Stops BEC and EAC

    1. Identity Protection

    Proofpoint checks:

    • display name anomalies
    • domain lookalikes
    • impossible travel
    • VIP impersonation attempts
    • internal vs external identity mapping
    • “Reply-To mismatch”
    • “Header vs Envelope mismatch”

    Microsoft EOP can do part of this,
    Proofpoint does it with far more accuracy.

    2. Vendor Fraud Protection

    Proofpoint fingerprints:

    • vendor sending behavior
    • previous conversation style
    • writing style
    • IP reputation

    If a vendor mailbox is compromised, Proofpoint detects the “change in sending personality.”

    This is one of the strongest EAC protections in the industry.

    3. DMARC Enforcement + Lookalike Domain Defense

    Proofpoint enforces:

    • Domain alignment
    • Display name behavior
    • Header-from authentication
    • Cross-identity matching

    Lookalike domains” examples (generic only):

    • company-secure.com
    • companny.com
    • c0mpany-support.com
    • company-mailservice.com

    These would pass traditional email filters.

    4. URL and Payload Isolation

    Even if links look clean, Proofpoint re-writes and detonates them.

    Although BEC rarely has links, EAC-based phishing almost always does.

    5. Machine Learning on Human Behavior

    Proofpoint analyzes:

    • who talks to whom
    • frequency
    • direction
    • urgency phrases
    • tone manipulation

    If the CEO normally never emails accounting at 10:30 PM on a Friday — the message gets flagged.

    Real-World Example (Anonymized)

    A vendor’s mailbox was compromised.
    The attacker replied inside an existing thread asking to update bank account numbers.

    Microsoft EOP didn’t block it — it came from a legitimate vendor domain.

    Proofpoint flagged:

    • anomalous IP
    • unusual writing style
    • “conversation thread hijacking detected”
    • vendor identity risk score

    Proofpoint blocked the message before it reached the user’s mailbox.

    This is exactly why companies invest in Proofpoint.

    Conclusion

    BEC and EAC are no longer “IT problems.”
    They are financial crimes, costing billions worldwide.

    Microsoft 365 gives strong baseline protection,
    but attackers today use identity manipulation, social engineering, and thread hijacking that bypass traditional signals.

    Proofpoint closes those gaps with:

    • identity defense
    • behavioral AI
    • vendor fraud detection
    • DMARC enforcement
    • mailbox compromise detection
    • impersonation protection

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

error: Content is protected !!