tric | 2 years ago

The diagram demonstrating the attack shows DMARC fails. All they have shown is that everyone should have DMARC configured properly, and use a reject or quarantine policy. This has been best practice for a long time now.

They use the example of state.gov. That domain's policy is currently set to Reject, which is what all Federal government services have been using for years now.

Here's CISA's requirements: https://www.cisa.gov/news-events/directives/bod-18-01-enhanc...

Microsoft also uses their own auth mechanism in addition to DMARC. It's called composite authentication. In my experience, comp-auth is more strict than DMARC alone.

https://learn.microsoft.com/en-us/microsoft-365/security/off...

What am I missing? Why is this noteworthy?

EDIT:

After reading more of the paper, my conclusion is mentioned in a later reply:

"They are demonstrating a problem with managed providers, and their opinionated configuration. You give up a lot of control as an admin when you use 365 as your front-end. This further proves that."

csharpminor | 2 years ago

I completely agree. As an aside, for .gov domains, the DMARC offenders are primarily at the state, county, and local level. I would personally be in favor of extending CISA’s DMARC requirements to anyone with a .gov domain (and revoking domains that are non-compliant).

Another misconception among many CIO/CISOs is that securing your individual subdomain with DMARC is enough. For example, dmv.ca.gov might have DMARC on its subdomain but not on the root, allowing a scammer to make up their own subdomain like “vehicles.ca.gov” and scam people into paying for fake vehicle registration. Of course there are other mechanisms inbox providers use to protect recipients, but without a DMARC policy on the root domain the door is left open.

This is especially prevalent at the state level where no one wants to own DMARC centrally.
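The root-versus-subdomain gap described above can be checked mechanically. The following is an added example (not code from anyone in this thread): it applies the RFC 7489 policy-discovery rules to a constructed set of `_dmarc` TXT records, showing that a record on `dmv.ca.gov` alone leaves a made-up `vehicles.ca.gov` with no policy, and that a root record with `sp=reject` closes that gap. DNS is replaced by an in-memory dict, and the organizational domain is approximated as the last two labels (adequate here, but production code should use the Public Suffix List).

```python
"""Resolve the DMARC policy that applies to a sender domain (RFC 7489 section 6.6.3).

Constructed example: _dmarc.<domain> TXT lookups are served from a dict so it
runs offline. Organizational-domain detection is simplified to the last two
labels; use the Public Suffix List for real evaluations.
"""

# Constructed zone data: only the subdomain publishes DMARC, the root does not.
SUBDOMAIN_ONLY = {
    "_dmarc.dmv.ca.gov": "v=DMARC1; p=reject; rua=mailto:dmarc@dmv.ca.gov",
}

# Same data plus a root record whose sp= tag covers every subdomain,
# existing or invented, that has no record of its own.
ROOT_COVERED = dict(SUBDOMAIN_ONLY)
ROOT_COVERED["_dmarc.ca.gov"] = "v=DMARC1; p=reject; sp=reject"


def parse_dmarc(record: str) -> dict:
    """Split 'k=v; k=v' into a tag dict; return {} unless it is a DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def organizational_domain(domain: str) -> str:
    """Simplified: last two labels (e.g. vehicles.ca.gov -> ca.gov)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def applicable_policy(from_domain: str, dns: dict) -> str:
    """Return 'reject', 'quarantine' or 'none' for mail claiming From: @from_domain."""
    from_domain = from_domain.lower().strip(".")
    exact = parse_dmarc(dns.get(f"_dmarc.{from_domain}", ""))
    if exact:                       # exact-domain record: p= applies
        return exact.get("p", "none")
    org = organizational_domain(from_domain)
    if org == from_domain:          # already at the root and nothing published
        return "none"
    org_rec = parse_dmarc(dns.get(f"_dmarc.{org}", ""))
    if not org_rec:
        return "none"
    return org_rec.get("sp", org_rec.get("p", "none"))  # sp= wins for subdomains


if __name__ == "__main__":
    for zone_name, zone in (("subdomain only", SUBDOMAIN_ONLY), ("root covered", ROOT_COVERED)):
        for sender in ("dmv.ca.gov", "vehicles.ca.gov", "ca.gov"):
            print(f"{zone_name:14} {sender:18} -> {applicable_policy(sender, zone)}")
```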

tric | 2 years ago

> the DMARC offenders are primarily at the state, county, and local level.

This has been my experience as well. Likely due to their systems being managed by lowest-bidder MSPs.

Someone once shared their own analysis of each state's configuration a few years ago:

https://old.reddit.com/r/sysadmin/comments/cawch1/united_sta...

I wonder how it looks today.

peanut-walrus | 2 years ago

This works against domains that have DMARC configured properly. The first attack works against any domain that is using O365, regardless of their DMARC settings.

tric | 2 years ago

Your domain may have a policy of reject or quarantine, but does the receiving host correctly act on that policy?

I can understand if free email providers are more permissive with narrow authentication scenarios. Users aren't usually able to contact support.

As someone suggested in this thread, this is a UX problem.

Policies need to appease a large number of users. A gov/corp org receiving these messages can be more strict. Even in these orgs, people complain about not receiving an email that was appropriately rejected.