How DMARC Can Protect Against Phishing & Ransomware

Published

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Organizations adopting the Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard enable the validation and authentication of emails sent from their domain. Servers and security tools receiving email can perform DMARC checks and quickly detect spoofed emails trying to impersonate the organization. Eliminating these spoofed emails can drastically reduce both phishing emails and ransomware attacks.

This article will explore how this works in more detail:

Ransomware & Phishing — a Toxic Combination

Ransomware attacks accounted for approximately one out of every five cyber crimes in 2022 even as the number of ransomware attacks dropped by 23% compared to 2021. However, the impact of ransomware continues to grow as ransoms increase and attackers increase the magnitude of their overall threat with the addition of data exfiltration, extortion, and distributed denial of service (DDoS) attacks.

The costs of ransomware attacks can be massive, including downtime, data loss, business reputation damage, recovery expenses, forensic investigation expenses, and significant psychological damages for the teams. Ransomware depends upon phishing for the majority of ransomware attacks, yet phishing also delivers other types of attacks. Phishing, in turn, often depends upon email spoofing to trick users into falling for the phishing attack.

Ransomware Depends on Phishing

A ransomware attack can spring from a single email, and phishing provides the most common entry point for ransomware. However, in most cases, clicking on a bad phishing link does not launch ransomware. Attacks that do launch immediately can usually only encrypt the computer for the phishing victim, which limits the ransom-earning potential. More insidious, news-worthy, and revenue generating ransomware attacks need widespread access to the organization for maximum impact.

To achieve the broader goal, 63% of phishing attacks seek to compromise credentials. By stealing credentials, the ransomware gang can then infiltrate the network, expand access, and attack the organization as a whole.

Other Phishing-Delivered Attacks

Although ransomware makes headlines because of their highly disruptive and obvious impact, phishing attacks can deliver a number of other highly harmful attacks such as business email compromise (BEC), credentials harvesting, keyloggers, remote access trojans (RATs), cryptojacking malware, and other spyware. RATs tend to be the malware of choice because they offer the flexibility of future attack options and the hackers can also resell their access to ransomware-as-a-service providers, cryptocurrency mining groups, bot farms, and more.

Phishing Depends on Spoofing

Spammers send an estimated 3.4 billion emails every day, and Google blocks around 100 million phishing emails daily. Attackers use phishing to perform 47% of the attacks against North and South American organizations, 43% of the attacks against Asian organizations, and 42% of the attacks against European organizations. Microsoft even estimates that 94% of cyberattacks begin with a malicious email.

Yet no one clicks on an unconvincing email. Most people will be tricked by emails that appear to be legitimate and sent by a familiar brand. LinkedIn, Microsoft, Adobe, and Google are top brands used in broad phishing attacks, but smaller brands will also be used in more targeted attacks.

It’s not so difficult to fake an email. Attackers forge the “From” address to target victims with a fraudulent, “spoofed” email that appears to be from a legitimate sender.

For example, perhaps an administrator at the law firm of GenericContracts.com clicks on a phishing link and the attackers scope out the firm. The attackers may find the firm too small to be worth a ransom attack but also realize that the firm does local work for dozens of larger corporations.

The ransomware attackers may choose to spoof the GenericContracts.com domain and send phishing emails to the stolen contact names for those larger corporations with “Overdue Invoice” PDF files laden with malware. With an existing working relationship with GenericContractors.com, the corporate clients are more likely to click on the phishing emails and enable future ransomware attacks.

How DMARC Works to Stop Ransomware

Fortunately, DMARC provides a way to stop email using fake “From” addresses and reduce spoofing email attacks. DMARC provides email authentication not only to validate official emails but also to invalidate imposter emails by enhancing other email authentication standards.

How Email Authentication Works

DMARC is published with an organization’s Domain Name Service (DNS) and depends on the prior establishment of two other email authentication standards. The Sender Policy Framework (SPF) lists all domains authorized to send emails on behalf of the organization. The DomainKeys Identified Mail (DKIM) standard enables an organization to digitally sign emails from their domain using public key cryptography to verify that an email is delivered unaltered.

DMARC builds on SPF and DKIM to:

  • Check for alignment, or consistency, between the “from” field in the body of the email and the SPF and DKIM domains
  • Instruct the email server how to handle (ignore, quarantine, or discard) emails that fail SPF, DKIM, or DMARC checks

DMARC Alignment Example

Extending the example above, hackers may forge a fake email spoofing the accounts payable department of GenericContracts.com in the “From” field of the text the reader can see. However, the email itself will be sent from their own domain of SpammyPhishing.com, which shows up only in the header of the email (normally hidden from the reader).

However, if GenericContract.com deployed an effective DMARC policy, their clients’ email server would perform a DMARC check. The DMARC check would fail the email for being sent from a non-authorized domain and for having misalignment (or non-matching) header and email “From” fields. The receiving email server would be notified that the spoofed emails are fraudulent and likely send the impersonating email to the SPAM folder or even discard them.

Additionally, GenericContracts.com would receive a report from their clients’ emails servers that detail the campaign of phishing emails from SpammyPhishing.com. GenericContracts can then proactively warn customers about the phishing attack, search for their data breach, and report SpammyPhishing.com as a malicious URL.

How to Use DMARC

Security specialists recommend using DMARC to help protect against ransomware attacks as an essential email security tool. While DMARC primarily protects other organizations receiving emails attempting to impersonate the organization, DMARC makes the task of spoofing emails significantly more complicated for hackers and helps preserve the organization’s brand image.

Of course, it’s not the ultimate protection, as there are many other techniques hackers can deploy. Additionally, organizations need to enforce DMARC on their email receiving servers to perform the DMARC check. However, every protection deployed adds an additional layer of defense, and deploying DMARC also adds other benefits to the organization, such as improving the delivery of marketing emails.

Bottom Line: Adopt DMARC as an Essential Part of Email Security

DMARC can be challenging to configure correctly; however, it provides powerful email protection against spoofing, phishing, and related attacks such as ransomware. Organizations need to adopt DMARC to protect themselves and others against spoofing attacks and to help erode the threat of spam, which accounted for 48% of all emails sent in 2022.

For further reading on tools to secure email:

This article was originally written and published by Julien Maury on September 21, 2021 and updated by Chad Kime on June 6, 2023.

Chad Kime Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.

This field is required This field is required

Get the free Cybersecurity newsletter

Strengthen your organization’s IT security defenses with the latest news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

This field is required This field is required