Ecosystem News
Our EU Director Dermot Harnett and Deployment Representative Matia Boldrini joined Dublin City University’s Information Systems Services (ISS) Team on April 9, 2024, to discuss the lessons learned and challenges overcome during DCU’s journey to DMARC compliance. The presenters take a straightforward, candid look at the DCU DMARC project, stressing the importance of building relationships and support among university departments and the coworkers who lead them. As you’ll learn in the presentation, DCU ISS was motivated by the NCSC’s email security guidance and began their DMARC discovery phase, including advocacy among the university leadership and an initial trial with dmarcian. The ISS team shares the challenges they faced in prioritizing this project and how they informed university stakeholders through meetings and internal communications. With the visibility gained through DMARC, they also talk about how they discovered redundant IT resources and were able to gain efficiency. If you weren’t able to join us
The FBI’s Internet Crime Complaint Center (IC3) has released the 2023 Internet Crime Report, which is based on internet crimes reported to the IC3. In 2023, as in 2022, phishing/spoofing was the top crime reported, and investment scams were the most financially damaging. The IC3 received a record 880,418 complaints with associated record losses of more than $12.5 billion, up 10% and 22% respectively from 2022. Keep in mind that these are only reported numbers and just from the American public. 2023 Internet Crime Overview Business Email Compromise: There were 21,489 BEC reports with over $2.9 billion in losses. The IC3 notes a trend of criminals using financial custodial accounts for crypto exchanges, third-party processors and phishing. Investment Fraud: The losses from investment scams increased from $3.31 billion in 2022 to $4.57 billion in 2023. With this 38% increase, investment fraud became the crime with the heaviest reported losses. Cryptocurrency
Ash Morin, our Director of Deployment, joined Mailgun’s Email’s Not Dead podcast crew to discuss Google and Yahoo’s DMARC sender requirements, which they began enforcing on February 1, 2024. Ash was a guest on Email’s Not Dead S2 E7—Spoofing, Phishing and for the Love of DMARC and on S3 E5—Implementing DMARC. In S5 E4, faithful hosts Jonathan Torres and Eric Trinidad asked Ash to join them and provide an overview of what he’s seen and what he predicts with the new email authentication standards update from Yahoo and Google. “Immediately after the announcement we started getting a lot of questions coming in. Not only questions from our existing customer base, but also in ecosystems,” Ash said. “There’s been a lot of ‘what does that mean?’ And almost immediately following, they were asking, ‘does that change anything about the standards? If not, what’s my current state? Am I actually good?’ Even
In February 2024, Google and Yahoo started implementing a series of gradual enforcements for organisations that send over 5000 emails daily, also defined as bulk email senders. These enforcements are especially relevant to Domain-based Message Authentication, Reporting & Conformance (DMARC). With this initiative, Google and Yahoo intend to reduce the overall amount of spam and spoofed content sent across the internet, especially focusing on the authentication of an organisation’s email infrastructure. This move, aimed at combating spam and improving email security, involves using Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and DMARC standards. This article covers the Google and Yahoo requirement specifications and focuses on the potential impacts on European businesses. In particular, it addresses the complications of implementing DMARC across the European email ecosystem and the necessary steps to comply with the enforcement. Impact on European Email Senders: A Closer Look Popular Email Providers in Europe Challenges of
UPDATES: December 26, 2023: The Department of Defense published for comment a proposed rule for the Cybersecurity Maturity Model Certification (CMMC) 2.0 program. December 7, 2022: DMARC and other specs dropped from CMMC 1.0 have been sent to NIST to be included in future revisions of NIST SP 800-171, which CMMC is based upon. For more recent updates, you can visit the Department of Defense Chief Information Officer webpage. The following was published September 20, 2021. The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework being developed by the Department of Defense (DoD) to protect defense contractors from cyber threats. CMMC measures cybersecurity maturity with five levels consisting of security controls, practices and continual improvement to stop the theft of intellectual property, proprietary information and credentials that threaten economic and national security. When an organization sets out to achieve a particular CMMC level, it must also meet the preceding
Recent discussions in the email security ecosystem have highlighted a security loophole concerning Google’s handling of emails sent to a Google Group. This issue arises particularly when the emails come from a domain with a DMARC policy set to p=quarantine or p=reject. Google Groups functions similarly to a mailing list. When a group address receives an email, Google forwards a copy to each group member, retaining the original From: header. This From: header is crucial, as it’s what recipient systems use to determine which domain to check against for DMARC compliance. In essence, when Google forwards these emails, it’s as if Google is spoofing the domain being forwarded. This becomes problematic with domains like AOL or Yahoo, where the receiving system will reject the email, recognizing that Google isn’t authorized to send on their behalf. How scammers exploit Google Groups’ email forwarding Domain Acquisition: Scammers start by acquiring a new
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) have released Phishing Guidance—Stopping the Attack Cycle at Phase One to provide guidance in the ever-waging battle against phishing exploits. The guidance is relevant to all organizations, though it may pose challenges for those with limited resources. To address this, the guide incorporates a section with customized suggestions tailored for small- and medium-sized businesses that may lack the resources for a dedicated IT staff to consistently combat phishing threats. For software manufacturers, the emphasis is on adopting secure-by-design and default strategies. The guidance encourages software companies to create and deliver software that is resistant to common phishing threats, ultimately enhancing the cybersecurity resilience of their customers. In the phishing mitigation guidance for all organizations, CISA, NSA, FBI, and MS-ISAC recommend organizations implement DMARC and other controls
Starting February 2024, long-established email authentication best practices will become a requirement. It’s as simple as that, folks. This news may be alarming to you for a variety of reasons; you may have previously interpreted these guidelines as being optional or didn’t understand the related technical complexities. Or maybe you trusted that your email service provider or IT department was taking care of this for you. Whichever camp you may be in, the responsibility is yours to ensure you are compliant and have the proper visibility to maintain that favorable status from that point forward. As abuse continues to mature, so must the controls that have been implemented to secure the email channel. We applaud Google and Yahoo for ushering this new reality in much the same way that dmarcian has always taken a standards and best practices approach. Our mission has been to spread DMARC across the
Ransomware, Act I The first documented ransomware attack was delivered by the postal service in 1989 when 20,000 floppy discs loaded with malware were sent to AIDS researchers across the globe with the promise of advancing research. When loaded in computers, the discs installed malware and displayed a ransomware message demanding payment to restore data and systems. The attacker, an AIDS researcher himself, took advantage of other researchers to capitalize on the urgency and uncertainty of the AIDS epidemic. Cybercriminals continue to employ similar scare tactics today, using coercion, matters of necessity and social engineering to dupe unsuspecting people. Instead of using snail mail, cybercriminals use unprotected domains to send spoofed emails for deploying ransomware. What is Ransomware? The Cybersecurity and Infrastructure Security Agency (CISA) defines ransomware as a type of malware “cyber actors use to deny access to systems or data. The malicious cyber actor holds systems or data
Here’s some long-time-coming news from Microsoft, one of the world’s largest mailbox providers: they have started rolling out changes to honor DMARC policies as published in a domain’s DNS. Microsoft will now be treating the p=reject policy as intended; email failing DMARC authentication will not be delivered. Microsoft had been treating the DMARC policies of p=quarantine and p=reject the same way; email failing DMARC with a p=reject policy was delivered to the spam folder. Microsoft said they had operated this way “because some legitimate email may fail DMARC. For example, a message might fail DMARC if it’s sent to a mailing list that then relays the message to all list participants. If Microsoft 365 rejected these messages, people could lose legitimate email and have no way to retrieve it. Instead, these messages will still fail DMARC but they’ll be marked as spam and not rejected.” Microsoft signaled the change to