Email remains the preferred entry point for cybercriminals, both for malware distribution and for collecting credentials through phishing. Phishing attacks can take many forms. The most dangerous are those that impersonate the exact email address of your employees, customers and suppliers:
If you or your external contacts have not yet set DMARC to "reject" mode, it is relatively easy for cybercriminals to reach you through spoofed email addresses, using freely available spoofing tools.
In this article, for Exchange Online users, we show how to configure a "transport rule" (also called a "mail flow rule") that warns your users when they receive an email that fails the DMARC compliance check.
What is a DMARC compliance check?
An email that fails SPF or DKIM authentication will not pass the DMARC compliance check. This email may then be viewed as suspicious by those receiving it, as there is no technical indication that it was sent by a system approved by the organisation that owns the domain name of the spoofed email address. Here is an example:
The email below was sent on behalf of "myFrenchStartup <contact@myfrenchstartup.com>" by Mailchimp.
However, neither SPF nor DKIM authenticated this email for the domain "myfrenchstartup.com":
- The email passes its SPF check for the domain mail114.suw231.rsgsv.net, not for the domain myfrenchstartup.com
- The email passes its DKIM check for the domain mailchimpapp.net, not for the domain myfrenchstartup.com
The myfrenchstartup.com domain publishes no policy telling recipients what to do (quarantine or reject) with an email from myfrenchstartup.com that fails DMARC.
So although nothing proves that this email was sent by myfrenchstartup.com, it may still be delivered to your users' mailboxes.
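To make the alignment logic behind the Mailchimp case concrete, here is an added PowerShell example (not code from the original article) that reads the SPF and DKIM verdicts out of an Authentication-Results header and decides whether either one aligns with the From domain. It goes slightly beyond the text by also showing relaxed alignment, where a subdomain of the From domain counts as aligned. The header values are constructed samples, and the organisational-domain helper is a simplification (it assumes the last two labels, instead of consulting the Public Suffix List as real receivers do).

```powershell
# Added example, not part of the original article.
# Evaluates DMARC identifier alignment from an Authentication-Results header,
# the way a receiving server does before applying the sender's DMARC policy.

function Get-OrganizationalDomain {
    param([string]$Domain)
    # Assumption: the organisational domain is the last two labels.
    # Real receivers use the Public Suffix List (e.g. "example.co.uk").
    $labels = $Domain.ToLower().TrimEnd('.').Split('.')
    if ($labels.Count -le 2) { return ($labels -join '.') }
    return ($labels[-2..-1] -join '.')
}

function Test-DmarcAlignment {
    param(
        [string]$FromDomain,           # domain of the visible From: header
        [string]$AuthenticatedDomain,  # domain that SPF or DKIM actually verified
        [ValidateSet('relaxed', 'strict')][string]$Mode = 'relaxed'
    )
    if ($Mode -eq 'strict') {
        return $FromDomain.ToLower() -eq $AuthenticatedDomain.ToLower()
    }
    # Relaxed alignment: the organisational domains only have to match.
    return (Get-OrganizationalDomain $FromDomain) -eq (Get-OrganizationalDomain $AuthenticatedDomain)
}

function Get-DmarcVerdict {
    param([string]$FromDomain, [string]$AuthenticationResults)
    # Extract the domain each mechanism passed for (if it passed at all).
    $spfDomain  = $null
    $dkimDomain = $null
    if ($AuthenticationResults -match 'spf=pass[^;]*smtp\.mailfrom=(?:[^@;\s]+@)?([^;\s]+)') { $spfDomain = $Matches[1] }
    if ($AuthenticationResults -match 'dkim=pass[^;]*header\.d=([^;\s]+)') { $dkimDomain = $Matches[1] }

    $spfAligned  = $spfDomain  -and (Test-DmarcAlignment $FromDomain $spfDomain)
    $dkimAligned = $dkimDomain -and (Test-DmarcAlignment $FromDomain $dkimDomain)

    [pscustomobject]@{
        FromDomain  = $FromDomain
        SpfDomain   = $spfDomain
        DkimDomain  = $dkimDomain
        SpfAligned  = [bool]$spfAligned
        DkimAligned = [bool]$dkimAligned
        DmarcPass   = [bool]($spfAligned -or $dkimAligned)   # DMARC needs at least one aligned pass
    }
}

# Constructed sample matching the case above: SPF and DKIM both pass, but for
# Mailchimp's domains rather than the From domain, so DMARC fails.
$mailchimpCase = 'spf=pass smtp.mailfrom=bounce@mail114.suw231.rsgsv.net; dkim=pass header.d=mailchimpapp.net'
Get-DmarcVerdict -FromDomain 'myfrenchstartup.com' -AuthenticationResults $mailchimpCase | Format-List

# Constructed contrast: SPF passes for a subdomain of the From domain, which
# relaxed alignment accepts, so DMARC passes even though DKIM failed.
$alignedCase = 'spf=pass smtp.mailfrom=news@mail.example.com; dkim=fail header.d=example.com'
Get-DmarcVerdict -FromDomain 'example.com' -AuthenticationResults $alignedCase | Format-List
```

The first call reports SpfAligned and DkimAligned both false and DmarcPass false, which is exactly why the Mailchimp message is flagged; the second reports SpfAligned true and DmarcPass true. A domain that wanted Mailchimp mail to pass would configure Mailchimp to sign with a DKIM key under its own domain, so that the header.d value aligns.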
By adding a warning to received emails that fail their DMARC compliance check, the Exchange Online transport rule below helps mitigate the risk created by contacts who have not protected their domains with DMARC.
The transport rule below adds the prefix "Spoofed email" to the subject of received emails that fail DMARC:
And here is the result:
This marker tells your users to be careful before acting on the email, because it was sent by someone who may not be the person shown in the sender address.
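The same rule can be created from Exchange Online PowerShell instead of the admin center. The following is an added example, not code from the original article: it assumes the ExchangeOnlineManagement module is installed and that the account used holds an Exchange administrator role. The rule name, the subject prefix and the banner wording are my own choices; the cmdlets and parameters are the standard New-TransportRule ones.

```powershell
# Added example, not part of the original article.
# Creates a mail flow rule that marks inbound external mail whose
# Authentication-Results header records a DMARC failure.

Connect-ExchangeOnline   # interactive sign-in; needs the ExchangeOnlineManagement module

New-TransportRule -Name 'Warn on DMARC failure' `
    -FromScope NotInOrganization `
    -HeaderMatchesMessageHeader 'Authentication-Results' `
    -HeaderMatchesPatterns 'dmarc=fail' `
    -PrependSubject '[Spoofed email] ' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText '<p style="color:#b00000;font-weight:bold">Warning: this message failed the DMARC check for the sender domain. The sender may not be who the From address claims.</p>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Comments 'Prefixes the subject and adds a banner when Exchange Online Protection stamps dmarc=fail in Authentication-Results.'

# Confirm the rule exists and check its priority relative to other rules.
Get-TransportRule -Identity 'Warn on DMARC failure' | Format-List Name, State, Priority, Description
```

HeaderMatchesPatterns is a regular-expression match, so "dmarc=fail" also catches the "dmarc=fail action=none" form that Exchange Online Protection writes when the sender's domain publishes no enforcing policy, which is the case the article is about. Restricting the rule with FromScope NotInOrganization keeps it from touching internal mail. To trial the rule before enforcing it, add "-Mode Audit" so that matches are recorded without the subject or body being changed, then switch to Enforce once the match rate looks right.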