Missing DMARC Records Lead to Phishing

Email will proceed to be the dominant mode of digital communication for the foreseeable future. However, the e-mail framework was not designed with safety in thoughts. There nonetheless are safety flaws that unhealthy actors repeatedly exploit to their benefit.

Recently, researchers have found a business-email compromise scam in Russia. Known as Cosmic Lync, the cybercriminal group operating this rip-off has been related to greater than 200 safety incidents concentrating on senior-level executives globally since July 2019.

This group can ship phishing emails that look genuine, proper from the content material of the message to the sender’s deal with. Even an skilled consumer would discover it tough to determine a pretend e-mail with out taking a deep -dive.

How it really works 

First, the attacker wants to discover a weak web site by figuring out if the web site has a DMARC document, which is a TXT document seen within the DNS settings.

nslookup -kind=txt instance.com

If the web site has no DMARC document, it means the attacker can spoof any e-mail deal with with the web site area identify. For instance, the attacker can select to ship an e-mail with the deal with [email protected] with none authentication.

Next, the attacker wants to arrange an SMTP Open Relay Server, which is an everyday mail server with the Relay choice enabled. Sometimes, server directors overlook to flip off the Relay choice. These forms of servers are perfect for sending phishing emails, as they permit the attacker to ship from a focused phishing e-mail deal with utilizing the sufferer’s area with out having to authenticate.

The attacker can determine if the server is an Open Relay Server by operating the next telnet command which checks for a connection to the default SMTP port (25):

telnet mail.examplemailserver.com 25

If the connection is established, it means the server is accepting SMTP connections:


Connected to mail.examplemailserver.com

Escape character is '^]'.

220 mailserver.examplemailserver.com

The attacker can then test if Open Relay is enabled:

MAIL FROM: <[email protected].com>

250 OK <[email protected].com > Sender okay

If an OK is acquired, the server is accepting messages from e-mail accounts that aren’t hosted on this server.

Running the next instructions will then ship the e-mail to the goal:

RCPT TO: <[email protected].com>

250 OK <[email protected].com> Recipient okay

Finally, the contents of the message might be despatched with the next command:


354 Start mail enter; finish with <CRLF>.<CRLF>

take a look at e-mail


Pressing “.” sends the e-mail.

The e-mail may land into the inbox or the spam folder. But from the primary look, it appears real.

Email Headers Reveal Spoofed Email

Let’s examine the e-mail headers for nearer inspection:

Received: from MN2PR02MB5854.namprd02.prod.outlook.com (2603:10b6:a03:1d0::37)

by BY5PR02MB6802.namprd02.prod.outlook.com with HTTPS by way of

BY5PR04CA0027.NAMPRD04.PROD.OUTLOOK.COM; Tue, 4 Aug 2020 13:36:11 +0000

Received: from MWHPR21CA0069.namprd21.prod.outlook.com (2603:10b6:300:db::31)

by MN2PR02MB5854.namprd02.prod.outlook.com (2603:10b6:208:113::31) with

Microsoft SMTP Server (model=TLS1_2,

cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3239.16; Tue, 4 Aug

2020 13:36:10 +0000

Received: from MW2NAM10FT060.eop-nam10.prod.safety.outlook.com

(2603:10b6:300:db:cafe::a) by MWHPR21CA0069.outlook.office365.com

(2603:10b6:300:db::31) with Microsoft SMTP Server (model=TLS1_2,

cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3283.0 by way of Frontend

Transport; Tue, 4 Aug 2020 13:36:09 +0000

Authentication-Results: spf=none (sender IP is

smtp.mailfrom=instance.com; instance.com; dkim=none (message not

signed) header.d=none;instance.com; dmarc=none motion=none

header.from=instance.com;compauth=fail cause=001

Received-SPF: None (safety.outlook.com: instance.com does not

designate permitted sender hosts)

Received: from mailserver.exampleserver.com ( by

MW2NAM10FT060.mail.safety.outlook.com ( with Microsoft SMTP

Server id 15.20.3239.17 by way of Frontend Transport; Tue, 4 Aug 2020 13:36:09


Received: from  (UnknownHost []) by mailserver.exampleserver.com with SMTP;

Tue, 4 Aug 2020 09:35:52 -0400



From: <ceo@instance.com>

To: Undisclosed recipients:;

Return-Path: ceo@instance.com

Date: Tue, 4 Aug 2020 13:36:09 +0000

X-MS-Exchange-Organization-ExpirationStartTime: 04 Aug 2020 13:36:09.6244


X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit

X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000

X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit



X-EOPAttributedMessage: 0

X-EOPTenantAttributedMessage: d5f1622b-14a3-45a6-b069-003f8dc4851f:0

X-MS-Exchange-Organization-MessageDirectionality: Incoming

X-MS-Office365-Filtering-HT: Tenant

X-MS-PublicTrafficType: Email

MIME-Version: 1.0



X-MS-Exchange-Organization-AuthAs: Anonymous

X-MS-Office365-Filtering-Correlation-Id: db4b44e2-faeb-4c5d-b1c1-08d8387b58e1

X-MS-VisitorsTypeDiagnostic: MN2PR02MB5854:

X-MS-Exchange-Organization-AVStamp-Service: 1.0

X-MS-Oob-TLC-OOBClassifiers: OLM:1728;

X-MS-Exchange-Organization-SCL: 5


As you’ll be able to see, the e-mail is shipped from the e-mail [email protected] The solely distinction is that the IP deal with of the sender’s e-mail server doesn’t match the IP deal with within the MX information of instance.com.

Hence, if we will confirm the sender’s IP deal with and correlate that with the MX information of the sender’s area, we might have the ability to detect a spoofed e-mail efficiently — that’s what DMARC is designed to do.


DMARC (Domain-based Message Authentication, Reporting & Conformance) works together with current safety mechanisms like SPF and DKIM to determine if the e-mail message comes from a reputable mail server or whether it is spoofed.

Figure: DMARC Workflow

A typical DMARC document is a TXT document with the format:

Type: TXT

Host/Name: _DMARC.instance.com

Value: v=DMARC1; p=quarantine; ruf=mailto:[email protected]

Explanation of parameters:

  • v=DMARC1 means the present model of DMARC
  • p=quarantine means in case of DMARC violation the mail is quarantined by receiving e-mail deal with listed by the subsequent parameter
  • ruf=mailto:[email protected] implies that the receiver will ship forensic details about the quarantined e-mail to [email protected]

The presence of a legitimate DMARC document ensures that the receiver’s e-mail server is not going to solely determine if the mail is spoofed.

Adding a DMARC document is important to stop spoofed e-mail.

According to a study made by Valimail, 79% of Fortune 500 firms and 25% of U.S. federal domains are nonetheless unprotected from DMARC-based spoofing assaults.   You will help enhance this statistic — and your web site’s safety — by organising and implementing DMARC information if you happen to haven’t but accomplished so.

Does your area have a DMARC document? Let us know by tweeting us @sucurisecurity.

Related Posts