FBI Urges Companies to Update Email Security

May 15, 2024

The Federal Bureau of Investigation, National Security Agency and the U.S. Department of State have issued a joint cybersecurity advisory warning of state-sponsored email attacks that evade authentication security measures.

According to the advisory, the Democratic People’s Republic of Korea (DPRK, a.k.a. North Korea) Kimsuky cyber actors to exploit improperly configured DNS Domain-based Message Authentication, Reporting and Conformance (DMARC) record policies to conceal social engineering attempts.

Without properly configured DMARC policies, malicious cyber actors are able to send spoofed emails as if they came from a legitimate domain’s email exchange, the FBI said.

What Is DMARC?
  • DMARC is an email security protocol that authenticates whether an email message seemingly sent from an organization’s domain was legitimately sent from that organization’s domain.
  • A DMARC policy can be configured and applied to a domain to specify actions to be taken when email authentication fails.
  • When an organization securely configures a DMARC policy, it helps ensure malicious actors, like Kimsuky, are unable to spoof the organization’s legitimate email domain when sending spearphishing messages to a target.
  • A DMARC policy tells a receiving email server what to do with the email after checking a domain’s Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records.
  • Depending on if an email passes or fails SPF and DKIM, the email can be marked as spam, blocked, or delivered to an intended recipient’s inbox.
Mitigation Measures

Missing DMARC policies or DMARC policies with “p=none” indicate that the receiving email server should take no security action on emails that fail DMARC checks and allow the emails to be sent through to the recipient’s inbox.

In order for organizations to make their policy stricter and signal to email servers to consider unauthenticated emails as spam, the authoring agencies recommend mitigating this threat by updating your organization’s DMARC policy to one of these two configurations:

  • “v=DMARC1; p=quarantine;”
    • “p=quarantine” indicates that email servers should quarantine emails that fail DMARC, considering them to be probable spam.
  • “v=DMARC1; p=reject;”
    • “p=reject” instructs email servers to block emails that fail DMARC, considering them to be almost certainly spam.

In addition to setting the “p” field in DMARC policy, the authoring agencies recommend organizations set other DMARC policy fields, such as “rua” to receive aggregate reports about the DMARC results for email messages purportedly from the organization’s domain.

Red Flags

The following activity may be indications or behaviors of malicious North Korean cyber actors:

  • Innocuous initial communication with no malicious links/attachments, followed by communications containing malicious links/documents, potentially from a different, seemingly legitimate, email address
  • Email content that may include real text of messages recovered from previous victim engagement with other legitimate contacts
  • Emails in English that have awkward sentence structure and/or incorrect grammar
  • Emails or communications targeting victims with either direct or indirect knowledge of policy information, including U.S. and ROK government employees/officials working on North Korea, Asia, China, and/or Southeast Asia matters; U.S. and ROK government employees with high clearance levels; and members of the military
  • Email accounts that are spoofed with subtle incorrect misspellings of legitimate names and email addresses listed in a university directory or an official website
  • Malicious documents that require the user to click “Enable Macros” to view the document
  • Follow-up emails within 2-3 days of initial contact if the target does not respond to the initial spearphishing email
  • Emails purporting to be from official sources but sent using unofficial email services, identifiable through the email header information being a slightly incorrect version of an organization’s domain
Webinar

Employees continue to be the weakest link when it comes to cybersecurity. According to reports, nine out of 10 data breach incidents were caused by employee mistakes. Phishing email is one way criminals attempt to garner sensitive information or data. Employees need training and best-practice security controls to keep company data secure. Register for this Closinglock-sponsored ALTA Insights webinar to learn best practices to help identify phishing attempts when reviewing emails. 

The webinar will discuss:

  • What is phishing
  • Different forms of phishing
  • Recognizing red flags
  • What to do with a phishing email
  • What to do if click a bad link

Speakers

  • Trent Milliron | Chief Executive Officer | Koud9
  • Dickon Newman | Information System Security Officer | Kloud9

When

  • 1:00-2:00 p.m. ET, June 12

Register Today


Contact ALTA at 202-296-3671 or communications@alta.org.