Using DMARC to protect against MITRE ATT&CK threats

DMARC helps prevent phishing and spoofing by blocking domain impersonation. Learn how it aligns with the MITRE ATT&CK framework to strengthen email security.

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a specific and valuable solution in the fight to keep email safe and secure, helping organizations protect their domains from phishing, spoofing, and impersonation attacks.

The MITRE ATT&CK® Framework, created in 2013 by the non-profit MITRE Corporation, is a “globally accessible knowledge base of adversary tactics and techniques based on real-world observations” with a strong focus on cyber security. Its well-organized directory of threats explains in detail the risks associated with each threat and how these threats are executed by bad actors, and provides suggestions for potential mitigation steps. This helps security professionals worldwide improve their efforts to protect against unwanted attacks, intrusion, data breaches, monetary losses, and much more.

Where DMARC and the MITRE ATT&CK framework intersect

In the MITRE ATT&CK Framework, a multitude of attacks relate to, or start with, email spoofing or phishing. They begin with Initial Access (TA0001), in which bad actors try to gain access to your network and systems, and phishing attacks (T1566) are widely utilized. Specifically:

  • Spearphishing attachment (T1566.001): A malicious file disguised as an invoice, resume, or even as an adjunct to a supposedly urgent memo.
  • Spearphishing link (T1566.002): An innocent-looking link that sends users to a fake login page designed to steal credentials.
  • Spearphishing via service (T1566.003): A fake email from what looks like a legitimate service. Think PayPal, Microsoft, or even a faked message from somebody important within the company.

DMARC can’t stop a bad actor from putting a fake link in a spearphishing email message to try to trick the user, but it will prevent that bad actor from using your well-protected email domain in that email message’s address once you’ve implemented DMARC at enforcement. DMARC’s ability to tell mailbox providers to reject mail purportedly from your domain when it fails authentication checks can be extremely helpful here.
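
To make the enforcement point concrete, here is a simplified sketch of how a receiving mail server arrives at a DMARC disposition. It is an added example, not code from Valimail or any mailbox provider; the domains, records, and SPF/DKIM results are constructed sample data, and the pct tag and Public Suffix List lookups are left out.

```python
# Added illustration: simplified receiver-side DMARC evaluation (RFC 7489).
# All domains, records and authentication results are constructed samples.

ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def aligned(from_domain, auth_domain, strict):
    """Strict: exact match. Relaxed: same domain or parent/child domain.
    Simplification: real relaxed alignment compares organizational domains
    derived from the Public Suffix List."""
    a, b = from_domain.lower(), auth_domain.lower()
    if strict:
        return a == b
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def dmarc_disposition(record, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated_domain) tuples produced by the
    earlier SPF and DKIM checks. Returns 'pass', the owner's requested policy
    on failure ('none', 'quarantine', 'reject'), or 'no-policy'."""
    tags = parse_dmarc(record)
    if tags is None or tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return "no-policy"
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r") == "s")
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags.get("adkim", "r") == "s")
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"].lower()

if __name__ == "__main__":
    # Spoofed From: example.com; SPF passes only for the sender's own domain.
    spoof = (("pass", "attacker.test"), ("none", ""))
    print(dmarc_disposition(ENFORCED, "example.com", *spoof))  # reject
    print(dmarc_disposition(MONITOR, "example.com", *spoof))   # none
```

The same spoofed message is rejected under p=reject but only reported under p=none, which is why a monitoring-only policy does not stop impersonation of the domain.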

Stopping impersonation with DMARC

Bad actors are fans of Credential Access (TA0006), described in the MITRE ATT&CK Framework as stealing account names and passwords, which gets them access to Valid Accounts (T1078), where they obtain and abuse existing, valid logins to further nefarious schemes.

DMARC also helps here by making impersonation significantly harder. If attackers can’t spoof your email domain, their phishing attempts become less convincing, making it harder for them to trick an unsuspecting user into handing over passwords or otherwise offering up access.

The MITRE ATT&CK Framework describes Collection (TA0009)—information gathering—specifically, Email Collection (T1114)—as a common means to an end. Bad actors could be looking for data to steal or intelligence to collect. A domain without proper DMARC protection is at risk. As we learned from North Korea targeting domains with weak DMARC policies to further their intelligence goals, threat actors actively utilize email impersonation to pursue their deceptive objectives.

DMARC: Mitigating MITRE ATT&CK framework risks

DMARC primarily mitigates Initial Access tactics by preventing domain spoofing in phishing attacks. It helps block attempts at Credential Access by limiting the effectiveness of phishing emails that harvest credentials. It supports malicious source monitoring and reporting, providing insights into unauthorized (and authorized) use of your email domain via Valimail Enforce.

DMARC fortifies the first line of defense in email security, cutting off a potential attack vector before phishing attempts reach the inbox.

Get started with Valimail Enforce

Defend your domains against phishing and spoofing with Valimail, the only fully automated DMARC solution that gets you to enforcement fast. Aligned with the MITRE ATT&CK framework, Valimail helps mitigate email-based tactics like Initial Access (T1566) by eliminating domain impersonation at scale.

Our one-click authorization for pre-configured senders ensures full visibility into your email ecosystem. You can instantly identify and manage every vendor, platform, and provider sending mail on your behalf.

Plus, Valimail Enforce is SOC 2, PCI, and GDPR compliant, ensuring security without complexity.

Lock down your domains today.

