Latest news with #DMARC


Techday NZ
2 days ago
- Business
- Techday NZ
Most high-traffic email domains still vulnerable to phishing
New research from EasyDMARC has found that 92% of the world's top 1.8 million email domains lack adequate protection against phishing attacks. The EasyDMARC 2025 DMARC Adoption Report reveals that only 7.7% of these domains are fully protected using the strictest DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy, 'p=reject', which instructs receiving mail servers to refuse messages that fail DMARC checks rather than deliver them. DMARC is an email authentication protocol that builds on SPF and DKIM: the domain owner publishes a DNS TXT record at _dmarc.<domain> stating how receivers should handle mail that fails authentication and alignment checks, and where to send reports. Those reports give the owner a record of authentication results and of who is sending mail under the domain's name, including potential abuse. EasyDMARC's analysis shows that although DMARC adoption has risen noticeably since 2023, largely because of regulatory initiatives and the sender requirements introduced by major providers including Google, Yahoo, and Microsoft, most organisations settle for the weakest configuration, 'p=none'. That setting only monitors: receivers report failures but take no action against illegitimate mail. The report, which reviewed security practices across the most-visited websites globally as well as Fortune 500 and Inc. 5000 companies, shows a continued gap between DMARC adoption and meaningful implementation. More than half (52.2%) of the surveyed domains have not implemented DMARC at any level, leaving them exposed to phishing and spoofing. Among domains that do have a DMARC record, most have not configured the enforcement policy or the reporting mechanisms necessary for full protection. More than 40% of domains with a DMARC record include no reporting tags (rua/ruf) at all.
This omission means these organisations have little to no visibility into authentication failures or an understanding of who might be sending emails on their behalf. Gerasim Hovhannisyan, Chief Executive Officer of EasyDMARC, addressed the misconception surrounding DMARC adoption: "There's a growing perception that simply publishing a DMARC record is enough. But adoption without enforcement creates a dangerous illusion of security. In reality, most organisations are leaving the door wide open to attacks targeting customers, partners, or even employees." Mandates have had a measurable effect. In the United States, where regulatory enforcement is strong, the proportion of phishing emails accepted dropped from 68.8% in 2023 to just 14.2% in 2025. Similar progress was noted in the UK and the Czech Republic, countries that also enforce DMARC usage. However, countries without strict requirements, such as the Netherlands and Qatar, showed minimal improvement in reducing phishing acceptance rates. Recent high-profile cyber attacks, including those targeting retailers such as M&S and Co-op, serve as a backdrop for the report's release. In these incidents, attackers exploited weaknesses in email security through social engineering, costing affected businesses hundreds of thousands in losses. According to EasyDMARC, the increasing sophistication of phishing, partly driven by the use of AI, magnifies the risks for organisations that are inadequately protected. Hovhannisyan further commented: "Misconfigurations, missing reporting, and passive DMARC policies are like installing a security system without ever turning it on. Phishing remains one of the oldest and most effective forms of cyberattack, and without proper enforcement, organisations are effectively handing attackers the keys to their business. As threats grow more sophisticated and compliance pressures mount, stopping halfway with DMARC enforcement is no longer an option." 
The report methodology combined public DNS data with proprietary data collected through EasyDMARC's platform. It involved the review of aggregate DMARC reports from major mailbox providers and included a survey of 980 IT professionals across the United States, United Kingdom, Canada, and the Netherlands. This allowed for insights into regional differences in phishing trends, adoption challenges, and the varying influence of regulatory mandates. The research concludes that while DMARC adoption has increased, genuine protection against phishing relies on both enforcement and visibility — elements still missing for the vast majority of high-traffic domains worldwide.
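As an added illustration (not code from EasyDMARC or from the report), the Go program below parses a DMARC TXT record and sorts it into the buckets the report counts: monitor-only (p=none), enforcing, partial (pct below 100 or sp=none leaving subdomains open), and whether any reporting address is present. The sample record, the example.org address and the category names are constructed for this example; the handling of an invalid policy value follows RFC 7489 section 6.6.3.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// DMARCRecord holds the tags the report's classification turns on: policy (p), subdomain
// policy (sp, empty means "inherits p"), sampling percentage (pct) and reporting URIs (rua, ruf).
type DMARCRecord struct {
	Policy          string
	SubdomainPolicy string
	Percent         int
	AggregateURIs   []string
	ForensicURIs    []string
}

func validPolicy(p string) bool { return p == "none" || p == "quarantine" || p == "reject" }

func splitURIs(v string) (out []string) {
	for _, u := range strings.Split(v, ",") {
		if u = strings.TrimSpace(u); u != "" {
			out = append(out, u)
		}
	}
	return out
}

// ParseDMARC parses the TXT value published at _dmarc.<domain>. The record must start with
// v=DMARC1 and carry p=. An invalid p= or sp= value is handled as RFC 7489 section 6.6.3
// tells receivers: treat the record as p=none if rua= is present, otherwise ignore it.
func ParseDMARC(txt string) (*DMARCRecord, error) {
	if !strings.HasPrefix(strings.ToUpper(strings.TrimSpace(txt)), "V=DMARC1") {
		return nil, fmt.Errorf("not a DMARC record: must start with v=DMARC1")
	}
	rec := &DMARCRecord{Percent: 100}
	for _, raw := range strings.Split(txt, ";") {
		kv := strings.SplitN(strings.TrimSpace(raw), "=", 2)
		if len(kv) != 2 {
			continue // empty tag (e.g. after a trailing ';'); unknown tags are ignored below
		}
		key, val := strings.ToLower(strings.TrimSpace(kv[0])), strings.TrimSpace(kv[1])
		switch key {
		case "p":
			rec.Policy = strings.ToLower(val)
		case "sp":
			rec.SubdomainPolicy = strings.ToLower(val)
		case "pct":
			n, err := strconv.Atoi(val)
			if err != nil || n < 0 || n > 100 {
				return nil, fmt.Errorf("bad pct %q", val)
			}
			rec.Percent = n
		case "rua":
			rec.AggregateURIs = splitURIs(val)
		case "ruf":
			rec.ForensicURIs = splitURIs(val)
		}
	}
	if rec.Policy == "" {
		return nil, fmt.Errorf("missing required p= tag")
	}
	if !validPolicy(rec.Policy) || (rec.SubdomainPolicy != "" && !validPolicy(rec.SubdomainPolicy)) {
		if len(rec.AggregateURIs) == 0 {
			return nil, fmt.Errorf("invalid policy value and no rua=: record ignored")
		}
		rec.Policy, rec.SubdomainPolicy = "none", "none"
	}
	return rec, nil
}

// Classify maps a record onto the report's categories: "monitor-only" for p=none,
// "enforcing" for quarantine/reject applied to all mail, "partial" when pct<100 or sp=none
// leaves subdomains open. hasReporting is the visibility 40% of records were found to lack.
func Classify(rec *DMARCRecord) (enforcement string, hasReporting bool) {
	hasReporting = len(rec.AggregateURIs) > 0 || len(rec.ForensicURIs) > 0
	switch {
	case rec.Policy == "none":
		enforcement = "monitor-only"
	case rec.Percent < 100 || rec.SubdomainPolicy == "none":
		enforcement = "partial"
	default:
		enforcement = "enforcing"
	}
	return enforcement, hasReporting
}

func main() {
	// Constructed record, not any real domain's data.
	rec, err := ParseDMARC("v=DMARC1; p=quarantine; pct=20; sp=none; rua=mailto:dmarc@example.org")
	if err != nil {
		panic(err)
	}
	enforcement, reporting := Classify(rec)
	fmt.Printf("%s (reporting=%t)\n", enforcement, reporting) // partial (reporting=true)
}
```

A record such as 'v=DMARC1; p=reject' with no rua= is exactly the case the report counts as enforcing but blind: failing mail is rejected, but the owner never learns who tried to send it. To check a real domain, fetch the TXT record at _dmarc.<domain> and pass it to ParseDMARC; like a receiver, the parser ignores tags it does not know.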


Techday NZ
6 days ago
- Business
- Techday NZ
Phishing attacks exploit AppSheet to mimic Meta & evade defences
KnowBe4 Threat Labs is monitoring a growing phishing campaign that exploits Google's AppSheet platform to impersonate Meta and bypass conventional email security measures. Since March 2025, KnowBe4 Threat Labs has recorded a marked increase in attacks using AppSheet as a conduit for phishing campaigns. Data collected by the organisation indicates that on April 20, 10.88% of all global phishing emails blocked by KnowBe4 Defend were sent via AppSheet, with 98% of those attempts impersonating Meta; the remaining 2% mimicked PayPal. The current wave of phishing leverages trusted platforms to avoid standard security controls. AppSheet, a no-code application platform owned by Google, is being abused to distribute phishing emails at scale, with the platform's own legitimate sender address, noreply@, as the visible sender. Because the mail genuinely originates from the platform, it passes the SPF, DKIM and DMARC checks for that domain and inherits its reputation, which lets it evade Microsoft 365 and Secure Email Gateway (SEG) detection that relies on domain reputation and authentication results. Attackers send phishing emails purporting to originate from the "Facebook Support Team", complete with copied Meta branding and non-functional footer links. The emails employ urgent language and social engineering tactics, including warnings of imminent account deletion and a 24-hour deadline to respond. Such emotionally charged messaging seeks to drive recipients to click a prominent "Submit an Appeal" button, which leads to a credential-harvesting site. "The phishing email mimics Meta's branding, including a convincing email signature, to appear authentic—despite all footer links being non-functional," KnowBe4's analysis states. "In addition, the campaign relies heavily on social engineering tactics to trick recipients into clicking a malicious link, presented as a 'Submit an Appeal' button." Each phishing message incorporates a unique 'Case ID' generated by AppSheet, a polymorphic identifier that varies from message to message.
This complicates detection and filtering as the emails lack consistent, static indicators that traditional security systems rely upon. Should a recipient click the embedded link, they are directed to a phishing site hosted on the Vercel platform. This site is crafted to mirror Meta's interface, displaying an animated logo and a replica design to increase perceived authenticity. The page notifies users of an alleged account risk and offers a single opportunity to appeal the impending deletion. The phishing website deploys several advanced strategies to maximise success. One method involves prompting users to enter their credentials and two-factor authentication (2FA) codes twice, claiming the initial entry was incorrect. This approach increases the probability of obtaining valid information and introduces confusion and urgency, making it more difficult for users to assess the legitimacy of the site. "One such method is the double prompt for credentials. After the user enters their password and 2FA code, the site falsely claims that the first attempt was incorrect, prompting the user to try again. This serves multiple purposes: it increases the likelihood of capturing accurate information by encouraging users to re-enter data they believe was mistyped; it introduces confusion and urgency, reducing the victim's ability to think critically; and it provides data redundancy, allowing the attacker to compare entries and confirm the validity of the credentials before using them," states the KnowBe4 team. The phishing site appears to function as a man-in-the-middle proxy. When users submit their login data and 2FA codes, the site relays this information in real time to the legitimate service to obtain a valid session token, thus gaining immediate access to the account. "In addition, the phishing site appears to operate as a man-in-the-middle proxy. 
When the user submits their login information and 2FA code, the site immediately relays this data to the legitimate service—such as Facebook—in real time. This enables the attacker to hijack the session and obtain a valid session token, effectively bypassing two-factor authentication and granting them immediate access to the user's account," the report highlights. The exploitation of AppSheet for these attacks is part of a wider pattern observed by KnowBe4 Threat Labs, where legitimate services are increasingly used to circumvent traditional email defences. The team has identified similar campaigns making use of platforms operated by Microsoft, Google, QuickBooks, and Telegram. This approach, combined with realistic impersonation, sophisticated proxy techniques, and social engineering, allows such phishing campaigns to bypass detection in environments secured by products such as Microsoft 365 and SEGs. Ashley Stephens, Account Manager at Hotwire Australia, commented, "This campaign shows how threat actors continue to evolve their tactics, using trusted services and social engineering to bypass traditional controls. Organisations need to think beyond technical defenses and prioritise human risk management supported by AI-driven detection." KnowBe4 notes that an increasing number of organisations are deploying Integrated Cloud Email Security products that use artificial intelligence to identify advanced phishing attempts and prevent users from engaging with malicious content. The report also points to the importance of ongoing security awareness training that converts real phishing incidents into training scenarios as a means of equipping employees to recognise similar attacks in future. KnowBe4 Threat Labs continues to monitor phishing campaigns and urges organisations to consider a layered defence approach that includes technical controls, user education, and AI-enabled monitoring to mitigate shifting cyber threats.
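The campaign passes SPF, DKIM and DMARC because the platform really did send the mail, so a detector has to look at what authentication cannot cover: the brand claimed in the display name versus the authenticated sending domain, and the message content once the per-message Case IDs are stripped out. The Go program below is an added example of both checks and is not KnowBe4's detection logic; the brand watchlist, the placeholder sending domain platform.example, the receiver victim.example and the two sample messages are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/mail"
	"regexp"
	"strings"
)

// brandWatch is a constructed watchlist for this example: a keyword that may appear in a
// display name and the domains that brand is assumed to send from. Both are placeholders
// for whatever list an organisation maintains, not an authoritative mapping.
var brandWatch = []struct {
	Keyword string
	Domains map[string]bool
}{
	{"facebook", map[string]bool{"facebookmail.com": true}},
	{"meta", map[string]bool{"facebookmail.com": true, "meta.com": true}},
	{"paypal", map[string]bool{"paypal.com": true}},
}

// Finding is what the check reports for one message.
type Finding struct {
	AuthPass      bool   // Authentication-Results says dmarc=pass
	FromDomain    string // domain of the From: address
	Brand         string // watched brand found in the display name, if any
	Impersonation bool   // brand in display name but From domain not on that brand's list
	Fingerprint   string // hash of the body with per-message tokens normalised
}

var (
	urlRe    = regexp.MustCompile(`https?://\S+`)
	caseIDRe = regexp.MustCompile(`case\s*id[:#\s]*[a-z0-9-]+`) // applied to lowercased text
)

// Fingerprint hashes the body after replacing URLs and "Case ID" values with placeholders,
// so messages that differ only in AppSheet-generated identifiers cluster together.
func Fingerprint(body string) string {
	norm := strings.ToLower(body)
	norm = urlRe.ReplaceAllString(norm, "<url>")
	norm = caseIDRe.ReplaceAllString(norm, "case id <id>")
	norm = strings.Join(strings.Fields(norm), " ")
	sum := sha256.Sum256([]byte(norm))
	return hex.EncodeToString(sum[:8])
}

// Analyze parses a raw RFC 5322 message and applies the two checks.
func Analyze(raw string) (Finding, error) {
	var f Finding
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return f, err
	}
	body, _ := io.ReadAll(msg.Body)
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return f, fmt.Errorf("bad From: %w", err)
	}
	f.FromDomain = strings.ToLower(from.Address[strings.LastIndex(from.Address, "@")+1:])
	// Authentication-Results is stamped by the receiving MTA; a pass only says the sending
	// platform is who it claims to be, not that the content is benign.
	f.AuthPass = strings.Contains(strings.ToLower(msg.Header.Get("Authentication-Results")), "dmarc=pass")
	for _, b := range brandWatch {
		if strings.Contains(strings.ToLower(from.Name), b.Keyword) {
			f.Brand, f.Impersonation = b.Keyword, !b.Domains[f.FromDomain]
			break
		}
	}
	f.Fingerprint = Fingerprint(string(body))
	return f, nil
}

// sample builds a constructed AppSheet-style message; platform.example stands in for the
// real sending domain and victim.example for the receiving organisation.
func sample(caseID string) string {
	return "From: \"Facebook Support Team\" <noreply@platform.example>\r\n" +
		"To: user@victim.example\r\n" +
		"Subject: Your account will be deleted within 24 hours\r\n" +
		"Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=platform.example; dkim=pass header.d=platform.example; dmarc=pass header.from=platform.example\r\n" +
		"\r\n" +
		"Case ID: " + caseID + "\r\n" +
		"Your account is at risk of deletion. Submit an appeal within 24 hours: https://appeal.example/" + caseID + "\r\n"
}

func main() {
	for _, id := range []string{"4821-XK93", "7730-QA18"} {
		f, _ := Analyze(sample(id))
		fmt.Printf("%+v\n", f)
	}
}
```

The display-name check is deliberately narrow: it fires only when a watched brand appears in the name and the From domain is not on that brand's list, which is the shape of this campaign, and it does nothing for mail that carries no brand name at all. The fingerprint ignores URLs and Case IDs, so the two constructed messages, which differ only in those tokens, yield the same value and can be handled as one cluster.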
Yahoo
10-05-2025
- General
- Yahoo
Stamp Out Hunger Drive underway in Des Moines Metro
DES MOINES, Iowa — The Stamp Out Hunger Food Drive on Saturday will mobilize thousands of Iowans to help combat food insecurity. The annual food drive is organized by the National Association of Letter Carriers and takes place every year on the second Saturday in May. People can participate by leaving a bag of food next to their mailbox on Saturday. Residents are encouraged to donate healthy, non-perishable food items that are unopened and in-date. Then, postal workers will pick up the donations and bring them to local food pantries, like the Des Moines Area Religious Council (DMARC). This is the largest single-day food drive in the nation, and DMARC says this is an important drive for them. Last year, 30,000 pounds of food were collected through the drive and brought to DMARC. 'When we have 30,000 pounds of food come in just one single day that makes a huge difference in what's available,' said Blake Willadsen, the DMARC's marketing and communications manager. Willadsen says this drive helps contribute to DMARC's ability to help around 75,000 community members annually. About 80% of the people using DMARC's services are either young people under age 17, seniors, or are actively employed, according to Willadsen. 'The food that you're donating for this drive makes a huge impact for a lot of those people who you might not expect,' he said. 'This food pantry just helps serve as kind of a step up for oftentimes a bump in the road.' This comes after 2024 was a historic year for DMARC's Food Pantry Network. Around 150 volunteers will help sort through the donations at DMARC's warehouse throughout next week. Copyright 2025 Nexstar Media, Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.


Economic Times
10-05-2025
- Economic Times
Gmail fraud: A new cyber fraud email which bypasses Google's security protocols; Know how it works and safeguard your money
Fraudsters bypassed Gmail's security using a DKIM replay attack, sending authentic-looking security alerts. These emails, seemingly from Google, directed users to a phishing site hosted on Google's own website domain and threatened that their account data would be handed to the government. Experts advise caution with links, enabling multi-factor authentication, and reporting suspicious emails to protect against such scams. Read below to know more about this fraud.

How does this psychological Gmail fraud work?

It seems that fraudsters managed to bypass security checks and trick Google's servers into sending Gmail users authentic-looking security alert emails. The worst part is that on a plain reading the email looks legitimate, and even the domain name from which the fake email was sent looks close to the real one. The fraud works on the assumption that you will not fact-check the email and that, in fear of legal action, you will hand over access to your money, photos and so on to the fraudster.

The fake email says that a legal subpoena has been served by the government on Google LLC and that, under that subpoena, your entire Google account contents (photos, emails, maps data and so on) must be submitted to the government. Notice that the fake email does not say the government is taking legal action against you; rather, it says the government wants Google to hand over your contents and data. That is the hook; if you took it, then comes the bait. The next paragraph of the email says you need to go to a 'Google Support Case' website either to examine what data will be shared with the government or to protest, i.e. to try to stop this. In reality this supposed website is not a genuine Google website at all; it is a phishing website hosted on Google's own website domain, which anybody with basic computer knowledge can create. So this fact check is the only thing standing between you and losing complete control of your financial accounts to the fraudster. If you look closely, the message looks like a real email from Google, and these big words are used to make it look legitimate, as posted on X (formerly Twitter) by a lead developer of ENS and Ethereum Foundation alum. Also, if you read the fraud email again, you will notice a lot of unnecessary fake information, such as a Google Account ID and a support reference ID, and that it says the legal subpoena has been served on Google LLC and not directly on you. Psychologically this creates a safe assurance in your mind that the legal action is against Google, not you, and that Google was merely ordered to hand your data and contents over to the government.

Google has acknowledged that this fraud has happened, said it has rolled out protections against this abuse of its systems, and encouraged users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns, as per a TOI report.

How did this fraud email bypass Google's Gmail protection system?

Legitimate sender and DKIM signature: The email was genuinely sent from Google's infrastructure (specifically from no-reply@, as shown in the message header screenshot). DKIM (DomainKeys Identified Mail) is a cryptographic signature applied by the sending domain's mail servers; a receiver verifies it with a public key published in the signing domain's DNS, which proves that the signing domain vouched for the message and that the signed headers and body were not altered in transit. Since this email was sent by Google itself, it passed the DKIM check ("pass", with Google's signing domain shown in the header). Gmail's spam filters trust emails that pass DKIM, SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) checks, as these are strong indicators of legitimacy.

DKIM replay attack: The attackers used a technique known as a DKIM replay attack. They created a Google Account and an OAuth application whose name carried the text of the phishing message. When they granted their OAuth app access to their own account, Google automatically sent a "Security Alert" email to that account: a legitimate email signed with Google's DKIM key. The attackers then forwarded this email, unchanged, to victims using a custom SMTP relay (Jellyfish) and Namecheap's PrivateEmail infrastructure. Because a DKIM signature covers the signed headers and the body but not the delivery path or the envelope recipient, the forwarded copy retained a valid signature from Google, and Gmail treated it as a legitimate message rather than flagging it as spam.

Lack of contextual analysis: While Gmail's spam filters are advanced, they rely heavily on authentication signals such as DKIM, SPF and DMARC rather than deep contextual analysis of the email's content or intent. In this case the email appeared to be a standard Google security alert, which Gmail treats as high-priority and trustworthy. The content itself raised no red flags because it was a real Google email, just repurposed maliciously.

Bypassing behavioural filters: Gmail's spam filters also look for suspicious patterns, such as emails from unknown senders or emails carrying malicious links. Since this email came from Google's own domain and contained no overtly malicious content (the phishing link likely appeared in a follow-up step after redirection), it did not trigger Gmail's behavioural or content-based filters.

Wig, Co-Founder and CEO, Innefu Labs, says: 'The primary reason Gmail didn't flag the phishing email lies in the exploitation of a loophole in the DomainKeys Identified Mail (DKIM) system through a technique known as a DKIM replay attack. In this scenario, attackers captured a legitimate email originally generated by Google, complete with a valid DKIM signature, and replayed it to new [recipients].' Wig adds: 'Because DKIM only validates that the content of the message and headers haven't been tampered with — not the actual source or intention of the sender — Gmail's filters interpreted the email as legitimate. Moreover, the email was sent from 'no-reply@', passed SPF, DKIM, and DMARC checks, and even appeared in the same thread as genuine Google security alerts, further reinforcing its apparent authenticity. This underscores a critical challenge in email security: authentication mechanisms like DKIM can verify the integrity of a message, but not always its trustworthiness.'

Sheetal R Bhardwaj, executive member of the Association of Certified Financial Crime Specialists (ACFCS), explains that the primary reason Gmail did not flag this phishing email as spam lies in the way the attack exploits Gmail's own infrastructure and authentication mechanisms, specifically DKIM (DomainKeys Identified Mail).

How should you protect yourself from this type of fraud?

Bhardwaj shares how, even if Gmail's filters missed it, users can still protect themselves by:
- Be cautious with all links, even if the sender appears trusted. DKIM only verifies that the message was signed by the domain, not that it is safe.
- Hover over links before clicking. Check for odd domains, typos, or links that don't match the sender's domain.
- Watch for urgency or emotional manipulation. Messages saying 'your account is suspended' or 'urgent action needed' are red flags.
- Use Gmail's 'Report Phishing' feature. This helps Google improve detection and also alerts others.
- Enable multi-factor authentication (MFA) on financial and email accounts. Even if credentials are stolen, MFA can stop unauthorised access.
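To make concrete why a replayed message keeps passing, the Go program below (an added example, not Google's or any quoted expert's code, and a deliberately simplified DKIM rather than a conforming implementation) signs an alert the way a provider would, verifies it, verifies the same bytes after a third-party relay has added its own Received header and delivered them to a different envelope recipient, and finally verifies a copy whose body was edited. The domain provider.example, the selector, the addresses and the alert text are constructed; Ed25519 signatures (RFC 8463) are used instead of RSA only to keep the example short.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// canon is RFC 6376 "relaxed" header canonicalisation: lowercase name, whitespace collapsed.
func canon(name, value string) string {
	return strings.ToLower(name) + ":" + strings.Join(strings.Fields(value), " ") + "\r\n"
}

// bodyHash: CRLF-normalised body with trailing empty lines dropped, SHA-256, base64 (the bh= tag).
func bodyHash(body string) string {
	b := strings.ReplaceAll(strings.TrimRight(strings.ReplaceAll(body, "\r\n", "\n"), "\n"), "\n", "\r\n") + "\r\n"
	sum := sha256.Sum256([]byte(b))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// headerDigest hashes the signed headers in h= order, then the DKIM-Signature header itself
// with an empty b= value and no trailing CRLF (RFC 6376 section 3.7).
func headerDigest(hdr map[string]string, signed []string, sigNoB string) []byte {
	h := sha256.New()
	for _, name := range signed {
		if v, ok := hdr[name]; ok {
			h.Write([]byte(canon(name, v)))
		}
	}
	h.Write([]byte(strings.TrimSuffix(canon("DKIM-Signature", sigNoB), "\r\n")))
	return h.Sum(nil)
}

// Sign adds a DKIM-Signature (ed25519-sha256) over the named headers and the body, with
// t= (signing time) and x= (expiry) so that a verifier can refuse stale copies.
func Sign(hdr map[string]string, body, d, s string, key ed25519.PrivateKey, signed []string, now time.Time, ttl time.Duration) {
	tags := fmt.Sprintf("v=1; a=ed25519-sha256; c=relaxed/simple; d=%s; s=%s; t=%d; x=%d; h=%s; bh=%s; b=",
		d, s, now.Unix(), now.Add(ttl).Unix(), strings.Join(signed, ":"), bodyHash(body))
	sig := ed25519.Sign(key, headerDigest(hdr, signed, tags))
	hdr["DKIM-Signature"] = tags + base64.StdEncoding.EncodeToString(sig)
}

// Verify does what a receiving MTA does: look up the key for <s>._domainkey.<d> (a map stands
// in for DNS), recompute bh= and the header hash, check the signature and the x= expiry.
// The route the message took and its envelope recipient are never examined.
func Verify(hdr map[string]string, body string, dns map[string]ed25519.PublicKey, now time.Time) error {
	sigVal := hdr["DKIM-Signature"]
	tags := map[string]string{}
	for _, t := range strings.Split(sigVal, ";") {
		if kv := strings.SplitN(strings.TrimSpace(t), "=", 2); len(kv) == 2 {
			tags[kv[0]] = kv[1]
		}
	}
	pub, ok := dns[tags["s"]+"._domainkey."+tags["d"]]
	i := strings.LastIndex(sigVal, "; b=") // base64 never contains ';', so this is the b= tag
	if !ok || i < 0 {
		return errors.New("no signature, or no key published for the selector")
	}
	if tags["bh"] != bodyHash(body) {
		return errors.New("body hash mismatch")
	}
	sig, _ := base64.StdEncoding.DecodeString(tags["b"])
	if !ed25519.Verify(pub, headerDigest(hdr, strings.Split(tags["h"], ":"), sigVal[:i+4]), sig) {
		return errors.New("header signature invalid")
	}
	if exp, _ := strconv.ParseInt(tags["x"], 10, 64); exp != 0 && now.Unix() > exp {
		return errors.New("signature expired (x=)")
	}
	return nil
}

// ReplayDemo reconstructs the article's scenario with constructed data: the provider signs an
// alert addressed to the attacker's own mailbox; the attacker relays the identical bytes on.
func ReplayDemo() (original, replayed, replayedLate, tampered error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err, err
	}
	dns := map[string]ed25519.PublicKey{"alerts._domainkey.provider.example": pub}
	t0 := time.Date(2025, 4, 16, 12, 0, 0, 0, time.UTC)
	hdr := map[string]string{"Date": t0.Format(time.RFC1123Z), "From": "Provider <no-reply@provider.example>",
		"To": "attacker-owned-account@provider.example", "Subject": "Security alert"}
	body := "A new OAuth app was granted access to your account.\r\n"
	Sign(hdr, body, "provider.example", "alerts", priv, []string{"From", "To", "Subject", "Date"}, t0, time.Hour)
	original = Verify(hdr, body, dns, t0.Add(time.Minute))
	// The relay adds its own Received header and a new envelope recipient; neither is covered
	// by h=, so the unchanged bytes still verify until x= has passed.
	relayed := map[string]string{"Received": "from relay.attacker.example by mx.victim.example"}
	for k, v := range hdr {
		relayed[k] = v
	}
	replayed = Verify(relayed, body, dns, t0.Add(10*time.Minute))
	replayedLate = Verify(relayed, body, dns, t0.Add(2*time.Hour))
	// Any edit to the body breaks bh=, so the lure text must sit where the provider signs it.
	tampered = Verify(hdr, body+"Appeal here.\r\n", dns, t0.Add(time.Minute))
	return
}

func main() { fmt.Println(ReplayDemo()) }
```

The replay verifies because the signature covers only the h= headers and the body hash; the route and the envelope are outside it, which is the whole attack. The x= expiry tag, honoured here, shortens the window in which a captured message can be reused but does not stop a replay inside that window, so it is a mitigation rather than a fix; as the article notes, Google's own remediation targeted the abuse of its systems that produced the signed lure in the first place.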


Channel Post MEA
06-05-2025
- Business
- Channel Post MEA
PowerDMARC Exhibits At GISEC Global 2025
PowerDMARC, a provider of email authentication and DMARC management solutions, is participating in GISEC 2025 from May 6–8 at the Dubai World Trade Centre, UAE. You can find PowerDMARC at booth SP107, where their team will be showcasing how they are transforming email security for organizations across the Middle East and Africa. PowerDMARC will demonstrate its advanced solutions for protecting domains against phishing, spoofing, and impersonation attacks, empowering managed security service providers (MSSPs) and enterprises to enhance their cybersecurity posture. GISEC 2025 brings together over 25,000 information security professionals, global industry leaders, government officials, and technology innovators from more than 160 countries. PowerDMARC joins this dynamic ecosystem to highlight the critical role of DMARC, SPF, DKIM, BIMI, MTA-STS, and TLS-RPT in improving email deliverability, strengthening domain security, and building digital trust for organizations of all sizes. 'Our mission is to equip organizations and partners across the Middle East and Africa with robust, user-friendly email authentication solutions that address today's most pressing cyber threats,' said Zainab Al Lawati, Business Development Manager (MEA) at PowerDMARC. 'GISEC provides an exceptional platform to engage with cybersecurity leaders, share knowledge, and work together toward a more secure digital future.'