How the DMARC email security protocol can take down an entire company
In this article, you'll get familiar with DMARC, a lesser-known email security protocol that can help businesses blunt phishing campaigns that impersonate their domain.
By the end of this article, you will know:
What DMARC is and why it’s useful
How an attacker can profit from a misconfigured DMARC policy
How you can remediate a vulnerable instance.
The content you are about to read is strictly for educational purposes. We do not condone using these learnings in illegal activities.
What is DMARC and why do you need it?
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. Simply put, it lets a domain owner tell receiving mail servers how to treat messages that claim to come from the domain but fail authentication, and to receive reports about them. It's implemented via a DNS TXT record at _dmarc.<domain> that specifies the desired policy.
Given that most cyberattacks start with a phishing email, DMARC is an important control. Left unpublished, or set to a monitoring-only policy, it leaves the domain open to spoofing and the damage that follows.
DMARC allows organizations to protect their brand and reputation by preventing attackers from using their domain and subdomain names to conduct phishing attacks. This helps keep users from falling victim to such attacks, and also keeps the organization from being associated with fraudulent activity.
The actual sender verification is done by SPF and DKIM. DMARC tells receiving mail servers what to do when they get a message that appears to be from your organization but doesn't pass those checks.
DMARC is built on two authentication standards, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). It supplements SMTP, the basic protocol used to send email, because SMTP includes no mechanism for defining or enforcing email authentication policies.
SMTP (Simple Mail Transfer Protocol) was standardized in 1982 (RFC 821) and has been the go-to protocol for sending email ever since. Because it was not designed with security in mind, SMTP does not authenticate the sender: anyone can put any address in the From: header. That's why specialists had to create email security protocols like SPF, DKIM and DMARC to help prevent spoofing and fraud.
Why is the DMARC protocol so important?
Email security is one of the least covered topics in cybersecurity, despite its impact.
An organization can follow all the recommended guidelines when it comes to building a layered defense strategy. Still, all it takes is an inexperienced and unsuspecting user within your corporate environment to click on a link or download and run a malicious attachment to provide an attacker with a foothold into the network. And most of these attack chains start with email.
Companies realized that cybercriminals are targeting employees to trick them into taking harmful actions, such as sending money to the attacker. That’s why the term BEC (Business Email Compromise) became so common.
Industry reports commonly put the share of successful cyber-attacks that start with a phishing email above 90%, so it's a no-brainer to make email security a priority in every organization.
Phishing tactics involve a lot of creative ways of tricking people into giving sensitive information, such as their passwords or credit card numbers, to someone who is pretending to be a trustworthy source.
This is typically done through email or social media messages that include links to fake websites that look legitimate but are actually designed to steal the victim's information.
But phishing can also involve phone calls or text messages from someone who claims to be from a legitimate organization and asks for confidential information.
The DMARC protocol is important because it helps protect email users from spoofed and other malicious email sent in a trusted domain's name. It does this by letting domain owners publish, in DNS, that the sender authenticated by SPF or the signer verified by DKIM must match the From: domain, and what receivers should do with mail that fails that test.
This makes it much more difficult for attackers to send an email that appears to come from a trusted domain, which protects the domain's reputation and reduces the amount of phishing email its users and customers receive.
A little bit of history
DMARC is a security protocol drafted in 2011 and published in January 2012 by a group of organizations including Google, Microsoft, Yahoo, and AOL; it was later documented as RFC 7489 (2015).
The goal of DMARC was to address the problem of email spoofing, in which attackers send fraudulent emails that appear to come from a legitimate domain to trick recipients into giving away sensitive information or clicking on malicious links.
Since its inception, DMARC has been widely adopted by organizations around the world as a way to protect their domains from email spoofing and phishing attacks. DMARC is currently supported by all major mailbox providers (such as Google, Microsoft, Yahoo etc.).
Today, DMARC continues to be an important tool for organizations looking to improve their email security and protect their brand from abuse.
So how does knowing your way around DMARC improve your pentesting skills? Here’s the kicker.
How does DMARC work?
A receiver first runs the SPF and DKIM checks on an incoming message. DMARC then asks one more question: does the domain in the visible From: header align with the domain that SPF authenticated (the envelope MAIL FROM) or with the d= domain of a valid DKIM signature? A message passes DMARC if at least one of those aligned checks passes. Only when both fail does the receiver look up the sender's DMARC policy to decide what to do.
There are three DMARC policies that a company can publish (in the p= tag of the record):
The "p=none" policy, sometimes referred to as the "monitor" policy, tells the recipient's email provider to take no action if an email fails DMARC; the failure is only reported back to the domain owner.
The "p=quarantine" policy asks the provider to treat failing mail as suspicious, typically by putting it in the recipient's spam folder instead of the inbox.
The "p=reject" policy tells the provider to block any email that fails DMARC, so the email never even makes it to your recipient.
These are requests: the receiving provider decides whether to honour them. The policy for subdomains (sp=) defaults to the same value as p= unless it is set separately.
Ok, but why can't DMARC work without SPF and DKIM? Let's break it down:
SPF allows senders to publish which IP addresses are allowed to send mail for a domain; the receiver checks the connecting IP against that list for the envelope sender domain.
DKIM attaches a digital signature to the message, computed with the sending domain's private key over selected headers and the body; the receiver fetches the public key from DNS and verifies that the signed parts were not altered in transit. DKIM signs, it does not encrypt.
DMARC unifies SPF and DKIM into a common framework by requiring that the authenticated domain align with the From: domain, and lets domain owners declare how mail from that domain should be handled if it fails that check.
In cybersecurity, we use the CIA Triad as a foundation for everything. We can see how it applies to email security:
SPF covers authenticity of the sending host: only the IPs the domain owner has declared may send mail for the domain.
DKIM takes care of integrity: the sending server signs the message and the receiver verifies the signature, so any alteration of the signed headers or body is detected. The message itself is not encrypted and remains readable in transit.
Just as it is important that unauthorized users are kept out of an organization's data, data should be available to authorized users whenever they require it. This means keeping systems, networks, and devices up and running. A DMARC policy plan contributes to availability in that sense: legitimate mail keeps reaching inboxes because the domain's reputation is not burned by spoofed campaigns.
How to detect an improper DMARC configuration
It's important to note that DMARC-based spoofing lands most reliably against recipients on smaller or less strict mail providers. That doesn't mean users on Gmail, Yahoo Mail or ProtonMail are completely protected: those providers add their own reputation-based filtering on top of DMARC, and an attacker willing to warm up the sending IP and domain reputation first can get through it.
Here's how you can prove this domain spoofing risk in your ethical hacking engagements.
You can easily check a domain's DMARC policy with the following command (replace domain with the target domain):
dig _dmarc.domain txt +short
If the query returns nothing, the domain publishes no DMARC policy at all, which from an attacker's point of view is equivalent to p=none. In a published record, the rua= tag tells the receiving server where to send aggregate reports of DMARC results. Receivers send these aggregate reports to the administrator of the domain the record belongs to, once a day by default.
The Pentest-Tools.com domain, for example, has set the reject policy, meaning that receivers are asked to block any email that fails DMARC verification.
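To make the policy and alignment rules concrete, here is an added example (not the article's code) that parses a DMARC record as returned by dig, reports the weaknesses a pentester would flag, and works out what a receiver does with a spoofed message whose From: says hacking-goodies.shop while SPF and DKIM both pass for the attacker's own domain. The record strings and authentication results are constructed inline so the script runs offline; the organizational-domain guess (last two labels) is a simplification of the Public Suffix List logic real receivers use.

```python
"""Added example: parse a DMARC record, flag weak settings, and compute the
DMARC disposition of a message from its SPF/DKIM results. All inputs are
constructed sample data; fetch real records with `dig +short TXT _dmarc.<domain>`."""
from dataclasses import dataclass
from typing import Optional


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=none; rua=mailto:...' into a tag dict with the
    RFC 7489 defaults filled in (sp defaults to p, alignment to relaxed)."""
    tags = {}
    for part in record.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    tags.setdefault("sp", tags["p"])
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (assumption:
    good enough for example.com-style names; real receivers use the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match, relaxed (r)
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str            # RFC5322.From domain the user sees
    spf_result: str             # "pass"/"fail"/"none" for the MAIL FROM domain
    spf_domain: Optional[str]   # RFC5321.MailFrom domain SPF was evaluated on
    dkim_result: str
    dkim_domain: Optional[str]  # d= of the DKIM signature that was verified


def dmarc_disposition(record: str, record_domain: str, ar: AuthResults) -> str:
    """Return 'pass', or the policy the receiver is asked to apply ('none',
    'quarantine', 'reject'). record_domain is where the record was found; if
    the From: domain is a subdomain of it, the sp= policy applies."""
    tags = parse_dmarc(record)
    spf_ok = ar.spf_result == "pass" and aligned(ar.from_domain, ar.spf_domain, tags["aspf"])
    dkim_ok = ar.dkim_result == "pass" and aligned(ar.from_domain, ar.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    if ar.from_domain.lower() == record_domain.lower():
        return tags["p"]
    return tags["sp"]


def weaknesses(record: str) -> list:
    """Findings worth reporting for a record (pct sampling is reported, not simulated)."""
    tags = parse_dmarc(record)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: spoofed mail is delivered, only reported")
    if tags["sp"] == "none":
        findings.append("sp=none: subdomains can be spoofed")
    if int(tags["pct"]) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua=: nobody receives aggregate reports")
    return findings


# Constructed records (sample data, not live DNS answers)
WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@hacking-goodies.shop"
HARDENED = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@hacking-goodies.shop"

# Spoofed message: From: shows the target, but SPF and DKIM pass only for the
# attacker's domain, so neither identifier aligns.
SPOOFED = AuthResults("hacking-goodies.shop", "pass", "bfdsubfuifdsfsd.today",
                      "pass", "bfdsubfuifdsfsd.today")

if __name__ == "__main__":
    print("weak record:", dmarc_disposition(WEAK, "hacking-goodies.shop", SPOOFED))
    print("hardened   :", dmarc_disposition(HARDENED, "hacking-goodies.shop", SPOOFED))
    for finding in weaknesses(WEAK):
        print(" -", finding)
```

With the weak record the spoofed message gets disposition "none" (delivered), with the hardened one "reject". The hardened record is also what remediation looks like: p=reject, an explicit sp=reject so subdomains are covered, and strict alignment so a DKIM signature from an unrelated subdomain cannot vouch for the apex.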
How to exploit a DMARC misconfiguration
The exploitation process is pretty straightforward.
We'll set up a VPS (Virtual Private Server) and a domain. We'll install a tool on the VPS and connect it to the new domain. Finally, we'll send emails from the purchased domain with a forged From: address.
Consider a scenario where we have a shop for ethical hackers with the domain hacking-goodies.shop. (Please note that hacking-goodies.shop is owned by Pentest-Tools.com and we give you full permission to test DMARC-related attacks on it).
First of all, we need to check what DMARC policy is set.
dig _dmarc.hacking-goodies.shop txt +short
As we previously said, the none policy asks the receiver to take no action on failing mail, so a spoofed message will typically land in the recipient's inbox unless the provider's own spam filtering catches it.
Great! We have the perfect scenario for the attack to work. Let’s continue by getting the domain and the VPS and building our attack.
Getting your domain
First of all, we'll need a domain of our own so we can install mail-spoofer and send emails that appear to come from hacking-goodies.shop. Our domain in this example will be bfdsubfuifdsfsd.today.
For the new domain we used GoDaddy for simplicity, but you can use any domain provider that fits your preferences.
Setting up the domain
After purchasing the domain, you need to replace the nameservers with Cloudflare custom nameservers.
In Cloudflare, you'll add the domain and go to the DNS panel. Delete everything listed under "DNS management" so the tool can create its own records through the API; leftover records will make the attack fail.
Scroll down and replace the given nameservers in the dedicated panel of your domain service provider.
Now you need an API token for the configuration file in the next step.
Go to https://dash.cloudflare.com/profile/api-tokens and click on Create Token.
After you've been redirected, click on Use Template right next to Edit zone DNS.
Next up, go to Zone Resources and select your domain.
After you go through all the steps above, you should get your API token. Save it and don't share it with anyone else: it grants write access to the zone's DNS.
Setting up the VPS
Note: You might need to repeat this step because VPS IPs can have a bad reputation and thus, mail services will not deliver your emails.
For the VPS (Virtual Private Server) part, we used Vultr because they seemed to have the best IP blocks reputation out there.
Luckily for us, the VPS doesn’t need a lot of resources, so we can use the cheapest one available and still get a properly running instance.
First of all, when you create the VPS, set the hostname to exactly the domain name you registered, so the server identifies itself with that name when it talks to other mail servers.
After you log in to the VPS, type the following commands (update the package index before installing):
apt-get update && apt-get install -y git docker-compose
Next up, clone the GitHub repository on the instance and go into the newly created directory:
git clone https://github.com/6point6/mail-spoofer
cd mail-spoofer
Next up, you’ll need to edit the settings file and add your domain and the API key.
Replace example.com with your domain name and put the API token you saved earlier in the CLOUDFLAREAPIKEY parameter.
After you’ve gone through all the above steps, type docker-compose up and wait patiently for about 7-10 mins to get your web server up.
Sending the phishing email
The last step you need to do is actually sending the email to the victim.
Navigate to your VPS IP at port 3333 in the browser (the GoPhish admin panel that mail-spoofer bundles) and log in with the default credentials:
Go to the Sending Profiles tab and click on create a profile.
Fill in the profile: the From address is what the victim sees, so it is set to an address at hacking-goodies.shop, while the SMTP host is the relay the tool started on the VPS. In our scenario, we filled them in as follows:
After all of these, fill in the receiver’s email and send it out. Be aware that emails will reach the target in about 5 minutes.
Preventing DMARC email security risks
Great! You learned how exploiting a DMARC misconfiguration works in practice and how easy it is to set up a server to do it.
Now it’s imperative to understand the process of email analysis if you want to protect yourself and write compelling pentest reports for your colleagues or clients.
The email headers include the technical details of the email such as the sender, the recipient, the path it took between servers (Received: lines), the return address, the results of the receiving server's authentication checks (Authentication-Results:), and the MIME structure that describes any attachments.
Usually, these details are enough to determine whether there is something suspicious or abnormal about the email and to decide on further actions. This process can be done manually or with the help of tools.
How to analyze a potentially malicious email
Let’s switch perspectives and see how we can identify, as a victim, if we received a phishing email.
The email appears to come from our hacking-goodies.shop domain, but is it really an email from the CEO telling us to reset the password?
This is a spoofed email, but at a glance you can't tell: the From: header carries exactly the address the legitimate owner would use.
If we click on view raw message, we can check whether it's a phishing email by looking at the headers. Check the below image and try to understand how you can detect the leak.
The quickest tell is the earliest Received: line, which names the host that actually handed the message to our mail server, read together with the Return-Path: and the Authentication-Results: header, where the receiving server records its SPF, DKIM and DMARC verdicts.
If the domain in the From: address doesn't match the domain in the Received: chain (or Authentication-Results shows dmarc=fail), you should ignore the message (or analyze it like a curious hacker).
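As an added example (not the article's code), the following script pulls those fields out of raw headers and lists the mismatches. The two messages are constructed samples using documentation IP ranges; the header names and the Authentication-Results syntax are the standard ones a receiving MTA adds, and the "same organization" test is a last-two-labels approximation.

```python
"""Added example: extract From:, Return-Path:, the first-hop Received: host and
the receiver's SPF/DKIM/DMARC verdicts from raw headers, and flag mismatches.
Both sample messages are constructed for this example."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Optional


def domain_of(addr: Optional[str]) -> Optional[str]:
    """'CEO <ceo@hacking-goodies.shop>' -> 'hacking-goodies.shop'."""
    if not addr:
        return None
    _, mailbox = parseaddr(str(addr))
    return mailbox.rpartition("@")[2].lower() or None


def same_org(a: Optional[str], b: Optional[str]) -> bool:
    """Assumption: same organizational domain == same last two labels."""
    return bool(a and b and a.split(".")[-2:] == b.split(".")[-2:])


def findings(r: dict) -> list:
    out = []
    if r["dmarc"] and r["dmarc"] != "pass":
        out.append(f"dmarc={r['dmarc']}: From: domain not authenticated")
    if r["return_path_domain"] and not same_org(r["from_domain"], r["return_path_domain"]):
        out.append(f"Return-Path domain {r['return_path_domain']} differs from From: {r['from_domain']}")
    if r["dkim"] == "pass" and not same_org(r["from_domain"], r["dkim_domain"]):
        out.append(f"DKIM signed by {r['dkim_domain']}, not by the From: domain")
    if r["origin_host"] and not same_org(r["from_domain"], r["origin_host"]):
        out.append(f"first hop {r['origin_host']} is not under {r['from_domain']}")
    return out


def analyze(raw: str) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    auth = " ".join(str(v) for v in msg.get_all("Authentication-Results", []))
    received = msg.get_all("Received", [])
    # Each hop prepends its own Received: line, so the last one is the first
    # hop: the host that actually handed the message to our MTA.
    origin = re.search(r"from\s+(\S+)", str(received[-1])) if received else None

    def ar(pattern: str) -> Optional[str]:
        m = re.search(pattern, auth)
        return m.group(1).lower() if m else None

    report = {
        "from_domain": domain_of(msg["From"]),
        "return_path_domain": domain_of(msg["Return-Path"]),
        "spf": ar(r"spf=(\w+)"),
        "spf_domain": ar(r"smtp\.mailfrom=([^;\s]+)"),
        "dkim": ar(r"dkim=(\w+)"),
        "dkim_domain": ar(r"header\.d=([^;\s]+)"),
        "dmarc": ar(r"dmarc=(\w+)"),
        "origin_host": origin.group(1).lower() if origin else None,
    }
    report["findings"] = findings(report)
    return report


# Constructed spoofed message: From: claims the target, everything else is the attacker's.
SPOOFED = """\
Return-Path: <ceo@bfdsubfuifdsfsd.today>
Received: from mail.bfdsubfuifdsfsd.today (mail.bfdsubfuifdsfsd.today [203.0.113.10])
 by mx.example-victim.com with ESMTPS id k7a1
 for <alice@example-victim.com>
Authentication-Results: mx.example-victim.com;
 spf=pass smtp.mailfrom=bfdsubfuifdsfsd.today;
 dkim=pass header.d=bfdsubfuifdsfsd.today;
 dmarc=fail (p=none) header.from=hacking-goodies.shop
From: CEO <ceo@hacking-goodies.shop>
To: alice@example-victim.com
Subject: Password reset required

Please reset your password at the link below.
"""

# Constructed legitimate message from the same apparent sender.
LEGIT = """\
Return-Path: <bounce@hacking-goodies.shop>
Received: from mail.hacking-goodies.shop (mail.hacking-goodies.shop [198.51.100.5])
 by mx.example-victim.com with ESMTPS id q2b9
 for <alice@example-victim.com>
Authentication-Results: mx.example-victim.com;
 spf=pass smtp.mailfrom=hacking-goodies.shop;
 dkim=pass header.d=hacking-goodies.shop;
 dmarc=pass (p=reject) header.from=hacking-goodies.shop
From: CEO <ceo@hacking-goodies.shop>
To: alice@example-victim.com
Subject: Quarterly numbers

Attached, as discussed.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        report = analyze(raw)
        print(label, report["from_domain"], "via", report["origin_host"], report["findings"])
```

For the spoofed sample every indicator disagrees with the From: domain; for the legitimate one the list of findings is empty. In a real mailbox the Authentication-Results header is only trustworthy when it was added by your own receiving server, so check that the authserv-id (mx.example-victim.com above) is yours before relying on it.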
Statistics that show why DMARC matters
Globally, 96% of phishing attacks arrive by email [source]
The finance sector is the most targeted by these types of attacks [source].
Our own research shows that:
44% of the Fortune 50 companies are vulnerable to the email spoofing described above
10 out of 13 banks in Romania (76.92%) are vulnerable to DMARC email spoofing caused by misconfigurations.
As a pentester, it's important to report DMARC misconfigurations because they represent a big threat to an organization.
After reading this article you should understand the risks of a misconfigured DMARC policy in the wild and why it's important to configure DMARC correctly. An APT group, for example, can start with a phishing campaign to get into a company's internal network and then deploy ransomware or damage its assets and reputation.
By publishing a DMARC policy and monitoring its use, organizations can greatly reduce the risk of being targeted by email-based attacks and help protect their brand and reputation.
Overall, implementing DMARC is an important step for organizations to take if they’re serious about protecting themselves and their users from email spoofing attacks.