As malicious email has multiplied during the COVID pandemic (Google reported on April 16th receiving 18M daily COVID-related malware & phishing attacks), it’s more important than ever for organizations to protect their employees from identity deception. DMARC enforcement adds an identity check to inbound email, but not all organizations with email gateways take advantage of it, out of concern about blocking legitimate activity. Proofpoint researchers identified a list of high-priority domains that are eligible for DMARC enforcement and on which we recommend immediate action.
Each of the domains on the list:
1. Is eligible for DMARC enforcement*
2. Is actively being spoofed in malicious, COVID-related campaigns
3. Carries a very low risk of blocking legitimate email**
The domains, along with corresponding domain owners, are:
- @who.org (World Health Organization)***
- @cdc.gov (Centers for Disease Control and Prevention)
- @hhs.gov (Department of Health and Human Services)
- @treasury.gov (US Dept. of the Treasury)
- @irs.gov (Internal Revenue Service)
Configuring DMARC enforcement on email gateways varies by vendor. Proofpoint Protection Server customers can view configuration instructions here or consult their account manager.
The acceleration in email identity deception brought about by COVID has reinforced the need for organizations to add an identity check (through DMARC enforcement) to their inbound email. Moving quickly to protect employees from domain-spoofing attempts involving the domains above is a great first step.
* They have a DMARC policy of “Reject” – in other words, they’re requesting that email receivers block spoofing attempts on their domains
** < 0.81% of legitimate email using them failed DMARC in email destined for Proofpoint customers between April 15th, 2019 and April 14th, 2020
*** @who.it is the primary domain and does not qualify for enforcement
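
The first eligibility criterion above (a published DMARC policy of “Reject”) can be checked from a domain's `_dmarc` TXT record. The following is an added example, not Proofpoint's code: it evaluates constructed sample records under placeholder `.example` domains, and treating a `pct` value below 100 as not eligible is an assumption of this example.

```python
"""Decide from a domain's _dmarc TXT answers whether it publishes p=reject."""

# Constructed sample TXT answers for placeholder domains (not real lookups).
SAMPLES = {
    "reject.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@reject.example"],
    "monitor.example": ["v=DMARC1; p=none"],
    "partial.example": ["v=DMARC1; p=reject; pct=25"],
    "split.example": ["v=DMARC1; p=reject; sp=none"],
    "spf-only.example": ["v=spf1 -all"],
}

def parse_dmarc(txt):
    """Parse one TXT string into a tag dict; None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The v tag must come first and must be exactly "DMARC1".
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:  # skip fragments that are not tag=value pairs
            tags[name.strip().lower()] = value.strip()
    return tags

def effective_policy(txt_records, subdomain=False):
    """Return (policy, pct), or (None, None) when no usable record exists."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    # Zero DMARC records, or more than one, means no policy applies.
    if len(records) != 1:
        return (None, None)
    rec = records[0]
    policy = rec.get("p", "").lower()
    if subdomain and "sp" in rec:
        policy = rec["sp"].lower()  # sp overrides p for subdomains
    if policy not in ("none", "quarantine", "reject"):
        return (None, None)
    try:
        pct = int(rec.get("pct", "100"))
    except ValueError:
        pct = 100  # an unparsable pct falls back to the default
    return (policy, pct)

def eligible_for_enforcement(txt_records, subdomain=False):
    """True only for a reject policy applied to all mail (pct rule is assumed)."""
    policy, pct = effective_policy(txt_records, subdomain)
    return policy == "reject" and pct == 100
```
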