Customers of the SEC received legitimate-looking email from SEC “senders,” clicked on attachments, ignored warnings, and infected their computers through a vulnerability in the Dynamic Data Exchange protocol. While the main news may focus on the vulnerability and on whether Microsoft considers it a bug, the SEC should have been using email spam filtering protocols that would have warned it of the attack it was proliferating.
This attack underscores two points all organizations can learn from:
a) Users should be warned that even if the sender is someone they know, if they are not expecting an attachment they should check with the sender first to verify that the sender did in fact send the message.
b) Using DMARC and DKIM could have helped the SEC limit the spread of the attack, yet few organizations use such preventative measures.
The chain of events was set off when an SEC account was used by an attacker to send messages from that account to multiple US businesses. When the recipients opened the email and the attachment and clicked through the warnings, command-and-control malware was installed on their computers and contacted a remote server (originally hosted by the attackers on a State of Louisiana machine). Using DNS, the infected PC and the server began a command-and-control sequence. More about the attack itself can be found here, including a shot of the warning screen that recipients clicked through in the infected .doc.
The SEC could have employed measures in email servers to stop the attack from proliferating.
DMARC is the industry-standard measure to prevent attackers from sending messages that appear to be sent by someone else. DMARC would have instructed receiving ISPs to reject unauthenticated messages, so phishing emails wouldn’t have been sent from the SEC’s system.
Sounds good, right? So why don’t the SEC and most other organizations use it? Per an FTC report, fewer than 10 percent of businesses have implemented DMARC in a manner which would allow the businesses to receive intelligence on potential spoofing attempts and to instruct ISPs to automatically reject any unauthenticated messages that claimed to be from the businesses’ email addresses.
DMARC is a step up from the more commonly deployed measures, SPF and DKIM.
SPF is the Sender Policy Framework, a widely deployed measure that uses DNS to list the servers allowed to send mail for a specific domain.
DKIM is an email authentication method that verifies that a message’s contents are trustworthy and weren’t changed after the message left the original server. It prevents forgery of “from” addresses in emails.
The Department of Homeland Security sees DMARC as critical enough to federal agencies that on 10/16/17 it issued a directive giving all agencies one year to set p=reject.
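To make the SPF/DKIM/DMARC relationship concrete, here is an added Python example (not code from the original post or from Enabling) of the decision a receiving mail server makes: it parses the sender domain's DMARC record, checks whether a passing SPF or DKIM result is aligned with the visible From domain, and otherwise applies the published p= policy (none, quarantine or reject). The domains, the records and the two-label organizational-domain rule are constructed simplifications, not real SEC data.

```python
# Added example (not from the original post): how a receiving mail server turns
# SPF/DKIM results plus the sender domain's DMARC record into a disposition.
# Domains and records here are constructed placeholders.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if not a valid DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags

def org_domain(domain):
    # Simplification (assumption): organizational domain = last two labels.
    # Real DMARC implementations consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' (relaxed) the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass', or the domain owner's p= policy when DMARC fails.

    from_domain: RFC5322.From domain (what the user sees); spf_domain: the MAIL FROM
    domain SPF evaluated; dkim_domain: the d= tag of a verified DKIM signature.
    """
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return "no-policy"   # no DMARC record published: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"].lower()

if __name__ == "__main__":
    policy = "v=DMARC1; p=reject; rua=mailto:dmarc@agency.example"
    # From: header claims agency.example, SPF only passes for an unrelated bulk-sender
    # domain and there is no signature, so the receiver applies p=reject.
    print(dmarc_disposition(policy, "agency.example", "pass", "bulk-sender.example", "none", None))
    # Legitimate mail signed with d=agency.example passes despite an SPF failure.
    print(dmarc_disposition(policy, "agency.example", "fail", "agency.example", "pass", "agency.example"))
```

With the same inputs but `p=none` the function returns "none", which is why the FTC figure above matters: a record that only monitors gives receiving ISPs no instruction to reject.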
You can learn more about enabling DMARC p=reject and DKIM in Exchange or Exchange Online, and their impacts, by contacting Enabling. We can educate you on how to get protected without affecting your normal email operations, and set up alerts for your system administrators and security team to keep you from proliferating such attacks yourselves.