The Download
The National Security Agency (NSA) and FBI is warning businesses and NGOs that the North Korean threat actor tracked as APT43 is exploiting misconfigurations in DMARC to successfully spearphish its targets.
DMARC is a mail relay security system that stops spoofed email from reaching its targeted victim. It requires organizations to set up DMARC in the first place to prevent the spoofing and for organizations to take an action when a spoofed email is detected. DMARC is essential to protecting your domain from misuse and abuse. The attack works by exploiting organizations that either have not set up DMARC or when receiving have improperly set their DMARC policy to "p=none", which means take no action when spoofing is detected. The intended objective of the campaign is to compromise the networks of the victims and gather intelligence.
What You Can Do
First, you should set up DMARC to protect your domain from misuse. ThreatMate actively scans domain for whether DMARC is set up and will warn you if it is not. We often find legacy mail exchanges that companies are no longer using, but still available without DMARC protection, which poses a risk.
Next, you should ensure your policy is not "p=none" which means do nothing. Instead, you should set up your policy for quarantine, "v=DMARC1; p=quarantine;" or reject ""v=DMARC1; p=reject;".
To Learn More: