Synopsis
| Property | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | Email |
| Detector Tags | Spoofing |
| ATT&CK Tactic | Defense Evasion (TA0005) |
| ATT&CK Technique | Impersonation (T1656) |
| Severity | Informational |
Description
The email has a suspicious DMARC result of either fail or none, which may indicate a potential domain misconfiguration or spoofing.
Attacker's Goals
- Trick users into clicking on malicious links or attachments.
Investigative actions
- Check the email address for any unusual spellings.
- Check the email address for any missing letters.
- Check the reason DMARC did not pass and the action that was applied to the message.
- Check if the email was delivered to the recipients based on the action taken, even though DMARC did not pass.
- Verify whether the sender's IP address has appeared in different log sources before and its reputation.
- If the message contains attachments/links, scrutinize them for any suspicious indications.
- Monitor further actions taken, such as file downloads or access to potentially malicious links.
Variations
DMARC deviation from historically compliant domain
Synopsis
Description
- This deviation may indicate an attempt to spoof or impersonate a legitimate external sender.
- Such a sudden DMARC outcome from a previously trusted external domain warrants further investigation.
Attacker's Goals
- Trick users into clicking on malicious links or attachments.
Investigative actions
- Check the email address for any unusual spellings.
- Check the email address for any missing letters.
- Check the reason DMARC did not pass and the action that was applied to the message.
- Check if the email was delivered to the recipients based on the action taken, even though DMARC did not pass.
- Verify whether the sender's IP address has appeared in different log sources before and its reputation.
- If the message contains attachments/links, scrutinize them for any suspicious indications.
- Monitor further actions taken, such as file downloads or access to potentially malicious links.
DMARC failure bypassed domain policy
Synopsis
Description
- This indicates the message should have been rejected according to the domain owner's policy, but was instead accepted and delivered, potentially exposing the user to email spoofing or phishing.
- This suggests a potential policy bypass or misconfiguration in mail filtering.
Attacker's Goals
- Trick users into clicking on malicious links or attachments.
Investigative actions
- Check the email address for any unusual spellings.
- Check the email address for any missing letters.
- Check the reason DMARC did not pass and the action that was applied to the message.
- Check if the email was delivered to the recipients based on the action taken, even though DMARC did not pass.
- Verify whether the sender's IP address has appeared in different log sources before and its reputation.
- If the message contains attachments/links, scrutinize them for any suspicious indications.
- Monitor further actions taken, such as file downloads or access to potentially malicious links.
DMARC failed with non-enforcing policy
Synopsis
Description
- This may indicate an overly permissive DMARC configuration on the sender side and could allow unauthenticated messages to reach users' inboxes.
- Such configurations are often exploited in phishing or spoofing campaigns, and should be treated with caution.
Attacker's Goals
- Trick users into clicking on malicious links or attachments.
Investigative actions
- Check the email address for any unusual spellings.
- Check the email address for any missing letters.
- Check the reason DMARC did not pass and the action that was applied to the message.
- Check if the email was delivered to the recipients based on the action taken, even though DMARC did not pass.
- Verify whether the sender's IP address has appeared in different log sources before and its reputation.
- If the message contains attachments/links, scrutinize them for any suspicious indications.
- Monitor further actions taken, such as file downloads or access to potentially malicious links.
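As an added example that is not part of this detector documentation or the product's own logic, the following Python sketch shows how the base condition (a DMARC result of fail or none) and the three variations above (deviation from a historically compliant domain, a failure that bypassed a reject policy, and a failure under a non-enforcing policy) can be derived from a message's Authentication-Results header together with a per-domain baseline from the training period. The header strings, sender domains, baseline pass rates and the `delivered` flag are constructed sample data, and the thresholds and the way each variation is keyed off the `p=` tag are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample messages: the Authentication-Results header as a receiving
# gateway might stamp it, plus whether the gateway went on to deliver the message.
SAMPLE_MESSAGES = [
    {"id": "msg-1", "from_domain": "partner.example",
     "auth_results": "mx.example.net; dmarc=fail (p=reject dis=none) header.from=partner.example",
     "delivered": True},
    {"id": "msg-2", "from_domain": "vendor.example",
     "auth_results": "mx.example.net; dmarc=fail (p=none dis=none) header.from=vendor.example",
     "delivered": True},
    {"id": "msg-3", "from_domain": "partner.example",
     "auth_results": "mx.example.net; dmarc=pass (p=reject dis=none) header.from=partner.example",
     "delivered": True},
    {"id": "msg-4", "from_domain": "unknown.example",
     "auth_results": "mx.example.net; dmarc=none header.from=unknown.example",
     "delivered": True},
]

# Constructed baseline: share of DMARC-passing mail per external sender domain
# observed during the training period. Domains absent here have no history.
BASELINE_PASS_RATE = {"partner.example": 0.99, "vendor.example": 0.98}

# Assumed threshold: a domain this compliant in the past is "historically compliant".
HISTORICALLY_COMPLIANT = 0.95

# Matches "dmarc=<result>" and the optional parenthesised detail that follows it.
DMARC_RE = re.compile(
    r"dmarc=(?P<result>pass|fail|none)(?:\s*\((?P<params>[^)]*)\))?", re.I)
POLICY_RE = re.compile(r"\bp=(none|quarantine|reject)\b", re.I)


@dataclass
class DmarcEvaluation:
    result: str             # "pass", "fail" or "none"
    policy: Optional[str]   # domain owner's published policy, if the header records it
    delivered: bool         # action the gateway took despite the result


def parse_dmarc(auth_results: str, delivered: bool) -> DmarcEvaluation:
    """Extract the DMARC result and published policy from an Authentication-Results header."""
    m = DMARC_RE.search(auth_results)
    if not m:
        # No dmarc clause at all: treat as "none", the same as no DMARC evaluation.
        return DmarcEvaluation("none", None, delivered)
    result = m.group("result").lower()
    params = m.group("params") or ""
    pm = POLICY_RE.search(params)
    policy = pm.group(1).lower() if pm else None
    return DmarcEvaluation(result, policy, delivered)


def classify(msg: dict, baseline: dict) -> list:
    """Return the list of detector conditions a message satisfies (empty on pass)."""
    ev = parse_dmarc(msg["auth_results"], msg["delivered"])
    findings = []
    if ev.result == "pass":
        return findings
    # Base condition: result is fail or none.
    findings.append("suspicious DMARC result")
    # Variation 1: the sending domain passed DMARC almost always during training.
    if baseline.get(msg["from_domain"], 0.0) >= HISTORICALLY_COMPLIANT:
        findings.append("deviation from historically compliant domain")
    # Variation 2: owner asked for reject, yet the message was delivered.
    if ev.result == "fail" and ev.policy == "reject" and ev.delivered:
        findings.append("failure bypassed domain policy")
    # Variation 3: owner publishes p=none, so a failure is not enforced.
    if ev.result == "fail" and ev.policy == "none":
        findings.append("failed with non-enforcing policy")
    return findings


def evaluate_all(messages=SAMPLE_MESSAGES, baseline=BASELINE_PASS_RATE) -> dict:
    """Map each message id to its findings; messages with no findings map to []."""
    return {m["id"]: classify(m, baseline) for m in messages}


if __name__ == "__main__":
    for msg_id, findings in evaluate_all().items():
        print(msg_id, findings or "no finding")
```

Running the block prints one line per constructed message: msg-1 triggers the base condition, the historical-deviation variation and the policy-bypass variation; msg-2 triggers the base condition, historical deviation and the non-enforcing-policy variation; msg-3 produces no finding; msg-4 triggers only the base condition because its domain has no baseline and no published policy.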