Missing DMARC Record

  • Category: Email Security
  • Control ID: SMTP-003
  • Control Name: SMTP DMARC Record
  • Shared Assessments Taxonomy: Vulnerabilities > Email Security > VN.2.1 Missing Email Address Spoofing Controls

Description

DMARC allows the owner of an email sending domain to publish a policy stating how receivers should verify the authenticity of mail from that domain, how receivers should handle mail that fails verification, and how often and in what form receivers should report back. It links the sender's domain to the SPF and DKIM authentication results.

Remediation

DMARC records are published in DNS under the subdomain label _dmarc, for example _dmarc.example.com. The content of the TXT resource record consists of tag=value pairs separated by semicolons, similar in form to SPF and DKIM records.

References

https://dmarc.org/

https://en.wikipedia.org/wiki/DMARC

Common Weakness Enumeration Type

[CWE-353] Missing Support for Integrity Check: The software uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.
If integrity check values or checksums are omitted from a protocol, there is no way of determining if data has been corrupted in transmission. The lack of checksum functionality in a protocol removes the first application-level check of data that can be used. The end-to-end philosophy of checks states that integrity checks should be performed at the lowest level that they can be completely implemented. Excluding further sanity checks and input validation performed by applications, the protocol's checksum is the most important level of checksum, since it can be performed more completely than at any previous level and takes into account entire messages, as opposed to single packets.

CWSS Score: Medium (4.7)

Base Finding
  • Technical Impact (TI): Medium (M) (0.6)
  • Acquired Privilege (AP): None (N) (0.1)
  • Acquired Privilege Layer (AL): Not Applicable (NA) (1)
  • Internal Control Effectiveness (IC): None (N) (1)
  • Finding Confidence (FC): Proven True (T) (1)
Attack Surface
  • Required Privilege (RP): None (N) (1)
  • Required Privilege Layer (RL): Not Applicable (NA) (1)
  • Access Vector (AV): Internet (I) (1)
  • Authentication Strength (AS): None (N) (1)
  • Level of Interaction (IN): Automated (A) (1)
  • Deployment Scope (SC): All (A) (1)
Environmental
  • Business Impact (BI): Medium (M) (0.6)
  • Likelihood of Discovery (DI): High (H) (1)
  • Likelihood of Exploit (EX): Medium (M) (0.6)
  • External Control Effectiveness (EC): None (N) (1)
  • Prevalence (P): High (H) (0.9)

CWSS Vector

TI:M,0.6/AP:N,0.1/AL:NA,1.0/IC:N,1.0/FC:T,1.0/
RP:N,1.0/RL:NA,1.0/AV:I,1.0/AS:N,1.0/IN:A,1.0/SC:A,1.0/
BI:M,0.6/DI:H,1.0/EX:M,0.6/EC:N,1.0/P:H,0.9
The Common Weakness Scoring System (CWSS) provides a mechanism for prioritizing software weaknesses in a consistent, flexible, open manner. It is a collaborative, community-based effort that is addressing the needs of its stakeholders across government, academia, and industry. CWSS is distinct from - but not a competitor to - the Common Vulnerability Scoring System (CVSS).

Mechanisms of Attack

[ATT&CK - T1566] Phishing: Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns. Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source.

[ATT&CK - T1598] Phishing for Information: Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns. Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means. (Citation: ThreatPost Social Media Phishing) (Citation: TrendMicro Phishing) (Citation: PCMag FakeLogin) (Citation: Sophos Attachment) (Citation: GitHub Phishery) Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (e.g. [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.

[CAPEC-163] Spear Phishing: An adversary targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to a specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted entity. If the email account of some trusted entity has been compromised, the message may be digitally signed. The message will contain information specific to the targeted users that will enhance the probability that they will follow the URL to the compromised site. For example, the message may indicate knowledge of the target's employment, residence, interests, or other information that suggests familiarity. As soon as the user follows the instructions in the message, the attack proceeds as a standard Phishing attack.

[CAPEC-98] Phishing: Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can later be used by an attacker. Phishing is essentially a form of information gathering or fishing for information.

FIPS 199 Impact Level
  • Confidentiality: None (0)
  • Integrity: Moderate (2)
  • Availability: Moderate (2)
FISMA Cybersecurity Framework
  • Area: Protect
  • Min Maturity Model: Level 3: Consistently Implemented
NIST 800-53 Control: RA-3 RISK ASSESSMENT
  • Control Family: RA - Risk Assessment
  • Priority: P1
  • Baseline Allocation: Low