peterschreiber.media - stock.ado
Microsoft stopped sending any form of domain-based message authentication, reporting and conformance (Dmarc) protocol reports from any of its email platforms in late 2017, according to the latest report by the UK’s National Cyber Security Centre (NCSC).
Microsoft’s email platforms together form one of the biggest receivers of email. “As a result, this has had a massively negative effect on the community’s ability to draw conclusions about email security driven by Dmarc adoption, and it is almost impossible for us to compare meaningful statistics from this year with statistics from last year,” the NCSC said in latest annual report on its Active Cyber Defence (ACD) programme.
In the previous report, NCSC talked about the volume of emails it saw, both in total and the number of emails failing Dmarc, but said it was unable to do so for 2018 because of the lack of data from the one of the world’s biggest email providers.
“We, and many others, are in discussion with Microsoft about this. This chapter is therefore somewhat smaller than it could have been. Sorry,” the NSCS report said.
The NCSC’s Mail Check service is a key component of its ACD programme that monitors public sector for email anti-spoofing capabilities, including Dmarc.
According to the report, the number of public sector domains using Dmarc more than tripled from 412 at the end of December 2017 to 1, 369 by the end of December 2018.
The number of domains with a Dmarc policy of “quarantine” or “reject” to prevent suspicious emails being delivered to recipients’ inboxes also tripled from 192 to 572.
“This is obviously a significant uplift in the public sector adoption of email security protocols, but there remains more to do in driving adoption across public sector to prefer stronger Dmarc policies, and then encouraging wider industry in the UK (and more widely) to similarly adopt the protocols,” the report said.
Commenting on the NCSC report, Seth Blank, the co-chair of the collaboration committee at email industry group M3AAWG and secretary of the IETF (Internet Engineering Task Force) work group overseeing the Dmarc standard, said it underscores how important it is for all players in the email ecosystem to follow accepted standards and best practices consistently, especially in the light of the fact that email phishing is a “huge and growing” global problem.
“When some players reap the benefits of a standard like Dmarc, but don’t contribute to the ecosystem by providing reports, it damages email security for everyone. NCSC is correct when it calls this failure out as ‘a massively negative effect on the community’.
“Fortunately, the vast majority of email inboxes worldwide respect the Dmarc standard and its obligations. Eliminating phishing attacks and email fraud depends on the continued expansion and deepening of this support,” he said.
Approached for comment by Computer Weekly, a Microsoft spokesperson said: “Dmarc reporting for outlook.com was paused for internal engineering integration. We are working on restarting it post engineering work completion”.
The NCSC also used the report to call on all email providers to adhere to Dmarc policy requirements, pointing out that Dmarc relies on email providers to treat email as requested by the sending domain policy. This means that any emails that fail the authentication requirements that are received from a sending domain with a Dmarc policy of “reject” should never even reach the intended receiver’s account.
According to the report, the way email providers treat reject records varies, and not all of them completely reject emails when there is a “reject” policy in place.
This is problematic, the report said, because if a rejected email is still allowed into a spam folder, and it turns out to be a phishing email, the likelihood of the user digging out the mail and actioning it goes from zero to “greater than zero”.
According to the NCSC, it has seen a few actual incidents where someone actioning an email that ended up in their spam folder, was the way in for attackers.
“We need the industry to be more consistent in how they action a domain’s Dmarc policies and there is significant work to be done here,” the report said.
Read more about Dmarc
- Implementing Dmarc should be a top priority for UK firms, a Rapid 7 study reveals.
- Top UK traditional and challenger banks risk exposing customers to email fraud, a study reveals, with the Dmarc protocol the only sure-fire way to prevent email spoofing, says security firm Red Sift.
- There is a worldwide lack of Dmarc email validation to defend against fraud and phishing attacks, putting organisations and customers at risk, a study shows.
- Dmarc is a hugely important way to reduce email fraud – just ask HMRC – but it also makes email marketing campaigns far more effective.