
3 Real-World Examples of Why Companies Need Better Email Authentication

by Nadia Bonini, November 8th, 2024

Too Long; Didn't Read

DKIM, SPF, and DMARC are valid and vital tools that help you protect your brand, reputation, data, and customers from the bad guys. But as recent industry data shows us, they’re not always enough to keep attackers at bay. Minimize the risk of new email-based attacks from emerging technology by:

  1. Verifying Your SPF, DKIM, and DMARC Records Are Properly Set
  2. Implementing Multi-Layered Security
  3. Shielding Your Communications From Phishing, Malware and Advanced Threats with Next-Gen Tools
  4. Protecting Your Network
  5. Training Your Employees to Identify and React Responsibly to Email-Based Threats
  6. Bringing Other Authentication Verifiers into the Fold

62% of phishing emails bypassed DMARC email authentication checks in the first half of 2024. Explore why and how your email authentication strategy needs to move beyond these basic checks and face these new challenges head-on.


According to Acronis, email-based attacks in the first half of 2024 skyrocketed 293% year-over-year. Microsoft's October 2023 report shows that 90% of phishing attacks involve social engineering, which primarily involves phony and malicious emails.


To fight this surge of email-related security incidents, organizations have implemented email authentication methods such as:

  • Sender Policy Framework (SPF),
  • DomainKeys Identified Mail (DKIM),
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC), and
  • Brand Indicators for Message Identification (BIMI)


But are these tools the magic formula that’ll prevent cybercriminals from stealing sensitive information? Will they protect your business against impersonation phishing attacks, spam, and data breaches? Spoiler alert: Nope. We’ll explore a few real-world situations that demonstrate why companies of all sizes need better email authentication and share a few actionable tips for how you can secure your communications.

4 Examples of Vital Email Authentication Methods

DMARC, SPF, DKIM, and BIMI email authentication methods help organizations secure their communications by shielding both the sender and the recipient from threats like email phishing and spoofing.


  1. Sender policy framework (SPF): It’s a domain name system (DNS) text record that enables you to list all email servers and domains allowed to send messages on your behalf. This helps to prevent unauthorized email servers from sending emails with your domain in the MAIL FROM field, giving the impression that the messages originate from your domain.
  2. Domainkeys identified mail (DKIM): This email protocol is based on public key infrastructure (PKI) and enables the sending server to add a cryptographic digital signature to the message. The recipient’s server retrieves the public key via DNS and then uses it to verify the DKIM signature, thus confirming that the sender is legitimate and that the email hasn't been modified in transit.
  3. Domain-based message authentication, reporting, and conformance (DMARC): A DMARC policy enables the sender to indicate that their emails are protected by SPF and/or DKIM. It tells the recipient's server how to handle emails that didn’t pass SPF/DKIM checks (e.g., send the email to the junk folder or reject it) and lets the recipient send feedback to the sender about passed or failed DMARC evaluations.
  4. Brand indicators for message identification (BIMI): BIMI is another DNS record that helps you display your brand’s authenticated logo in your customers’ inboxes when used in combination with a special type of digital certificate (e.g., a verified mark certificate or a common mark certificate). The logo appears next to your email as an additional layer of security that protects recipients from phishing and spoofing.


 Image caption: The graphic shows the standard email authentication methods and their function.


These authenticators act like digital ID cards for emails. They prove to recipients that a message is legit and isn't coming from some shady guy with criminal intentions.


Image caption: The graphic shows how SPF, DKIM, and DMARC email authentication protect recipients and organizations from phishing, spam, business email compromise (BEC) attacks, and malware.


However, these methods alone aren’t foolproof. Cloudflare’s 2023 Phishing Threats report shows that a whopping 89% of unwanted messages successfully passed SPF, DKIM, or DMARC authentication checks. How do these con artists do it? Let’s have a look at three examples.

3 Real-World Examples of Why Companies Need Better Email Authentication

1. The Kimsuky Spear-Phishing Attack

You’ve probably heard this name before: Kimsuky. This hacker group has been wreaking havoc around the world for more than a decade. They use phishing emails to trick people into giving away their credentials and sensitive personal information.


In 2024, they took it to the next level, targeting organizations that had the DMARC policy set to “none.” This policy setting simply tells the receiving server to take no action when a message fails the authentication checks. While monitoring emails and checking for authentication failures might be enough in some situations, it doesn’t protect you from phishing and spoofed emails, which still end up in the recipient's inbox.


The attack abusing these DMARC policies was so dangerous that the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) issued a joint warning. According to the advisory: “Without properly configured DMARC policies, malicious cyber actors are able to send spoofed emails as if they came from a legitimate domain’s email exchange.”

2. The SubdoMailing Phishing Campaign

At the end of February 2024, BleepingComputer warned that 21,000+ legitimate internet domains and subdomains owned by trusted domains from major brands (e.g., PWC, McAfee, MSN, Symantec, and eBay) were exploited by a single cybercriminal to send up to five million phishing emails per day.


The threat actor capitalized on the fact that, as the domains belonged to trusted companies, the phishing emails could bypass spam filters and SPF, DKIM, and DMARC email authentication policies.


One of the perpetrator’s tactics targeted SPF records that used the “include:” policy to reference external domains that were no longer registered and were available for purchase. This setting allows listed email senders from external domains to pass SPF checks successfully.


The hacker bought these external domains and changed their SPF records to authorize their own email servers. Presto! The attacker’s phishing emails appeared to come from a trusted domain.
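The following added example, which is not from the original article or from BleepingComputer's report, shows a defensive audit for the weakness described above: it walks a domain's SPF `include:` chain and reports targets that no longer publish an SPF record. The zone contents and domain names are constructed, and a dictionary stands in for DNS TXT lookups.

```python
# Added example: find SPF include/redirect targets that no longer resolve.
# The zone data is constructed; a dict stands in for DNS TXT lookups.

SAMPLE_ZONE = {  # constructed: domain -> SPF TXT record
    "brand.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example "
                     "include:old-agency.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 "
                           "include:relay.mailer.example -all",
    "relay.mailer.example": "v=spf1 ip4:203.0.113.0/24 -all",
    # old-agency.example is deliberately absent: it models a lapsed domain.
}

def spf_targets(record):
    """Return the domains referenced by include: and redirect= terms."""
    targets = []
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()
        for prefix in ("include:", "redirect="):
            if term.startswith(prefix):
                targets.append(term[len(prefix):])
    return targets

def audit_spf(domain, lookup, seen=None, path=()):
    """Walk the include chain from `domain`; return (dangling, lookups).

    dangling: chains that end at a domain with no SPF record. Such a target
              should be checked for registration status and removed if lapsed.
    lookups:  include/redirect lookups only; a, mx, ptr and exists terms also
              count toward the RFC 7208 limit of 10 but are not counted here.
    """
    seen = {domain} if seen is None else seen
    path = path + (domain,)
    record = lookup(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return [" -> ".join(path)], 0
    dangling, lookups = [], 0
    for target in spf_targets(record):
        lookups += 1
        if target in seen:  # already visited: avoids include loops
            continue
        seen.add(target)
        sub_dangling, sub_lookups = audit_spf(target, lookup, seen, path)
        dangling += sub_dangling
        lookups += sub_lookups
    return dangling, lookups

if __name__ == "__main__":
    print(audit_spf("brand.example", SAMPLE_ZONE.get))
```

To run this against live DNS, replace `SAMPLE_ZONE.get` with a function that returns the domain's SPF TXT record or `None`.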

3. Simple Mail Transfer Protocol (SMTP) Server Vulnerabilities

The SMTP email protocol is a standard foundation for email communications that can utilize SPF, DKIM, and DMARC to prevent email spoofing and tampering. It does this by verifying that messages are sent from networks on the allowed list and by checking other specific email information (e.g., DKIM signature, DNS record, and return-path address data).


Two vulnerabilities in SMTP-hosted email services (i.e., CVE-2024-7208 and CVE-2024-7209) enable attackers to smuggle phishing emails through SPF, DKIM, and DMARC email authentication checks and send them impersonating anyone in the affected hosted domains (i.e., email spoofing).


Sounds far-fetched? This issue has recently impacted big-name brands such as Proofpoint, and according to SEC Consult (which put together a website dedicated to the vulnerability), it could put millions of domains at risk.


So, are you still convinced you don't need to improve your email authentication security? I guess you aren't.

How Can You Strengthen Your Email Authentication Strategy?

Did the email you've just received pass all email authentication checks? That's great. Nevertheless, it doesn't mean the message is safe. Cybercriminals are getting more clever thanks to the support of new technology tools like artificial intelligence (AI) and large language models.


Here we’ve listed a few aces you can add to your email authentication security sleeve against these threats.

1. Verify Your SPF, DKIM, and DMARC Records Are Properly Set

Ensure your emails are correctly authenticated using reliable checker tools such as DMARCLY and MxToolbox. You haven’t set them up yet? There are plenty of wizards and record generators that’ll let you create them in a breeze.

2. Implement Multi-Layered Security

Install strong firewalls and keep your antivirus tools up to date. Consider enabling certificate-based mutual TLS and mutual TLS passwordless authentication. This way, the bad guys won’t have any usernames and passwords to steal or phish. (This approach also can help to prevent password spraying attacks from succeeding.)


Image caption: A basic illustration showing how PKI certificate-based authentication works. This process is more complex, involving cipher- and key-related data exchanges and verifications.

3. Shield Your Communications From Phishing, Malware and Advanced Threats with Next-Gen Tools

Protect your organization’s inboxes from inside and outside threats with next-generation spam and malware filters. They use real-time threat intelligence, behavioral analytics, and machine learning (ML) to help you spot, block, log, and analyze even the most sophisticated email-based threats in a breeze, including zero-day attacks.

4. Protect Your Network

Implement a secure email gateway (SEG) to scan your email traffic, identify potentially dangerous messages, and ensure they’re blocked or end up in your users' spam folders. Basically, an SEG stands as a sentinel between your email infrastructure and the traffic flowing to and from it.


Image caption: Using an SEG adds a layer of protection to your email authentication.

5. Train Your Employees to Identify and React Responsibly to Email-Based Threats

Continuously educate your staff, ideally using real-world email examples and phishing tests. Teach them to recognize the warning signs of phishing and spoofed emails and how to avoid falling for such attacks.

6. Bring Other Authentication Verifiers into the Fold

Add a visual identity to your emails and secure them against phishing and spoofing by adding BIMI and mark certificates to your outbound messages. You can generate your BIMI record in a couple of clicks using a free BIMI generator tool.

Final Thoughts About 3 Real-World Examples of Why Companies Need Better Email Authentication

These real-world examples we’ve just analyzed clearly show the importance of enhanced email authentication and strong security measures. DKIM, SPF, and DMARC are valid and vital tools that help you protect your brand, reputation, data, and customers from the bad guys. But as recent industry data shows us, they’re not always enough to keep attackers at bay.


The truth is that AI has raised the need for a higher security bar. Keeping your organization safe from hard-to-spot phishing emails, evolving cyber threats, and sophisticated attacks will require more than these solutions.


Proactively protecting your network, using robust firewalls and advanced email authentication (i.e., certificate-based authentication), can help you significantly minimize the risk of new email-based attacks from emerging technology. Give it a try. Safeguard your brand, identity, and reputation now and help your customers and other email recipients distinguish your legitimate emails from phishing messages more easily.