Kimsuky leverages DMARC Misconfiguration in its Phishing Campaign

Security researchers from Barracuda have uncovered that the North Korean advanced persistent threat (APT) group Kimsuky has been leveraging DMARC misconfigurations to run highly targeted spear-phishing campaigns against both private- and public-sector organizations worldwide.

Kimsuky is notorious for targeting think tanks, academia, and media outlets to gather intelligence on foreign policy and nuclear matters. The latest campaign exploits poorly configured DMARC policies to spoof legitimate domains and deceive email recipients.

DMARC (Domain-based Message Authentication, Reporting and Conformance) helps prevent email-based attacks by letting a domain owner publish, in DNS, how receivers should treat mail that claims to come from that domain. A receiver checks the message with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), requires at least one passing result to be aligned with the domain in the visible From: header, and applies the published policy to anything that fails. Many organizations stop short of that: they publish a monitor-only policy (p=none) or no record at all, so mail that fails SPF or DKIM alignment is delivered instead of being quarantined or rejected.


In one such instance, Kimsuky sent a seemingly legitimate email inviting a target to speak at a North Korean policy conference. The email passed SPF and DKIM checks, but because the spoofed domain's DMARC policy did not instruct receivers to quarantine or reject mail that fails alignment, it was not blocked. The spear-phishing attempt succeeded, showing how the group turns weaknesses in existing email authentication to its advantage.
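To make the mechanism in the two paragraphs above concrete, here is an added example (not code from the original article or from Barracuda) of how a receiving mail server combines SPF and DKIM results with identifier alignment and the sender domain's published DMARC record. It also lists the record settings that leave a domain open to spoofing. Record parsing follows the RFC 7489 tag syntax; the domains, records and message results are constructed for illustration, and the organizational-domain lookup is a deliberate simplification of the Public Suffix List.

```python
"""
Minimal DMARC policy evaluator.  Added example, not code from the original
article or from Barracuda.  Models how a receiver combines SPF/DKIM results,
identifier alignment and the published DMARC policy, and lists the settings
that let spoofed mail through.  All domains and records are constructed.
"""
from dataclasses import dataclass


@dataclass
class AuthResult:
    """What a receiver knows after running SPF and DKIM on one message."""
    from_domain: str   # domain of the RFC5322.From header (what the user sees)
    spf_pass: bool
    spf_domain: str    # domain SPF actually authenticated (envelope MAIL FROM)
    dkim_pass: bool
    dkim_domain: str   # d= tag of the DKIM signature that verified


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=none; ...' into a tag dict, applying RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("invalid DMARC record: %r" % record)
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Real receivers consult the Public Suffix List; fine for the .example names here."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record: str, result: AuthResult) -> str:
    """Return 'pass', or the policy the receiver is asked to apply to a failing message.

    SPF and DKIM passing is not enough: at least one of them must also be aligned
    with the From: domain.  Otherwise the message fails DMARC and the published
    policy ('none', 'quarantine' or 'reject') decides its fate.
    """
    tags = parse_dmarc(record)
    spf_ok = result.spf_pass and aligned(result.from_domain, result.spf_domain, tags["aspf"])
    dkim_ok = result.dkim_pass and aligned(result.from_domain, result.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # sp= overrides p= for mail claiming to come from a subdomain.
    if result.from_domain.lower() != org_domain(result.from_domain) and "sp" in tags:
        return tags["sp"]
    return tags["p"]


def weaknesses(record: str) -> list:
    """List the settings in a DMARC record that let spoofed mail reach the inbox."""
    tags = parse_dmarc(record)
    issues = []
    if tags["p"] == "none":
        issues.append("p=none: failing mail is delivered, policy is monitor-only")
    if tags.get("sp") == "none":
        issues.append("sp=none: subdomains can be spoofed even if p= is strict")
    if int(tags["pct"]) < 100:
        issues.append("pct=%s: policy applied to only part of the failing mail" % tags["pct"])
    if "rua" not in tags:
        issues.append("no rua=: nobody receives aggregate reports, so abuse goes unnoticed")
    return issues


# --- constructed sample data ------------------------------------------------
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
HARDENED_RECORD = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@thinktank.example"

# A spoof of the kind described above: the attacker's infrastructure authenticates
# its own domain, so SPF and DKIM both "pass", but neither aligns with From:.
SPOOFED = AuthResult(from_domain="thinktank.example",
                     spf_pass=True, spf_domain="mail.attacker-infra.example",
                     dkim_pass=True, dkim_domain="attacker-infra.example")

# Legitimate mail signed and sent by the domain owner.
LEGIT = AuthResult(from_domain="thinktank.example",
                   spf_pass=True, spf_domain="thinktank.example",
                   dkim_pass=True, dkim_domain="thinktank.example")

if __name__ == "__main__":
    for name, record in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        print(name, "spoofed ->", dmarc_disposition(record, SPOOFED),
              "| legit ->", dmarc_disposition(record, LEGIT))
        for issue in weaknesses(record):
            print("   ", issue)
```

Running it shows the point of the article: the spoofed message gets disposition `none` (delivered) under the weak record and `reject` under the hardened one, while legitimate mail passes under both. The same parser can be pointed at your own domain's `_dmarc` TXT record to see which of the listed weaknesses apply.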

What makes this scenario even more concerning is how common DMARC misconfigurations are across industries: either DMARC is managed poorly, or it has not been implemented at all.

Cyber-espionage groups like Kimsuky are constantly looking for weak spots in email security, and DMARC misconfigurations provide an easy way in. With the right tools, configurations, and training, you can close those gaps and keep your organization safe.
