How DMARC Can Protect Against Phishing Ransomware

We Keep you Connected

How DMARC Can Protect Against Phishing Ransomware

Organizations adopting the Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard enable the validation and authentication of emails sent from their domain. Servers and security tools receiving email can perform DMARC checks and quickly detect spoofed emails trying to impersonate the organization. Eliminating these spoofed emails can drastically reduce both phishing emails and ransomware attacks.
This article will explore how this works in more detail:
Ransomware attacks accounted for approximately one out of every five cyber crimes in 2022 even as the number of ransomware attacks dropped by 23% compared to 2021. However, the impact of ransomware continues to grow as ransoms increase and attackers increase the magnitude of their overall threat with the addition of data exfiltration, extortion, and distributed denial of service (DDoS) attacks.
The costs of ransomware attacks can be massive, including downtime, data loss, business reputation damage, recovery expenses, forensic investigation expenses, and significant psychological damages for the teams. Ransomware depends upon phishing for the majority of ransomware attacks, yet phishing also delivers other types of attacks. Phishing, in turn, often depends upon email spoofing to trick users into falling for the phishing attack.
A ransomware attack can spring from a single email, and phishing provides the most common entry point for ransomware. However, in most cases, clicking on a bad phishing link does not launch ransomware. Attacks that do launch immediately can usually only encrypt the computer for the phishing victim, which limits the ransom-earning potential. More insidious, news-worthy, and revenue generating ransomware attacks need widespread access to the organization for maximum impact.
To achieve the broader goal, 63% of phishing attacks seek to compromise credentials. By stealing credentials, the ransomware gang can then infiltrate the network, expand access, and attack the organization as a whole.
Although ransomware makes headlines because of their highly disruptive and obvious impact, phishing attacks can deliver a number of other highly harmful attacks such as business email compromise (BEC), credentials harvesting, keyloggers, remote access trojans (RATs), cryptojacking malware, and other spyware. RATs tend to be the malware of choice because they offer the flexibility of future attack options and the hackers can also resell their access to ransomware-as-a-service providers, cryptocurrency mining groups, bot farms, and more.
Spammers send an estimated 3.4 billion emails every day, and Google blocks around 100 million phishing emails daily. Attackers use phishing to perform 47% of the attacks against North and South American organizations, 43% of the attacks against Asian organizations, and 42% of the attacks against European organizations. Microsoft even estimates that 94% of cyberattacks begin with a malicious email.
Yet no one clicks on an unconvincing email. Most people will be tricked by emails that appear to be legitimate and sent by a familiar brand. LinkedIn, Microsoft, Adobe, and Google are top brands used in broad phishing attacks, but smaller brands will also be used in more targeted attacks.
It’s not so difficult to fake an email. Attackers forge the “From” address to target victims with a fraudulent, “spoofed” email that appears to be from a legitimate sender.
For example, perhaps an administrator at the law firm of clicks on a phishing link and the attackers scope out the firm. The attackers may find the firm too small to be worth a ransom attack but also realize that the firm does local work for dozens of larger corporations.
The ransomware attackers may choose to spoof the domain and send phishing emails to the stolen contact names for those larger corporations with “Overdue Invoice” PDF files laden with malware. With an existing working relationship with, the corporate clients are more likely to click on the phishing emails and enable future ransomware attacks.
Fortunately, DMARC provides a way to stop email using fake “From” addresses and reduce spoofing email attacks. DMARC provides email authentication not only to validate official emails but also to invalidate imposter emails by enhancing other email authentication standards.
DMARC is published with an organization’s Domain Name Service (DNS) and depends on the prior establishment of two other email authentication standards. The Sender Policy Framework (SPF) lists all domains authorized to send emails on behalf of the organization. The DomainKeys Identified Mail (DKIM) standard enables an organization to digitally sign emails from their domain using public key cryptography to verify that an email is delivered unaltered.
DMARC builds on SPF and DKIM to:
Extending the example above, hackers may forge a fake email spoofing the accounts payable department of in the “From” field of the text the reader can see. However, the email itself will be sent from their own domain of, which shows up only in the header of the email (normally hidden from the reader).
However, if deployed an effective DMARC policy, their clients’ email server would perform a DMARC check. The DMARC check would fail the email for being sent from a non-authorized domain and for having misalignment (or non-matching) header and email “From” fields. The receiving email server would be notified that the spoofed emails are fraudulent and likely send the impersonating email to the SPAM folder or even discard them.
Additionally, would receive a report from their clients’ emails servers that detail the campaign of phishing emails from GenericContracts can then proactively warn customers about the phishing attack, search for their data breach, and report as a malicious URL.
Security specialists recommend using DMARC to help protect against ransomware attacks as an essential email security tool. While DMARC primarily protects other organizations receiving emails attempting to impersonate the organization, DMARC makes the task of spoofing emails significantly more complicated for hackers and helps preserve the organization’s brand image.
Of course, it’s not the ultimate protection, as there are many other techniques hackers can deploy. Additionally, organizations need to enforce DMARC on their email receiving servers to perform the DMARC check. However, every protection deployed adds an additional layer of defense, and deploying DMARC also adds other benefits to the organization, such as improving the delivery of marketing emails.
DMARC can be challenging to configure correctly; however, it provides powerful email protection against spoofing, phishing, and related attacks such as ransomware. Organizations need to adopt DMARC to protect themselves and others against spoofing attacks and to help erode the threat of spam, which accounted for 48% of all emails sent in 2022.
For further reading on tools to secure email:
This article was originally written and published by Julien Maury on September 21, 2021 and updated by Chad Kime on June 6, 2023.
Latest articles
Top Cybersecurity Companies
See full list
Related articles
eSecurity Planet is a leading resource for IT professionals at large enterprises who are actively researching cybersecurity vendors and latest trends. eSecurity Planet focuses on providing instruction for how to approach common security challenges, as well as informational deep-dives about advanced cybersecurity topics.
Advertise with TechnologyAdvice on eSecurity Planet and our other IT-focused platforms.
Property of TechnologyAdvice.
© 2023 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.