The Value (and Risk) of DMARC Quarantine

DMARC, phishing

Protect your paycheck!

Direct deposit makes depositing your paycheck automatic and simple… until something goes wrong. That’s what recently happened to several Wichita State University (WSU) employees. They received an email with a link prompting them to log in using their MyWSU ID and password. As it turned out, that was a phishing email that stole their login credentials. The attackers then used those credentials to log in and edit the direct deposit bank account information to send the employee’s entire paycheck to a different bank account. This is another example of a successful phishing scheme. It’s easy, simple, and effective.

Of course, this is somewhat embarrassing for the employees and for WSU. WSU has compensated the employees and has stated that they are taking steps to ensure this doesn’t happen again. It appears that they were actually working on this problem before the phishing attack took place. What’s more, the attack probably* could have been much worse without the preventative steps that WSU took. (the domain that WSU uses to send email) has a DMARC policy of Quarantine set to 25%. Quarantine is a “soft fail” that serves as an intermediate step in the email security process. A 25% Quarantine DMARC policy means that 25% of the emails that are not authenticated will be sent to the recipient’s spam folder. The other 75% of the unauthenticated emails will be delivered to inboxes just the same as 100% of authenticated emails.

Why Use Quarantine?

If it’s not secure, why would a domain owner want to use it? As we can see, WSU still got phished despite its Quarantine policy. Actually, Quarantine is an incredibly useful tool. It allows businesses to begin enforcing DMARC on their domains without the risk of accidentally cutting off their email communication completely. When a business is not sure it is ready to implement DMARC, it can use Quarantine as a way to test the accuracy of its email authentication policies. If most of its legitimate email lands in spam, something is wrong with the email authentication policies. If most emails make it to inboxes, the domain is likely ready for a Reject policy (the secure one). The percentage allows businesses to minimize the risk even further by adjusting the amount of impacted email.
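To make the pct= behaviour concrete, here is an added example (not Fraudmarc’s code) of how a receiving mail server applies a DMARC record’s p= and pct= tags to a message that fails authentication, following RFC 7489: a message that falls outside the pct fraction gets the next weaker policy (reject becomes quarantine, quarantine becomes none). The record string and report address are constructed for illustration.

```python
# Added example: apply a DMARC record's p= and pct= tags to one message.
import random
from typing import Dict

def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=quarantine; pct=25' into tags."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("p", "none")    # p= is required, but default defensively
    tags.setdefault("pct", "100")   # pct= defaults to 100 when absent
    return tags

def disposition(record: str, dmarc_pass: bool, sample: int) -> str:
    """Return 'accept', 'none', 'quarantine' or 'reject' for one message.

    `sample` is an integer in [0, 100) standing in for the receiver's random
    draw; the full policy applies only when sample < pct. Otherwise the message
    gets the next weaker policy, as RFC 7489 section 6.6.4 specifies.
    """
    if dmarc_pass:
        return "accept"                       # authenticated mail is unaffected by p=
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    pct = int(tags["pct"])
    if sample < pct:
        return policy
    return {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")

def simulate(record: str, spoofed: int, seed: int = 1) -> Dict[str, int]:
    """Count dispositions for `spoofed` unauthenticated messages (constructed input)."""
    rng = random.Random(seed)                 # seeded so the run is reproducible
    counts = {"none": 0, "quarantine": 0, "reject": 0}
    for _ in range(spoofed):
        counts[disposition(record, False, rng.randrange(100))] += 1
    return counts

# Constructed record mirroring the 25% Quarantine policy described above.
QUARANTINE_25 = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # Roughly a quarter of spoofed messages land in spam; the rest reach inboxes.
    print(simulate(QUARANTINE_25, 1000))
```

A disposition of "none" means the receiver treats the message as if no DMARC policy existed, so it reaches the inbox unless some other filter catches it.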

Too Little, Too Late?

While Quarantine at 25% is not a strict enough policy to block spoofing attacks, it reduces the number of spoofed messages that reach inboxes. Furthermore, WSU is on the way to email security, which is more than most top-ranked US universities can say. In addition, WSU’s email security will continue to improve as it increases the percentage on Quarantine and moves to Reject.

Way to go, WSU!

Fraudmarc Can Help

In order to secure domains against spoofed messages, they need to have Reject policies. As seen in this example, getting to Reject as quickly as possible is imperative. It’s Fraudmarc’s mission to simplify and speed up the process of email security (so you can get back to work). We offer many tools and services, such as SPF compression and hosted plans, to help users navigate the complexities of setting up accurate email authentication policies (SPF, DKIM, and DMARC). For those more inclined to DIY projects, we offer Fraudmarc CE, our open source version of DMARC reporting. We also have advice about how to implement a Reject policy, how to verify an email sender, the benefits and limitations of DMARC, and more on our blog. Check our community page for answers to common DMARC questions.

*Based on the information available, it is likely that the phishing emails used against WSU were spoofed messages that would have been completely blocked by a DMARC Reject policy. However, we cannot verify this without access to the original phishing email. For more information about types of phishing attacks, check our info page, What is Phishing, or our blog posts, What DMARC Can & Can’t Do for Domains, or Does DMARC Really Increase Email Security.