Nearly half of federal agency email domains have adopted policies to collect data on unauthorized emails, a move mandated by the Department of Homeland Security in October, according to a report by cybersecurity company Agari.
The new policies do not block malicious emails or prevent employees from receiving phishing emails, but instead allow email domain owners, such as CIOs, to receive reports on unauthorized messages sent through their domain.
The DHS mandate requires that all federal agencies adopt a Domain-based Message Authentication, Reporting and Conformance (DMARC) monitoring policy at a level of “p=none” by Jan. 15. According to the DMARC.org frequently asked questions, a policy of “p=none” means that email domain owners receive reports on messages sent through their domain, but recipients still see the potentially malicious emails.
According to the Agari report, 151 domains established a DMARC policy for the first time between Nov. 18 and Dec. 18. This brings the total of agency domains meeting the DHS requirement to 47 percent.
The remaining 53 percent of domains, however, have less than two weeks to fulfill that requirement by the deadline. And even if adoption continues at the rate found by Agari, hundreds of federal domains will fail to meet the Jan. 2018 deadline.
“The analysis in this paper has shown that while federal agencies are making progress in the wake of the specific timelines set forth in [the DHS directive], most remain unprotected against phishing,” the Agari report said. “Almost 53% of federal agencies’ domains currently do not have a DMARC policy. For those that do, the majority still maintain a monitor-only ‘p=none’ policy that doesn’t protect their constituents. These agencies and their email recipients remain vulnerable to domain spoofing and phishing attacks.”
The “p=none” policy does nothing to block malicious emails, however, and agencies must implement a stricter policy to prevent employees from receiving phishing emails.
The DHS directive requires all agency domains to eventually move to a “p=reject” policy within a year of the mandate’s publication, which automatically rejects email messages that fail authentication. According to the Agari report, 15 percent of agency domains have already implemented this policy.
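For readers who want to see what the policy levels discussed here actually look like, the following Python is an added example and is not code from the article or from Agari. A DMARC policy is published as a DNS TXT record at `_dmarc.<domain>`; the script parses such records, classifies each domain as monitor-only (`p=none`), `quarantine` or `reject`, and tallies the levels the way the report's percentages are derived. The domain names and records are constructed samples standing in for real DNS lookups.

```python
"""Classify DMARC policies from DNS TXT records (added example, not from the article)."""
from collections import Counter

# Constructed DMARC TXT records for hypothetical agency domains, as they would
# be returned by a TXT lookup of _dmarc.<domain>.
SAMPLE_RECORDS = {
    "agency-a.example.gov": "v=DMARC1; p=none; rua=mailto:dmarc-reports@agency-a.example.gov",
    "agency-b.example.gov": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-b.example.gov",
    "agency-c.example.gov": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@agency-c.example.gov",
    "agency-d.example.gov": None,  # no _dmarc TXT record published at all
    "agency-e.example.gov": "v=spf1 include:_spf.example.gov -all",  # SPF record misplaced at _dmarc
}


def parse_dmarc(record):
    """Parse a "tag=value; tag=value" DMARC record into a dict of lowercase tags.

    Returns None when the string is missing or is not a DMARC record; RFC 7489
    requires the first tag to be v=DMARC1, and receivers ignore anything else.
    """
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def classify_policy(record):
    """Return "missing", "none", "quarantine", "reject" or "invalid" for one domain.

    "missing" covers both no record and a non-DMARC record; "invalid" means a
    DMARC record whose p= tag is absent or unrecognised, which receivers also
    treat as if no policy had been published.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "missing"
    policy = tags.get("p", "").lower()
    if policy in ("none", "quarantine", "reject"):
        return policy
    return "invalid"


def enforcing(record):
    """True only when spoofed mail is actually acted on: quarantine/reject at pct=100.

    A pct below 100 asks receivers to apply the policy to only that share of
    failing messages, so a partial rollout is not yet full enforcement.
    """
    tags = parse_dmarc(record)
    if not tags:
        return False
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return False
    return tags.get("p", "").lower() in ("quarantine", "reject") and pct == 100


def summarize(records):
    """Count domains per policy level and give each level's share as a rounded percentage."""
    counts = Counter(classify_policy(r) for r in records.values())
    total = len(records)
    return {level: (n, round(100 * n / total)) for level, n in counts.items()}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:24} {classify_policy(record):10} enforcing={enforcing(record)}")
    print(summarize(SAMPLE_RECORDS))
```

Running a classifier like this over an agency's own domain list is the quickest way to check where it stands against the mandate; note that a domain on `p=quarantine` with a reduced `pct` counts as having a policy but is not yet blocking every spoofed message.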
The mandate is designed to reduce the number of successful phishing campaigns conducted against federal employees — in which a malicious actor pretends to be a boss, coworker or other authority figure in order to steal money or information from their target — by preventing those emails from ever reaching the employee in the first place.
Recently, the IRS issued a warning to taxpayers and HR departments that phishing scams pretending to be from the agency or company executives were targeting W-2 forms to steal information and identities. Such phishing scams could be prevented or mitigated by DMARC implementation.
According to the Agari report, 8 percent of total federal email volume monitored by the company was malicious or failing authentication, and 90 percent of those email domains were targeted by domain abuse, meaning a domain registered for phishing, botnets or spam.
“Clearly, some agencies are aware of the threat of digital deception and have taken appropriate countermeasures,” the report read. “A few federal agencies, including the U.S. Department of Health and Human Services, have taken the initiative by enabling DMARC. Moreover, they have configured it in the most strict ‘reject’ mode so that email service providers can automatically reject phishing emails impersonating their agency. However, among other early adopters, a significant number of their deployments are ‘p=none,’ which does nothing to prevent these attacks. DMARC adoption is of little use unless organizations move to a Quarantine or Reject policy.”
Jessie Bur covers federal IT and management.