NSA warns of North Korean hackers exploiting weak DMARC email policies (Security News, May 2024)
The NSA and FBI warned that the North Korea-linked hacking group APT43 exploits weak Domain-based Message Authentication, Reporting and Conformance (DMARC) email policies to mask spearphishing attacks.
Together with the U.S. State Department, the two agencies cautioned that the attackers abuse misconfigured DMARC policies to send spoofed emails that appear to come from credible sources such as journalists, academics, and other experts in East Asian affairs.
"Kimsuky actors' primary mission is to provide stolen data and valuable geopolitical insight to the North Korean regime by compromising policy analysts and other experts," the agencies added in a joint advisory [PDF] published this week.
In these attacks, they exploit missing DMARC policies or DMARC policies with "p=none" configurations, which tell the receiving email server to take no action on messages that fail DMARC checks.
The advisory recommends the stricter "p=quarantine" or "p=reject" settings instead. The first instructs email servers to quarantine emails that fail DMARC and tag them as potential spam, while the second tells them to block all emails that fail DMARC checks.
"In addition to setting the 'p' field in DMARC policy, the authoring agencies recommend organizations set other DMARC policy fields, such as 'rua' to receive aggregate reports about the DMARC results for email messages purportedly from the organization's domain," the agencies added.
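As an added illustration of the checks the advisory describes (not code from the agencies or the article), the following hypothetical helper parses a domain's DMARC TXT record and reports the weaknesses a spoofer would benefit from: a missing record, "p=none", and no "rua" reporting address. It goes slightly beyond the advisory's text by also checking the RFC-defined "sp" and "pct" tags, which can quietly weaken an otherwise strict policy; the sample records and example.org domain names are constructed.

```python
"""Assess DMARC records for the weaknesses described in the NSA/FBI advisory."""

# Constructed sample records, standing in for the TXT record a DNS lookup of
# _dmarc.<domain> would return. None models a domain with no record at all.
SAMPLE_RECORDS = {
    "no-record.example.org": None,
    "none.example.org": "v=DMARC1; p=none;",
    "partial.example.org": "v=DMARC1; p=quarantine; pct=25",
    "hardened.example.org": "v=DMARC1; p=reject; sp=reject; "
                            "rua=mailto:dmarc-reports@example.org",
}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of findings; an empty list means enforcement is in place."""
    if record is None:
        return ["no DMARC record: receivers apply no policy to spoofed mail"]
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing or invalid v=DMARC1 tag: receivers ignore the record")
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("missing p= tag: record is invalid and not enforced")
    elif policy == "none":
        findings.append("p=none: receivers take no action on DMARC failures")
    # sp= defaults to p=; an explicit sp=none leaves subdomains unprotected
    if tags.get("sp", policy).lower() == "none" and policy not in ("", "none"):
        findings.append("sp=none: subdomains are left unenforced")
    # pct= below 100 applies the policy to only a sample of failing messages
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only a fraction of failures")
    if not tags.get("rua"):
        findings.append("no rua= address: no aggregate reports to reveal spoofing attempts")
    return findings


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, "->", assess_dmarc(record) or ["OK: policy enforced"])
```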