Information Security
email phishing dkim dmarc
Updated Sat, 09 Jul 2022 09:49:34 GMT

How did the email pass DKIM?


I am trying to figure out how this one phishing email (it used our company's domain as the From) was able to bypass the O365 spam filter.

Looking at the header, it looks like they passed DKIM even though the domain that is used differs completely from the sender domain.

smtp.mailfrom=contoso.com; dkim=pass (signature was verified)
header.d=myprivategym.ae;dmarc=fail action=quarantine
header.from=noser.ch;compauth=fail reason=000
Received-SPF: Fail (protection.outlook.com: domain of contoso.com does not designate 162.240.0.182 as permitted sender) receiver=protection.outlook.com;
client-ip=162.240.0.182; helo=5264291.stepup.ae;

And here is the complete DKIM Signature:

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
                d=myprivategym.ae; s=default; h=Content-Type:MIME-Version:Date:Subject:To:
                From:Reply-To:Message-ID:Sender:Cc:Content-Transfer-Encoding:Content-ID:
                Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
                :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
                List-Subscribe:List-Post:List-Owner:List-Archive;
                bh=suy1b+63b/U2RVJlwzBdnXUOlOuPf+shUSL9AwCk8Xw=; b=eUvt0Q7HjDXwECOgEc8cIWRMAEj8/0hQOvxyX8J2jZlVTwvupRc6x2v96MNDi8nuLw9/vPSenK20R5JoRFqoywTfycnpvIj0HBsfTwxihpJJlz98Y2YNYz1TEW/1OK1sIQ6tWUYore3TXFHFyin7hSbZKLCkiRdHT9UxGsd70WiFDTZH+hwubvNOytOMZHC0F9uxWaeaZc5AIp6ZB7rHcq4wdHmqWVQm04FCIrCyq/f7zUeCeKUhrRCgDKqFhGh/ZT/Ek5Yq5BL6E2p99X6LyCgGfDQ8IUvYHXLbVlUK1rllP1pnhzn/mBNvpo8fvXGAtS4K2+9TyrSKkZL8iPhy3A==;
Received: from [74.208.177.107] (port=49903 helo=74.208.177.107)
                by 5264291.stepup.ae with esmtpsa  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
                (Exim 4.94.2)
                (envelope-from test@contoso.com)

My DMARC DNS Records look like this:

"v=DMARC1; p=quarantine"

Do I have to add a domain alignment checker for SPF and DKIM to prevent this? Or is there any other reason I am missing for why DKIM passed in this case?




Solution

DMARC requires passing either SPF or DKIM. Passing requires domain alignment.

While this message does have valid DKIM (for d=myprivategym.ae), it does not align with your domain (contoso.com). Anybody can set up their own DKIM for their own domain, so this is not a useful signal unless it claims to be your domain, in which case they'd have to obtain a DNS entry to be valid. That's why DMARC Alignment is so important.

Since it doesn't pass SPF and doesn't have aligned DKIM, DMARC failed and your prescribed policy of quarantine triggered.

However, your mail server likely isn't configured to do anything useful with DMARC p=quarantine. That's probably a good thing; it's not a strong signal. Incorporating it as one of many features in a larger anti-spam system (like giving it some points in SpamAssassin) makes sense, as does actually quarantining it (assuming you have a useful quarantine system, say one that rescans its content after some time delay).

Even in the best circumstances, it's easy for a quarantine action to be insufficient to block spoofed messages. When you've finished vetting the aggregate DMARC reports after some window of time, you can decide that it's safe to upgrade to p=reject, at which point you can configure your MX records to reject or delete such violations. Many admins have sadly concluded that even DMARC p=reject is not a strong enough signal, however, so it again must be combined with other threat indicators, and a clever campaign can still sneak through.
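The alignment rule the answer describes, worked through in Python as an added example (this is not code from the question or the answer): it parses the Authentication-Results fields quoted above and applies RFC 7489 identifier alignment to decide the DMARC verdict. The sample header string is constructed from the question's headers (an spf=fail clause is added to mirror the Received-SPF: Fail line), and the organizational-domain lookup is simplified to the last two labels instead of a Public Suffix List lookup.

```python
import re

# Constructed sample: the Authentication-Results fields quoted in the question,
# with an spf=fail clause added to mirror its Received-SPF: Fail line.
SAMPLE_AUTH_RESULTS = (
    "spf=fail smtp.mailfrom=contoso.com; "
    "dkim=pass (signature was verified) header.d=myprivategym.ae; "
    "dmarc=fail action=quarantine header.from=noser.ch"
)
SAMPLE_DMARC_RECORD = '"v=DMARC1; p=quarantine"'   # the record from the question

def _field(text, key):
    m = re.search(r"(?<![\w.])" + re.escape(key) + r"=([^\s;()]+)", text)
    return m.group(1).lower() if m else None

def parse_auth_results(text):
    """Pull the identifiers DMARC evaluates out of an Authentication-Results value."""
    return {"spf": _field(text, "spf"), "mailfrom": _field(text, "smtp.mailfrom"),
            "dkim": _field(text, "dkim"), "dkim_d": _field(text, "header.d"),
            "from_domain": _field(text, "header.from")}

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption: a real
    verifier uses the Public Suffix List, so this is wrong for e.g. example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(domain, from_domain, mode):
    """RFC 7489 alignment: 's' = exact match, 'r' = same organizational domain."""
    if not (domain and from_domain):
        return False
    return domain.lower() == from_domain.lower() if mode == "s" else org_domain(domain) == org_domain(from_domain)

def parse_dmarc_record(record):
    tags = dict(kv.strip().split("=", 1) for kv in record.strip('"').split(";") if "=" in kv)
    return {"p": tags.get("p", "none"), "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}

def evaluate_dmarc(auth, record):
    """Return (dmarc_result, policy_to_apply, detail). DMARC passes only if SPF or DKIM
    passed *and* that identifier's domain aligns with the RFC5322.From domain."""
    pol = parse_dmarc_record(record)
    spf_ok = auth["spf"] == "pass" and aligned(auth["mailfrom"], auth["from_domain"], pol["aspf"])
    dkim_ok = auth["dkim"] == "pass" and aligned(auth["dkim_d"], auth["from_domain"], pol["adkim"])
    detail = (f"spf={auth['spf']} mailfrom={auth['mailfrom']} aligned={spf_ok}; "
              f"dkim={auth['dkim']} d={auth['dkim_d']} aligned={dkim_ok}")
    return ("pass", "none", detail) if (spf_ok or dkim_ok) else ("fail", pol["p"], detail)

if __name__ == "__main__":
    auth = parse_auth_results(SAMPLE_AUTH_RESULTS)
    print(evaluate_dmarc(auth, SAMPLE_DMARC_RECORD))   # valid DKIM, but unaligned -> fail, quarantine
    print(evaluate_dmarc(dict(auth, dkim_d="mail.noser.ch"), SAMPLE_DMARC_RECORD))   # aligned -> pass
```

The second call shows the same valid signature made under a subdomain of the From: domain, which relaxed alignment accepts; with adkim=s in the record it would fail again.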





Comments (2)

  • +0 – Thank you for the detailed answer. After reading through the link and everything you explained, I have one remaining question about this part: dkim=pass (signature was verified) (So this part only checks if the sender has a verified DKIM or not - it doesn't matter what domain this DKIM represents.) header.d=myprivategym.ae;dmarc=fail action=quarantine (The dmarc entry checks for the domain alignment - if there was no dmarc record, the DKIM message above would have no impact on how the mails were marked.) I will check with Microsoft how we can manage those kinds of mails. — Jan 12, 2022 at 08:18  
  • +0 – The DKIM signature was valid, but not for your domain, so it's irrelevant here. If there's no DMARC record, there's no DMARC policy to trigger. You have a DMARC record, thus the policy was triggered. See How Microsoft 365 handles inbound email that fails DMARC for more. — Jan 12, 2022 at 15:17  

