Press Release
White House E-Mail Domains Lack Basic Phishing and Spoofing Security
Only One of 26 Email Addresses Managed by Executive Office of the President Uses DMARC Security Protocol to Block Phishing
WASHINGTON, April 4, 2018 – More than 95 percent of email domains managed by the Executive Office of the President (EOP) are in danger of being used in a large-scale phishing attack. Only the Max.gov email domain has fully implemented the top defense against email phishing and spoofing, according to research released today by the Global Cyber Alliance (GCA). Seven of the domains have implemented the Domain Message Authentication Reporting & Conformance (DMARC) protocol at the lowest level “none” which monitors email but does not prevent delivery of spoofed emails. Further, GCA found that 18 of the 26 email domains under management haven’t started the deployment of DMARC.
Without DMARC implemented, scammers and criminals can easily “hijack” an email domain to steal money, trade secrets or even jeopardize national security. DMARC weeds out fake emails (known as direct domain spoofing) deployed by spammers and phishers targeting the inboxes of workers in all sectors of society. According to the 2017 Symantec ISTR report, 1 in 131 emails contained malware, the highest rate in 5 years.
“Email domains managed by the EOP are crown jewels that criminals and foreign adversaries covet,” said Philip Reitinger, president and CEO of the Global Cyber Alliance. “The lack of full DMARC deployment across nearly every EOP email address poses a national security risk that must be fixed. The good news is that four new domains have implemented DMARC at the lowest level, which I hope indicates that DMARC deployment is moving forward. The EOP domains that have recently deployed DMARC at its lowest setting includes WhiteHouse.gov and EOP.gov, two of the most significant government domains. I hope that the government will move rapidly to block phishing attempts across all EOP domains.”
Domains under the control of the EOP include Budget.gov, OMB.gov, WhiteHouse.gov, USTR.gov, OSTP.gov and EOP.gov – all well-known email domains that are valuable for phishers looking to trick government employees, government contractors, and U.S. citizens.
The weak DMARC deployment by the EOP is surprising after the U.S. Department of Homeland Security mandated that all federal agencies implement DMARC last year. Security experts praised DHS and Senator Ron Wyden, who called for agencies to implement DMARC, for pushing government agencies to quickly implement DMARC at the highest level possible.
Using GCA’s DMARC tools, the researchers scanned the 26 EOP email domains:
DMARC Count | Effect at this level of implementation | |
Domains Tested | 26 | (The email domains of the Executive Office of the President) |
Reject | 1 | The highest level of DMARC protection. If reject is in place, incoming messages that fail authentication get blocked. |
Quarantine | 0 | The second highest level of DMARC protection. With quarantine in place, emails that don’t meet the policy are sent to the spam or junk folder. |
None | 7 | None means that the DMARC policy is in place, but the only thing that’s happening is monitoring. No action is being taken to block spoofed emails. |
No Policy | 18 | No policy means that DMARC is not in place. |
GCA has published five reviews of DMARC implementation – two looking at organizations in cybersecurity, one looking at banks, one examining public and private hospitals, and most recently a look at the top tax software providers. When Agari looked at Fortune 500 companies last August, they found 8 percent protected their companies’ domains with DMARC.
For more details about DMARC or to check if an organization is using DMARC, visit: dmarcguide.globalcyberalliance.org.
About the Global Cyber Alliance
The Global Cyber Alliance (GCA) is an international, cross-sector effort dedicated to eradicating cyber risk and improving our connected world. We achieve our mission by to uniting global communities, implementing concrete solutions, and measuring the effect. GCA, a 501(c)3, was founded in September 2015 by the Manhattan District Attorney’s Office, the City of London Police and the Center for Internet Security. Learn more at globalcyberalliance.org