Phishing evolves beyond DMARC
The phishing attack against Sendgrid is still going on. Most of the mail and the websites are being hosted on Linode. I’ve still not gotten to see what one of the sites looks like, as Linode is getting the sites down before I click on the links.
Everyone here is doing the Right Things(tm) in order to address the problem. Sendgrid has a p=reject message in their DMARC record, Linode seems to be reasonably competent at getting the phishing sites down quickly enough.
I did notice in today’s round of emails the phishers have evolved. Sometime between midnight GMT and 4pm GMT they stopped forging @sendgrid.com in the from address. Now they’re just forging random domains. Any protection SendGrid was getting from their DMARC record is now gone.
This is a prime example of why I roll my eyes whenever anyone tells me DMARC stops phishing. DMARC stops one very specific kind of phishing that is trivial to work around. Even if every company on the planet went p=reject there is absolutely nothing to stop the phishers from registering their own domains and publishing their own DMARC records.
I’m pretty sure that many of these emails are being blocked and filtered, but if even a few get through and are clicked on it can cause major pain for the victim companies.
Be careful out there.