The diagram demonstrating the attack shows DMARC fails. All they have shown is that everyone should have DMARC configured properly, and use a reject or quarantine policy. This has been best practice for a long time now.
They use the example of state.gov. That domain's policy is currently set to Reject, which is what all Federal government services have been using for years now.
Here's CISA's requirements: https://www.cisa.gov/news-events/directives/bod-18-01-enhanc...
Microsoft also uses their own auth mechanism in addition to DMARC. It's called composite authentication. In my experience, comp-auth is more strict than DMARC alone.
https://learn.microsoft.com/en-us/microsoft-365/security/off...
What am I missing? Why is this noteworthy?
EDIT:
After reading more of the paper, my conclusion is mentioned in a later reply:
"They are demonstrating a problem with managed providers, and their opinionated configuration. You give up a lot of control as an admin when you use 365 as your front-end. This further proves that."
I completely agree. As an aside, for .gov domains, the DMARC offenders are primarily at the state, county, and local level. I would personally be in favor of extending CISA’s DMARC requirements to anyone with a .gov domain (and revoking domains that are non-compliant).
Another misconception among many CIO/CISOs is that securing your individual subdomain with DMARC is enough. For example, dmv.ca.gov might have DMARC on its subdomain but not on the root, allowing a scammer to make up their own subdomain like “vehicles.ca.gov” and scam people into paying for fake vehicle registration. Of course there are other mechanisms inbox providers use to protect recipients, but without a DMARC policy on the root domain the door is left open.
This is especially prevalent at the state level where no one wants to own DMARC centrally.
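The subdomain gap described in the comment above, as an added example that is not part of the thread: a minimal DMARC policy discovery in the style of RFC 7489 section 6.6.3, run against constructed in-memory records instead of live DNS so it works offline. The ca.gov, state.gov and example.gov records are constructed for illustration, and the organizational-domain helper assumes two labels rather than consulting the Public Suffix List.

```python
# Added example (not from the thread): DMARC policy discovery against a
# constructed DNS table. It shows why a record on dmv.ca.gov alone does not
# cover a made-up sibling such as vehicles.ca.gov when ca.gov has no record.
from typing import Optional

# Constructed sample records (assumption: not real DNS data for these domains).
FAKE_DNS = {
    "_dmarc.dmv.ca.gov": "v=DMARC1; p=reject; rua=mailto:dmarc@dmv.ca.gov",
    # ca.gov root deliberately has no _dmarc record in this scenario.
    "_dmarc.state.gov": "v=DMARC1; p=reject; sp=reject",
    "_dmarc.example.gov": "v=DMARC1; p=quarantine; sp=none",
}


def org_domain(domain: str) -> str:
    # Assumption: two-label organizational domain; real code uses the PSL.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(txt: str) -> dict:
    # Split "tag=value; tag=value" into a dict with lowercase tag names.
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def lookup(name: str, dns=FAKE_DNS) -> Optional[dict]:
    # Return the parsed record at _dmarc.<name> if it is a valid DMARC1 record.
    txt = dns.get("_dmarc." + name)
    if txt and parse_dmarc(txt).get("v", "").upper() == "DMARC1":
        return parse_dmarc(txt)
    return None


def effective_policy(from_domain: str, dns=FAKE_DNS) -> str:
    """Policy a receiver must apply to the RFC5322.From domain."""
    rec = lookup(from_domain, dns)
    if rec:
        return rec.get("p", "none")  # exact match: p applies
    org = org_domain(from_domain)
    if org == from_domain:
        return "none"  # no record at all
    rec = lookup(org, dns)
    if not rec:
        return "none"  # root unprotected: any invented subdomain is uncovered
    return rec.get("sp", rec.get("p", "none"))  # sp (or p) covers subdomains


if __name__ == "__main__":
    for d in ["dmv.ca.gov", "vehicles.ca.gov", "mail.state.gov", "foo.example.gov"]:
        print(d, "->", effective_policy(d))
```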
This works against domains that have DMARC configured properly. The first attack works against any domain that is using O365, regardless of their DMARC settings.
Your domain may have a policy of reject or quarantine, but does the receiving host correctly act on that policy?
I can understand if free email providers are more permissive with narrow authentication scenarios. Users aren't usually able to contact support.
As someone suggested in this thread, this is a UX problem.
Policies need to appease a large number of users. A gov/corp org receiving these messages can be more strict. Even in these orgs, people complain about not receiving an email that was appropriately rejected.
The attack works for spoofing email from domains that have DMARC configured with reject policy against receiving servers that validate DMARC and act correctly according to policy. Only requirement is that the domain the attacker is spoofing is using O365.
This is not a UX problem. This is a Microsoft problem.
> Only requirement is that the domain the attacker is spoofing is using O365.
This is not true. The paper mentions multiple service providers using more relaxed validation.
Table 3, section 5 in the paper shows which policies need to be in place on the domain they are piggy-backing on.
They reference Postfix:
"Additionally, we note that mailing list software such as Listserv and Mailman require a backend MTA. In our experiments we used Postfix with DMARC turned on, a configuration which follows good security practice. However, in practice many organizations might not use this configuration because many MTAs (including Postfix) do not enforce DMARC by default. In these cases, the attacker can spoof email from any target domain, regardless of its DMARC policy, much like the attack against Gaggle."
I read this to mean that if you actually enable DMARC in Postfix, piggy-backing on another domain's policies results in rejection.
No mention of results for receiving at Proofpoint, Mimecast, Trellix, or Cisco's email appliance.
> This is not a UX problem.
They are demonstrating a problem with managed providers, and their opinionated configuration. You give up a lot of control as an admin when you use 365 as your front-end. This further proves that.
Yes, they mention that Fastmail, GMX, Inbox.lv, and Pobox also allow per-user DMARC overrides, including overriding reject policy. But Microsoft is the only one of these using MFEF forwarding which enables the attack to be successful.
I suppose a similar attack to the one in 5.1 would work against Fastmail, but the victim would be able to see the original envelope From to detect that the mail is spoofed.