NCSC calls out Microsoft for refusing to share DMARC security reports

Microsoft’s refusal to share data about email spoofing and phishing campaigns has had a “massively negative effect” on the security research community, British officials have claimed.

In the National Cyber Security Centre’s latest annual report, officials revealed that the US tech giant’s decision to withhold the data meant they were unable to carry out a full assessment of the impact of new email security measures.

Over the last two years, NCSC has been rolling out a “Mail Check” service to help government organisations improve email security and crack down on the use of their domains for spoofing campaigns. NCSC officials said in the report: “One of the primary goals is to support and encourage adoption of DMARC, which, along with the SPF and DKIM protocols, is a powerful tool against spoofing and phishing.”

Microsoft, one of the world’s largest providers of consumer and enterprise email platforms, has adopted DMARC (Domain-based Message Authentication, Reporting and Conformance) as a security standard. The company also encourages clients to use the standard to provide “additional protection against spoofing and phishing email”.

But in late 2017, it stopped sharing DMARC reports, according to Ian Levy, NCSC’s technical director. “This has had a massively negative effect on the community’s ability to draw conclusions about email security driven by DMARC adoption and it is almost impossible for us to compare meaningful statistics from this year with statistics from last year,” Levy wrote.

The policy also appears to have frustrated some of Microsoft’s clients. “We are getting reporting from all other large email providers that produce it, however we have a massive blind spot for all [Office 365] email traffic – both to our tenant but also anyone else using O365,” one customer wrote on a Microsoft community page. “Given the prevalence of large corps using O365 – I can’t quite wrap my head around why this isn’t a bigger thing.”

Levy said “we, and many others, are in discussion with Microsoft about [its reporting procedures]”. A Microsoft spokesperson said in an email: “DMARC reporting was paused for internal engineering integration. We are working on restarting it post engineering work completion.”

Seth Blank, secretary of the IETF group overseeing DMARC and a director of industry initiatives at Valimail, another email security provider, said: “When some players reap the benefits of a standard like DMARC, but don’t contribute to the ecosystem by providing reports, it damages email security for everyone. NCSC is correct when it calls this failure out as ‘a massively negative effect on the community’.”

NCSC’s annual report revealed that more than 6,000 domains are now monitored by Mail Check and that around 20 per cent of those had DMARC in place. But Levy explained that there “remains more to do in driving adoption across public sector to prefer stronger DMARC policies”.

He also noted that the way email providers reject suspicious emails varies, with some refusing delivery and others sending suspicious mail to spam folders. “Believe it or not, we have a few actual incidents where someone actioning an email that ended up in their spam folder was the way in. We need the industry to be more consistent in how they action a domain’s DMARC policies and there is significant work to be done here.”
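To make concrete what the withheld aggregate reports contain, and what an inconsistently applied policy looks like in them, here is an added example (not code from the article, NCSC's Mail Check or any provider) that parses a constructed DMARC aggregate report in the RFC 7489 XML schema and tallies per-source results; the domain, IPs and counts are placeholders.

```python
"""Summarise a DMARC aggregate (RUA) report per sending source.

Added example, not code from the article or from NCSC's Mail Check.
The report below is a constructed sample in the RFC 7489 XML schema;
the domain, source IPs and message counts are placeholders.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>dept.example</domain><p>quarantine</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
</feedback>
"""


def summarise(report_xml):
    """Return per-IP pass/fail counts and how many failing messages the
    receiver delivered anyway ('none') despite a quarantine/reject policy."""
    root = ET.fromstring(report_xml)
    policy = root.findtext("policy_published/p")
    sources = defaultdict(lambda: {"pass": 0, "fail": 0})
    unenforced = 0
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        passed = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        sources[ip]["pass" if passed else "fail"] += count
        # Failing mail that a receiver still delivered under a stronger policy:
        # the enforcement inconsistency a domain owner wants to spot.
        if not passed and policy != "none" and ev.findtext("disposition") == "none":
            unenforced += count
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": policy,
        "sources": dict(sources),
        "failing_delivered_unenforced": unenforced,
    }
```

Feeding real reports through `summarise` gives the per-sender view that goes dark for any receiver that stops sending them.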