North Korean Cyber Actors Exploiting Weak DMARC Policies: Why South African Businesses Should Care

International cybersecurity agencies including the FBI and NSA have warned that North Korean cyber actors are exploiting weak DMARC policies to conduct highly targeted phishing campaigns.

While the advisory originates in the United States, the lesson applies directly to South African businesses: if your domain is not properly protected, it can be used against your clients, partners, or supply chain — regardless of where the attacker is based.

Why This Matters for Cybersecurity in South Africa

South African organisations are not immune to state-linked cyber operations. Email spoofing and domain impersonation are routinely used in local phishing, business email compromise, and supply-chain fraud.

Many South African domains still operate with:

  • No DMARC policy
  • A policy set to p=none
  • Misaligned SPF and DKIM records

In practice, this means attackers do not need to breach your systems – they only need to impersonate you.

Understanding DMARC and Its Importance

DMARC is an email security protocol that helps authenticate whether an email message comes from the domain it claims to be from. It works in conjunction with other email authentication methods such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). When properly configured, DMARC can prevent malicious actors from sending emails that appear to come from legitimate domains.

Unfortunately, many organizations either do not have DMARC policies in place or have them set to “none,” meaning no action is taken on emails that fail authentication checks. This oversight allows cyber actors like those from North Korea to spoof email domains and carry out phishing attacks.

North Korean Cyber Operations

North Korea’s cyber program is a crucial part of the regime’s intelligence and espionage efforts. The primary group involved in these activities is known as Kimsuky, which has been active since around 2012. This group operates under North Korea’s Reconnaissance General Bureau (RGB), targeting policy analysts and experts to gather intelligence on geopolitical events, foreign policies, and other areas critical to North Korean interests.

Kimsuky actors typically start with thorough research to identify high-value targets. They then use social engineering techniques to craft spear phishing emails that appear to come from trusted sources such as journalists, academics, or think tanks. These emails often contain malicious links or attachments designed to compromise the recipient’s device and gain access to their networks.

Examples of Kimsuky’s Tactics

Kimsuky’s emails are meticulously crafted to appear legitimate. They often use real email addresses and domains from compromised accounts to bypass initial scrutiny. For instance, they might send an email inviting a target to speak at a conference or respond to media queries. These emails can look authentic because they may contain content lifted from previous legitimate communications.

In one example, a Kimsuky email invited a target to speak at a workshop hosted by a legitimate think tank, offering a speaker fee to entice participation. The email was sent using a legitimate university’s email domain but failed DMARC checks because the actual sender’s domain did not match the spoofed think tank’s domain.

Mitigation Measures and Actions to Take

The advisory makes one thing clear: a monitoring-only DMARC policy (p=none) is no longer sufficient.

Organisations should progressively move toward enforcement by publishing one of the following policies in their DMARC record:

Quarantine: “v=DMARC1; p=quarantine;”

This setting asks receiving mail servers to treat messages that fail authentication as suspicious, typically delivering them to the spam or quarantine folder rather than the inbox.

Reject: “v=DMARC1; p=reject;”

This setting asks receiving mail servers to refuse messages that fail authentication outright, so spoofed mail never reaches recipients and domain spoofing cannot succeed.

Additionally, organisations should request aggregate reports in their DMARC record so that receiving mail servers report authentication results back to them, enabling better monitoring of and response to spoofing attempts.
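To make concrete how the SPF/DKIM alignment described above combines with the p= policy just listed, here is an added example (not code from the article or the advisory) that parses a DMARC record, checks identifier alignment, and returns the disposition a receiving server would apply. The domain names, records and the short public-suffix list are constructed assumptions; nothing is looked up in DNS.

```python
# Added example (not the article's or the advisory's code): a minimal DMARC
# record parser plus the identifier-alignment and disposition logic that a
# receiving mail server applies. Records and domains are constructed; no DNS.

# Assumed shortlist of multi-label public suffixes (real code uses the full PSL).
PUBLIC_SUFFIXES = {"co.za", "org.za", "ac.za", "gov.za"}

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; rua=mailto:...' into a tag->value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(fqdn):
    """Organisational domain: the registrable part of a host name."""
    labels = fqdn.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in PUBLIC_SUFFIXES else 2
    return ".".join(labels[-n:])

def aligned(from_domain, auth_domain, mode):
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf=None, dkim=None):
    """Return 'pass', or the action the domain owner's policy requests.
    spf/dkim are (authenticated domain, passed) tuples or None if absent."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "no-policy"  # unusable record: receivers behave as if p=none
    spf_ok = bool(spf and spf[1] and aligned(from_domain, spf[0], tags.get("aspf", "r")))
    dkim_ok = bool(dkim and dkim[1] and aligned(from_domain, dkim[0], tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"].lower()

if __name__ == "__main__":
    # Constructed replay of the pattern in the advisory: the From: header
    # claims a think-tank domain, but SPF authenticates a university domain.
    for policy in ("p=none", "p=quarantine", "p=reject"):
        rec = f"v=DMARC1; {policy}; rua=mailto:dmarc@thinktank.example.org.za"
        print(policy, dmarc_disposition(rec, "thinktank.example.org.za",
                                        spf=("university.example.ac.za", True)))
```

Running it shows why p=none offers no protection: the spoofed message is flagged but still delivered, while only quarantine or reject changes what the recipient sees.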

Indicators of Malicious Activity

Here are some red flags to watch out for that might indicate a spear phishing attempt by North Korean actors:

  • Initial communication without malicious links, followed by messages containing harmful links or attachments.
  • Poor grammar or awkward sentence structure in emails.
  • Use of content from previous legitimate communications to add credibility.
  • Emails requesting enabling macros to view documents.
  • Persistent follow-up emails if the initial message goes unanswered.
  • Emails that appear to come from official government employees or members of the military.

Reporting and Further Information

Individuals and organisations targeted by these spear phishing campaigns are urged to report incidents to the FBI’s Internet Crime Complaint Center (IC3) and include specific details about the incident. We are sharing this report for informational purposes only. All references in this report are taken from the official joint advisory document.

Additional Security Recommendations

  • Review and update email security policies regularly.
  • Educate employees on how to spot signs of phishing and social engineering attacks.
  • Implement multi-factor authentication for extra security.
  • Run regular external exposure assessments to understand what attackers can already see about your organisation.

Domains without an enforced DMARC policy (p=quarantine or p=reject) remain vulnerable to impersonation and fraudulent email activity.

State-sponsored actors do not discriminate by geography. If your domain can be spoofed, it can be weaponised – whether by an intelligence unit, organised crime group, or local fraudster.

Enforcing DMARC is not an advanced security strategy. It is now baseline cyber hygiene.

Check your domain’s current DMARC posture and ensure you are not the weakest link in someone else’s attack chain.

If you want to understand how domain impersonation affects your wider ecosystem, read our article on Supply Chain Cyber Risk.