Introduction
Attackers don't randomly spoof domains; they target. Unprotected domains — those without DMARC at enforcement — are systematically identified and abused. This article walks through what attackers actually do.
Why this topic matters
Knowing the attacker playbook makes the rollout case concrete. The threat isn't abstract; it's a series of specific techniques used by industrialized phishing operations.
How attackers identify unprotected domains
The process is automated:
- Crawl target lists. Industry directories, customer lists from breaches, public domain registries.
- Check DMARC posture.
- Check DMARC posture. `dig +short TXT _dmarc.<domain>` per target.
- Filter for `p=none` or unconfigured. Sortable target list.
- Prioritize by brand recognition. Banking, healthcare, government, e-commerce sit at the top.
A medium-sophisticated phishing crew scans thousands of domains daily.
The attack patterns
Pattern 1: Brand-impersonation campaign
Generic phishing emails using a recognized brand's exact domain in the From header. "Your Bank: account verification needed." Mass-targeted; small response rate but high volume produces meaningful conversion.
Pattern 2: Wire-fraud BEC
Targeted attack against finance teams using the CEO's exact domain. "Please wire $X to this account by EOD." Personal, urgent, exact-domain spoofed.
Pattern 3: Vendor-invoice fraud
Fake invoice from a recognized vendor using their exact domain. "Updated payment instructions for invoice #X." Goes to the AP team that is expecting a real invoice from that vendor.
Pattern 4: Credential harvesting
Fake password-reset email from a SaaS product. "Reset your account." Sends user to attacker-controlled site.
All four require exact-domain spoofing to work at scale. All four are stopped by DMARC at p=reject.
Why these work
Three reasons:
- Trust transfer. Recipients trust mail from recognized brands.
- Urgency framing. Most phishing creates time pressure that suppresses verification.
- No DMARC at the targeted brand. Receivers have no policy basis to filter.
What DMARC does to each pattern
- Pattern 1: Bounced at SMTP. Recipients never receive it.
- Pattern 2: Same outcome. The CEO's domain at `p=reject` means the spoofed mail doesn't arrive.
- Pattern 3: Vendor at `p=reject` protects their domain; pairs with AP-verification training.
- Pattern 4: SaaS at `p=reject` protects the credential vector.
Step-by-step approach to closing each vector
- Roll out DMARC to enforcement on every domain.
- Pair with BIMI for visible signaling.
- Implement wire-verification protocols for residual BEC.
- Train users on adjacent vectors (look-alikes, display names).
- Monitor reports for ongoing spoofing attempts.
Best practices
- Treat the threat as constant. Attackers continuously scan for unprotected domains.
- Don't rely on obscurity. Small brands get targeted too.
- Pair DMARC with brand-monitoring for look-alike detection.
- Communicate to customers what authenticated mail looks like.
- Document the attack model for board education.
Recommended next step
If your domain is at p=none, you're on the attackers' target list. Closing the gap is the action.
FAQ
Do attackers really scan for DMARC posture?
Yes. Automated tools do this at scale.
Are small brands targeted?
Yes. Volume-based attacks don't discriminate on brand size; targeted attacks pick recognized brands.
Why doesn't every brand have DMARC by now?
Organizational inertia, not technical difficulty. The opportunity for attackers persists.
What's the most lucrative attack pattern?
BEC against finance teams. A single successful incident can be a six- or seven-figure loss.
Will the threat decline?
Yes, slowly, as DMARC adoption rises. Meanwhile, individual domains close their own window.
Final thoughts
Attackers have a playbook. The defense is making your domain not worth their effort — p=reject is the line.
Roll out; close the window. The threat is concrete; the defense is well-defined.