Oregon roll-your-own-DMARC enforcement sucks

Oregon, the only state that actually has DMARC enforcement, got phished (see the ZDNet story here). "…nine DHS employees wee filled by phishing emails." For 20 days, hackers had free reign over 654,000 Oregonians' state benefits accounts.

Advice to Oregon.gov: Better find some pros to manage your DMARC.

Mad Max

PS:  Adding to Mark's and Destroying Angel's comments below, since I don't know details of the spearphishing attack, I can only assume that Oregon isn't as sophisticated regarding phishing and DMARC as I'd hoped. If Mark could share the details on the actual phishing that snookered the 9 state employees, we would all be enlightened.

PPS:  On June 26th "Unknown" suggested I look at other states' DMARC protection. Either "Unknown" is a complete moron who didn't see my April posting for all the states (check it out here), or some of the states have wised up. So check out MadCISO tomorrow. I'll update my Russian Phishing Hole document and post it. So far, nobody else has DMARC enforcement.

#oregon #phishing #dmarc


  1. This comment has been removed by the author.

  2. Mark, I believe their SPF record is faulty, too. One of my clients, Valimail, does a large number of other things to mitigate phishihg besides DMARC. But DMARC is a good start. I think Mad Max is ahead of you on this.

    1. This comment has been removed by the author.

  3. You should check out other states DMARC. Pretty interesting results. Also, Oregon is not the only state with DMARC at enforcement.


Post a Comment

Leave your comment. The moderator will turn down no well-thought-out observations. We WILL turn down product plugs that are off target.

Popular Posts