Oregon roll-your-own-DMARC enforcement sucks
Oregon, the only state that actually has DMARC enforcement, got phished (see the ZDNet story here). "…nine DHS employees were fooled by phishing emails." For 20 days, hackers had free rein over 654,000 Oregonians' state benefits accounts.
Advice to Oregon.gov: Better find some pros to manage your DMARC.
PS: Adding to Mark's and Destroying Angel's comments below, since I don't know details of the spearphishing attack, I can only assume that Oregon isn't as sophisticated regarding phishing and DMARC as I'd hoped. If Mark could share the details on the actual phishing that snookered the 9 state employees, we would all be enlightened.
PPS: On June 26th "Unknown" suggested I look at other states' DMARC protection. Either "Unknown" is a complete moron who didn't see my April posting for all the states (check it out here), or some of the states have wised up. So check out MadCISO tomorrow. I'll update my Russian Phishing Hole document and post it. So far, nobody else has DMARC enforcement.
#oregon #phishing #dmarc