Spoofing on Daily DMARC News

Inside the Direct Send Exploit: Attackers Are Using Microsoft 365 to Impersonate Your Own Employees

Tue, 09 Jun 2026 08:00:00 +0000

A phishing campaign uncovered by Varonis Threat Labs targeted more than 70 organizations – predominantly in the United States – by exploiting a legitimate Microsoft 365 feature in a way most security teams had not anticipated. The attack required no stolen credentials, no compromised account, and no software vulnerability in the traditional sense. It required a predictable endpoint, permissive mail routing, and an incomplete understanding of how Microsoft 365 processes mail that arrives through its own infrastructure.

A Crafted Email Is All It Takes: CVE-2026-42897 Puts Exchange OWA Under Active Attack

Fri, 05 Jun 2026 08:00:00 +0000

On May 14, 2026, Microsoft disclosed CVE-2026-42897, a spoofing vulnerability in on-premises Exchange Server affecting Outlook Web Access. Within 24 hours, CISA added it to the Known Exploited Vulnerabilities catalog. Within 15 days, the federal remediation deadline passed. As of today, there is still no permanent patch.

The attack vector is an email.

What CVE-2026-42897 Does

The vulnerability is a cross-site scripting flaw in Exchange Server’s OWA component. Its CVSS score is 8.1, placing it in the high-severity tier. The attack chain is direct: an attacker sends a specially crafted email to a target who uses Outlook Web Access to read their mail. When the target opens that email in OWA, the malicious content triggers an XSS payload that executes arbitrary JavaScript in the victim’s browser context.

One in Three University Domains Enforces DMARC. The Other Two-Thirds Are Wide Open.

Wed, 03 Jun 2026 08:00:00 +0000

Data from Valimail’s 2026 State of DMARC Report establishes higher education as the worst-performing sector for DMARC enforcement of any industry category measured. Universities, colleges, and schools sit at just 33.71% enforcement – a figure that places the sector behind retail, manufacturing, financial services, healthcare, and every other vertical tracked. The only sector that comes close is arts and recreation at 31.61%.

Proofpoint’s February 2026 analysis of the top 100 Australian universities reached a consistent finding: 66% of those institutions have not implemented DMARC at the p=reject level. Another 7% of the surveyed institutions publish no DMARC record at all. In the United States and Canada, research from dmarcian found that 60% of university domains are susceptible to phishing exploits because they either have no DMARC record, contain errors in their records, or are set to p=none.

One in Three FIFA World Cup 2026 Partners Leaves Fans Exposed to Email Fraud

Tue, 02 Jun 2026 08:00:00 +0000

Nine days before the FIFA World Cup 2026 kicks off across the United States, Canada, and Mexico, a Proofpoint analysis has found that more than one-third of the tournament’s official partners do not have the email security controls in place to stop criminals from sending fraudulent email that impersonates their brands.

The finding matters far beyond football. The brands associated with this World Cup span airlines, automotive groups, financial infrastructure, energy companies, consumer goods giants, and technology providers. Collectively they send billions of legitimate emails to hundreds of millions of consumers and business partners. Where those domains are not fully protected, every one of those recipients becomes a potential target for a spoofed message designed to look exactly like the real thing.