WhoisXML API Blog

The SPF Onion: Enter the World of SPF Chaos

Authors:
Ed Gibbs, Field CTO, WHOIS API Inc.
Jeff Vogelpohl

Introduction

It was late in the evening on September 25, 2024, when I received a suspicious email in my personal inbox. It was cleverly disguised as a message from an insurance company I currently do business with, but something felt off—the usual company icon didn’t look quite right. Normally, I verify the sender by clicking on the icon to check the email address, but this time it wouldn’t pop up. Sensing something was amiss, I decided to dig deeper.

What Are the Priorities for the U.S. Administration Cybersecurity Spending in 2026?

The White House has laid out a road map on how executive departments and agencies should plan to spend their cybersecurity dollars in the coming years. On 10 July 2024, the Office of Management and Budget (OMB) released a memorandum outlining the administration’s cybersecurity investment priorities. The memo intends to guide relevant government entities as they prepare their 2026 budget submissions to the OMB.

The U.S. government is taking a page out of its own National Cybersecurity Strategy (NCS) playbook, wrapping its investment priorities around five pillars to improve the country’s cybersecurity posture, namely:

Making Email Security Smarter with Domain Intelligence

More than 4 billion people checking their emails daily represents a goldmine for attackers. No wonder phishing remains one of the biggest threats today, pushing email security to the top of organizations' cyber priorities.

But here's the kicker—90% of malicious emails can slip through email security standards, such as the Sender Policy Framework (SPF); the DomainKeys Identified Mail (DKIM); or Domain-Based Message Authentication, Reporting, and Conformance (DMARC).

While many email security providers are out there, those offering a multilayered approach can offer more.

Name Server Concentration: Who Controls the Domain Name System?

Name servers (NSs) play a crucial role in how the Internet works, directing traffic to the correct destinations. Specifically, NS records tell recursive resolver servers which authoritative NS is responsible for a specific domain name. The resolver would then contact the authoritative NS to obtain the domain's corresponding IP address.

While having a small number of entities control a large portion of the DNS can increase efficiency, it could also result in choke points, where a single disruption could significantly impact a large portion of Internet traffic.

Exploring IoCs and Their DNS Narratives

No matter how stealthy attackers try to be, they almost always leave a trail behind—digital breadcrumbs known as “indicators of compromise (IoCs)” after a cyber attack or an attempted intrusion.

Let's take the Black Basta ransomware attacks as an example. Cybersecurity authorities like the Cybersecurity and Infrastructure Security Agency (CISA) identified hundreds of IoCs associated with this ransomware-as-a-service (RaaS) variant. These IoCs include cyber resources like file hashes, domain names, and IP addresses, and serve as digital footprints pertaining to the attackers’ activities. They provide invaluable clues for cybersecurity professionals, helping them understand what happened and prevent similar attacks in the future.

Who Runs Email Communications? A Look at the Prevalence of MX Records

Email remains a vital part of modern communication, with 347.3 billion emails sent and received daily worldwide in 2023. For each email to reach its intended recipient, mail exchange (MX) records direct it to the correct mail server.

While individual email users can create their own mail servers, most people use email services from established email service providers (ESPs) to avoid the complexity of running their own servers. These services typically provide storage, security features, and user-friendly interfaces, all without burdening users with maintenance.

However, some experts are concerned about the concentration of power within a limited number of companies controlling MX records. They warn of potential vulnerabilities if email routing relies heavily on just a handful of providers.

Leveraging IP Data to Enable Extensive Asset Discovery and Contextualization

Mirroring Sun Tzu’s wisdom, “To know your enemy, you must become your enemy,” today’s cybersecurity landscape demands that security teams see their IT infrastructure through attackers’ eyes. This proactive approach is vital, notably considering the Data Breach Investigations Report (DBIR) finding that 65% of data breaches stem from external sources.

Adopting an attacker mindset enables security teams to identify and address attack vectors early and continuously manage their attack surfaces. This strategy entails asking questions like, “What assets can threat actors see and use as entry points?” and “How can compromising these assets impact other assets?”

External attack surface management (EASM) solutions, especially when supplemented with IP intelligence, can help answer these and other related questions.

Multilayered Fraud Detection with Cyber Intelligence

For centuries, fraudsters have devised cunning schemes to steal from unsuspecting victims. Though fraud methods have evolved, their impact remains devastating. In 2023 alone, victims worldwide lost more than US$1 trillion to fraud.

The latest INTERPOL assessment of financial fraud reveals that technology significantly enables cybercriminal groups to launch large-scale and sophisticated campaigns. This trend calls for a similar technology-empowered cybersecurity approach. Organizations need to respond in kind and utilize modern technology to detect and prevent fraud.