2-factor authentication has become more vulnerable to attacks, making DMARC even more important.

Recently, a researcher in named Piotr Duszyński released an open source project that allows attackers to automate a phishing attack that bypasses 2-factor authentication.

The new tool, named Modlishka, allows attacker to bypass all types of 2-factor authentication except hardware security keys (such as these). It also makes detection of the hack more challenging since the phishing website displays information from the victim’s compromised account in real time. So, the victim logs in, see their account as anticipated and leave the site with no concerns. Meanwhile the attacker has bypassed their 2-factor authentication and has their login credentials.


What does this have to do with DMARC? In order for this- or any web-based phishing attack- to work, the attacker must somehow get the victim on the phishing website. The simplest way to do this is through a phishing email.

An official-looking phishing emails (one that spoofs the actual email domain of the company) that links to this new type of phishing website could allow more attackers to compromise more accounts in less time. This math is bad for everyone except the attackers.

This is where DMARC comes in as another line of defense against web-based phishing. If the target company uses DMARC, the attacker will not be able to send that official-looking email to the victims, and the whole plan becomes much more detectable and way less effective. The attacker could still send a semi-official looking email to get the plan started, but the end user has a better shot at noticing compared the spoofed email.

Fraudmarc Can Help

Suggestion #1: get yourself (and all of your employees) a hardware security key and use it on all your accounts that support that type of 2-factor authentication (that’s what google has done).

Suggestion #2: To add additional protection for yourself, your employees, and your customers, implement a DMARC reject policy as quickly as possible for every domain that you control, especially your email sending domains. If need help with DMARC, we have advice for how to implement DMARC, and we offer tools, plans, and services that help companies move more quickly to a Reject policy. We even have an open source version of our DMARC reports available on GitHub and a DMARC community support forum at community.fraudmarc.com.