Valimail blog

After a cyberattack, don’t use a fishy domain to communicate

Author: Valimail
Last week, Marriott let the public know that it had suffered a data breach: Hackers stole the data on 500 million guest reservations from the hotel chain’s Starwood database.

As part of its outreach regarding this breach, Marriott sent out millions of emails to customers, warning them about the possible compromise of their information.

However, it sent these messages from a domain not obviously associated with the hotel chain, according to TechCrunch. Instead of using its well-known and trusted domain, marriott.com, the chain sent its communications from email-marriott.com. TechCrunch reports that domain is registered by a third-party service provider on behalf of Marriott.

In fact, email-marriott.com is a domain the hotel chain regularly uses to send ordinary communications to customers (such as a reminder that they can check in online). So it’s to Marriott’s credit that it is using an existing domain and didn’t create a new one just for this crisis. Still, recipients of this email won’t necessarily know that it’s the normal domain used by Marriott.

Marriott’s website points visitors to https://answers.kroll.com/ for answers about the breach. There’s a paragraph on that site explaining what to look for:

“We want you to be confident that the email notification you may receive is from Marriott. The email will come from the following email address: starwoodhotels@email-marriott.com. … Please note that the email you may receive from us will not contain any attachments or request any information from you, and any links will only bring you back to this webpage.”

Unfortunately, while the hotel chain means well and is communicating lots of information to customers, Marriott’s spoofable email and this fishy-looking domain may put even more customers at risk.

Marriott spoofing ahead?

There are a few risks involved in this post-breach communications strategy.

  1. The domain that Marriott is using (email-marriott.com) has published a DMARC record, but it is not at enforcement. Phishers could use that exact domain in the From: field when sending their messages. Spoofed messages from email-marriott.com will be delivered just the same as legitimate ones.
  2. The company’s main domain, marriott.com, is also unprotected by DMARC, so that, too, is vulnerable to spoofing.
  3. It’s hard to spell “Marriott” correctly, so lookalike domains provide another easy way to fool people (email-mariott.com, email-marriot.com).
  4. There’s no website associated with email-marriott.com, so it’s hard for people to know if it’s a legitimate domain or not. You can use a whois lookup online (or open up a Terminal window in OS X and just type “whois email-marriott.com”) to verify that it’s owned by Marriott. But most people won’t know how to do that.
  5. Even if there were a website at that URL, it still wouldn’t be proof that Marriott actually owned it. Phishers use spoofed websites (complete with the HTTPS browser “padlock”) all the time, as Brian Krebs reported last month.
  6. Phishers frequently take advantage of news like this to send out fake breach notifications. We saw similar waves of phish in the wake of the 2013 Target breach and the 2017 Equifax breach, among others.
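The distinction in point 1, between “has a DMARC record” and “is at enforcement”, is mechanical and can be checked from the record text alone. The script below is an added example (not Valimail’s tooling, and the domain names and records in it are constructed, not the real DNS data for any Marriott domain): it parses a DMARC TXT record per RFC 7489 tag syntax and classifies it as monitoring-only, partially enforced (a pct below 100 or a weaker subdomain policy), or fully enforced.

```python
# Constructed sample records for illustration; they are NOT live DNS lookups.
# In practice the record is the TXT record at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial-rollout.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:d@partial-rollout.example",
    "weak-subdomains.example": "v=DMARC1; p=reject; sp=none",
    "enforced.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:d@enforced.example",
    "no-record.example": None,
}


def parse_dmarc(record):
    """Split a DMARC TXT record into a lowercase tag -> value dict.

    Rejects records that lack the mandatory v=DMARC1 and p= tags, since
    receivers ignore such records and the domain is then effectively unprotected.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue                      # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("missing or invalid v=DMARC1 tag")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def enforcement_status(record):
    """Return 'none', 'monitor', 'partial' or 'enforced' for one record."""
    if record is None:
        return "none"                     # no record published at all
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    subdomain_policy = tags.get("sp", policy).lower()   # sp= defaults to p=
    pct = int(tags.get("pct", "100"))                   # pct= defaults to 100
    if policy == "none":
        return "monitor"                  # reports only; spoofed mail still delivered
    if pct < 100 or subdomain_policy == "none":
        return "partial"                  # some mail, or all subdomains, still unenforced
    return "enforced"


def assess_domains(records):
    """Map each domain to its enforcement status."""
    return {domain: enforcement_status(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, status in assess_domains(SAMPLE_RECORDS).items():
        print(f"{domain:28} {status}")
```

Only the “enforced” outcome means a receiver following the policy will reject an exact-domain spoof; the other three describe the situation the post attributes to email-marriott.com and marriott.com.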

A common problem

Much like Equifax in 2017, the hotel chain, unfortunately, is not using effective email authentication to help ensure that its messages are validated. As a result, its own messages may not stand out among the likely flood of phish.

It’s a common problem — and it’s relatively easy to address. But all too often the crisis communications teams that are brought in to handle things in the wake of cyberattacks are focused on other priorities.

The better alternative: Set up authentication on your primary, most-trusted domains before a crisis happens. Lock down the domains you don’t use for email too, to prevent phishers from spoofing those. And have a plan in place so that when a crisis happens, you’re ready to get the word out via a trusted email channel, not a fishy-looking one.

Published December 4, 2018
  • breaches
  • Cybersecurity
  • Email Authentication
  • Hackers