---
id: security-phishing-defense
title: Phishing Defense — DMARC / Phishing-resistant MFA / Training
category: Coding
status: draft
source_trust_level: B
verification_status: conceptual
created_at: 2026-05-09
updated_at: 2026-05-09
tags: [security, phishing, vibe-coding]
tech_stack: { language: "Process", applicable_to: ["Security"] }
applied_in: []
aliases: [phishing, DMARC, SPF, DKIM, BIMI, phishing simulation, social engineering]
---
# Phishing Defense
> The most common attack vector. **Email auth (SPF/DKIM/DMARC) + phishing-resistant MFA + training + simulation**. Technology alone is not enough; it takes people + process.
## 📖 Core Concepts
- Email spoofing: forging the From address.
- Credential phishing: fake login page.
- Spear phishing: targeting a specific person.
- Vishing / Smishing: phone / SMS.
## 💻 Code Patterns
### SPF (Sender Policy Framework)
```
DNS TXT record:
"v=spf1 include:_spf.google.com include:sendgrid.net ~all"
→ Authorized mail server list.
~all = soft fail. -all = hard fail.
```
### DKIM (DomainKeys Identified Mail)
```
DNS TXT (selector._domainkey.example.com):
"v=DKIM1; k=rsa; p=MIGfMA0G..."
→ Public key. The sending server signs each email;
the receiver verifies the signature against this key.
```
### DMARC (policy + reporting)
```
DNS TXT (_dmarc.example.com):
"v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"
p:
none — monitor only
quarantine — spam folder
reject — block
→ p=reject is the strongest: receiving mail servers reject spoofed email outright.
```
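As an added example (not from the original note), the following checker parses SPF and DMARC TXT records and grades them against the guidance above: `-all` over `~all`, `p=reject` over `p=none`, `pct=100`, and an `rua` address for visibility. The records it is fed are constructed samples.

```python
# Added example (not from the original note): grade SPF and DMARC TXT records
# against the guidance above (-all over ~all, p=reject over p=none, pct=100).
# The records passed in are constructed samples.
from typing import Dict, List


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase tag -> value dict."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(txt: str) -> List[str]:
    """Warnings for an SPF record; an empty list means it ends in a hard fail."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    last = terms[-1].lower()
    if last == "~all":
        return ["soft fail (~all): spoofed mail is only marked, use -all"]
    if last in ("+all", "all"):
        return ["+all: every sender is authorized, the record is useless"]
    if last != "-all":
        return ["no 'all' mechanism: unlisted senders evaluate as neutral"]
    return []


def dmarc_findings(txt: str) -> List[str]:
    """Warnings for a DMARC record; an empty list means full reject enforcement."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings: List[str] = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: monitor only, nothing is blocked")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, no visibility into spoofing")
    return findings
```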
### DMARC report
```xml
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    ...
  </report_metadata>
  <record>
    <row>
      <source_ip>1.2.3.4</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>reject</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
  </record>
</feedback>
```
→ Tools: dmarcian, Postmark, Valimail.
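The report parsing those tools do, as an added example that is not part of the original note: it reads a DMARC aggregate report (the RFC 7489 XML delivered to the `rua=` address), totals mail per source IP, and flags sources that pass neither SPF nor DKIM. The embedded report is a constructed sample (192.0.2.10 is a documentation address).

```python
# Added example (not part of the original note): summarize a DMARC aggregate
# report (the RFC 7489 XML delivered to the rua= address) per source IP and
# flag sources that pass neither SPF nor DKIM. The report is a constructed sample.
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>google.com</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>reject</p></policy_published>
  <record><row>
    <source_ip>1.2.3.4</source_ip><count>1</count>
    <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row>
    <source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
</feedback>"""


def summarize(report_xml: str) -> Dict[str, dict]:
    """Return {source_ip: {count, disposition, dkim, spf, unauthenticated}}."""
    summary: Dict[str, dict] = {}
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip", "")
        evaluated = row.find("policy_evaluated")
        dkim = evaluated.findtext("dkim", "fail")
        spf = evaluated.findtext("spf", "fail")
        entry = summary.setdefault(ip, {
            "count": 0,
            "disposition": evaluated.findtext("disposition", "none"),
            "dkim": dkim,
            "spf": spf,
            # DMARC passes if either aligned SPF or aligned DKIM passes; both
            # failing means spoofing or a legitimate sender nobody set up.
            "unauthenticated": dkim != "pass" and spf != "pass",
        })
        entry["count"] += int(row.findtext("count", "0"))
    return summary


def unauthenticated_sources(report_xml: str) -> List[str]:
    """Source IPs to investigate: block them or bring them under SPF/DKIM."""
    return [ip for ip, e in summarize(report_xml).items() if e["unauthenticated"]]
```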
### BIMI (logo in inbox)
```
DMARC p=quarantine or p=reject is required.
Verified Mark Certificate (VMC, paid).
DNS TXT (default._bimi.example.com):
"v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/cert.pem"
→ Shows the logo in the inbox. Trust signal.
```
### Phishing-resistant MFA
```
Phishable:
- SMS OTP (SIM swap, MITM)
- TOTP code (real-time MITM)
- Push notification (fatigue attack)
Phishing-resistant:
- WebAuthn / Passkey
- FIDO2 hardware key (YubiKey)
- Smart card (PIV)
→ Origin verification is built in.
```
→ [[Security_2FA_TOTP_WebAuthn]].
### User Training
```
Training (recurring):
- Quarterly module
- New-employee onboarding
- Real examples (incidents at the company + in the industry)
Topics:
- Email red flags (urgent, threat, link)
- Sender check (full email address)
- Hover over link
- Don't input password from email
- Suspicious attachment
- Verify by phone (different channel)
```
### Phishing simulation
```
The company sends its own phishing emails:
- Measure click rate
- Who clicked?
- Additional training
Tools:
- KnowBe4
- Microsoft Attack Simulator
- Gophish (open source)
```
```
Email examples:
- "Urgent: Your password expires"
- "HR: Updated benefits — review attached"
- "CEO: Quick question, please reply"
- "Your package delivery"
- "Bank account suspended"
```
### Click rate metric
```
Initial: 30-50% click (untrained)
After training: 5-10%
Goal: < 2%
Repeat offender → mandatory training → notify manager.
```
### Email warning banner
```
External email = banner:
"⚠️ This email originated outside your organization. Be cautious of links and attachments."
```
→ Microsoft 365 / Google Workspace built-in.
### Anti-phishing toolbar
```
Browser extensions:
- 1Password detects fake login pages (URL match)
- A password manager does not autofill on a different domain
→ A password manager is a phishing defense.
```
### Lookalike domains (typosquatting)
```
example.com → exarnple.com (rn = m)
example.com → examp1e.com (1 = l)
example.com → example.co (TLD)
example.com → example-secure.com
→ Monitor yourself:
- dnstwist tool
- Watch new registrations
- Register them yourself (defensive registration)
```
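As an added example (not from the original note), a small detector for the lookalike patterns listed above: homoglyph substitution (rn/m, 1/l), a truncated TLD, and a hyphenated brand suffix. `PROTECTED` and the test domains are constructed; the domain split is deliberately naive and does not handle multi-part TLDs such as co.uk.

```python
# Added example (not from the original note): flag sender domains that look
# like our own, covering the lookalike patterns above (rn/m, 1/l, truncated
# TLD, hyphenated suffix). PROTECTED and the inputs are constructed samples.
from typing import Optional, Tuple

PROTECTED = {"example.com"}

# Visually confusable sequences folded to a canonical form before comparing.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]


def canonical(label: str) -> str:
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (second-level label, tld); naive, does not handle co.uk-style TLDs."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def lookalike_reason(sender_domain: str) -> Optional[str]:
    """Why the domain resembles a protected one, or None when it is the
    protected domain itself (or a subdomain) or simply not similar."""
    sender = sender_domain.lower().rstrip(".")
    sld, tld = split_domain(sender)
    for legit in PROTECTED:
        lsld, ltld = split_domain(legit)
        if sender == legit or sender.endswith("." + legit):
            return None  # our own domain or a subdomain of it
        if sld == lsld and tld != ltld:
            return f"same name, different TLD (.{tld} vs .{ltld})"
        if sld != lsld and canonical(sld) == canonical(lsld):
            return "homoglyph substitution"
        if sld.startswith(lsld + "-") or sld.endswith("-" + lsld):
            return "brand name with hyphenated suffix/prefix"
    return None
```

Misspellings one edit away (for example a dropped letter) are not covered here; that is what dnstwist's fuller permutation set adds.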
### URL shorteners
```
bit.ly / tinyurl: frequently used in phishing.
Mitigation:
- Use only the company's internal URL shortener
- Link expansion (preview)
- Block external shorteners
```
### Cloud (Microsoft Defender / Google)
```
- Inbound email scan (link, attachment)
- Sandbox (safe link click)
- Anomaly detect
- Email tracking
```
### Sender authentication check (recipient side)
```
Sender domain in the email:
- example@example-billing.com (fake)
- example@example.com (real)
→ Hover + read carefully.
```
### Internal communication norms
```
- "We will never ask for your password by email"
- "We will never request gift cards"
- "Always verify wire transfers by phone (separate channel)"
→ Make the default norms explicit.
```
### Incident response (phishing detected)
```
1. User reports → security team (1-click "Report Phish")
2. Email pull (remove the same email from all mailboxes)
3. Sender block (domain block)
4. URL block (proxy block)
5. Notification (all users)
6. Investigation (who clicked? who entered credentials?)
7. Password reset (compromised accounts)
8. Enforce 2FA
9. Forensics (access from other devices?)
```
### Tools
```
Email: Microsoft Defender, Google Advanced Protection, Proofpoint, Mimecast
Simulation: KnowBe4, Microsoft Attack Sim, Gophish
DMARC: dmarcian, Valimail, Postmark
Domain monitor: DNSTwist, dnstwist.it, BrandShield
```
### Vishing / Smishing
```
Vishing (voice phishing):
- Caller ID spoof
- Bank impersonation
- IT support impersonation
Defense:
- The company never asks for passwords
- Suspicious call → hang up + call back (verified number)
- Internal directory
Smishing (SMS):
- Bank, package delivery
- Click link → fake site
Defense:
- One consistent company SMS gateway (sender)
- "Verify URL" rule
```
### Business Email Compromise (BEC)
```
Attacker sends a fake email as the CEO:
"Quick task: send wire transfer to ..."
Most expensive phishing.
Defense:
- Large transfers = phone verification
- Dual control (two approvers)
- Vendor change verify (out-of-band)
```
### CEO fraud / impersonation
```
"From: CEO "
(real domain != gmail.com)
→ DMARC + banner.
```
### Spear phishing (precisely targeted)
```
Target research (LinkedIn, public):
- Name, role
- Project
- Coworkers
- Vacation plan
The email is highly personal:
"Hi John, about the Project X meeting tomorrow..."
→ More dangerous than generic phishing; general training does not catch it.
```
### Consumer-facing phishing (company brand)
```
Attacker impersonates the company → phishes its users:
- Fake login site
- Credential entry
- Account takeover
Defense:
- DMARC reject (email)
- Domain monitor
- BIMI (logo in inbox)
- Brand monitoring
- Customer education
```
### Customer education
```
Official channels:
"We will never ask for your password.
Verify URL is exactly example.com.
Report suspicious emails to phishing@example.com."
Banner at the bottom of the email signature.
```
### Reporting (user → company)
```ts
// "Report phishing" button (Outlook / Gmail extension) → backend handler.
// db, user and the helper functions are assumed to exist elsewhere in the app;
// declared here only so the handler type-checks on its own.
interface PhishingReport { raw: string; reporterId: string; reportedAt: Date }
declare const db: { phishingReports: { create(r: PhishingReport): Promise<void> } };
declare const user: { id: string }; // the authenticated reporter (from the request)
declare function isObviouslyPhishing(emailRaw: string): boolean;
declare function blockSender(emailRaw: string): Promise<void>;
declare function pullFromAllInboxes(emailRaw: string): Promise<void>;
declare function notifySecurityTeam(emailRaw: string): Promise<void>;

async function reportPhish(emailRaw: string): Promise<void> {
  // Store the raw message first so the report survives any later failure
  await db.phishingReports.create({
    raw: emailRaw,
    reporterId: user.id,
    reportedAt: new Date(),
  });
  // Auto-process the obvious cases: block the sender, pull the mail from every inbox
  if (isObviouslyPhishing(emailRaw)) {
    await blockSender(emailRaw);
    await pullFromAllInboxes(emailRaw);
  }
  // A human still reviews every report (incident response step 1)
  await notifySecurityTeam(emailRaw);
}
```
### Education content
```
Quarterly:
- 5 min video
- 3 quiz questions
- Real example (anonymized)
Topics:
- Recognize phishing
- Password manager use
- Passkey adoption
- Social engineering
- Reporting
```
### Risk-based authentication
```
Login from new device / location:
- Email confirm
- Strong 2FA (Passkey)
- Limited session
- Notify user
→ Phishing only yields the credential; the device is different.
```
### Industry intel (Threat Intelligence)
```
New phishing campaigns:
- VirusTotal
- AlienVault OTX
- IBM X-Force
- ThreatFox
→ Block lists update.
```
### Domain reputation
```
Company domain reputation:
- MXToolbox
- Senderbase
- Talos
→ Keeps legitimate mail out of the spam folder.
```
### Continuous monitoring
```
- DMARC reports daily
- Phishing simulation quarterly
- Click rate monthly trend
- Reported phishing weekly
- New similar domain detected
```
## 🤔 Decision Criteria
| Area | Priority |
|---|---|
| Email auth | DMARC reject ASAP |
| MFA | Enforce Passkeys |
| Education | Quarterly |
| Simulation | Quarterly |
| Customer | DMARC + warning + report |
| Incident | Explicit process |
## ❌ Anti-patterns
- **DMARC p=none forever**: never enforced.
- **SMS-only MFA**: phishable.
- **One-time training, never repeated**: forgotten.
- **No click-rate metric**: no improvement.
- **No action on repeat offenders**: the same people keep clicking.
- **No external-email warning**: users get no signal.
- **Reporting is hard**: users don't report.
## 🤖 LLM Usage Hints
- DMARC reject + Passkey + quarterly simulation = baseline.
- A 1-click report keeps friction low.
- Educate customers too.
- Make the incident response process explicit.
## 🔗 Related Documents
- [[Security_2FA_TOTP_WebAuthn]]
- [[Security_OWASP_Top_10_Practical]]
- [[Security_Login_Flows]]