About half of federal agencies have complied with a DHS directive requiring certain standards to strengthen their email and website security, but even among those that have, most remain vulnerable to attacks, says a report by the security firm Agari.

It said that as of mid-December, the rate of adoption of a security control called DMARC (Domain-based Message Authentication, Reporting and Conformance) had risen to 47 percent, but in many cases the control is not set at the highest level of security. “When the domains with no DMARC policy are added to those domains with a monitor-only policy, 84 percent of the domains are still unprotected from abuse,” it said.

“These agencies and their email recipients remain vulnerable to domain spoofing and phishing attacks . . . To fully protect against phishing threats against both the federal government and the public at large (and maintain strong email governance), federal agencies must ultimately move to quarantine and reject policies,” it said.

It added: “Phishing continues to be a pervasive threat in the United States and around the world. The impact of these threats has been felt specifically by government agencies. Beyond the high-profile targeted attacks that have made headlines, criminals are executing phishing attacks leveraging the brand name of agencies. From month to month, Agari continues to see spoofing attacks against our federal customers . . . Almost 90 percent of our federal domains were targeted by domain abuse.”