A lot of organisations purchase multiple domain names relating to their business in order to protect their brand. They might ultimately find themselves with the .co.uk, .com, .net and .org versions of their domain, but what do they do with them? And do they apply the same controls to these domains as they do to their primary domain?
In many cases, the organisation in question will redirect the alternative domain names to their primary website, but pay little attention to the email setup. And while their primary domain may have anti-spoofing measures such as SPF, DKIM or DMARC configured, their alternative domains are often left without this protection, leaving them open to abuse.
An attacker can exploit this by forging what appears to be a legitimate email from a domain owned by the organisation. When the recipient checks the sender's domain name, they are lulled into a false sense of security because the domain redirects to a legitimate website, making them more likely to fall for the scam within the phishing email.
Adding additional domains to your email ecosystem is usually free (this is certainly the case in Google Workspace and Microsoft 365). Even if you don't create alias email addresses for each of your users, onboarding the domains, publishing the appropriate SPF records, and setting up DKIM and DMARC for each domain can prevent phishing attacks claiming to be from your organisation.
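To see what "left without this protection" looks like in DNS terms, here is an added audit script (not part of the original post) that checks the SPF, DMARC and DKIM records of each domain an organisation owns and reports why a domain could be spoofed. It assumes a constructed dictionary of TXT answers standing in for a DNS resolver, and checks DKIM only under the default Google Workspace and Microsoft 365 selectors (google, selector1, selector2).

```python
import re

# Constructed TXT answers standing in for a DNS resolver. The primary .co.uk domain is
# protected; the .org alias is half-configured; the .net alias only redirects its website.
ZONE = {
    "example.co.uk": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.example.co.uk": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.co.uk"],
    "google._domainkey.example.co.uk": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq(constructed)"],
    "example.org": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.example.org": ["v=DMARC1; p=none"],
    "example.net": [],            # parked alias: no SPF at all
    "_dmarc.example.net": [],     # and no DMARC either
}

def txt(name, resolver=ZONE):
    """Return the TXT records for a name (hypothetical stand-in for a real DNS lookup)."""
    return resolver.get(name, [])

def spf_policy(domain, resolver=ZONE):
    """Return the qualifier on the SPF 'all' term ('-', '~', '?', '+') or None if no SPF record.
    A record with no 'all' term yields neutral when nothing matches, so it is reported as '?'."""
    for rec in txt(domain, resolver):
        if rec.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", rec)
            return (m.group(1) or "+") if m else "?"
    return None

def dmarc_policy(domain, resolver=ZONE):
    """Return the DMARC p= value ('none', 'quarantine', 'reject') or None if no DMARC record."""
    for rec in txt("_dmarc." + domain, resolver):
        if rec.lower().startswith("v=dmarc1"):
            tags = dict(kv.strip().split("=", 1) for kv in rec.split(";") if "=" in kv)
            return tags.get("p", "none").strip().lower()
    return None

def dkim_published(domain, selectors=("google", "selector1", "selector2"), resolver=ZONE):
    """True if any of the given selectors publishes a DKIM key for the domain."""
    return any(r.lower().startswith("v=dkim1")
               for s in selectors for r in txt(f"{s}._domainkey.{domain}", resolver))

def audit(domain, resolver=ZONE):
    """Return ('protected' | 'spoofable', findings). A missing DKIM key is noted but does not
    make a non-sending domain spoofable when SPF is '-all' and DMARC is enforced."""
    findings = []
    spf = spf_policy(domain, resolver)
    if spf is None:
        findings.append("no SPF record")
    elif spf != "-":
        findings.append(f"SPF ends in '{spf}all' rather than '-all'")
    dmarc = dmarc_policy(domain, resolver)
    if dmarc is None:
        findings.append("no DMARC record")
    elif dmarc == "none":
        findings.append("DMARC p=none (monitor only)")
    verdict = "spoofable" if findings else "protected"
    if not dkim_published(domain, resolver=resolver):
        findings.append("no DKIM key for the default selectors (needed if the domain sends mail)")
    return verdict, findings
```

For a parked domain that should never send mail, the records the audit expects are simply an SPF of `v=spf1 -all` and a DMARC record of `v=DMARC1; p=reject`, with no DKIM key required.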