How North Korean APT groups exploit DMARC misconfigurations — and what you can do about it
2024-10-02 • Barracuda
https://blog.barracuda.com/2024/10/02/north-korean-apt-groups-dmarc-misconfigurations
Kimsuky used weak or misconfigured DMARC policies to support spear phishing against think tank, media and academic targets, according to the Barracuda writeup and the FBI/NSA advisory it cites. The campaign spoofed the domains of credible institutions such as universities or research institutes, sometimes sending an initial trust-building email before a follow-up carrying a malicious attachment or link. One example involved an invitation to speak at a North Korea policy conference: the message passed SPF and DKIM because the attackers had access to a legitimate system, while the DMARC policy failed to block delivery. The report recommends moving DMARC from monitor-only mode to quarantine or reject, adding behavioral email defenses and training users to catch spoofed lures.
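The monitor-only weakness the report describes can be checked mechanically. The following is an added example, not Barracuda's or the advisory's code: it parses a DMARC TXT record, flags the settings that leave spoofed mail deliverable (p=none, a weaker sp= for subdomains, pct below 100, no rua= reporting address), and shows what a receiver does with a message that fails DMARC under that record. The sample records are constructed.

```python
# Added example (not Barracuda's code): assess a domain's DMARC TXT record for the
# monitor-only weakness the article describes. Sample records below are constructed.
WEAK = {"none"}  # p=none only reports; it never quarantines or rejects spoofed mail


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return findings explaining why the record would not block a spoofed From domain."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record: receivers ignore it"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag: record is invalid and ignored")
    elif policy in WEAK:
        findings.append("p=none: monitor-only, spoofed mail is still delivered")
    if tags.get("sp", policy) in WEAK and policy not in WEAK:
        findings.append("sp=none: subdomains stay spoofable although p= is stricter")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are never collected")
    return findings


def disposition(record: str, dmarc_passed: bool) -> str:
    """Receiver action for one message under this record: deliver, quarantine or reject."""
    if dmarc_passed:
        return "deliver"
    policy = parse_dmarc(record).get("p", "none")
    return policy if policy in ("quarantine", "reject") else "deliver"


if __name__ == "__main__":
    weak = "v=DMARC1; p=none; rua=mailto:dmarc@example.edu"  # constructed
    strict = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.edu"
    for rec in (weak, strict):
        print(rec, "->", assess_dmarc(rec) or ["ok"], "| on DMARC fail:", disposition(rec, False))
```

Run it against your own domain's `_dmarc` TXT record (fetched with `dig _dmarc.example.edu TXT`, for example) to see whether a failing spoof would be delivered, quarantined or rejected.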