Most MSPs in the audit have registered both TLDs but only protected one. The alternate has no DMARC enforcement - completely spoofable. Combine that with the fact most MSPs list their clients on their website and you've got a ready-made phishing target list.
1 comments