Morocco is one of the most vulnerable African countries to email-based cyberattacks, according to a report by PowerDMARC.
The country’s weak adoption of essential security protocols such as DMARC, MTA-STS, and DNSSEC has left businesses and government agencies highly susceptible to phishing, domain spoofing, and data theft.
These security gaps, combined with Morocco’s position as one of the most affected African countries by banking trojans and stealer malware, underscore the urgent need for stronger cybersecurity measures.
Read also: Morocco moves to regulate video surveillance and safeguard user privacy
Email security weaknesses leave Morocco open to cyber attacks
The 2025 Morocco DMARC & MTA-STS Adoption Report analysed 307 domains across key sectors, including banking, government, healthcare, and education. It found that only 36.48 percent of domains had correctly implemented DMARC (Domain-based Message Authentication, Reporting & Conformance)—a protocol that prevents cybercriminals from sending fraudulent emails using a company’s domain. Even more concerning, only 7.49 percent of these domains use the strongest “reject” policy, which blocks fake emails entirely. Meanwhile, over 62 percent of domains have no DMARC security at all, making it easy for hackers to conduct phishing scams and impersonation attacks.
The banking sector, which handles massive amounts of sensitive financial data, remains highly vulnerable. Despite phishing being one of the leading causes of financial fraud, many Moroccan banks still lack strict email security policies.
This is particularly alarming because Morocco has been identified as the most targeted country in Africa for banking trojans and stealer malware—dangerous programs that steal personal and banking information. Cybercriminals use phishing emails and fake websites to trick victims into entering their credentials, leading to financial losses and identity theft.
MTA-STS and DNSSEC: Morocco’s overlooked cyber defenses
One of the biggest red flags in the report is Morocco’s zero percent adoption rate of MTA-STS (Mail Transfer Agent Strict Transport Security). This protocol ensures that emails are transmitted securely over encrypted connections, protecting them from being intercepted and altered by hackers. Without MTA-STS, Moroccan organisations are exposed to email eavesdropping, data leaks, and sophisticated cyberattacks that could compromise national security.
Another critical issue is the near-total absence of DNSSEC (Domain Name System Security Extensions), a security measure designed to prevent DNS spoofing—a tactic hackers use to redirect users to fake websites that steal personal data. A staggering 98.70 percent of Moroccan domains have not enabled DNSSEC, making it easier for cybercriminals to execute large-scale fraud campaigns.
This lack of basic cybersecurity protections has led to real-world attacks. In previous years, Moroccan businesses, government websites, and media platforms have suffered from DDoS attacks (Distributed Denial of Service), which flood servers with fake traffic to take websites offline. Additionally, data leaks and ransomware incidents have affected both the private and public sectors, exposing sensitive user information.
Read also: Binance suspends employee for insider trading, awards whistleblowers $100,000
Urgent need for stronger cybersecurity measures
While Morocco’s insurance sector has taken the lead in DMARC adoption (66.67 percent), other industries, such as pharmaceuticals (12.50 percent), are severely lagging. The real estate and automotive sectors also have poor security postures, with SPF adoption rates at 54.55 percent and 55.56 percent, respectively. Without stronger adoption of DMARC, SPF, MTA-STS, and DNSSEC, Moroccan organisations will remain prime targets for cybercriminals.
Cybersecurity experts warn that urgent action is needed to improve email security, strengthen financial data protection, and educate businesses on cybersecurity best practices. If these vulnerabilities are not addressed, Morocco’s growing digital economy could suffer, with businesses facing major financial and reputational damage.