Email spoofing is the malicious art of tricking an email recipient into believing that the message came from a person or an organization they can trust. Email spoofing is used extensively in phishing attacks to get the recipient to click on malware attachments, click on malicious links, provide sensitive data, and, perhaps, even transfer funds. Once the recipient believes the email is from a trusted party, they can be tricked into many follow-on activities that may compromise confidential data, authentication, and access to other valuable resources.
Email is an old communications system whose weaknesses allow threat actors to set whatever sender address they like in the client application. In addition, the outgoing email servers cannot determine whether the sender's address is legitimate.
Most email clients enter the sender address automatically when the email is created. Therefore, messages can be created using scripts that provide any sender address required by the threat actor.
Structurally, emails have three essential components: the sender address, the recipient address, and the body or content of the email. Threat actors also take advantage of the reply-to field. Because the sender controls this field, it is well suited to supporting a phishing attack. The reply-to field tells the client exactly where replies should be sent, and the reply-to address can be completely different from the sender's address. Unfortunately, there is no automation in the email system to detect these fraudulent emails.
Email spoofing using phishing emails provides a persistent conduit through which malicious actors exploit vulnerabilities in the victim’s cybersecurity defenses. For example, attackers can readily spoof a domain to send a phishing email that appears to be legitimate. In addition, users transmitting data via unencrypted HTTP protocol are vulnerable to message interception, complete access to the message body and any attachments, and the modification of the data within the email.
Anatomy of the email spoofing attack
A threat actor spoofs the domain of a reputable and respected organization and sends an email that appears to be a legitimate message from that entity. The receiving organization gets the spoofed emails, believes them to be from a trusted and authoritative source, and then acts upon them. Employees often assume spoofed emails are legitimate and choose to act on them. If a threat actor successfully spoofs a domain to send malicious emails, this can significantly harm the spoofed organization's brand and reputation.
Detecting an email spoofing attack
One of the first items in a spoofed email is a suspicious sender’s address. The sender’s address will often imitate a legitimate business. Threat actors will structure an email address that resembles a reputable company by modifying a few characters. Sometimes lookalike characters are Cyrillic or from different font sets to provide the illusion of other characters.
Basic greetings and signatures accompanied by a lack of contact information in the signature block are strong indicators of a phishing email. A trusted organization will likely use your name and provide their contact information.
One good technique to detect a spoofed link is to mouse-over or hover your cursor over any links in the body of the email. If the exposed links do not match the text you are hovering over, the link may also be spoofed. It is often the case that malicious websites may look, upon first inspection, identical to a legitimate site. However, upon closer inspection, the URL may use a variation in spelling, a character or two from a different font set, or a different domain. Sometimes the difference can be subtle such as “.com” versus “.net” and easy to miss. URLs can also be shortened using a link service to camouflage the malicious content.
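The two checks described above, a sender or link hostname built from lookalike characters and link text that does not match where the link actually goes, can be automated. The following is an added example written for this article, not code from the original post or from Bugcrowd; the sample links, the Cyrillic "а" in the third hostname, and the list of shortener hosts are all constructed for illustration.

```python
import unicodedata
from urllib.parse import urlparse

# Constructed sample links: (text the recipient sees, href the link actually opens).
# The third target mixes a Cyrillic "а" (U+0430) into an otherwise Latin hostname.
SAMPLE_LINKS = [
    ("https://example.com/login", "https://example.com/login"),
    ("https://example.com/login", "https://example.net/login"),
    ("https://example.com/login", "https://ex\u0430mple.com/login"),
    ("Reset your password", "https://bit.ly/constructed-id"),
]

# Constructed list of link-shortening hosts to flag (extend for your environment).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def script_of(ch):
    """Script family taken from the character's Unicode name: 'LATIN', 'CYRILLIC', ..."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def mixed_script(host):
    """True if the letters of a hostname come from more than one script."""
    return len({script_of(c) for c in host if c.isalpha()}) > 1


def punycode(host):
    """IDNA (xn--) form of a hostname; lookalike letters stop being invisible."""
    return host.encode("idna").decode("ascii")


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def check_link(text, href):
    """Return the warnings for one link; an empty list means nothing was flagged."""
    warnings = []
    target = host_of(href)
    if mixed_script(target):
        warnings.append(f"mixed-script hostname {target!r} (punycode {punycode(target)})")
    if target in SHORTENERS:
        warnings.append(f"link goes through shortener {target!r}")
    # Only compare hostnames when the visible text itself looks like a URL.
    if text.lower().startswith(("http://", "https://")):
        shown = host_of(text)
        if shown != target:
            warnings.append(f"link text shows {shown!r} but points to {target!r}")
    return warnings


def scan_links(links):
    """Map each link index to its warnings, keeping only links that were flagged."""
    result = {}
    for i, (text, href) in enumerate(links):
        w = check_link(text, href)
        if w:
            result[i] = w
    return result


if __name__ == "__main__":
    for i, warnings in scan_links(SAMPLE_LINKS).items():
        print(i, SAMPLE_LINKS[i][1], warnings)
```

The same `mixed_script` and `punycode` checks apply to the domain part of the From address, which is where the article's lookalike-character trick usually appears. Converting to the xn-- form is the simplest way to make a homoglyph domain visible in a log or alert.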
Another frequent giveaway is the use of poor grammar, misspellings, and the lack of correct or consistent formatting. Suspicious attachments are another warning: unsolicited email requesting that someone download and open an attachment is a common delivery mechanism for malware, especially when that attachment is a .zip file. However, a common .docx or .pdf can also be malicious.
Finally, the promise of money or the threat of penalty are also strong motivators.
New frameworks allow message authentication
Sender Policy Framework (SPF) validates whether a specific IP address is authorized to send mail for a given domain. SPF requires the receiving server to look up the domain's SPF record and validate the email sender against it. In addition, SPF defines how to validate an email message sent from an authorized mail server in order to detect email spoofing or spam. Simple Mail Transfer Protocol (SMTP) does not include any authentication mechanism, so SPF provides that function.
DomainKeys Identified Mail (DKIM) uses a pair of cryptographic keys to sign outgoing messages and validate incoming messages. DKIM allows the email recipient to check that an email that appears to be from a specific domain was authorized by the owner or valid users of that domain. Replay attacks are possible with an email signed by DKIM. If the original recipient were to resend and forward it to you, the DKIM signature would still validate upon receipt. That original recipient could also forward the same email to a million of their closest friends, and the DKIM signature would validate at each of those million recipients' ISPs. DKIM does not prevent replay attacks.
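The replay property follows from what the signature covers: only the headers listed in the `h=` tag plus a hash of the canonicalized body. Trace headers a forwarder adds are not in that set, so the signed bytes are unchanged. The following is an added example, not code from the original post or from Bugcrowd; it implements the RFC 6376 "relaxed" canonicalization and the `bh=` body hash and then shows that the bytes a verifier would check against the signer's public key are identical before and after forwarding. The message, the relay headers, and the `sel1` selector are constructed; the final RSA step is left to a real DKIM library and is represented here by the SHA-256 digest the verifier would compute.

```python
import base64
import hashlib
import re

# Constructed message (not from a real mailbox). CRLF line endings as on the wire.
ORIGINAL = (
    "From: Finance <finance@example.com>\r\n"
    "To: alice@example.net\r\n"
    "Subject: Invoice   42\r\n"
    "Date: Mon, 01 Jan 2024 09:00:00 +0000\r\n"
    "\r\n"
    "Please pay the attached   invoice.\r\n"
    "\r\n"
    "\r\n"
)

SIGNED = ["From", "To", "Subject", "Date"]  # the h= list


def split_message(raw):
    """Return (list of (name, value) headers, body); folded lines are re-joined."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name, value))
    return headers, body


def relaxed_body(body):
    """RFC 6376 3.4.4 relaxed body canonicalization."""
    lines = [re.sub(r"[ \t]+", " ", l).rstrip(" \t") for l in body.split("\r\n")]
    while lines and lines[-1] == "":  # drop trailing empty lines
        lines.pop()
    return "".join(l + "\r\n" for l in lines)


def relaxed_header(name, value):
    """RFC 6376 3.4.2 relaxed header canonicalization."""
    value = re.sub(r"\r\n[ \t]+", " ", value)  # unfold
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return f"{name.lower().strip()}:{value}\r\n"


def body_hash(body):
    """The bh= tag value."""
    digest = hashlib.sha256(relaxed_body(body).encode()).digest()
    return base64.b64encode(digest).decode()


def signature_input(raw, signed_headers, selector="sel1", domain="example.com"):
    """Bytes the signer signs and the verifier checks: the h= headers (last instance
    first, as the RFC requires) plus the DKIM-Signature header with b= emptied."""
    headers, body = split_message(raw)
    remaining, picked = list(headers), []
    for wanted in signed_headers:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                picked.append(relaxed_header(*remaining.pop(i)))
                break
    dkim = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h={':'.join(signed_headers)}; bh={body_hash(body)}; b=")
    return "".join(picked) + relaxed_header("DKIM-Signature", dkim).rstrip("\r\n")


def forwarded(raw):
    """Constructed forwarding: a relay prepends trace headers; nothing signed changes."""
    return ("Received: from mx.example.net by mail.victim.example; "
            "Tue, 02 Jan 2024 08:00:00 +0000\r\n"
            "Resent-From: alice@example.net\r\n"
            "Resent-To: bob@victim.example\r\n") + raw


def verifier_digest(raw):
    """What an RSA verify would be checked against; equal digests mean the signature still validates."""
    return hashlib.sha256(signature_input(raw, SIGNED).encode()).hexdigest()


if __name__ == "__main__":
    print(verifier_digest(ORIGINAL) == verifier_digest(forwarded(ORIGINAL)))
```

The digests match because `Received` and `Resent-*` are outside the `h=` list, so a forwarded copy carries a signature that is still valid. Changing anything inside the signed set, for example the From header, changes the digest and breaks the signature, which is the protection DKIM does give.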
Domain-based Message Authentication, Reporting, and Conformance (DMARC) provides the sender with an option to let the email recipient know whether the email is protected by DKIM and/or SPF. DMARC also specifies the action to take if that email fails authentication. DMARC fits into the existing inbound email authentication process. DMARC helps email recipients determine whether the message is consistent (aligned) with what the receiver knows about the sender. If there is a problem, DMARC includes guidance on how to handle the message.
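The "aligned" test is the piece that ties SPF and DKIM back to the From header the user actually sees: a message passes DMARC only when SPF or DKIM passed for a domain that aligns with the From domain, and otherwise the published policy (`p=`, or `sp=` for subdomains) says what to do. The following is an added example, not code from the original post or from Bugcrowd; the DMARC record, the domains and the authentication results fed into it are constructed, and the organizational-domain helper is simplified to the last two labels where a real evaluator would consult the Public Suffix List.

```python
# Constructed DMARC record as it would be published at _dmarc.example.com (not a real record).
DMARC_RECORD = "v=DMARC1; p=quarantine; sp=reject; adkim=r; aspf=s; rua=mailto:dmarc@example.com"


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict and fill in the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")   # relaxed SPF alignment by default
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption:
    real evaluators use the Public Suffix List so that e.g. co.uk is handled)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(record, record_domain, from_domain,
                   spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, requested_disposition).
    spf_domain is the envelope (MAIL FROM) domain SPF was checked for;
    dkim_domain is the d= tag of a signature that verified."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Mail claiming a subdomain of the publishing domain uses sp= when present, else p=.
    is_subdomain = from_domain.lower() != record_domain.lower()
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return "fail", policy


if __name__ == "__main__":
    # Spoofed From: attacker's own envelope domain passes SPF but does not align; no DKIM.
    print(dmarc_evaluate(DMARC_RECORD, "example.com", "example.com",
                         "pass", "attacker.example", "none", ""))
```

The second scenario in the tests is the one the article's attack relies on: the attacker's own sending infrastructure can pass SPF for a domain it controls, but that domain does not align with the spoofed From header, so DMARC reports a failure and the receiver quarantines the message.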
Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.