Email Spoofing

What is Email Spoofing

Email spoofing is when an attacker sends an email that appears to come from one person but actually comes from another.

The goal is to leverage the trust associated with the spoofed sender to commit fraud.

BEC (Business Email Compromise) attacks are a classic example of email spoofing.

The attacker sends an email which appears to come from the CEO asking to transfer funds to an account under the attackers control.

Although email spoofing and phishing are related, they function differently.

The primary goal of spoofing is to bypass initial trust barriers.

This increases the likelihood that the recipient will open the email and take its content seriously.

Phishing, on the other hand, has broader goals.

Phishing attacks often leverage spoofed emails, but that’s just one element of the attack.

The goal of phishing attacks are to manipulate the recipient into taking a specific actions.

Common tactics are to get the victim to click on a malicious link or downloading malware.

While spoofing focuses on appearing legitimate, phishing focuses on exploiting that perceived legitimacy.

Phishing attacks have a broader objective, such as data theft or financial fraud.

Here’s a typical sequence of an email spoofing attack:

Crafting the Email: The attackers choose their victim, which is often an employee or customer, to maximize impact. The email is written to mimic a trusted sender (e.g., an executive or service provider). The messaging usually includes a request.
Forging the Header: Attackers modify the “From” field to match a spoofed address, making the email appear legitimate. The email’s “Reply-To” header may also be changed to redirect replies to the attacker’s address.
Sending the Spoofed Email: Attackers may use compromised email servers to send the forged emails. They also mimick SMTP headers to help bypass spam filters.
Reaching the Recipient: Once received, the email looks like it’s from a trusted source. This usually prompts the victim to open it and potentially follow the attacker’s requests. This usually leads to credential theft, malware infections, or data leaks.

Here’s a list of several technical controls that help prevent spoofed emails from reaching employees:

SPF (Sender Policy Framework): Ensures that emails are sent from authorized mail servers. This allows receiving email servers to check the sender’s IP address against a list of approved IPs for the sending domain.
DKIM (DomainKeys Identified Mail): Adds a digital signature to the email header. This enables the receiving server to verify to ensure the email hasn’t been tampered with and is from the claimed domain.
DMARC (Domain-based Message Authentication, Reporting & Conformance): Uses SPF and DKIM to provide instructions to receiving mail servers on how to handle emails that fail authentication checks.
Email Gateways: Deploy email security gateways that filter incoming emails for spam, malware, and phishing emails.
Domain Registration: Register similar and misspelled versions of your domain to prevent attackers from using them for email spoofing.
Threat Intelligence: Use threat intelligence to receive alerts for your organization’s leaked credentials. Exposed credentials can be used to take over an email account and spoof messages. Early notifications enable security teams to reset the credentials before they’re exploited.