Email spoofing – also known as a domain spoof or direct spoof – is a type of phishing attack in which an attacker sends an email that appears to be from a legitimate source. These emails are sent with the intention of tricking the target into following a link, downloading an attachment, or performing some other kind of action that will result in the attacker capturing login details or other sensitive information like their banking or credit card information.
While some spoofed emails may be flagged by inbound security solutions, they’re often mistaken for legitimate emails, which can lead to serious consequences for both individuals and businesses.
This blog explores how and why email spoofing works, how to identify spoofed emails, and what you can do to protect yourself and your organization from such attacks.
While email impersonation attacks often rely on imperceptible misspellings, spoofed emails appear to be sent from the real domain, look genuine to most users, and can bypass spam filters and security tools.
For example, a bad actor might craft an email that appears to be “from” a well-known courier service, which for the purposes of this example doesn’t have DMARC set-up. The email will claim there was a problem with your delivery and that you must follow a link to log in and confirm your details. Savvy people may look for Display Name impersonations, but, because it’s a domain spoof, they won’t notice any inconsistencies.
And, if such an email is sent to many thousands of users (which is one of the techniques hackers use when sending phishing emails) this increases the chance that at least one recipient will be expecting a delivery from the spoofed courier, and, because of that, the target may do what the email instructs.
Email spoofing is on the rise.
The FBI’s 2019 Internet Crime Report states that the agency received complaints of spoofing attacks from over 25,000 victims last year alone, making it the fifth most popular form of cybercrime. The total loss reported from these victims was over $300,000,000.
Email spoofing attacks can be successful simply because people assume that the information in email headers – specifically about where the email comes from – is trustworthy. The reality is that the original protocols that still underpin email, such as the Simple Mail Transfer Protocol (SMTP), were never designed to authenticate the sender information.
In other words, there is no inherent way to confirm that an email comes from the email address specified in the Sender parameter in the email header.
When an email is sent, the initial connection to the receiving mail server contains two parameters, MAIL FROM and RCPT TO, which specify the address the email is sent from and to, respectively. These parameters are commonly known as the “envelope” of the email.
However, there are no default checks on the MAIL FROM parameter to ensure that the connecting mail server is authorized to send emails on behalf of that domain. Therefore, if the RCPT TO parameter is correct, the receiving server indicates it will accept the email and the sending server proceeds with the rest of the email, including the From, Reply to, and Sender header items, which are similarly not checked by default.
Therefore, an attacker with the right tools at their disposal can easily create and send emails as if they were someone else. This is not hard to achieve, and there are many tools available for them to do this. They can also create a legitimate seeming link in the email that, if followed, will take the recipient to a server under the attacker’s control.
The easiest way to explain how an attack might unfold is to explain it from the attacker’s perspective.
Example scenario: An attacker of moderate skill decides to launch a phishing attack on a company. The attack takes the form of an email asking the recipient to read and indicate acceptance of a company security policy update; this will be a document attached to the email. The file itself will contain malicious code, which will give the attacker a foothold on the machine of anyone who opens it.
Target: Copper Duck, a finance company. Copper Duck hasn’t configured DMARC, nor does it have other protections in place.
Objective: The attacker’s aim is to run malicious code on Copper Duck machines, in an attempt to gain information on the company network that will uncover further vulnerabilities and also capture usernames and passwords. The ultimate goal is to gain access to Copper Duck’s sensitive financial and personal data.
Research: The attacker researches Copper Duck, and from publicly available information discovers that it has not registered its domain – @copperduck.com – with DMARC.
They also search for Copper Duck email addresses in public repositories so they can copy the header and footer information. Additionally, they’ll look for any other information, such as employee names and job titles on LinkedIn, which could help them target the attack and create a believable email.
Attack preparation: The attacker can obtain phishing kits and code suited to their purpose on the dark web. There are many such kits, and while it only takes moderate skill for an attacker to launch a phishing attack, these make it even easier.
They compile a list of email addresses to target, sometimes from addresses discovered in the public domain, or by making informed guesses. For example, if the attacker has a number of addresses in the form [email protected], it’s likely that other employee addresses follow the same format.
Once they have the list, the attacker creates the phishing email and the attachment file containing the malicious code. Because Copper Duck has not implemented a method to protect their domain from spoofing, the attacker can easily forge the Sender and other information in the email header.
The attack: The emails are sent early in the morning on a weekday, to arrive shortly before employees begin working their way through their inboxes.
Every employee who clicks the link and opens the document will activate the malicious code it contains. It runs on their machine, and sends any sensitive data it can find back to the attacker.
Even if not every employee clicks through, there is a good chance that at least one will. One is all it takes for an attacker to gain a foothold in the network.
Bonus: The time of day an email is sent is one of many important factors that attackers may consider; there are several instances where an employee’s ability to make the right cybersecurity decision may be impaired. Read the full report here.
What if there are protections in place? If Copper Duck used DMARC or a mail application that scanned attachments for malicious code, this would make life more difficult for the attacker, but not impossible. As previously mentioned, they could register a domain almost identical to that of Copper Duck (for example, copper-duck.com or coppperduck.com), and prompt the user to follow a link to a server under their control instead.
However, protections like DMARC only stop spoofs of your domain; it won’t protect against all spoofs you might receive (for example, a spoof of one of your suppliers). This means you have to be vigilant both as a consumer and an employee when it comes to protecting yourself from these types of attacks.
Phishing attacks employing spoofed emails are inevitable. So how can you spot them, what should you do when you’re targeted, and how can a business protect itself against the threat they pose?
Unfortunately, though, DMARC, training, and a positive security culture simply aren’t enough. Cybersecurity strategies have to account for the fact that DMARC doesn’t stop bad actors from domain lookalike impersonations, training is ineffective long-term, and people won’t do the right thing 100% of the time.
To combat the threat of email spoofing, security teams should also deploy enterprise-level security applications to identify and block phishing attacks, such as Tessian Defender.
Tessian Defender is powered by machine learning (ML).
By learning from historical email data, Tessian’s ML algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to not only detect, but also prevent a wide range of advanced phishing scams, including email spoofing attacks.
To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts.