How are attackers sending spoofed emails?

Man grabbing an email from within a computer screen
Author Profile Photo
Sebastian Salla April 10, 2020
Follow:

In light of the recent increase of COVID-themed phishing campaigns, I'm looking to provide advice on what Security Practitioners and IT Professionals can do to help raise security awareness and protect themselves from the most sophisticated techniques being used to deliver spoofed emails and malicious content.

What is email spoofing?

"Email spoofing is when the sender of an email forges (spoofs) the email header's 'From' address, so the message appears to have been sent from a legitimate email address." - Wikipedia

The first thing to understand is that email spoofing comes in many forms - and may incorporate phishing techniques to 'trick' a user into thinking an email originates from a legitimate address. Considering this, malicious email campaigns typically use one or more of the below techniques (in order of sophistication, difficulty to execute and frequency of abuse):

  1. Spoofed email display name
  2. Phishing domain and/or use of lookalike sub-domains
  3. SPF-bypass through abuse of an inadequately configured DMARC record

While email spoofing is a highly discussed topic, I frequently only see pieces of the overall issue discussed. Because of this, I'm providing a detailed breakdown showing how each of these techniques are performed, what mitigations exist and how to spot the real from fake.

1. Spoofed email display name

Sophistication: Low - Difficulty: Low - Frequency: Widespread

How is this performed? Forging an emails 'From' display name is an inherit feature that anyone can take advantage of in modern email clients. This is typically used for a range of legitimate purposes, such as identifying yourself by title or the team you represent (e.g. Help Desk, Payroll, etc.) - however it's frequently also used for malicious intent.

When looking at Gmail we can see just how easy this type of attack is to execute, by going to 'Settings > Accounts and Import > Send mail as' and changing this to appear as "Desktop Support"

Gmail Email Display Name Change Screen

When delivered to an unsuspecting victim they may at first glance believe the mail to come from a legitimate source and click the link.

Email showing display name spoofing

What mitigations exist? User awareness training and spam filtering (to a limited degree). As this is a feature available on all major email clients with no applicable email authentication checks, there's minimal that can be done in terms of technical mitigation. Spam filtering engines can be trained to spot particular keywords but the most effective mitigation is to train users on how to spot the real from fake.

How to spot the real from fake? Never rely on the display name to identify a sender, it can display any name the sender wants without any form of authentication. Instead defer your attention to the actual 'From' email address and assess whether the email passes the 'sniff' test (i.e. were you expecting the email? is it from a known sender? is it asking you to click on any links? open a file? forfeit sensitive information? are there uncommon spelling mistakes? etc.).

2. Phishing domain with use of lookalike sub-domains

Sophistication: Moderate - Difficulty: Moderate - Frequency: Widespread

How is this performed? Purchasing lookalike domains for the sole purpose of tricking users into thinking they represent a legitimate service is a common mechanism used by threat actors (e.g. over 1200 vetted phishing sites have already been included in this COVID-19 blocklist).

If we use PayPal as a use-case, I can today identify and purchase any of the below domains through AWS by simply searching against the "paypal" keyword.

AWS Registrar Domain Purchase

Noting this, a mechanism to further obfuscate the purchased phishing domain is to include a sub-domain that replicates the service being phished. To demonstrate this scenario we'll create a McAfee themed phishing email following the below steps:

  1. Purchase an available 'phishing' domain (e.g. 'macnfee.com')
  2. Acquire a mail delivery service which has a trusted IP/SMTP server. This is the tricky part as most cloud-hosted mail delivery services work very hard to prevent malicious actors from utilising their service as their global reputation ratings take a hit. Because of this many threat actors end up using services in 'spammer' friendly countries (e.g. China, Russia, etc.)
  3. Setup the domains DNS record to include an SPF entry for the sub-domain you plan on using for the delivery of phishing emails (e.g. McAfee-outreach)
  4. Begin delivering phishing emails from the trusted IP/SMTP server that look alarmingly legitimate to an unsuspecting user
Note the below email is for demonstration purposes only.

Email showing the use of lookalike sub-domains with an obfuscated domain

What mitigations exist? To prevent these types of attacks, many major service providers will proactively purchase lookalike domains and park them to prevent malicious abuse. Obviously this is only a stop-gap and just means threat actors have to become more creative with the domains they register.

The more effective mitigation's are to train spam filters to perform keyword searches of sender sub-domains and to train users on how to spot the real from fake.

How to spot the real from fake? Never rely on the display name OR sub-domain to identify a sender. Instead defer your attention to the parent domain (e.g. macnfee.com) in the 'From' email address and assess whether the domain represents the service it appears to. This can be done by performing a WHOIS search of the domain to find the owner or by going to the service's website to locate the domain the service is run from.

In some cases a WHOIS search won't provide meaningful results as some buyers purchase these domains through a proxy service or simply enter fake details - considering this, the final safeguard is the 'sniff' test (i.e. were you expecting the email? is it from a known sender? is it asking you to click on any links? open a file? forfeit sensitive information? are there uncommon spelling mistakes? etc.).

3. SPF-bypass through abuse of an inadequately configured DMARC record

Sophistication: High - Difficulty: Moderate - Frequency: Common

How is this performed? Please see https://dmarc.org/wiki/FAQ for a detailed overview of each email authentication protocol (i.e. SPF, DKIM and DMARC). Summing these protocols into a single sentence, each attempts to provide a way for senders to authenticate themselves to receivers as legitimate - e.g. Senders Policy Framework (SPF) is essentially a list published within a domains DNS record which states, if you receive an email from any of these 10 or so IP addresses and it's from my domain, trust it as we authorise those addresses and discard any other emails purporting to be from us.

The issue here is that many domain owners only setup SPF meaning receivers can only rely on the one protocol for email authentication. Unfortunately there's an inherit weakness in the SPF protocol whereby threat actors can trick receivers and ultimately bypass the check - I won't delve deeper into this as it's an entire topic on it's own - click here for a demonstration. To fix this loop-hole the DMARC protocol was introduced which includes a security fix - unfortunately again, if we take a look at the 81 most used domains on the internet today, we can see that 31 of these still haven't implemented a locked-down DMARC policy (this is a consistent theme across many enterprises).

Some notable examples of these vulnerable domains include: baidu.com, wikipedia.org, weibo.com, bing.com, imdb.com, bbc.com and samsung.com.

Ultimately, the lack of a locked-down DMARC policy means threat actors can produce spoofed emails which provide no indication of malicious intent to end-users.

What mitigations exist? Domain owners need to at a minimum, implement a locked-down DMARC (quarantine or reject) policy for all domains under their ownership (including any parked domains).

How to spot the real from fake? Put simply - standard users have no way to spot the real from fake aside from the 'sniff' test. Technical professionals can look through the email delivery receipt to identify if a SPF-bypass attack took place but this is outside the realm of what non-technical users can be expected to perform.

Wrapping up

Email spoofing and phishing are one of the most prominent methods used in credential harvesting and endpoint compromise. My hope is that this article arms it's readers with the tools to effectively communicate email spoofing risks to users and management, so resourcing can be allocated to remediate any weaknesses.

If you're unsure on whether your email infrastructure is vulnerable, you can use the free Email Supply Chain Scan available within CanIPhish's Domain Tools to identify this for you.

CanIPhish Domain Supply Chain Scan Result

If you have any questions or need additional advice on how to detect or mitigate this security risk, please feel free to reach out to me directly via Email, LinkedIn or the CanIPhish Contact us page.

Author Profile Photo
Written by

Sebastian Salla

A Security Professional who loves all things related to Cloud and Email Security.