Email Spoofing
Email spoofing is a type of cyberattack where the sender of an email forges the email headers to make it look like the message came from someone else. The primary goal is to mislead the recipient into thinking the email is from a person or entity they know and trust, such as a colleague, a bank, or a well-known company. This deception is possible because the core email protocols, like Simple Mail Transfer Protocol (SMTP), were not originally designed with built-in authentication methods to verify the sender's identity.
How It Works
Attackers manipulate fields in the email header that the average recipient rarely looks at closely, such as the "From," "Reply-To," and "Return-Path" addresses. When the email reaches the recipient's inbox, their mail client reads this forged information and displays the fake sender address. The IP address of the server that actually handed the message to the recipient's mail server is recorded in the "Received" headers, but most users never inspect these details.
Why It's a Problem
Email spoofing is a common tactic in various cyberattacks:
Phishing: Spoofed emails are frequently used to make phishing attacks more convincing. An attacker might impersonate a bank to trick a user into clicking a malicious link that leads to a fake website, where the user is then prompted to enter sensitive information like passwords or credit card numbers.
Malware Distribution: The attacker can disguise a malicious attachment as a file from a trusted source, such as a shipping notification or an invoice. When the recipient opens the attachment, malware is installed on their computer.
Business Email Compromise (BEC): A more sophisticated attack where the attacker spoofs an email from a high-level executive, like a CEO, to an employee in the finance department. The email might contain an urgent request for a wire transfer to a fraudulent account.
Hiding Identity: It allows the attacker to conceal their true identity, making it difficult to trace the origin of the attack.
Avoiding Spam Filters: By using a forged email address, attackers can bypass some email filters that might be configured to block known malicious senders or domains.
Common Signs of a Spoofed Email
Although attackers try to make their spoofed emails look legitimate, there are often telltale signs that something is wrong:
Mismatched Addresses: The display name (e.g., "Customer Service") does not match the actual email address (e.g., customerservice@suspicious-domain.com).
Urgent or Threatening Language: The email creates a sense of pressure or urgency, prompting the user to act without thinking.
Requests for Sensitive Information: The message asks for personal or financial details that a legitimate sender would not request via email.
Typos and Grammatical Errors: The email may contain spelling mistakes or poor grammar.
Generic Greetings: Instead of a personalized greeting, the email starts with a generic phrase like "Dear Valued Customer."
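The header fields described under "How It Works" and the mismatched-address sign above can be checked mechanically. The following is an added example, not code from the original page: it uses only Python's standard-library email parser to pull the From, Reply-To, Return-Path, Authentication-Results and Received headers out of a raw message and list the spoofing indicators a defender would look for. The two sample messages are constructed for the demonstration; every address, hostname and IP in them is a placeholder.

```python
"""Flag spoofing indicators in a raw email's headers (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: visible From claims bank.example, but replies and bounces
# go to a different domain and the receiving MX recorded a DMARC failure.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.10])
 by mx.recipient.example with ESMTP id 4f2a; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none;
 dmarc=fail header.from=bank.example
From: "Bank of Example Support" <support@bank.example>
Reply-To: "Bank Support" <support@mailer.example.net>
To: victim@recipient.example
Subject: Urgent: verify your account within 24 hours

Dear Valued Customer, your account will be suspended unless you act now.
"""

# Constructed sample: a message whose envelope, header and auth results agree.
LEGIT = """\
Return-Path: <newsletter@bank.example>
Received: from mta1.bank.example (mta1.bank.example [198.51.100.7])
 by mx.recipient.example with ESMTP id 9c01; Mon, 1 Jan 2024 10:05:00 +0000
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=bank.example;
 dkim=pass header.d=bank.example;
 dmarc=pass header.from=bank.example
From: "Bank of Example" <newsletter@bank.example>
To: customer@recipient.example
Subject: Your monthly statement is available

Hello, your statement is ready in online banking.
"""


def _domain(addr):
    """Lower-cased domain part of an address, or "" if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyze_headers(raw):
    """Return header-derived facts plus a list of spoofing indicators."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_dom, reply_dom, bounce_dom = map(_domain, (from_addr, reply_addr, return_path))

    indicators = []
    # 1. A display name that is itself an address at a different domain.
    if "@" in from_name and _domain(from_name) != from_dom:
        indicators.append("display name embeds an address at a different domain than the real sender")
    # 2. Replies would be routed away from the claimed sender's domain.
    if reply_dom and reply_dom != from_dom:
        indicators.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 3. Envelope sender (Return-Path) is not aligned with the visible From.
    if bounce_dom and bounce_dom != from_dom:
        indicators.append(f"Return-Path domain {bounce_dom} differs from From domain {from_dom}")
    # 4. Verdicts the receiving mail server recorded for SPF, DKIM and DMARC.
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) == "fail":
            indicators.append(f"{mech} failed at the receiving server")
    # 5. Connecting IP from the topmost Received header (the one our own MX added).
    received = msg.get_all("Received") or [""]
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])

    return {
        "from": from_addr, "from_domain": from_dom, "reply_to": reply_addr,
        "return_path": return_path, "sender_ip": ip.group(1) if ip else None,
        "auth": verdicts, "indicators": indicators,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        result = analyze_headers(raw)
        print(label, result["sender_ip"], result["auth"])
        for line in result["indicators"] or ["no indicators"]:
            print("  -", line)
```

Only the topmost Received header is trusted for the connecting IP, because every earlier hop in the chain was written by whoever relayed the message and can be forged just like From. A Return-Path or Reply-To on another domain is an indicator, not proof: legitimate bulk senders often use a separate bounce domain, which is why the authentication verdicts are reported alongside.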
ThreatNG helps defend against email spoofing by providing a solution that integrates External Attack Surface Management (EASM), Digital Risk Protection (DRP), and Security Ratings to fortify an organization's defenses from an external attacker's perspective. It identifies and mitigates potential vulnerabilities and spoofing risks on the external attack surface.
External Discovery and Assessment
ThreatNG's External Discovery can perform purely external, unauthenticated discovery to identify malicious domains. Its External Assessment capabilities help to assess an organization's susceptibility to email spoofing.
BEC & Phishing Susceptibility: ThreatNG's BEC & Phishing Susceptibility score is derived in part from its Domain Intelligence module, which includes DNS Intelligence and Email Intelligence capabilities. Email Intelligence provides email security presence and can predict email formats. This allows ThreatNG to determine if an organization is vulnerable to business email compromise and phishing attempts.
Data Leak Susceptibility: The Data Leak Susceptibility score considers Email Intelligence and its ability to predict email formats and provide security presence. This helps identify risks related to email exposure.
Brand Damage Susceptibility: ThreatNG's Brand Damage Susceptibility score uses Domain Intelligence, which includes the ability to find domain name permutations, to identify external threats that could harm a brand's reputation.
For example, ThreatNG could assess a company's domain, mycompany.com, and find that it is vulnerable to email spoofing because its DMARC policy is not configured correctly. This would contribute to a low score for BEC & Phishing Susceptibility.
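What "DMARC policy is not configured correctly" means in practice is decided by the text of the SPF and DMARC TXT records a domain publishes. The following is an added example, not code from the page or from ThreatNG: it parses the two record formats and grades them the way an external assessment of email security presence would. The record strings for mycompany.com are constructed for the demonstration; a real check would fetch the TXT records of the domain and of _dmarc.<domain> over DNS, which this offline example does not do.

```python
"""Grade a domain's published SPF and DMARC records (added example)."""
import re

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Constructed records for the page's example domain. WEAK monitors only;
# STRONG rejects unauthenticated mail for the apex and its subdomains.
WEAK = {
    "spf": "v=spf1 include:_spf.example.net ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@mycompany.com",
}
STRONG = {
    "spf": "v=spf1 ip4:198.51.100.0/24 include:_spf.example.net -all",
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@mycompany.com; adkim=s; aspf=s",
}


def parse_spf(txt):
    """Split an SPF record into terms; None if the text is not an SPF record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = {"all": None, "lookups": 0, "terms": terms[1:]}
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # "+" is the default
        body = term.lstrip("+-~?").lower()
        name = re.split(r"[:/=]", body, maxsplit=1)[0]       # mechanism or modifier name
        if name == "all":
            parsed["all"] = qualifier
        elif name in SPF_LOOKUP_TERMS:
            parsed["lookups"] += 1
    return parsed


def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict; None unless the record is v=DMARC1."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess(spf_txt, dmarc_txt):
    """Return (rating, findings) for one domain's SPF and DMARC records."""
    findings = []
    spf = parse_spf(spf_txt) if spf_txt else None
    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None

    if spf is None:
        findings.append("SPF: no record, so any host may use the domain in MAIL FROM")
    else:
        if spf["all"] == "+":
            findings.append("SPF: '+all' authorizes every host on the internet")
        elif spf["all"] is None:
            findings.append("SPF: no 'all' term, so unlisted senders get a neutral result")
        elif spf["all"] == "?":
            findings.append("SPF: '?all' is neutral; unlisted senders neither pass nor fail")
        elif spf["all"] == "~":
            findings.append("SPF: '~all' only softfails unlisted senders; enforcement relies on DMARC")
        if spf["lookups"] > 10:
            findings.append("SPF: more than 10 lookup terms; evaluators return permerror")

    if dmarc is None:
        findings.append("DMARC: no record, so receivers have no policy for the visible From domain")
        return "unprotected", findings

    policy = dmarc.get("p", "none").lower()
    pct = int(dmarc.get("pct", "100"))
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed From headers are still delivered")
    if policy != "none" and pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    if policy != "none" and dmarc.get("sp", policy).lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected while the apex is enforced")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so aggregate reports of spoofing attempts are lost")

    if policy in ("quarantine", "reject"):
        rating = "enforcing" if pct == 100 else "partially enforcing"
    else:
        rating = "monitoring"
    return rating, findings


if __name__ == "__main__":
    for name, records in (("weak", WEAK), ("strong", STRONG)):
        rating, findings = assess(records["spf"], records["dmarc"])
        print(f"mycompany.com ({name}): {rating}")
        for line in findings:
            print("  -", line)
```

The rating is driven by the DMARC policy rather than by SPF alone, because DMARC can pass on DKIM even when SPF does not, and because receivers only act on the From-header domain when DMARC tells them to. A softfail SPF with p=none is the combination most often behind a "not configured correctly" finding: the records exist, but nothing instructs receivers to reject forged mail.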
Investigation Modules
ThreatNG's Investigation Modules provide detailed analysis that is essential for combating email spoofing.
Domain Intelligence: The Domain Intelligence module is a core component for investigating email spoofing threats.
DNS Intelligence: The Domain Name Permutations feature within DNS Intelligence can detect and group manipulations of a domain, providing associated mail records and IP addresses for both available and taken domains. This is crucial for identifying look-alike domains (e.g., mycompany.biz or mycompeny.com) that are created to launch phishing campaigns.
Email Intelligence: This module analyzes the email security presence by checking for DMARC, SPF, and DKIM records. It can also harvest emails and predict potential email formats, such as first.last@mycompany.com, which helps in understanding how an attacker might structure a spoofed email.
Search Engine Exploitation: The Search Engine Exploitation module can find emails in publicly exposed robots.txt and security.txt files, which an attacker could use to gather targets for a spoofing attack.
Archived Web Pages: This module discovers emails that have been archived on an organization's online presence, providing a historical record of potentially exposed email addresses.
Dark Web Presence: ThreatNG can check for an organization's mentions on the dark web, including associated compromised credentials, which could be used to facilitate a BEC attack.
For instance, an investigation might start with ThreatNG's Domain Name Permutations feature identifying a newly registered domain, mycornpany.com, that uses a homoglyph to resemble a legitimate domain. The Email Intelligence module would then analyze this domain and confirm it has a weak SPF record, making it easy for an attacker to send emails that appear to come from it.
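The look-alike classes this section names (a TLD swap such as mycompany.biz, a typo such as mycompeny.com, and a homoglyph such as mycornpany.com) can be recognised with a small amount of string matching. The following is an added example, not code from the page or from ThreatNG's Domain Name Permutations feature: it folds common homoglyph substitutions, then compares the registrable label and TLD of each observed domain against a protected list. The candidate domains are constructed; in practice they would arrive from a newly-registered-domain or certificate-transparency feed. The code assumes each domain is a plain "label.tld" pair and does not consult a public-suffix list.

```python
"""Classify observed domains as look-alikes of protected domains (added example)."""

# Substitutions that read as the canonical letter at a glance; two-character
# forms are folded first so "rn" becomes "m" before any single characters.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# The page's example domain; an organisation would list every brand domain here.
PROTECTED = ["mycompany.com"]

# Constructed feed of observed registrations to scan.
OBSERVED = ["mycompany.biz", "mycompeny.com", "mycornpany.com",
            "mycompany-login.com", "mycompany.com", "example.org"]


def fold_homoglyphs(label):
    """Map visually confusable sequences onto the letters they imitate."""
    label = label.lower()
    for lookalike, canonical in HOMOGLYPHS:
        label = label.replace(lookalike, canonical)
    return label


def levenshtein(a, b):
    """Edit distance between two strings (standard two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Return (label, tld); assumes the input is a registrable 'label.tld' pair."""
    label, _, tld = domain.lower().rstrip(".").rpartition(".")
    return label, tld


def classify(candidate, protected=PROTECTED):
    """Return (kind, protected_domain) for a look-alike, or None if unrelated."""
    clabel, ctld = split_domain(candidate)
    cfold = fold_homoglyphs(clabel)
    for legit in protected:
        plabel, ptld = split_domain(legit)
        if (clabel, ctld) == (plabel, ptld):
            return None                      # the genuine domain itself
        pfold = fold_homoglyphs(plabel)
        if clabel == plabel:
            return ("tld-swap", legit)       # same name, different TLD
        if cfold == pfold:
            return ("homoglyph", legit)      # identical once confusables are folded
        # Allow one edit for short names and two for longer ones.
        if levenshtein(cfold, pfold) <= (1 if len(pfold) < 8 else 2):
            return ("typo", legit)
        if pfold in cfold:
            return ("affix", legit)          # brand name with a prefix or suffix
    return None


def scan(candidates, protected=PROTECTED):
    """Return [(candidate, kind, protected_domain)] for every look-alike found."""
    hits = []
    for candidate in candidates:
        verdict = classify(candidate, protected)
        if verdict:
            hits.append((candidate, *verdict))
    return hits


if __name__ == "__main__":
    for candidate, kind, legit in scan(OBSERVED):
        print(f"{candidate:24} {kind:10} imitates {legit}")
```

Each hit is a candidate for the follow-up the text describes: looking up its MX and SPF records to see whether it is set up to send mail, and queuing it for monitoring or takedown. The edit-distance threshold is deliberately small, because a looser match on a short brand name floods the queue with unrelated registrations.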
Intelligence Repositories
ThreatNG's Intelligence Repositories (DarCache) provide continuously updated data to support the detection and prevention of email spoofing.
Compromised Credentials (DarCache Rupture): This repository tracks compromised credentials. Attackers can use stolen credentials to carry out a more convincing email spoofing attack or gain access to an email account to send fraudulent messages from a legitimate source.
Ransomware Groups and Activities (DarCache Ransomware): This repository tracks ransomware gangs and their activities, which often use email spoofing as an initial access vector.
Vulnerabilities (DarCache Vulnerability): The vulnerability repository contains information from sources like NVD, EPSS, and KEV. This helps identify vulnerabilities that could be exploited to launch phishing campaigns using email spoofing.
An example would be if the DarCache Rupture repository indicates that an executive's credentials have been compromised. ThreatNG can then use this information to alert the security team to a heightened risk of BEC attacks, where an attacker might spoof that executive's email address to send fraudulent requests to employees.
Reporting and Continuous Monitoring
ThreatNG provides reports like Prioritized (High, Medium, Low, and Informational) and Security Ratings (A through F) to help organizations understand and address their risks. The reports include risk levels, reasoning, and recommendations to guide an organization's response. Continuous Monitoring ensures that new threats, such as a recently registered look-alike domain, are detected promptly before they can be used in a widespread attack.
Complementary Solutions
ThreatNG's capabilities can be used with complementary security solutions to create a more layered defense against email spoofing.
Email Security Gateways: ThreatNG's Email Intelligence can identify if a domain's email authentication records (DMARC, SPF, and DKIM) are correctly configured. The findings from ThreatNG can be used to inform an email security gateway, which can then block emails that fail these authentication checks, preventing spoofed messages from reaching user inboxes.
Security Awareness Training: ThreatNG can provide real-world examples of detected spoofed domains and emails to a security awareness training platform. This helps train employees to recognize the signs of a spoofing attempt, such as a mismatched email address or an urgent request for a wire transfer.
SOAR (Security Orchestration, Automation, and Response) Platforms: ThreatNG's continuous monitoring can detect a new typosquatted domain. This detection could trigger an automated playbook in a SOAR platform, which could then automatically send an alert to the security team, create an incident ticket, and even initiate a domain takedown request.