Valimail blog

Spear phishers use fake email threads, fake SPF authentication

Author: Steve Whittle
[Photo: a fish on a spear] Spear phishing has gotten a lot more sophisticated since this photo was taken. Photo credit: Gerry Lauzon/Flickr

I work with people who are trying to prevent others from impersonating their domains. Usually this work is preventive, but unfortunately it is sometimes reactive: ensuring that impersonation that has already happened does not happen again.

One of the most common impersonation attacks is phishing, where hackers send emails to people hoping to get them to reveal a password, grant access to an account, turn over personal information, or even transfer money. It’s not surprising that companies are starting to see more examples of successful phishing and its more targeted variant, spear phishing. We’re seeing more and more press coverage of prominent spear phishing attacks and almost daily examples where it has been successful. As a result, some companies are starting to become more vigilant and scrutinize emails more closely. This, of course, means that the scammers are becoming more creative and are putting more effort into making their emails seem legitimate. It’s a classic security arms race.

I spoke with a company that had recently been the victim of a spear phishing attack, to the tune of tens of thousands of dollars. The phishing email was very believable and the scammers had clearly done their homework. Here is what appears to have happened:

Step One: Infiltration

The scammers were able to compromise the corporate email account of an employee of the company. That seems to have been done using a fake G Suite link.

Step Two: Studying the Target

Once they had compromised that account, the scammers examined the history of emails between this user and the CEO to get a feel for the way the CEO wrote and the tone of his emails.

Step Three: The Fake Email Thread

With this information, they crafted an email that appeared to be part of an existing email thread in which people were already discussing money to be wired to an account. In other words, the fraudsters faked an entire thread in which actual people in the company appeared to be discussing a wire transfer. The person to whom it was addressed saw what looked like a string of emails discussing the wire transfer, followed by the request (to the recipient) to transfer the money. The faked thread made the request much more believable, since it did not seem to be an out-of-the-blue request (although out-of-the-blue wire transfer requests can work too, sadly).

Step Four: Fake Authentication

The scammers did not stop there, however. They also made sure that the email passed SPF authentication. They did this by registering a domain that looked like the legitimate domain and setting up an SPF record for the look-alike domain. They then used this new (fake) domain in the email’s Return-path header (the envelope sender, which is what SPF checks), while using the company’s actual domain in the From: address that the recipient sees. This ensured that even if the recipient were to look at the email headers, the message would appear legitimate thanks to the SPF pass recorded there.

Step Five: The Heist

This was a lot of preparation on the part of the scammers, but their efforts paid off. The targeted person received the email, believed it was legitimate, and transferred a large sum of money to the fraudulent account.

If the domain had been protected by DMARC enforcement, the scammers might still have been able to compromise the first employee’s email account, but they would not have been able to deliver the ultimate phishing email. A DMARC check would have noted that the SPF pass was for the look-alike Return-path domain, not for the From: domain shown to the recipient, and this alignment mismatch would have caused the message to fail DMARC. As a result, the email would have been flagged as spam (or rejected outright, depending on the company’s DMARC policy), and the company would not be out tens of thousands of dollars.
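The following is an added example, not Valimail’s code or tooling, that works through Steps Four and Five above: a message whose Return-path domain passes SPF but whose From: domain is the real company domain. The raw message, domain names, and the `spf_pass` / `dkim_domain` inputs are constructed for illustration; a real receiver would obtain them from DNS lookups and DKIM verification, and would use the Public Suffix List for the organizational domain.

```python
"""Why the spoof in this post passes SPF yet fails DMARC alignment."""
import email
from email.utils import parseaddr

# Constructed message modelled on the attack: the visible From: carries the
# real domain, while the Return-Path (what SPF checks) is a look-alike domain
# the attacker controls and has published an SPF record for.
RAW_MSG = (
    "Return-Path: <ceo@examp1e-corp.com>\n"
    "From: CEO <ceo@example-corp.com>\n"
    "To: finance@example-corp.com\n"
    "Subject: RE: RE: Wire transfer\n"
    "\n"
    "Please send the wire today.\n"
)

def org_domain(domain):
    """Simplified organizational domain (last two labels). Real DMARC
    implementations consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def header_domains(raw):
    """Return (RFC5322.From domain, RFC5321.MailFrom domain from Return-Path)."""
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg["From"])[1]
    rp_addr = parseaddr(msg["Return-Path"])[1]
    return from_addr.rsplit("@", 1)[1].lower(), rp_addr.rsplit("@", 1)[1].lower()

def aligned(from_domain, auth_domain, mode="r"):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(raw, spf_pass, dkim_domain=None, policy="reject",
                 spf_mode="r", dkim_mode="r"):
    """DMARC passes only if SPF or DKIM passed *for an aligned domain*.
    spf_pass is the SPF verdict for the Return-Path domain (assumed input);
    dkim_domain is the d= of a valid DKIM signature, if any."""
    from_d, mailfrom_d = header_domains(raw)
    spf_ok = spf_pass and aligned(from_d, mailfrom_d, spf_mode)
    dkim_ok = dkim_domain is not None and aligned(from_d, dkim_domain, dkim_mode)
    if spf_ok or dkim_ok:
        return "pass"
    return {"none": "fail (monitor only)",
            "quarantine": "fail -> quarantine",
            "reject": "fail -> reject"}[policy]
```

With the example message, `dmarc_result(RAW_MSG, spf_pass=True)` returns `"fail -> reject"`: SPF passed, but for the wrong domain, which is exactly what a p=none domain cannot act on.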

Published March 14, 2017
Tags: Cybersecurity, Email, Fraud, Phishing, Security
Author: Steve Whittle
Steve Whittle runs customer success at Valimail. He has helped Valimail customers get thousands of domains to DMARC enforcement. He also has worked with hundreds of third-party senders. Prior to joining Valimail, he spent more than 15 years designing and deploying DNS for Enterprises and Service Providers worldwide.