1. Home
  2. Techniques
  3. Enterprise
  4. Email Spoofing

Email Spoofing

Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.[1] In addition to actual email content, email headers (such as the FROM header, which contains the email address of the sender) may also be modified. Email clients display these headers when emails appear in a victim's inbox, which may cause modified emails to appear as if they were from the spoofed entity.

This behavior may succeed when the spoofed entity either does not enable or enforce identity authentication tools such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and/or Domain-based Message Authentication, Reporting and Conformance (DMARC).[2][3][4] Even if SPF and DKIM are configured properly, spoofing may still succeed when a domain sets a weak DMARC policy such as v=DMARC1; p=none; fo=1;. This means that while DMARC is technically present, email servers are not instructed to take any filtering action when emails fail authentication checks.[1][5]

Adversaries may abuse absent or weakly configured SPF, SKIM, and/or DMARC policies to conceal social engineering attempts[5] such as Phishing. They may also leverage email spoofing for Impersonation of legitimate external individuals and organizations, such as journalists and academics.[5]

ID: T1672
Sub-techniques:  No sub-techniques
Tactic: Defense Evasion
Platforms: Linux, Office Suite, Windows, macOS
Version: 1.0
Created: 24 March 2025
Last Modified: 15 April 2025
Version Permalink

Mitigations

ID Mitigation Description
M1054 Software Configuration

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.[6][7]

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor for third-party application logging, messaging, and/or other artifacts that may send phishing messages to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[6][7]

Analytic 1 - Detect Spoofed Emails Using SPF/DKIM/DMARC Failures

sourcetype="o365:messageTrace"| search AuthenticationDetails="fail" OR SPF="fail" OR DKIM="fail" OR DMARC="fail"| eval spoof_score=if(SPF="fail", 1, 0) + if(DKIM="fail", 1, 0) + if(DMARC="fail", 1, 0)| where spoof_score >= 2| table _time, SenderFromAddress, RecipientAddress, Subject, AuthenticationDetails, spoof_score

Analytic 2 - Domain Mismatch Detection (Generic SMTP/Proxy Logs)

index=email_logs sourcetype=mail| eval from_domain=lower(substr(Sender, strpos(Sender, "@")+1))| eval return_path_domain=lower(substr(ReturnPath, strpos(ReturnPath, "@")+1))| where from_domain!=return_path_domain AND isnotnull(ReturnPath)| stats count by from_domain, return_path_domain, Subject, _time

References

  1. Lesnewich, G. et al. (2024, April 16). From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering. Retrieved May 3, 2024.
  2. Cloudflare. (n.d.). What are DMARC, DKIM, and SPF?. Retrieved April 8, 2025.
  3. DMARC. (n.d.). Retrieved March 24, 2025.
  4. Proofpoint. (n.d.). Retrieved March 24, 2025.
  1. FBI, State Department, NSA. (2024, May 2). North Korean Actors Exploit Weak DMARC Security Policies to Mask Spearphishing Efforts. Retrieved April 2, 2025.
  2. Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.
  3. Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.