Simply put, phishing emails are designed to trick the recipient into believing that they are legitimate. A common way of doing this is to make the email appear to come from someone the recipient knows and trusts, and email spoofing is one technique for that: a spoofed email is crafted so that its displayed sender appears to be someone the recipient trusts.
An email can be broken into two main sections: the headers and the body. The purpose of the headers is to provide metadata and the information required to route the email to its destination. The body of the email is the actual message being conveyed.
The Simple Mail Transfer Protocol (SMTP) defines the structure of emails and how mail servers exchange them. When SMTP was developed, security was not a priority, and the protocol includes no mechanism for verifying the authenticity of email headers.
Email spoofing takes advantage of this by changing the value of the FROM header, which is supposed to contain the sender’s email address. Mail servers do not use this value to deliver the message; it exists only to tell the recipient who sent it, so modifying it does not cause delivery to fail.
The FROM address is, however, the default destination for replies, which could be a problem for some phishing campaigns. The SMTP standard also includes a REPLY-TO header in which the sender can specify that replies should go to a different address. This field is commonly used in marketing email blasts, but a phisher can also use it to receive replies to phishing emails whose FROM address has been spoofed.
Spoofed emails are part of phishing campaigns, which are designed to trick the recipient into taking some action that helps the attacker. If an email has an embedded link to click, an attachment, or requests some other action, then it is wise to check it for spoofing.
In some cases, the attacker may use a real, lookalike address, such as substituting cornpany.com for company.com. In others, the FROM header is set to a legitimate address that the actual sender does not control.
While the first case can usually be detected by taking a careful look at the sender’s email address, the second might require more digging. Spoofed FROM addresses can be identified based on:
Received: The RECEIVED headers in an email record the IP addresses and domain names of the computers and mail servers along the path the email traveled, one header per hop. A message sent from one address within the company to another should pass only through the company’s own mail servers, so an internal-looking message whose RECEIVED chain shows it entering from an outside server has most likely had its FROM address spoofed.
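As an added example (not code from the original article), the following Python script applies the two checks described above to a raw message: it flags a REPLY-TO domain that differs from the FROM domain, and an internal-to-internal message whose RECEIVED chain names a relay outside the company. The company domain, the trusted relay hostnames and the sample message are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
import re

COMPANY_DOMAIN = "company.com"                             # assumed value
INTERNAL_RELAYS = {"mail1.company.com", "mx.company.com"}  # assumed trusted relays

def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def received_hosts(msg):
    """Hostnames named after 'from' in each Received: header, newest hop first."""
    hosts = []
    for rcv in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+([\w.-]+)", rcv)
        if m:
            hosts.append(m.group(1).lower())
    return hosts

def spoofing_indicators(raw_email):
    """Return human-readable findings for a raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    findings = []
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if from_domain == COMPANY_DOMAIN and domain_of(msg["To"]) == COMPANY_DOMAIN:
        # Internal-to-internal mail should only have passed through the company's own relays.
        external = [h for h in received_hosts(msg) if h not in INTERNAL_RELAYS]
        if external:
            findings.append(f"internal-looking mail relayed through external host(s): {external}")
    return findings

# Constructed sample: FROM claims to be an internal executive, but the message
# entered through an outside relay and directs replies to another domain.
SAMPLE = """Received: from mail1.company.com (mail1.company.com [192.0.2.10])
    by mx.company.com with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from smtp.example.net (smtp.example.net [198.51.100.7])
    by mail1.company.com with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000
From: "CEO" <ceo@company.com>
Reply-To: ceo.office@example.net
To: finance@company.com
Subject: Urgent wire transfer

Please handle this today.
"""
```

Running `spoofing_indicators(SAMPLE)` returns both findings for the sample; a message between two internal addresses that only traverses the listed relays and carries no REPLY-TO returns an empty list.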
Spoofed emails are designed to be deceptive, meaning that employees may struggle to identify sophisticated phishing attacks. A single click on a malicious link or opening a malware-laden attachment can cause significant harm to the enterprise. Phishing emails are a leading cause of data breaches and one of the top delivery mechanisms for ransomware and other malware.
For this reason, corporate cybersecurity training for phishing email detection should be augmented with a strong anti-phishing solution. Check Point, along with Avanan, has developed Harmony Email and Office, which provides comprehensive protection against phishing scams. To learn more about Harmony Email and Office and how it can help to mitigate the threat of spoofed phishing emails to your organization, you’re welcome to sign up for a free demo.