Product: ITDR: Huntress Managed Identity Threat Detection and Response
Summary: Email spoofing involves faking sender information to deceive recipients into opening malicious links. Investigate by reviewing login events, and analyzing email headers for authentication failures, unrecognized servers/IPs, and matching tenant IDs.
Spoofed Emails
When an end-user receives an email that appears to be from their own address, it's often a technique called email spoofing. This means the sender has falsified the email header information to make it look like it originated from the recipient. While it can be alarming, it usually indicates that the sender is trying to trick the recipient into opening the email or clicking on a malicious link, and it doesn't necessarily mean the recipient's email account has been compromised or hacked.
What visibility does Huntress have?
With Huntress’ ITDR platform, we have visibility over the identity, their sign-ins, mailbox rules, and enterprise applications. We do not have visibility into emails or mail flow.
How can I leverage ITDR to investigate a potential spoof?
The first action you can take in validating a spoof or a compromise is reviewing the sign-ins. You can quickly do this with the Huntress ITDR platform.
-
Navigate to Identities.
-
Find and select your target identity.
-
In the left pane, choose "Login Events" to view all successful logins from the last 14 days. If the listed IP addresses are anticipated or confirmed with the end-user, proceed with validating the spoofed message.
Reviewing the Spoofed Message.
To review a spoofed message you will want to obtain the original email, either directly from the end users mailbox or have them export the .eml file. Do not have the email forwarded as this will overwrite the email headers.
Once the original email is obtained, you will want to view the message source to review the headers.
You can parse this as is or use your favorite email header parsing tool.
What to look for.
When reviewing the suspected spoofed message, there are a few things to pay attention to.
- Email Authentication pass/fail
- Sending Server
-
Sending IP Address
-
The first tell-tale may be when the email fails basic email authentication. Meaning it isn’t permitted to send as the domain/user that it looks like it is coming from. If using a header parsing tool, it may look like this.
-
Review the hops/received from. Sometimes threat actors will use their own infrastructure and you will see unrecognized server sending the mail.
Recently, with Exchange direct send, it triggered from the local host and then sent by Microsoft. This looks a little more convincing, but is still spoofed. More on that later.
-
You can then look at the sending IP to track where this was sent from. Within in the header you should see something like this.
This is showing the IP that sent it and confirming that the domain did not designate this IP as a permitted sender.
- Finally, verify the X-MS-Exchange-CrossTenant-Id section in the header. This should match your tenant ID.
If the email you are analyzing resembles the example above, it is highly probable that you are encountering a spoof.
How can I stop this?
There are a couple of ways you can configure things to reduce the amount of spoofed messages you receive.
- Ensure your SPF, DKIM, or DMARC are properly configured.
-
Configure your spam filter to look for and quarantine emails that are failing mail authentication.
If you have trouble configuring this, reach out to your spam filter provider for guidance.
Exchange Direct Send
Recently, there has been an increase in spoofed messages going out. Threat actors are leveraging Microsoft Exchange Direct Send to deliver spoofed messages.
Direct Send is used for devices such as scanners, printers, and other self-hosted applications. However, if not configured properly or misconfigured email authentication, it will allow threat actors to get spoof through to your exchange environment.
If this is not in use, it is recommended to turn this off. Here are some more details from Microsoft.