Email Spoofing
medium · email-spoofing
Adversary forges email sender identity to impersonate trusted parties for phishing, fraud, or business email compromise. Enabled by missing or permissive SPF/DKIM/DMARC records, open mail relays, or look-alike domains; closely paired with phishing as the delivery technique but distinct in that the failure is in mail-authentication policy rather than user judgement.
Spoofing, Repudiation
MITRE ATT&CK techniques
| ID | Name | Tactic |
|---|---|---|
| T1656 | Impersonation | Defense Evasion |
| T1585.002 | Establish Accounts: Email Accounts | Resource Development |
| T1534 | Internal Spearphishing | Lateral Movement |
Common Weakness Enumeration
Mitigating controls
- ctrl-emailspoof-1: Publish a strict DMARC policy (p=reject) with aligned SPF and DKIM for every sending domain, including parked ones
- ctrl-emailspoof-2: Configure inbound mail servers to enforce DMARC and reject or quarantine failures
- ctrl-emailspoof-3: Deploy MTA-STS and TLS-RPT to enforce authenticated transport between mail servers
- ctrl-emailspoof-4: Monitor DMARC aggregate and forensic reports to detect abuse and unauthorised senders
- ctrl-emailspoof-5: Apply external-sender warning banners and detect display-name impersonation of executives
- ctrl-emailspoof-6: Defensively register and lock common typo-squat and homoglyph variants of corporate domains
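
A check for the "missing or permissive" SPF and DMARC records named in the description, written as an added example and not part of the original entry. The zone data, domain names and function names are constructed for illustration; it assumes the audited names are organisational domains, reads TXT records from an inline dict instead of DNS, and does not check DKIM (which needs a selector).

```python
# Constructed sample TXT records; example.* names are placeholders, not real data.
ZONE = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "example.org": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_dmarc.example.org": ["v=DMARC1; p=none; pct=50"],
    "parked.example": [],  # parked domain that publishes nothing
}

def parse_tags(record):
    """Split a DMARC 'tag=value; tag=value' record into a lowercase dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def audit_spf(domain, zone):
    spf = [r for r in zone.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["spf: no record" if not spf else "spf: multiple records"]
    terms = spf[0].lower().split()[1:]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:
        # A redirect= modifier moves the policy elsewhere; it is not followed here.
        redirected = any(t.startswith("redirect=") for t in terms)
        return [] if redirected else ["spf: no 'all' mechanism"]
    return [] if alls[0] == "-all" else [f"spf: '{alls[0]}' is not a hard fail"]

def audit_dmarc(domain, zone):
    recs = [r for r in zone.get("_dmarc." + domain, []) if parse_tags(r).get("v") == "dmarc1"]
    if not recs:
        return ["dmarc: no record"]
    tags, findings = parse_tags(recs[0]), []
    if tags.get("p") != "reject":
        findings.append(f"dmarc: p={tags.get('p')} (not reject)")
    if "sp" in tags and tags["sp"] != "reject":
        findings.append("dmarc: subdomain policy is not reject")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"dmarc: pct={pct} leaves part of the mail unenforced")
    if "rua" not in tags:
        findings.append("dmarc: no rua address for aggregate reports")
    return findings

def audit(domain, zone=ZONE):
    return audit_spf(domain, zone) + audit_dmarc(domain, zone)

if __name__ == "__main__":
    for name in ("example.com", "example.org", "parked.example"):
        print(name, audit(name) or "ok")
```
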