T1672 Email Spoofing
Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.[4] In addition to actual email content, email headers (such as the FROM header, which contains the email address of the sender) may also be modified. Email clients display these headers when emails appear in a victim’s inbox, which may cause modified emails to appear as if they were from the spoofed entity.
This behavior may succeed when the spoofed entity either does not enable or enforce identity authentication tools such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and/or Domain-based Message Authentication, Reporting and Conformance (DMARC).[1][2][5] Even if SPF and DKIM are configured properly, spoofing may still succeed when a domain sets a weak DMARC policy such as `v=DMARC1; p=none; fo=1;`. This means that while DMARC is technically present, email servers are not instructed to take any filtering action when emails fail authentication checks.[4][3]
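As an added example (not part of the ATT&CK entry), the following Python parses a DMARC TXT record and flags the weak settings described above, such as `p=none`, a partial `pct`, or a missing `rua` address; the two records and the `example.invalid` address are constructed samples, not real domain data.

```python
"""Flag weak DMARC policies of the kind that let spoofing succeed despite SPF/DKIM."""
from typing import Optional

# Constructed sample records (not taken from any real domain).
WEAK_RECORD = "v=DMARC1; p=none; fo=1;"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.invalid"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> list:
    """Return a list of findings; an empty list means the policy is enforcing."""
    if record is None:
        return ["no DMARC record: receivers will not apply any policy"]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["missing or invalid v=DMARC1 tag: record will be ignored"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag: record is invalid")
    elif policy == "none":
        findings.append("p=none: failures are only reported, never filtered")
    elif policy == "quarantine":
        findings.append("p=quarantine: failures are flagged, not rejected")
    # sp= defaults to p=, so only an explicitly weaker subdomain policy matters.
    sub = tags.get("sp")
    if policy == "reject" and sub is not None and sub != "reject":
        findings.append(f"sp={sub}: subdomains enforced less strictly than the org domain")
    # pct<100 applies the policy to only a sample of failing messages.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only a fraction of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports about spoofing are never received")
    return findings


if __name__ == "__main__":
    for rec in (WEAK_RECORD, STRONG_RECORD, None):
        print(rec, "->", assess_dmarc(rec) or ["enforcing"])
```

Run it against a record fetched from DNS (for example the output of `dig TXT _dmarc.<domain>`) to see which of these gaps a domain currently has.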
Adversaries may abuse Microsoft 365’s Direct Send functionality to spoof internal users by using internal devices like printers to send emails without authentication.[6] Adversaries may also abuse absent or weakly configured SPF, DKIM, and/or DMARC policies to conceal social engineering attempts[3] such as Phishing. They may also leverage email spoofing for Impersonation of legitimate external individuals and organizations, such as journalists and academics.[3]
| Item | Value |
|---|---|
| ID | T1672 |
| Sub-techniques | |
| Tactics | TA0005 |
| Platforms | Linux, Office Suite, Windows, macOS |
| Version | 1.1 |
| Created | 24 March 2025 |
| Last Modified | 24 September 2025 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1054 | Software Configuration | Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.[8][7] |
References
- Cloudflare. (n.d.). What are DMARC, DKIM, and SPF?. Retrieved April 8, 2025.
- FBI, State Department, NSA. (2024, May 2). North Korean Actors Exploit Weak DMARC Security Policies to Mask Spearphishing Efforts. Retrieved April 2, 2025.
- Lesnewich, G. et al. (2024, April 16). From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering. Retrieved May 3, 2024.
- Tom Barnea. (2025, September 9). Ongoing Campaign Abuses Microsoft 365’s Direct Send to Deliver Phishing Emails. Retrieved September 24, 2025.
- Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.
- Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.