
How to simulate E-mail Spoof Attack |Part 10#12

When we hear the term “spoof E-mail attack,” the first image that comes to mind is a hacker sitting in a dark room filled with flashing lights, rapidly typing commands and strange symbols on the keyboard!

Sounds romantic?

Well, in reality, performing or simulating an E-mail spoof attack is very simple and can be accomplished easily by any of us.

In the current article, we will demonstrate three easy and straightforward options for simulating an E-mail spoof attack.

Q1: Don’t you think that it’s dangerous to publicly post information on how to carry out a spoofed E-mail attack?

A1: No, the “black hat” elements that perform a spoof E-mail attack are usually professionals who don’t need my “help and advice” on how to perform it.

Q2: Why should I learn about how to simulate a spoof E-mail attack?

A2: Because when we build a “security mail infrastructure” that needs to identify and block various E-mail attacks, such as a spoof E-mail attack, we need a way to test that infrastructure.

In other words, we are the “white hat” side, which needs to know the methods of the “black hat” side.

We need the ability to “mimic” the operations executed by the hostile element that performs the spoof E-mail attack.

We need to know how to carry out a spoof E-mail attack so that we can verify that the mail security measures we have implemented, such as the Exchange Online Spoofed E-mail rule, are working correctly and doing what they need to do – identify, block and alert about a spoof E-mail attack.

Which tools and methods for performing the spoof E-mail attack will we review in the current article?

In the current article, I will demonstrate three options or methods that we can use for simulating spoof E-mail attacks.

  • Option 1 – by using a very useful and efficient GUI mail client named Jbmail
  • Option 2 – by using a telnet client to perform an SMTP session with the destination E-mail server.
  • Option 3 – by using public online web-based tools

Simulating E-mail Spoof Attack – the Action Plan

Before we start with the actual process, in which we will examine the Exchange Online spoof transport rule, it’s important to know what the “action plan” is and the order of the tasks that need to be carried out:

Step 1 – create the required Exchange Online transport rule, which should identify Spoof email and execute a particular action as a response.

Step 2 – Planning the Spoof email attack

Decide on the E-mail addresses that will be used in our Spoof E-mail attack

  • The source recipient E-mail address – this is the E-mail address that will be used by the “hostile element” that tries to impersonate a legitimate organization recipient
  • The destination E-mail address – this is the E-mail address of the organization user whom we try to “attack”.

Step 3 – Choosing the “attack tool.”

We will need to decide which tool we will use for simulating the Spoof email attack.

Step 4 – Get the hostname of the mail server that represents the domain that we want to test.

Step 5 – Executing the Spoof email attack

Step 6 – verify whether the Exchange Online transport rule manages to “identify” the E-mail spoof attack and implements the required actions, such as blocking the E-mail message, etc.

Simulating E-mail Spoof Attack | Our scenario description

Our organization is represented by the domain name: o365pilot.com

Lately, our organization has experienced an E-mail Spoof attack, in which the hostile element presents himself as Suzan, our company chief executive officer.

This hostile element sends an E-mail message to our company employees on behalf of Suzan (using the E-mail address Suzan@o365pilot.com).

To be able to prevent this spoofing attack, we have created an Exchange Online Spoof email rule that will identify Spoof email attacks.

The central concept of this spoofing attack is that we will address the Exchange Online server that represents the domain name o365pilot.com and present ourselves as Suzan@o365pilot.com, but without providing any user credentials (anonymous SMTP session).

The destination recipient whom we will try to “attack” is Bob@o365pilot.com

Simulating Spoof email attack - Scenario description
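
The condition that the scenario's rule has to catch, written as an added example (it is not code from the original article and not Exchange Online's own logic): a message whose From address claims our domain although the SMTP session was not an authenticated internal one. Reading the session state from the X-MS-Exchange-Organization-AuthAs header is an assumption of this example, and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "o365pilot.com"  # the scenario's domain
# Assumption of this example: this header records how the SMTP session authenticated.
AUTH_HEADER = "X-MS-Exchange-Organization-AuthAs"

def is_spoof_candidate(raw_message, org_domain=ORG_DOMAIN):
    """True when From claims org_domain but the session was not an internal one."""
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg.get("From", ""))
    _, at, sender_domain = address.rpartition("@")
    if not at or sender_domain.lower() != org_domain.lower():
        return False  # sender does not claim to be one of our own users
    # A missing header is treated as anonymous, so the check fails closed.
    auth_as = (msg.get(AUTH_HEADER) or "Anonymous").strip().lower()
    return auth_as != "internal"

# Constructed sample messages (not captured traffic).
SPOOFED = (
    "From: Suzan <Suzan@o365pilot.com>\n"
    "To: Bob@o365pilot.com\n"
    "X-MS-Exchange-Organization-AuthAs: Anonymous\n"
    "Subject: Urgent\n\nbody\n"
)
GENUINE = SPOOFED.replace("AuthAs: Anonymous", "AuthAs: Internal")
OUTSIDER = SPOOFED.replace("Suzan@o365pilot.com", "someone@example.org")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE), ("outsider", OUTSIDER)):
        print(name, is_spoof_candidate(raw))
```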

Get the host name of the destination mail server

When we choose the option of using the GUI mail client named Jbmail or using an SMTP telnet session, the preliminary information that we need to have is the host name of the destination mail server that represents the domain which we want to test.

For example – in case we want to simulate a spoof E-mail attack for checking the security infrastructure of a domain named o365pilot.com, we will first need to know the host name of the mail server(s) that represent this domain.

In more technical terms – we will need to perform a DNS query looking for the MX record of the host(s) that represent a particular domain name.

In our particular scenario, we will try to spoof the identity of a recipient named – Bob@o365pilot.com

To be able to address the mail server that represents the domain name o365pilot.com, we will need to get the exact hostname of the mail server.

We will get the name of the mail server by querying a public DNS server for the MX record of the domain name – o365pilot.com

Technically, there are many tools and options for creating the required query.

Get the host name of the destination mail server using NSLOOKUP

In our specific example, we will use the built-in Windows command-line tool named NSLOOKUP

To get the required information, we will open the command prompt and type the following command:

Nslookup -q=mx o365pilot.com

In the following screenshot, we can see the results.

The hostname of the mail server that represents the domain name – o365pilot.com, is o365pilot-com.mail.protection.outlook.com

Get the host name of mail server by looking for the MX record using NSLOOKUP -01
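
An added example (not part of the original article) that picks the mail server out of the NSLOOKUP output instead of reading it off the screen: it parses the MX lines and returns the host with the lowest preference, which is the one a sending server tries first. The sample output is constructed; its resolver name, preference values and the example.org records are made up, and the function names are this example's own.

```python
import re
import subprocess

# Windows nslookup prints one line per MX record in this shape.
MX_LINE = re.compile(
    r"^(?P<domain>\S+)\s+MX preference = (?P<pref>\d+), mail exchanger = (?P<host>\S+)$"
)

def parse_mx(nslookup_output, domain):
    """Return [(preference, host), ...] for domain, lowest preference first."""
    records = []
    for line in nslookup_output.splitlines():
        match = MX_LINE.match(line.strip())
        if match and match["domain"].rstrip(".").lower() == domain.lower():
            records.append((int(match["pref"]), match["host"].rstrip(".").lower()))
    return sorted(records)

def primary_mail_server(nslookup_output, domain):
    """Host with the lowest MX preference for domain."""
    records = parse_mx(nslookup_output, domain)
    if not records:
        raise LookupError(f"no MX record for {domain} in the output")
    return records[0][1]

def run_nslookup(domain):
    """Live lookup with the article's command (needs network access)."""
    done = subprocess.run(["nslookup", "-q=mx", domain],
                          capture_output=True, text=True, timeout=15)
    return done.stdout

# Constructed sample: two lookups pasted together to show filtering and ordering.
SAMPLE = """\
Server:  resolver.example.net
Address:  192.0.2.53

Non-authoritative answer:
o365pilot.com\tMX preference = 0, mail exchanger = o365pilot-com.mail.protection.outlook.com
example.org\tMX preference = 20, mail exchanger = backup.example.org
example.org\tMX preference = 10, mail exchanger = MX1.example.org.
"""

if __name__ == "__main__":
    print(primary_mail_server(SAMPLE, "o365pilot.com"))
```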

Get the host name of the destination mail server using MxToolbox

In case we prefer using a more friendly interface than the NSLOOKUP command interface, we can use a variety of web-based tools that will enable us to get the hostname of a mail server that represents a specific domain name.

My favorite web tool is the MxToolbox website.

In the following screenshot, we can see an example of how to get the required hostname.

In our particular scenario, we are looking for the hostname of the mail server that represents the domain name – o365pilot.com

Get the host name of mail server by looking for the MX record -02

The answer will include the server hostname + its IP address.

Get the host name of mail server by looking for the MX record -03

The next article in the current article series

In the next article – How to Simulate E-mail Spoof Attack |Part 11#12, we will review three different tools that we can use for simulating an E-mail attack that will help us to test the strength of the Exchange Online Spoofed E-mail rule.

o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.
