
A colleague received an unsolicited email along the lines below:

Dear Ms. Smith

please click on the following link to receive Document X regarding Project Y.

Yours,

Eve Nobody
eve.nobody@company.com


I suggested to my colleague that she reply to Eve Nobody and ask whether the email is legitimate. Note that we typed in the address of Eve Nobody, since one could tamper with the Reply-To header.

I assume three possible scenarios:

  1. Eve Nobody exists and she did send the email
  2. Eve Nobody exists, but she didn't send the email
  3. Eve Nobody does not exist, and the email-server of company.com will reply with an error message

In all possible scenarios, we only interact with company.com, and not with any potential spoofer. Thus, I consider this course of action safe.

Was my advice sound, or are there other aspects to consider?


For context:

  • We are a firm which does research with academia and industry, hence we have plenty of information on our current projects along with the corresponding researchers. Thus, the information contained in the initial email (a reasonable title for Document X and the title of Project Y) can be gathered from our homepage.
  • company.com is a legitimate company, and is involved in some research of ours.
Dohn Joe
  • I'm curious what e-mail service you use that you believe the reply-list could be modified in a hidden way. – STF_ZBR Aug 18 '20 at 02:07
  • @STF_ZBR Not exactly hidden and definitely not modified, but the DisplayName property for an address in the ReplyTo list could be set to `Eve Nobody`. At first glance, it wouldn't be obvious to a non-technical person that the reply isn't sent to the original sender. – Lars Kristensen Aug 18 '20 at 06:01
  • @LarsKristensen I suppose STF_ZBR's point is: what e-mail client hides the fact that the recipient is being substituted via the Reply-To: mechanism? OP is obviously technical, and suspicious. Maybe too much so in this point? – Kaz Aug 18 '20 at 06:16
  • @Kaz, I can name one such client: Outlook for Windows. It doesn't hide the fact that the recipient is substituted, but the client is not informed either. – Lars Kristensen Aug 18 '20 at 07:40
  • One very easy piece of information you did not pay attention to was the link itself - where did it link to? Don't click on it, obviously, but you can inspect it to see where it goes. This can be a huge clue when trying to determine if an email is legitimate or not. – J... Aug 18 '20 at 12:37
  • In addition to what J said, look at the raw headers of the e-mail, if you suspect a spoof. Compare the trail of Received: headers to legit e-mails from the same source, and other clues. – Kaz Aug 18 '20 at 16:25
  • _Why bother with this?_ – user91988 Aug 18 '20 at 19:26
  • @STF_ZBR : "Սոісоḋе ḣοѕtոаⅿеѕ." Very little between those double quotes is ASCII or comes from the Basic Latin block. – Eric Towers Aug 18 '20 at 23:30
  • @Eric Towers, that's a valid point of concern, though likely visible in some form. – STF_ZBR Aug 19 '20 at 01:41
  • @STF_ZBR: Nоt nесеssаrily. This соmmеnt соntаins оnly оnе wоrd withоut аny nоn-Lаtin lеttеrs. Саn yоu tеll whiсh оnе? – Ilmari Karonen Aug 19 '20 at 08:18
  • @IlmariKaronen yes, but only with a hex editor :) Rot-13: Gur nyy-Yngva jbeq vf guvf. That is actually alarmingly convincing! – Vicky Aug 19 '20 at 12:51
  • Also if you paste it into Word you get nice red wavy underlines on every word except the all-Latin word. – Vicky Aug 19 '20 at 12:52
  • @IlmariKaronen Definitely true. Curious, are those all characters from the same language, though? I believe you can only register a domain using all one language, unless I'm not correct. Scary to think, however, that someone would mimic a domain, have knowledge of their contacts, and be able to trick them into clicking a link, especially one that may appear to be hosted by that same domain. At a certain point we have to realize nothing is ever safe. Windows break, people lie, and humans err. – STF_ZBR Aug 22 '20 at 02:16

3 Answers


You are focused on the person existing and not the account. Consider that Eve exists, did not send the email, but someone with access to her account did, and has entered an email rule to prevent your emails from hitting the inbox. You could carry on a conversation with that account but not Eve herself.

So I would add:

  1. Account exists, email was sent from the account, but Eve did not send the email (compromised account)
  2. Account exists, email was sent from the account, but Eve does not exist (dummy account)

In both cases, if you reply, you could be replying with the malicious actor and not Eve.

The best response is to contact Eve through some means other than email (call, other contact info, etc.)

schroeder
  • In that case, company.com has a serious problem. I imagined a spoofer outside of company.com simply using the name of the company and possibly the name of an employee to craft a phishing email. – Dohn Joe Aug 17 '20 at 12:59
  • Compromised accounts are quite common. They are a common way to compromise 3rd parties who trust them. – schroeder Aug 17 '20 at 13:00
  • @DohnJoe this exact scenario of a malicious actor controlling a user account of a legitimate company, or even a legitimate company's mail server, is a reasonably common pattern for invoice redirect fraud, for example. – Peteris Aug 17 '20 at 22:08
  • @Peteris This has been a [big problem](https://www.bankinfosecurity.com/wire-fraud-victim-sues-bank-a-3159) in the real estate industry. A hacker will compromise a real estate agent's account and tell the home buyer to release the escrow funds and wire them to the fraudster's account. Often the accounts are overseas and funds are unrecoverable. People are losing tens of thousands in a single transaction. – Booga Roo Aug 17 '20 at 23:37
  • If no other means of contact is possible, at least checking on the company homepage that Eve exists eliminates case 5), and changing the email header in the response to not include the original one and the body to not include the original body may reduce the risk of not getting through to the actual Eve in case 4. Delaying any response when asked for any action on your end and asking back after a couple of days may also reduce the risk in both cases, as it increases the chance that the company found out about the misuse in the meantime (but obviously, if you are asked to do something crucial, don't). – Frank Hopkins Aug 18 '20 at 00:13
  • If somebody is going through the effort of taking over an e-mail and making you a target, there is no reason to believe that the number provided is safe. Call the company and ask to speak to Eve, if you trust Eve. – STF_ZBR Aug 18 '20 at 02:15
  • I would look at the full headers of the e-mail. If the e-mail has gone through the same servers as various past legit e-mails, then it's either legit also, or a compromised account. If the Received: headers show a trail of unfamiliar servers, that almost certainly confirms it as a forgery. – Kaz Aug 18 '20 at 06:19
  • @Kaz: No, that misses the point of this answer entirely. That will not work because the account itself may be compromised. – BlueRaja - Danny Pflughoeft Aug 19 '20 at 00:21
  • @DohnJoe Exactly that thing happened to SANS, a security company that trains security experts on these kinds of things. And the issue was in place for months, undetected. It was, however, the only problem they had. So it is both possible for highly technical defenders to find themselves in that situation and for it not to be a serious problem. – Cliff Aug 20 '20 at 19:14

If you don't know Eve, I see no reason to follow up.

If you do business with the company she claims to represent, you could reach out to a regular contact you use at that business. Don't try to engage that account directly because it may not be what it seems (e.g. a compromised account or a spoofing trick that fools your email client).

You can also vet the DMARC, SPF, and/or DKIM on the message to see if it is legitimate. First, check that the From domain is correct. Then look for an Authentication-Results header in the message. Only trust it if it is surrounded by headers added by your email infrastructure (the systems your company uses to receive your mail). It will tell you which of DMARC, SPF, and DKIM passed. You're looking for DMARC alignment (a DKIM header whose d= value matches the From header's domain, or an SPF approval, which means finding the SPF record for the From domain and verifying that the IP of the system connecting to your MX record is approved). There are tools like G Suite Toolbox Messageheader that can look this up for you (but it'll be Google-centric). If SPF or DKIM pass with alignment, the message is probably legitimately sent by that domain's infrastructure (but you don't know if it was sent by a compromised account).

Adam Katz
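The alignment check described in this answer, as an added example that is not part of the original answer or of any tool the answer names: it reads the From domain, takes only the Authentication-Results header stamped by our own receiving MX (an untrusted authserv-id is ignored, which covers the "only trust it if your infrastructure added it" point), and reports whether DKIM (header.d) or SPF (smtp.mailfrom) passed with alignment. The authserv-id `mx.example-receiver.test`, both sample messages and the domain names in them are constructed for this example, and alignment is simplified to "same domain or subdomain" rather than the organizational-domain comparison real DMARC uses.

```python
"""Report DMARC-style alignment from a message's Authentication-Results header."""
import email
import email.utils

# Assumption: the authserv-id our own receiving MX writes into Authentication-Results.
TRUSTED_AUTHSERV_ID = "mx.example-receiver.test"

# Constructed sample: a message company.com's own infrastructure really sent.
LEGIT = """\
Return-Path: <eve.nobody@company.com>
Received: from mail.company.com (mail.company.com [192.0.2.10])
    by mx.example-receiver.test with ESMTPS id abc123
Authentication-Results: mx.example-receiver.test;
    dkim=pass header.d=company.com header.s=sel1;
    spf=pass smtp.mailfrom=company.com;
    dmarc=pass header.from=company.com
From: Eve Nobody <eve.nobody@company.com>
To: Ms. Smith <smith@example-receiver.test>
Subject: Document X regarding Project Y

Dear Ms. Smith, please click on the following link ...
"""

# Constructed sample: same From address, but relayed through an unrelated bulk sender.
# The first Authentication-Results header was not written by our MX, so it is ignored;
# the second shows SPF and DKIM "passing" for a domain that is not aligned with From.
SPOOFED = """\
Return-Path: <bounce@bulk-sender.test>
Authentication-Results: company.com; dkim=pass header.d=company.com
Received: from out1.bulk-sender.test (out1.bulk-sender.test [198.51.100.7])
    by mx.example-receiver.test with ESMTPS id def456
Authentication-Results: mx.example-receiver.test;
    dkim=pass header.d=bulk-sender.test;
    spf=pass smtp.mailfrom=bounce@bulk-sender.test;
    dmarc=fail header.from=company.com
From: Eve Nobody <eve.nobody@company.com>
To: Ms. Smith <smith@example-receiver.test>
Subject: Document X regarding Project Y

Dear Ms. Smith, please click on the following link ...
"""


def parse_auth_results(header_value):
    """Split one Authentication-Results value into (authserv-id, list of result dicts)."""
    clauses = [c.strip() for c in header_value.split(";") if c.strip()]
    authserv_id = clauses[0].split()[0]  # drop an optional version token
    results = []
    for clause in clauses[1:]:
        tokens = clause.split()  # folding whitespace (newline/tab) is handled here
        method, _, result = tokens[0].partition("=")
        props = dict(t.partition("=")[::2] for t in tokens[1:] if "=" in t)
        results.append({"method": method.lower(), "result": result.lower(), **props})
    return authserv_id, results


def domain_of(value):
    """'user@sub.example' -> 'sub.example'; a bare domain is returned unchanged."""
    return value.rsplit("@", 1)[-1].strip("<>").lower()


def aligned(candidate, from_domain):
    """Relaxed alignment: same domain or a subdomain of the From domain.
    Simplification: real DMARC compares organizational domains via the public suffix list."""
    return bool(candidate) and (candidate == from_domain or candidate.endswith("." + from_domain))


def check_alignment(raw_message, trusted_authserv_id=TRUSTED_AUTHSERV_ID):
    """Return which of DKIM/SPF passed *with alignment* according to our own MX."""
    msg = email.message_from_string(raw_message)
    from_domain = domain_of(email.utils.parseaddr(msg.get("From", ""))[1])
    report = {"from_domain": from_domain, "trusted_header_found": False,
              "dkim_aligned": False, "spf_aligned": False}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(value)
        if authserv_id.lower() != trusted_authserv_id:
            continue  # stamped by someone else: a sender can insert such a header itself
        report["trusted_header_found"] = True
        for r in results:
            if r["result"] != "pass":
                continue
            if r["method"] == "dkim" and aligned(r.get("header.d", "").lower(), from_domain):
                report["dkim_aligned"] = True
            if r["method"] == "spf" and aligned(domain_of(r.get("smtp.mailfrom", "")), from_domain):
                report["spf_aligned"] = True
    report["dmarc_aligned"] = report["dkim_aligned"] or report["spf_aligned"]
    return report


if __name__ == "__main__":
    print("legit  :", check_alignment(LEGIT))
    print("spoofed:", check_alignment(SPOOFED))
```

As the answer says, an aligned pass only tells you company.com's infrastructure sent the message; it says nothing about whether Eve's account was the one that composed it, so the out-of-band contact in the accepted answer still applies.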
  • The first sentence feels like a blanket statement that doesn't always work. I have worked on projects where ignoring emails from individuals from certain organisations could get you in a lot of trouble. Of course never opening any email is the safest option, but it is not a very useful one. – Anders Aug 20 '20 at 07:28
  • When failing to provide context and popping out of the blue _without a prior organizational relationship_, there's reason to be suspicious and I stand by that statement. _If there's a relationship in place_, as I said in paragraph two, it may be worth reaching out to a colleague of the supposed message-sender. – Adam Katz Aug 20 '20 at 13:48

A long time ago when I was just out of short trousers and working my first gig as a system administrator I replied to a spam email asking them to stop spamming me.

It turned out the FROM address was actually the spam distribution list and thousands of people received an email from me asking them to stop sending me spam. They then emailed me back to say they weren't sending spam - how could I think such a thing.

Since then I just pass them off to my Bayesian filters.

symcbean