cti/enterprise-attack/attack-pattern/attack-pattern--e1c2db92-7ae3-4e6a-90b4-157c1c1565cb.json

{
    "type": "bundle",
    "id": "bundle--0b1a83ec-2f2a-4224-a681-6f9c71624b28",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "attack-pattern",
            "id": "attack-pattern--e1c2db92-7ae3-4e6a-90b4-157c1c1565cb",
            "created": "2025-03-24T16:52:14.061Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": true,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1672",
                    "external_id": "T1672"
                },
                {
                    "source_name": "Cloudflare DMARC, DKIM, and SPF",
                    "description": "Cloudflare. (n.d.). What are DMARC, DKIM, and SPF?. Retrieved April 8, 2025.",
                    "url": "https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/"
                },
                {
                    "source_name": "DMARC-overview",
                    "description": "DMARC. (n.d.). Retrieved March 24, 2025.",
                    "url": "https://dmarc.org/overview"
                },
                {
                    "source_name": "ic3-dprk",
                    "description": "FBI, State Department, NSA. (2024, May 2). North Korean Actors Exploit Weak DMARC Security Policies to Mask Spearphishing Efforts. Retrieved April 2, 2025.",
                    "url": "https://www.ic3.gov/CSA/2024/240502.pdf"
                },
                {
                    "source_name": "Proofpoint TA427 April 2024",
                    "description": "Lesnewich, G. et al. (2024, April 16). From Social Engineering to DMARC Abuse: TA427\u2019s Art of Information Gathering. Retrieved May 3, 2024.",
                    "url": "https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering"
                },
                {
                    "source_name": "Proofpoint-DMARC",
                    "description": "Proofpoint. (n.d.). Retrieved March 24, 2025.",
                    "url": "https://www.proofpoint.com/us/threat-reference/dmarc"
                },
                {
                    "source_name": "Barnea DirectSend",
                    "description": "Tom Barnea. (2025, September 9). Ongoing Campaign Abuses Microsoft 365\u2019s Direct Send to Deliver Phishing Emails. Retrieved September 24, 2025.",
                    "url": "https://www.varonis.com/blog/direct-send-exploit"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "modified": "2026-04-14T22:54:37.081Z",
            "name": "Email Spoofing",
            "description": "Adversaries may fake, or spoof, a sender\u2019s identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.(Citation: Proofpoint TA427 April 2024) In addition to actual email content, email headers (such as the FROM header, which contains the email address of the sender) may also be modified. Email clients display these headers when emails appear in a victim's inbox, which may cause modified emails to appear as if they were from the spoofed entity. \n\nThis behavior may succeed when the spoofed entity either does not enable or enforce identity authentication tools such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and/or Domain-based Message Authentication, Reporting and Conformance (DMARC).(Citation: Cloudflare DMARC, DKIM, and SPF)(Citation: DMARC-overview)(Citation: Proofpoint-DMARC) Even if SPF and DKIM are configured properly, spoofing may still succeed when a domain sets a weak DMARC policy such as `v=DMARC1; p=none; fo=1;`. This means that while DMARC is technically present, email servers are not instructed to take any filtering action when emails fail authentication checks.(Citation: Proofpoint TA427 April 2024)(Citation: ic3-dprk)\n\nAdversaries may abuse Microsoft 365\u2019s Direct Send functionality to spoof internal users by using internal devices like printers to send emails without authentication.(Citation: Barnea DirectSend) Adversaries may also abuse absent or weakly configured SPF, SKIM, and/or DMARC policies to conceal social engineering attempts(Citation: ic3-dprk) such as [Phishing](https://attack.mitre.org/techniques/T1566). They may also leverage email spoofing for [Impersonation](https://attack.mitre.org/techniques/T1656) of legitimate external individuals and organizations, such as journalists and academics.(Citation: ic3-dprk)",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "stealth"
                }
            ],
            "x_mitre_attack_spec_version": "3.3.0",
            "x_mitre_deprecated": false,
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "x_mitre_is_subtechnique": false,
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_platforms": [
                "Office Suite",
                "Windows",
                "macOS",
                "Linux"
            ],
            "x_mitre_version": "1.1"
        }
    ]
}