Overview
Email message header syntax can be exploited to bypass authentication protocols such as SPF, DKIM, and DMARC. These exploits enable attackers to deliver spoofed emails that appear to originate from trusted sources. Recent research has explored using the originator fields, such as From: and Sender:, to deliver spoofed emails that appear to come from trusted sources. Attackers can abuse these fields to impersonate an originator email address for nefarious purposes.
Description
Email is a primary medium for both personal and business communication. In recent years, mechanisms such as DKIM, SPF, and DMARC have been developed to verify the identity of email senders; however, end-to-end secure email remains an unsolved challenge.
A previous disclosure, dubbed SMTP Smuggling, highlighted ways in which a sender's identity could be spoofed while abusing the SMTP protocol as defined in RFC 5321. Further research shows that email message headers, as defined in the Internet Message Format (RFC 5322, updated by RFC 6854), can also be used to spoof the identity of an email sender.
In a typical scenario, an email passes SPF, DKIM, and DMARC checks, and there is one sender with an envelope header MAIL FROM field that matches the mail header From: and optional Sender: fields. RFC 6854 defines how an email may be sent on behalf of a group, putting multiple email addresses in the mail header From: field.
Using specialized syntax, an attacker can insert multiple addresses in the mail header From: field. Many email clients will parse the From: field to only display the last email address, so a recipient will not know that the email is supposedly from multiple addresses. In this way, an attacker can pretend to be someone familiar to the user.
More specifically, user attacker@example.com could send an email with the From: field formatted as <attacker@example.com>:<spoofed@example.com>. The receiving server may display spoofed@example.com as the sender. Additionally, the sending server may add DKIM signatures and forward the email in a way that aligns with SPF policies, causing the receiving system to treat the message as trusted.
These crafted email headers can take several forms, using combinations of quotation marks and angle-address notation (e.g., <attacker@example.com>), as discussed in Solnser's 2024 blog post: https://blog.slonser.info/posts/email-attacks/. Attackers can also use the null sender <>, or "null reverse path," as specified in RFC 5321 Section 4.5, further complicating genuine sender authentication.
Impact
An attacker can craft email headers to impersonate other users, bypassing DMARC policies and sender verification enforced by a domain owner. Research has demonstrated that multiple email service providers are susceptible to this type of attack.
Solution
Email Service Providers and Administrators
Email service providers should implement measures to ensure that authenticated outgoing email headers are properly verified before signing or relaying messages. Additionally, software built using the Mail Filter (milter) protocol, such as Milterfrom version 1.0.4, has recent updates to better verify authenticated senders for milter-compliant email servers.
Email End Users
Because email sender verification remains challenging, users should exercise caution when responding to emails requesting sensitive information or clicking links that may download or install malicious software. Users that want to verify the originator of an email before clicking links or sharing sensitive information can check the original headers for the From: and Sender: fields by viewing the "Original Message" or "Message Source," depending on the email client.
Acknowledgements
Thanks to Hao Wang and Caleb Sargent from PayPal for reporting these issues. This document was written by Vijay Sarvepalli and Renae Metcalf.
( 7
min )
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Media drivers;
- Network drivers;
- Netfilter;
- TLS protocol;
(CVE-2025-21729, CVE-2025-38227, CVE-2025-38616, CVE-2025-38678)
( 4
min )
The second wave of the Shai-Hulud supply chain attack has spilled over to the Maven ecosystem after compromising more than 830 packages in the npm registry.
The Socket Research Team said it identified a Maven Central package named org.mvnpm:posthog-node:4.18.1 that embeds the same two components associated with Sha1-Hulud: the "setup_bun.js" loader and the main payload "bun_environment.js."
"
South Korea's financial sector has been targeted by what has been described as a sophisticated supply chain attack that led to the deployment of Qilin ransomware.
"This operation combined the capabilities of a major Ransomware-as-a-Service (RaaS) group, Qilin, with potential involvement from North Korean state-affiliated actors (Moonstone Sleet), leveraging Managed Service Provider (MSP)
Enterprises today are expected to have at least 6-8 detection tools, as detection is considered a standard investment and the first line of defense. Yet security leaders struggle to justify dedicating resources further down the alert lifecycle to their superiors.
As a result, most organizations' security investments are asymmetrical, robust detection tools paired with an under-resourced SOC,
If you're using community tools like Chocolatey or Winget to keep systems updated, you're not alone. These platforms are fast, flexible, and easy to work with—making them favorites for IT teams. But there’s a catch...
The very tools that make your job easier might also be the reason your systems are at risk.
These tools are run by the community. That means anyone can add or update packages. Some
Cybersecurity researchers have discovered a new malicious extension on the Chrome Web Store that's capable of injecting a stealthy Solana transfer into a swap transaction and transferring the funds to an attacker-controlled cryptocurrency wallet.
The extension, named Crypto Copilot, was first published by a user named "sjclark76" on May 7, 2024. The developer describes the browser add-on as
The threat actors behind a malware family known as RomCom targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent.
"This is the first time that a RomCom payload has been observed being distributed by SocGholish," Arctic Wolf Labs researcher Jacob Faires said in a Tuesday report.
The activity has been attributed with medium-to-high
The U.S. Federal Bureau of Investigation (FBI) has warned that cybercriminals are impersonating financial institutions with an aim to steal money or sensitive information to facilitate account takeover (ATO) fraud schemes.
The activity targets individuals, businesses, and organizations of varied sizes and across sectors, the agency said, adding the fraudulent schemes have led to more than $262
