+1 (512) 588 6950
Note: sanitization of these screenshots was performed to protect the identities of stakeholders involved.
On my most recent learning, I discovered that missing DMARC policy is not something that you should take lightly. If your organization does not have that implemented, I strongly suggest that you do so. DMARC (Domain-based Message Authentication, Reporting, and Comformance) is responsible to ensure that your organization’s domain cannot be spoofed to craft malicious messages.
For more information about DMARC: https://dmarc.org/
Below is the step-by-step tutorial on what I did to be able to send a spoofed phishing e-mail to my client. Please note that in order for a higher chance of success, this phishing is best used if the client has SPF (Sender Policy Framework) soft-policy or no-policy configured. Otherwise it might just go to SPAM. Use the SPF checker to determine if this policy is configured on the target domain.
2. Before you can send an e-mail from your Kali, you would have to install sendmail. You can do this by using the following command: sudo apt-get install sendmail
3. Start the sendmail service using systemctl
4. Craft your spoofed e-mail. Here, I am using python3 — so on your Linux terminal, type “python3”. Here is an example of my spoofed phishing e-mail requesting for a sensitive document to be sent.
Let’s break this down.
Once the message is sent, it will take a few minutes before it gets delivered to the target. In my case, I received the following e-mail after a successful launch.
Pretty awesome attack vector if you ask me. See how missing DMARC and SPF policies can be dangerous?
IMPACT: Attacker may be able to leverage this attack vector to send e-mails to your customers or other staff members within the company. This action may have negative financial, reputational, and operational impact on the organization.