Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >ATTACK
  3. >Defense Evasion
  4. >ATTACK-T1672
ATTACK-T1672Active

Email Spoofing

Statement

Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.(Citation: Proofpoint TA427 April 2024) In addition to actual email content, email headers (such as the FROM header, which contains the email address of the sender) may also be modified. Email clients display these headers when emails appear in a victim's inbox, which may cause modified emails to appear as if they were from the spoofed entity.

This behavior may succeed when the spoofed entity either does not enable or enforce identity authentication tools such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and/or Domain-based Message Authentication, Reporting and Conformance (DMARC).(Citation: Cloudflare DMARC, DKIM, and SPF)(Citation: DMARC-overview)(Citation: Proofpoint-DMARC) Even if SPF and DKIM are configured properly, spoofing may still succeed when a domain sets a weak DMARC policy such as v=DMARC1; p=none; fo=1;. This means that while DMARC is technically present, email servers are not instructed to take any filtering action when emails fail authentication checks.(Citation: Proofpoint TA427 April 2024)(Citation: ic3-dprk)

Adversaries may abuse Microsoft 365’s Direct Send functionality to spoof internal users by using internal devices like printers to send emails without authentication.(Citation: Barnea DirectSend) Adversaries may also abuse absent or weakly configured SPF, SKIM, and/or DMARC policies to conceal social engineering attempts(Citation: ic3-dprk) such as Phishing. They may also leverage email spoofing for Impersonation of legitimate external individuals and organizations, such as journalists and academics.(Citation: ic3-dprk)

Location

Tactic
Defense Evasion

Technique Details

Identifier
ATTACK-T1672
ATT&CK Page
View on MITRE

Tactics

Defense Evasion

Platforms

Office SuiteWindowsmacOSLinux

Detection

Detection Strategy for Email Spoofing

Mitigations

Software Configuration: Software configuration refers to making security-focused adjustments to the settings of applications, middleware, databases, or other software to mitigate potential threats. These changes help reduce the attack surface, enforce best practices, and protect sensitive data. This mitigation can be implemented through the following measures:

Conduct a Security Review of Application Settings:

  • Review the software documentation to identify recommended security configurations.
  • Compare default settings against organizational policies and compliance requirements.

Implement Access Controls and Permissions:

  • Restrict access to sensitive features or data within the software.
  • Enforce least privilege principles for all roles and accounts interacting with the software.

Enable Logging and Monitoring:

  • Configure detailed logging for key application events such as authentication failures, configuration changes, or unusual activity.
  • Integrate logs with a centralized monitoring solution, such as a SIEM.

Update and Patch Software Regularly:

  • Ensure the software is kept up-to-date with the latest security patches to address known vulnerabilities.
  • Use automated patch management tools to streamline the update process.

Disable Unnecessary Features or Services:

  • Turn off unused functionality or components that could introduce vulnerabilities, such as debugging interfaces or deprecated APIs.

Test Configuration Changes:

  • Perform configuration changes in a staging environment before applying them in production.
  • Conduct regular audits to ensure that settings remain aligned with security policies.

Tools for Implementation

Configuration Management Tools:

  • Ansible: Automates configuration changes across multiple applications and environments.
  • Chef: Ensures consistent application settings through code-based configuration management.
  • Puppet: Automates software configurations and audits changes for compliance.

Security Benchmarking Tools:

  • CIS-CAT: Provides benchmarks and audits for secure software configurations.
  • Aqua Security Trivy: Scans containerized applications for configuration issues.

Vulnerability Management Solutions:

  • Nessus: Identifies misconfigurations and suggests corrective actions.

Logging and Monitoring Tools:

  • Splunk: Aggregates and analyzes application logs to detect suspicious activity.

No cross-framework mappings available

← Back to Defense Evasion
Defense Evasion183 controls
ATTACK-T1006Direct Volume AccessATTACK-T1014RootkitATTACK-T1027Obfuscated Files or InformationATTACK-T1027.001Binary PaddingATTACK-T1027.002Software PackingATTACK-T1027.003SteganographyATTACK-T1027.004Compile After DeliveryATTACK-T1027.005Indicator Removal from ToolsATTACK-T1027.006HTML SmugglingATTACK-T1027.007Dynamic API ResolutionATTACK-T1027.008Stripped PayloadsATTACK-T1027.009Embedded PayloadsATTACK-T1027.010Command ObfuscationATTACK-T1027.011Fileless StorageATTACK-T1027.012LNK Icon SmugglingATTACK-T1027.013Encrypted/Encoded FileATTACK-T1027.014Polymorphic CodeATTACK-T1027.015CompressionATTACK-T1027.016Junk Code InsertionATTACK-T1027.017SVG SmugglingATTACK-T1036MasqueradingATTACK-T1036.001Invalid Code SignatureATTACK-T1036.002Right-to-Left OverrideATTACK-T1036.003Rename Legitimate UtilitiesATTACK-T1036.004Masquerade Task or ServiceATTACK-T1036.005Match Legitimate Resource Name or LocationATTACK-T1036.006Space after FilenameATTACK-T1036.007Double File ExtensionATTACK-T1036.008Masquerade File TypeATTACK-T1036.009Break Process TreesATTACK-T1036.010Masquerade Account NameATTACK-T1036.011Overwrite Process ArgumentsATTACK-T1036.012Browser FingerprintATTACK-T1055Process InjectionATTACK-T1055.001Dynamic-link Library InjectionATTACK-T1055.002Portable Executable InjectionATTACK-T1055.003Thread Execution HijackingATTACK-T1055.004Asynchronous Procedure CallATTACK-T1055.005Thread Local StorageATTACK-T1055.008Ptrace System CallsATTACK-T1055.009Proc MemoryATTACK-T1055.011Extra Window Memory InjectionATTACK-T1055.012Process HollowingATTACK-T1055.013Process DoppelgängingATTACK-T1055.014VDSO HijackingATTACK-T1055.015ListPlantingATTACK-T1070Indicator RemovalATTACK-T1070.001Clear Windows Event LogsATTACK-T1070.002Clear Linux or Mac System LogsATTACK-T1070.003Clear Command HistoryATTACK-T1070.004File DeletionATTACK-T1070.005Network Share Connection RemovalATTACK-T1070.006TimestompATTACK-T1070.007Clear Network Connection History and ConfigurationsATTACK-T1070.008Clear Mailbox DataATTACK-T1070.009Clear PersistenceATTACK-T1070.010Relocate MalwareATTACK-T1078Valid AccountsATTACK-T1078.001Default AccountsATTACK-T1078.002Domain AccountsATTACK-T1078.003Local AccountsATTACK-T1078.004Cloud AccountsATTACK-T1112Modify RegistryATTACK-T1127Trusted Developer Utilities Proxy ExecutionATTACK-T1127.001MSBuildATTACK-T1127.002ClickOnceATTACK-T1127.003JamPlusATTACK-T1134Access Token ManipulationATTACK-T1134.001Token Impersonation/TheftATTACK-T1134.002Create Process with TokenATTACK-T1134.003Make and Impersonate TokenATTACK-T1134.004Parent PID SpoofingATTACK-T1134.005SID-History InjectionATTACK-T1140Deobfuscate/Decode Files or InformationATTACK-T1197BITS JobsATTACK-T1202Indirect Command ExecutionATTACK-T1205Traffic SignalingATTACK-T1205.001Port KnockingATTACK-T1205.002Socket FiltersATTACK-T1207Rogue Domain ControllerATTACK-T1211Exploitation for Defense EvasionATTACK-T1216System Script Proxy ExecutionATTACK-T1216.001PubPrnATTACK-T1216.002SyncAppvPublishingServerATTACK-T1218System Binary Proxy ExecutionATTACK-T1218.001Compiled HTML FileATTACK-T1218.002Control PanelATTACK-T1218.003CMSTPATTACK-T1218.004InstallUtilATTACK-T1218.005MshtaATTACK-T1218.007MsiexecATTACK-T1218.008OdbcconfATTACK-T1218.009Regsvcs/RegasmATTACK-T1218.010Regsvr32ATTACK-T1218.011Rundll32ATTACK-T1218.012VerclsidATTACK-T1218.013MavinjectATTACK-T1218.014MMCATTACK-T1218.015Electron ApplicationsATTACK-T1220XSL Script ProcessingATTACK-T1221Template InjectionATTACK-T1222File and Directory Permissions ModificationATTACK-T1222.001Windows File and Directory Permissions ModificationATTACK-T1222.002Linux and Mac File and Directory Permissions ModificationATTACK-T1480Execution GuardrailsATTACK-T1480.001Environmental KeyingATTACK-T1480.002Mutual ExclusionATTACK-T1484Domain or Tenant Policy ModificationATTACK-T1484.001Group Policy ModificationATTACK-T1484.002Trust ModificationATTACK-T1497Virtualization/Sandbox EvasionATTACK-T1497.001System ChecksATTACK-T1497.002User Activity Based ChecksATTACK-T1497.003Time Based ChecksATTACK-T1535Unused/Unsupported Cloud RegionsATTACK-T1542Pre-OS BootATTACK-T1542.004ROMMONkitATTACK-T1542.005TFTP BootATTACK-T1548.006TCC ManipulationATTACK-T1550Use Alternate Authentication MaterialATTACK-T1550.001Application Access TokenATTACK-T1550.002Pass the HashATTACK-T1550.003Pass the TicketATTACK-T1550.004Web Session CookieATTACK-T1553Subvert Trust ControlsATTACK-T1553.001Gatekeeper BypassATTACK-T1553.002Code SigningATTACK-T1553.003SIP and Trust Provider HijackingATTACK-T1553.004Install Root CertificateATTACK-T1553.005Mark-of-the-Web BypassATTACK-T1553.006Code Signing Policy ModificationATTACK-T1562Impair DefensesATTACK-T1562.001Disable or Modify ToolsATTACK-T1562.002Disable Windows Event LoggingATTACK-T1562.003Impair Command History LoggingATTACK-T1562.004Disable or Modify System FirewallATTACK-T1562.006Indicator BlockingATTACK-T1562.007Disable or Modify Cloud FirewallATTACK-T1562.008Disable or Modify Cloud LogsATTACK-T1562.009Safe Mode BootATTACK-T1562.010Downgrade AttackATTACK-T1562.011Spoof Security AlertingATTACK-T1562.012Disable or Modify Linux Audit SystemATTACK-T1562.013Disable or Modify Network Device FirewallATTACK-T1564Hide ArtifactsATTACK-T1564.001Hidden Files and DirectoriesATTACK-T1564.002Hidden UsersATTACK-T1564.003Hidden WindowATTACK-T1564.004NTFS File AttributesATTACK-T1564.005Hidden File SystemATTACK-T1564.006Run Virtual InstanceATTACK-T1564.007VBA StompingATTACK-T1564.008Email Hiding RulesATTACK-T1564.009Resource ForkingATTACK-T1564.010Process Argument SpoofingATTACK-T1564.011Ignore Process InterruptsATTACK-T1564.012File/Path ExclusionsATTACK-T1564.013Bind MountsATTACK-T1564.014Extended AttributesATTACK-T1578Modify Cloud Compute InfrastructureATTACK-T1578.001Create SnapshotATTACK-T1578.002Create Cloud InstanceATTACK-T1578.003Delete Cloud InstanceATTACK-T1578.004Revert Cloud InstanceATTACK-T1578.005Modify Cloud Compute ConfigurationsATTACK-T1599Network Boundary BridgingATTACK-T1599.001Network Address Translation TraversalATTACK-T1600Weaken EncryptionATTACK-T1600.001Reduce Key SpaceATTACK-T1600.002Disable Crypto HardwareATTACK-T1601Modify System ImageATTACK-T1601.001Patch System ImageATTACK-T1601.002Downgrade System ImageATTACK-T1610Deploy ContainerATTACK-T1612Build Image on HostATTACK-T1620Reflective Code LoadingATTACK-T1622Debugger EvasionATTACK-T1647Plist File ModificationATTACK-T1656ImpersonationATTACK-T1666Modify Cloud Resource HierarchyATTACK-T1672Email SpoofingATTACK-T1678Delay ExecutionATTACK-T1679Selective Exclusion