MITRE ATT&CK Technique
Description
Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.(Citation: Proofpoint TA427 April 2024) In addition to actual email content, email headers (such as the FROM header, which contains the email address of the sender) may also be modified. Email clients display these headers when emails appear in a victim's inbox, which may cause modified emails to appear as if they were from the spoofed entity. This behavior may succeed when the spoofed entity either does not enable or enforce identity authentication tools such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and/or Domain-based Message Authentication, Reporting and Conformance (DMARC).(Citation: Cloudflare DMARC, DKIM, and SPF)(Citation: DMARC-overview)(Citation: Proofpoint-DMARC) Even if SPF and DKIM are configured properly, spoofing may still succeed when a domain sets a weak DMARC policy such as `v=DMARC1; p=none; fo=1;`. This means that while DMARC is technically present, email servers are not instructed to take any filtering action when emails fail authentication checks.(Citation: Proofpoint TA427 April 2024)(Citation: ic3-dprk) Adversaries may abuse Microsoft 365’s Direct Send functionality to spoof internal users by using internal devices like printers to send emails without authentication.(Citation: Barnea DirectSend) Adversaries may also abuse absent or weakly configured SPF, SKIM, and/or DMARC policies to conceal social engineering attempts(Citation: ic3-dprk) such as [Phishing](https://attack.mitre.org/techniques/T1566). They may also leverage email spoofing for [Impersonation](https://attack.mitre.org/techniques/T1656) of legitimate external individuals and organizations, such as journalists and academics.(Citation: ic3-dprk)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2025-03-24T16:52:14.061Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may fake, or spoof, a sender’s identity by '
'modifying the value of relevant email headers in order to '
'establish contact with victims under false '
'pretenses.(Citation: Proofpoint TA427 April 2024) In addition '
'to actual email content, email headers (such as the FROM '
'header, which contains the email address of the sender) may '
'also be modified. Email clients display these headers when '
"emails appear in a victim's inbox, which may cause modified "
'emails to appear as if they were from the spoofed entity. \n'
'\n'
'This behavior may succeed when the spoofed entity either does '
'not enable or enforce identity authentication tools such as '
'Sender Policy Framework (SPF), DomainKeys Identified Mail '
'(DKIM), and/or Domain-based Message Authentication, Reporting '
'and Conformance (DMARC).(Citation: Cloudflare DMARC, DKIM, '
'and SPF)(Citation: DMARC-overview)(Citation: '
'Proofpoint-DMARC) Even if SPF and DKIM are configured '
'properly, spoofing may still succeed when a domain sets a '
'weak DMARC policy such as `v=DMARC1; p=none; fo=1;`. This '
'means that while DMARC is technically present, email servers '
'are not instructed to take any filtering action when emails '
'fail authentication checks.(Citation: Proofpoint TA427 April '
'2024)(Citation: ic3-dprk)\n'
'\n'
'Adversaries may abuse Microsoft 365’s Direct Send '
'functionality to spoof internal users by using internal '
'devices like printers to send emails without '
'authentication.(Citation: Barnea DirectSend) Adversaries may '
'also abuse absent or weakly configured SPF, SKIM, and/or '
'DMARC policies to conceal social engineering '
'attempts(Citation: ic3-dprk) such as '
'[Phishing](https://attack.mitre.org/techniques/T1566). They '
'may also leverage email spoofing for '
'[Impersonation](https://attack.mitre.org/techniques/T1656) of '
'legitimate external individuals and organizations, such as '
'journalists and academics.(Citation: ic3-dprk)',
'external_references': [{'external_id': 'T1672',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1672'},
{'description': 'Cloudflare. (n.d.). What are DMARC, '
'DKIM, and SPF?. Retrieved April 8, '
'2025.',
'source_name': 'Cloudflare DMARC, DKIM, and SPF',
'url': 'https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/'},
{'description': 'DMARC. (n.d.). Retrieved March 24, '
'2025.',
'source_name': 'DMARC-overview',
'url': 'https://dmarc.org/overview'},
{'description': 'FBI, State Department, NSA. (2024, '
'May 2). North Korean Actors Exploit '
'Weak DMARC Security Policies to Mask '
'Spearphishing Efforts. Retrieved '
'April 2, 2025.',
'source_name': 'ic3-dprk',
'url': 'https://www.ic3.gov/CSA/2024/240502.pdf'},
{'description': 'Lesnewich, G. et al. (2024, April '
'16). From Social Engineering to '
'DMARC Abuse: TA427’s Art of '
'Information Gathering. Retrieved May '
'3, 2024.',
'source_name': 'Proofpoint TA427 April 2024',
'url': 'https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering'},
{'description': 'Proofpoint. (n.d.). Retrieved March '
'24, 2025.',
'source_name': 'Proofpoint-DMARC',
'url': 'https://www.proofpoint.com/us/threat-reference/dmarc'},
{'description': 'Tom Barnea. (2025, September 9). '
'Ongoing Campaign Abuses Microsoft '
'365’s Direct Send to Deliver '
'Phishing Emails. Retrieved September '
'24, 2025.',
'source_name': 'Barnea DirectSend',
'url': 'https://www.varonis.com/blog/direct-send-exploit'}],
'id': 'attack-pattern--e1c2db92-7ae3-4e6a-90b4-157c1c1565cb',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-09-24T21:03:46.869Z',
'name': 'Email Spoofing',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.3.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Office Suite', 'Windows', 'macOS', 'Linux'],
'x_mitre_version': '1.1'}