How do threat actors use SPF policies in BEC attacks?
Business email compromise, or BEC, is a sophisticated phishing attack conducted primarily through a combination of social engineering and deception to get access to sensitive data, files, systems, networks, etc. It’s attempted mainly by impersonating a company’s C-suite, instructing executives to share data, or authorizing fraudulent wire transfers. For example- an executive receiving an email from a scammer pretending to be their boss, urgently asking them to buy gift cards and sharing the codes. They think it’s real, but it’s actually a trick to steal money!
In the last ten years, more than $55 billion has been lost to BEC scams worldwide, making them one of the most financially damaging cyberattack vectors. Moreover, with the advent of generative artificial intelligence, threat actors are equipped and competent to draft flawless, convincing emails that are devoid of spelling errors, grammatical mistakes, unprofessional language, poor graphics, etc., which are usually considered red flags of malicious emails.
This era of sophisticated BEC attacks demands stronger defenses, and SPF SoftFail may fail to fulfill that. In fact, cybercriminals have devised tactics to exploit this relatively weaker SPF policy to create false legitimacy.
Let’s dive deep into understanding how attackers manipulate SPF policies to bypass security measures.
Understanding SPF in email authentication
SPF is an email authentication protocol that enables domain owners to specify which mail servers are authorized to send emails on their behalf. This is done via a DNS TXT record, which contains a list of approved IP addresses and mechanisms.
When an email reaches the recipient’s server, it first queries the DNS TXT record of the sending domain to retrieve its SPF policy. This record lists the authorized IP addresses allowed to send emails on behalf of the domain. For example, an SPF record like v=spf1 ip4:192.168.1.1 ip4:192.168.2.1 include:_spf.paypal.com -all permits only the specified IPs and those within _spf.paypal.com. The server then checks the actual sending IP against this list. If the IP matches, the email passes; if it doesn’t, it may be flagged or rejected based on the SPF policy.
A strict ‘-all’ enforces rejection (HardFail), while a ‘~all’ allows delivery with warnings (SoftFail), and a ‘?all’ takes no action.
If an adversary tries to send a potential phishing email using a forged ‘MAIL FROM’ domain from an unauthorized IP address, the email will fail SPF authentication checks and be marked as spam or rejected.
Now, all major email service providers, like Google, Microsoft, and Yahoo, use SPF in tandem with DKIM and DMARC to fight BEC and other email-based cyber threats.
How do cybercriminals exploit SPF policies in BEC attacks?
SPF is effective in preventing phishing and spoofing. However, it’s not entirely foolproof, and threat actors have devised ways to exploit its loopholes. Here are some common ways they manipulate SPF records to bypass email security and execute BEC attacks.
Using SPF pass to create false legitimacy
Bad actors register domains and deploy a correctly configured, legitimate SPF record for them so that phishing emails sent by them pass authentication filters. This increases the domain’s credibility, gaining trust with email service providers and ensuring most emails land in the inboxes of the targeted recipients.
In most cases, these domain names mimic some credible business names. Threat actors buy domain names with lookalike characters or slight spelling variations that go unnoticed by users—for example, buying b00king.com to impersonate booking.com.
Such BEC attack tactics are now encouraging businesses to buy as many lookalike or cousin domains as possible to preemptively prevent cybercriminals from exploiting their brand name online.
SPF SoftFail and HardFail bypass
Organizations often misconfigure SPF with SoftFail (~all) instead of enforcing HardFail (-all), allowing unauthorized emails to be delivered even if they fail SPF checks. Some mail servers accept SoftFail emails, assuming they are from legitimate but unverified sources, which attackers exploit.
This way, threat actors take advantage of third-party email accounts or misconfigured relay servers to send phishing emails that easily bypass authentication filters.
Exceeding SPF lookup limits
RFC has imposed a limit of a maximum of 10 DNS lookups per SPF record. If an SPF record exceeds this limit, the validation process fails. Attackers intentionally exploit this limit by adding multiple ‘include:’ statements to the targeted domain’s SPF record, triggering an SPF validation failure.
How to prevent SPF-based BEC attacks?
Business owners need a multi-layered defense strategy to protect their brands from BEC attacks. Here are the key defenses that can help fortify the risks.
Implement strict SPF policies
SPF’s effectiveness depends on which policy you have set. Organizations often misconfigure SPF with SoftFail (~all), allowing unauthorized emails to be delivered instead of rejected. This creates an entry point for cybercriminals, as many mail servers still accept SoftFail emails.
Setting your SPF record to HardFail instead of SoftFail provides optimum protection against targeted BEC attacks. This ensures that unsolicited and illegitimate emails are rejected outright.
Moreover, only authorize services that are necessary for business operations (e.g., Microsoft 365, Google Workspace). Overly permissive SPF policies increase the attack surface.
Using SPF in tandem with DKIM and DMARC
SPF is not enough when it comes to darting off from BEC attacks targeted towards your company. This is because it’s possible to manipulate an email’s ‘From’ field to impersonate a trusted sender and bypass SPF verification checks. This is why DKIM and DMARC should also be a part of your defensive toolkit.
DKIM adds a cryptographic signature to verify email integrity, ensuring the email was not altered in transit. Attackers cannot easily forge DKIM-protected emails. DMARC, on the other hand, allows you to define how an email server should handle SPF or DKIM failures. You can instruct to either mark such emails as spam or reject them outright.
Employee awareness and email security training
Even with the best email authentication policies, BEC attacks often succeed due to human error. Attackers use social engineering tactics to manipulate employees into approving fraudulent transactions, sharing sensitive data, or clicking on malicious links. Training employees to recognize suspicious emails is just as critical as securing email infrastructure.
Educate them on common BEC tactics, such as CEO fraud, invoice scams, and urgent wire transfer requests. Also, encourage them to double-check sender details and use alternate communication channels, like phone calls, to confirm requests.