During phishing campaigns or red teaming projects, the offensive security team of Comsec sometimes faces challenges in delivering phishing emails to the targeted company’s employees. In particular, this concerns companies which rely on Google’s G-Suite email services; this is because G-Suite implements certain highly mature and complex spam and phishing filtering features. The following are some of the challenges that we face and the techniques we use to circumvent such obstacles:
0x1 – Extra information next to sender’s name
The first and most obvious problem that you notice when you send a phishing email against a targeted company which uses G-Suite is that the recipient of the email will be presented with extra information next to the sender’s address. In particular, “via” followed by the third-party email delivery domain name.
This is triggered because the domain the phishing email was sent from does not match the domain in the "From:" address.
This issue can be solved by adding the domain name or IP address of the third-party email delivery service in the SPF record of the phishing domain.
0x2 – Gmail couldn’t verify the sender
"Gmail couldn't verify that [domain name] actually sent this message (and not a spammer)."
Gmail changes the avatar of the sender into a red question mark and the alt text shows the above warning message. This is because of domain authentication.
The solution is to add the Sender Policy Framework (SPF) and Domain Keys Identified Email (DKIM) records on the phishing domain. Please note that some third-party email delivery service providers make available an option to add these records in automated way.
0x3 - Sender name spoofing
“Be careful with this message
[Sender name] is similar to a name in your organization, but the email address does not belong to your domain or [company name]. Gmail couldn’t verify that it actually came from [email address]. Avoid replying to this email unless you reach out to the sender by other means to ensure that this email address is legitimate.”
This warning message appears when you try to send a phishing email on behalf of existing employees (spoofed employee names). For instance, if firstname.lastname@example.org is a valid email address and you intend to send a phishing email on behalf of “John Doe” using the email address email@example.com.
This warning can be bypassed by slightly changing the “From:” address. For instance, sending the phishing email from firstname.lastname@example.org will clear the warning message away.
0x4 – Suspicious External Link
“The link leads to an untrusted site. Do you want to proceed to [domain name]?”.
This warning message pops up when the email body contains a hyperlink pointing to the phishing site. This protection measure implemented by Gmail can be bypassed in the following manner:
• Make sure you have a valid SPF record;
• Add domain verification/ownership record from Google; usually a CNAME or a TXT record (https://postmaster.google.com/managedomains).
0x5 – Related to Typo-squatting Domain
“Be careful with this message. Someone may be trying to trick you by using similar looking characters in their email address or links. For example, replacing the letter ‘O’ with the number ‘0’.”
This warning message is caused by the similarity of the targeted domain and the phishing domain (where the phishing email is originating from). For instance, if you send a phishing email from exomple.com (phishing domain) to example.com (targeted domain, this warning message will be displayed by Gmail.
In order to avoid this issue, it is recommended to set up domain authentication.
Providing domain authentication settings using SPF and DKIM records increases the reputation of the sending domain, which in turn enhances email deliverability. In addition, setting domain verification and domain ownership from Google has a significant and positive impact on the overall outcome of the phishing campaign.
like to learn more about your Phishing readiness,
feel free to contact us and sigh up for our newsletter/Blog