Mailsploit: The Undetectable Spoofing Attack [Updated 2019]

August 26, 2019 by

Megan Sawle

Pentester Sabri Haddouche just uncovered a major new email spoofing tactic. Named Mailsploit, the technique leverages bugs in email clients and allows hackers to launch undetectable email spoofing attacks. Over 30 email applications are vulnerable to attack, including popular clients like Microsoft Outlook 2016, Apple Mail, Yahoo! Mail and more.

Mailsploit easily passes through email servers and circumvents established spoofing protection tools like DMARC and spam filters. Emails sent with Mailsploit appear to come from totally legitimate senders. In most cases, unless email headers are inspected by technicians, emails sent using Mailsploit are undetectable.

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

Demo Now

It gets worse: According to Haddouche, emails sent using Mailsploit are virtually unstoppable at this point in time.

Where Do We Go From Here?

In a post-Mailsploit world, it is now more important than ever to avoid sending sensitive and confidential information over email. Email users everywhere must assume no information sent via email is secure.

Here are four ways you can fight Mailsploit and other email-based threats with security awareness training:

1. Teach Your Workforce Email Use Best Practices

Mailsploit is not the first email-based security threat facing your workforce — everyday they receive phishing emails and malware from hackers trying to breach your systems. Many of these attacks are developed to circumvent technical controls, leaving it up to your team to spot and prevent hacking attempts. It’s essential your security awareness training program covers email-based threats in detail and reinforces email use best practices.

Want to learn more about phishing? Here's an article on 10 Most Common Phishing Attacks!

2. Ask Your Workforce to Verify Email Sender Identity

Always take time to evaluate emails you receive before replying. If you don’t know the sender or it's unusual for the sender to contact you, find another way to contact the sender other than email.

3. Educate Your Workforce About the Dangers of Sharing Sensitive Information Via Email

Email should never include sensitive information. This was true before the discovery of Mailsploit and remains especially true now. As soon as information leaves your network, you lose control over how the data is used and shared. Always call or find another way to communicate sensitive information.

4. Enroll Your Workforce in Ongoing Security Awareness Training

New security threats like Mailsploit emerge everyday. Enrolling your team in engaging security awareness training will keep them current on these threats and teach them the value of secure behavior.

SecurityIQ by InfoSec Institute integrates security awareness training, phishing simulations and personalized learning in one platform. It self-evolves with employees’ security aptitudes, roles and learning styles to create personalized learning experiences that motivate everyone to care about security and change their behaviors. This gives you more time to patch technical vulnerabilities, while ensuring your human firewall remains secure.

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

VIEW PRICING