Once in a while, I get the chance to pull back the curtain on how threat activity works in this column, and a recent question “I got a fake email from Microsoft, but it was the REAL microsoft.com domain – how did they do that?” gives me the opportunity to do so now. Let’s take a look at some of the tricks threat actors use to make you think that spam/threat/phishing email is actually coming from a domain that looks legitimate.
Technique 1: Basic Spoofing
Threat actors are able to manipulate emails in many ways, but the most common is to just force your email application to display something other than the real email 
address they’re sending from. There are several ways to do this, but the most common involves the manipulation of headers. Headers are metadata (data about data) that email systems use to figure out where an email is coming from, where it should go to, who sent it, etc. One of the most common techniques involves using different headers for the display name (which shows up before you hover over the From: address in the message) and the actual email address the mail is coming from (which you can see by hovering over the From: field). This would result in a situation where you get an email from “Microsoft Support ()” and is somewhat easy to spot if you hover over the sender and see what email address it’s really from.
If you’re wondering why email systems don’t reject messages like that, it’s because this situation is a valid feature-set of how email works. Simple Mail Transfer Protocol (SMTP) is the method used by the whole world to send emails, and part of that protocol allows for a display name in addition to an email address. This is how your company’s emails can have the name of the person that sent it to you, or a company can give an email account a friendly name – so there’s a trade-off here. While the feature is legitimate, it can be used for malicious purposes, and you need to look at the actual email address of the sender and not just the display name.
Technique 2: Fake Domains
“OK,” you say, “But I definitely have gotten fake emails that used real email addresses for a company.” While you’re not losing your mind, the emails did not come from the company in question. Threat actors use multiple tricks to make you believe that the email domain that message came from is real. For example, in the last sentence, the words “make,” “believe,” and “domain,” aren’t actually those words at all. They have what is known as a “zero-width space” embedded into them. While this space isn’t visible, it’s still there – and my spell-checker flagged each of the words as mis-spelled because they indeed are. Techniques like this allow a threat actor to send an email from “support@microsoft.com” because they registered that email domain with an invisible space between the letters (between the “m” and the “i” in this case). To the naked eye, the domain looks very much real, but from the perspective of an email system, it is not actually the microsoft.com domain, and therefore is not something that would get extra attention from most security tools.
This same theory can be used in another way. For example, have a look at AMAΖON.COM – notice anything odd there besides it being in all caps? Well, the “Z” in that domain name isn’t a “Z” at all – it’s the capitalized form of the Greek letter Zeta. Utilizing foreign characters and other Unicode symbols is a common way to trick a user into believing that an email is coming from a domain that they know, when in fact it is coming from a domain specifically set up to mislead the user.
There are two ways to defend against this kind of malicious email activity. The first – and most important – is to follow best practices for cyber hygiene. Don’t click on links or open attachments in email, and never assume that an email is from who you think it is from without proof. Did you get an email from a friend with an attachment that you weren’t expecting? Call or text them to check that they sent it. Get an email from your employer with a link in it? Hover over the link to confirm where it goes – or better yet, reach out to your IT team and make sure you are supposed to click on that link. Most companies have begun to send out pre-event emails such as “You will be receiving an invitation link to register for our upcoming event later today. The email will be from our event parter – myevents.com.” in order to make sure users know what is real and what is suspicious if not outright fake.
The second defense is one you can’t control directly, but is happening all the time. Your email provider (your company, Google for GMail, Outlook.com for Microsoft, etc.) is constantly updating lists of known fake, fraudulent, and/or malicious email domains. Once a fake domain goes on the list, emails that come from there get blocked. While this is an effective defense, it can’t work alone as there will always be some time between when a threat actor starts using a new fake domain and when your email provider discovers and blocks it.
In short, that email from that legitimate looking email address may still be fake and looking to trick you. Hovering over the email sender name to see the full and real address and following good cyber hygiene can save you from opening or clicking something that is out to do you, your computer, and/or your company harm.