Score:-1

Proving Email Origin through Mail Header

sg flag

A supplier appears to have been the victim of a server breach (though they are denying this, which is the point of my question).

This has then caused the directors of our company to make a payment to the scammers.

Looking at the original email, which contained a doctored payment mandate PDF (notably this appears to be an original supplier document, but the bank details have been altered; other than that it even has the scan of the director's signature on it),

the header of the email contains the following information (I'll just paste what I think is relevant):

ip is IP ADDRESS) smtp.rcpttodomain=.co.uk smtp.mailfrom=SUPPLIER DOMAIN.com; dmarc=bestguesspass action=none header.from=SUPPLIER DOMAIN.com; dkim=pass (signature was verified) header.d=SUPPLIER DOMAIN.onmicrosoft.com; dkim=pass (signature was verified) header.d=SUPPLIER DOMAIN.onmicrosoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,2,smtp.mailfrom=SUPPLIER DOMAIN.com] dkim=[1,1,header.d=SUPPLIER DOMAIN.com] dmarc=[1,1,header.from=SUPPLIER DOMAIN.com])

Authentication-Results: spf=pass (sender IP is IP ADDRESS) smtp.mailfrom=SUPPLIER DOMAIN.com; dkim=pass (signature was verified) header.d=SUPPLIER DOMAIN.onmicrosoft.com;dmarc=bestguesspass action=none header.from=SUPPLIER DOMAIN.com;compauth=pass reason=109 Received-SPF: Pass (protection.outlook.com: domain of SUPPLIER DOMAIN.com designates IP ADDRESS as permitted sender) receiver=protection.outlook.com; client-ip=IP ADDRESS; helo=EUR05-VI1-obe.outbound.protection.outlook.com; pr=C Received: from EUR05-VI1-obe.outbound.protection.outlook.com (IP ADDRESS) by CWLGBR01FT041.mail.protection.outlook.com (IP ADDRESS) with Microsoft SMTP

As the supplier is stating that no breach of their system has been made, does this indicatively prove the opposite? As the email has come from their server, does that as such prove a breach of their system?

Equally, looking through the email trails, the scammers registered a domain very similar to the supplier's, bar transposing a character. They then mirrored the email addresses of many existing contacts at the supplier. Does this again give more credence to the idea that they had access to the supplier's system?

HBruijn
in flag
Message headers NOT added by your own MTA were supplied by the client (in the message they supplied to your MTA), and such headers are obviously suspect and subject to manipulation, especially in a spear-phishing attack.
ws flag
There is stuff missing from your post, and there is stuff included which is not relevant. Based on the information here it does look as if the supplier was either compromised or one of their agents was complicit, but you are out of your depth here, and if this escalates beyond the two parties currently involved then your actions and recommendations will be scrutinized. I STRONGLY advise you to get some advice from a good security provider on the matter - I would seek to get agreement with your supplier on whom that should be (but they should NOT be proposing a provider).
HBruijn
in flag
*"As the supplier is stating no breach of their system has been made does this indicatively prove the opposite?"* - No. Arguably the relationship with your supplier and whom to address that fake invoice to is information that could also have been discovered after a *compromise of your own systems.* - *"They then mirror email addresses of many contacts from the supplier"* which is trivial to achieve with a catch-all email address. Regardless, both your own company as well as the supplier that was abused are victims and not the perpetrator.
Matthew Flynn
sg flag
What action can you recommend we take to establish where the breach occurred? As a precaution all passwords have been reset on our end anyway. The big pointers to the thinking that it is the supplier who was compromised are that 1. they have a copy of a signed mandate (albeit an edited one) with the actual director's signature; 2. they somehow know of other contacts at the supplier who were not involved in the original email chain; 3. the emails were sent to the supplier contact who has been put on garden leave and has since left the company (with no explanation as to why).
Score:1
fr flag
anx

No, the doctored quotes you provided prove nothing without significant context. The headers may have been sent along and not contain information validated on your end, or they may have been inserted by a compromised system on your end.

Neither does the knowledge of the accounts used on their end provide proof of a previous compromise on either end. That information might have been taken from the mailbox of another customer of theirs, possibly not even one you know of.

However, the message may still carry signatures and such signatures may still be useful. If you are able to validate it on a known-good system, they may establish that the actual business party has had an account, server or service provider of theirs compromised.

Also note, while that is not definitive proof either way, the party that tricked you into misdirecting the payment might not have needed a separate domain if they had succeeded in fully compromising your business partner. Thus, the fact that you see they bothered to register a domain for the attack is a weak pointer in the direction of the mistake being entirely on your end.

As was already suggested in comments, I strongly recommend you have further analysis conducted and your next steps planned by a specialised security provider. You just do not know whether one or multiple unauthorized parties are able to read and/or modify your mail communication.

Matthew Flynn
sg flag
Thank you for your reply. The supplier has confirmed that emails sent by ourselves are on their system (though early on and verbally). So we do know the emails we sent to @supplier were being received. Is there anything we can do from our end to try to validate any of the emails? As I mentioned in the comment above, somehow the scammers have managed to get hold of a signed mandate from the supplier and simply overlaid the fraudulent bank details. This document holds a scan of the director's signature.
anx
fr flag
anx
Well, are you able to validate the signature after copying the message to a known-good system? If you do not know how to do that yourself, contract someone who can, which is something you very much should do anyway.
Matthew Flynn
sg flag
Could you give a bit more detail on what would be a known-good system? There's only really me here - the email system has had no issues since - I do have personal email systems I could potentially use?
Matthew Flynn
sg flag
And then would the header information be considered clean? How would you then test the file for its origin?
anx
fr flag
anx
?? The same file in a different place.. is still the same file. Again, if you do not know how to execute and how to interpret the result of a potentially possible signature validation.. get someone to do it for you.
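As an added example (not code from the thread or from any of its posters), a small Python triage of the Authentication-Results headers in a raw message: it trusts only the copies stamped by the receiving MTA's own authserv-id (assumed here to be protection.outlook.com, as the quoted headers suggest), treats any other copy as sender-supplied, and points out that a dkim=pass for the .onmicrosoft.com signing domain attests to that domain rather than the supplier's, and that dmarc=bestguesspass means no DMARC record is published. The message, domains and IP are constructed placeholders.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample modelled on the headers quoted in the question; the second
# Authentication-Results header stands in for one that arrived inside the message.
RAW_MESSAGE = """\
Authentication-Results: protection.outlook.com; spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=supplier.example.com; dkim=pass (signature was verified) header.d=supplier.onmicrosoft.com; dmarc=bestguesspass action=none header.from=supplier.example.com
Authentication-Results: unknown-relay.example; dkim=pass header.d=supplier.example.com; dmarc=pass header.from=supplier.example.com
From: Accounts <accounts@supplier.example.com>
Subject: Updated payment mandate

Please see the attached mandate.
"""
COMMENT = re.compile(r"\([^)]*\)")  # RFC 8601 comments such as "(signature was verified)"

def parse_auth_results(value):
    """Split one Authentication-Results value into (authserv-id, list of results)."""
    parts = [p.strip() for p in COMMENT.sub("", value).split(";") if p.strip()]
    results = []
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append({"method": method, "result": result, "props": props})
    return parts[0].split()[0], results

def aligned(signing_domain, from_domain):
    """Relaxed DMARC-style alignment: same domain, or one is a subdomain of the other."""
    a, b = signing_domain.lower(), from_domain.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def triage(raw, trusted_authserv_ids):
    """Return (severity, finding) pairs; only headers stamped by our own MTA are trusted."""
    msg = message_from_string(raw, policy=default)
    from_domain = msg["From"].addresses[0].domain
    findings = []
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(str(value))
        if authserv_id.lower() not in trusted_authserv_ids:  # sender-supplied, per HBruijn's comment
            findings.append(("untrusted", f"header stamped by '{authserv_id}' was not added by our MTA"))
            continue
        for r in results:
            if r["method"] == "dkim" and r["result"] == "pass":
                d = r["props"].get("header.d", "")
                if not aligned(d, from_domain):
                    findings.append(("info", f"DKIM pass attests to {d}, which does not align with From domain {from_domain}"))
            if r["method"] == "dmarc" and r["result"] == "bestguesspass":
                findings.append(("info", "dmarc=bestguesspass: From domain publishes no DMARC record; heuristic, not a DMARC pass"))
    return findings
```

Run it against a message exported from the known-good mailbox anx describes; a DKIM signature itself still has to be cryptographically verified there, which this triage does not do.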