During a routine penetration test for a mid-size company, our security team discovered something that made the client's CTO go silent on the call for about ten seconds.
We had just sent an email to the company's finance director — from the CEO's email address. The email asked for an urgent wire transfer to a new vendor. It landed in the inbox. No spam filter. No warning banner. No "this email might be suspicious" message. It looked exactly like every other email the CEO had ever sent.
We did this from a laptop in Porto, using a single command, with no access to the company's email infrastructure. No passwords. No hacked accounts. No insider access. Just a misconfigured DNS record that had been sitting in plain sight for over three years.
This is not a theoretical vulnerability. This is how Business Email Compromise (BEC) works in the real world — and it is the single most financially damaging type of cyberattack, responsible for over $2.7 billion in losses in the US alone in 2024 according to the FBI's IC3 report.
What We Found
The company used Microsoft 365 for email, a transactional email service for automated notifications, and a marketing platform for newsletters. A perfectly normal enterprise email setup.
But their DNS records told a different story.
Their DMARC policy was set to "none" — which is the email security equivalent of installing a burglar alarm and then leaving a sign on the door that says "please ignore the alarm." The policy exists, monitoring is enabled, but no action is taken when a spoofed email is detected. The email is delivered anyway.
Their SPF record used a "softfail" configuration ("~all") instead of a "hardfail" ("-all"). In practical terms, this means that when an unauthorized server sends an email pretending to be from their domain, the receiving mail server notes "that looks suspicious" but delivers it to the inbox anyway.
DKIM — the cryptographic signature that lets a receiving server verify that a message was signed with a key published in the sending domain's DNS and was not altered in transit — was not configured for all of their sending services.
The result: anyone on the internet could send an email that appeared to come from any address at their domain, and it would be accepted by Office 365, Outlook, and most other email providers without rejection.
How the Attack Works
The technical barrier to email spoofing is shockingly low. The internet's email protocol — SMTP — was designed in the 1980s without any concept of sender verification. When you send an email, you can write any address you want in the "From" field. The protocol trusts you by default.
SPF, DKIM, and DMARC were invented to fix this fundamental design flaw. They are DNS-based records that tell receiving mail servers how to verify whether an email actually came from an authorized sender. But they only work when configured correctly and set to enforce.
Here is what happens when they are not:
An attacker identifies a target company. They check the company's DNS records — this takes about 30 seconds using any public DNS lookup tool. If DMARC is set to "none" or is missing entirely, the domain is vulnerable.
The attacker connects directly to the target's mail server (the MX record is public) on port 25 — the standard SMTP port that must be open for email to work. They send an email with any "From" address they want. The receiving server checks SPF, sees a softfail, checks DMARC, sees "policy: none", and delivers the email.
The recipient sees an email from their colleague, their boss, or their vendor. It looks real because, from the email system's perspective, it was processed through the same infrastructure as legitimate emails.
In our penetration test, the entire process — from DNS lookup to delivered spoofed email — took less than two minutes.
Why This Is Devastating
Email spoofing is the foundation of the most damaging corporate cyberattacks:
Business Email Compromise (BEC): An attacker sends an email as the CFO to the accounts payable team requesting an urgent wire transfer to a "new vendor account." The email comes from the CFO's exact email address. The finance team has no reason to doubt it. According to the FBI, the average BEC loss is $125,000 per incident — and many go much higher.
Targeted Phishing: An attacker sends an email as IT support to all employees with a link to "update your password." The email comes from an IT-support address at the company's own domain. Employees click, enter their credentials on a convincing login page, and the attacker now has access to the corporate network.
Vendor Fraud: An attacker sends an email to the company's clients pretending to be from the billing department, with updated bank details for future payments. The clients have no reason to verify — the email comes from the real domain.
Malware Distribution: An attacker sends an email as a trusted colleague with a "Q3 report" attachment that contains malware. The recipient opens it without hesitation because it came from someone they know.
Reputation Damage: Even if no money is stolen, discovering that anyone can send emails as your company destroys trust with clients, partners, and regulators.
The Numbers Are Alarming
The scale of this problem is staggering:
According to multiple industry reports, over 70% of corporate domains have DMARC either missing or set to "none" — meaning they are vulnerable to exactly the attack we demonstrated. More than 80% of phishing attacks involve some form of email spoofing. Business Email Compromise grew 65% between 2022 and 2024. The average time to detect a BEC attack is 197 days.
The companies most at risk are mid-size organizations — large enough to have significant financial transactions and complex vendor relationships, but often without dedicated email security expertise. They set up Microsoft 365 or Google Workspace, configure the basics, and never revisit the security settings.
What Makes This Worse
Most companies do not know they are vulnerable. The email system works perfectly — messages send and receive without issues. There is no error, no warning, no indication that the domain is wide open to spoofing.
The DNS records in question are set once during initial domain configuration and rarely reviewed. IT teams focus on keeping email flowing, not on the security policies that protect against impersonation. Many managed IT providers configure the minimum required records (MX and basic SPF) without implementing DMARC enforcement or DKIM signing.
Even companies that have DMARC in place often leave it at "none" indefinitely. The original intent is usually "we will monitor first and enforce later" — but "later" never comes. The monitoring reports go to an inbox that nobody checks, and the policy stays permissive for years.
During our penetration tests over the past two years, we have found this vulnerability in approximately 7 out of 10 companies we assess. It crosses every industry — technology, finance, healthcare, manufacturing, retail. The company size does not matter. The vulnerability is in the configuration, not the technology.
The Solution Exists — But It Requires Expertise
The fix for email spoofing is well-understood: properly configured SPF, DKIM, and DMARC records working together with an enforcement policy. The technical implementation is not complicated — but getting it right without disrupting legitimate email flow requires careful planning, monitoring, and phased enforcement.
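A small audit script that checks a domain's SPF and DMARC TXT records for exactly the weaknesses described in "What We Found" (softfail SPF, DMARC at "none") and for the partial-enforcement and unread-report traps mentioned above. This is an added example, not Privum's tooling; the records are constructed samples (the include: host is the Microsoft 365 SPF include, the mailbox and domain are placeholders), and live records would be fetched with a DNS lookup before being passed in.

```python
import re

def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; None if it is not a DMARC record."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(txt):
    """Qualifier on SPF's 'all' term: '-' hardfail, '~' softfail, '?' neutral, '+' pass; None if not SPF."""
    if not txt.strip().lower().startswith("v=spf1"):
        return None
    for term in txt.split()[1:]:
        match = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if match:
            return match.group(1) or "+"
    return "?"  # no 'all' term: RFC 7208 evaluates unlisted senders as neutral

def audit(spf_txt, dmarc_txt):
    """Return the list of weaknesses found; an empty list means enforcement is on."""
    findings = []
    qualifier = spf_all_qualifier(spf_txt or "")
    if qualifier is None:
        findings.append("SPF: no record")
    elif qualifier != "-":
        findings.append(f"SPF: '{qualifier}all' does not hard-fail unauthorized senders")
    tags = parse_dmarc(dmarc_txt or "")
    if tags is None:
        findings.append("DMARC: no record, spoofed mail is delivered unchallenged")
    else:
        policy = tags.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy or 'missing'} only monitors, no enforcement")
        if tags.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, aggregate reports go nowhere")
    return findings

# Constructed records: the weak setup described above and its corrected form.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
FIXED_SPF = "v=spf1 include:spf.protection.outlook.com -all"
FIXED_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"
```

To check a real domain, pull the two records with "dig +short TXT example.com" and "dig +short TXT _dmarc.example.com" and pass them to audit(); DKIM is not covered here because verifying it requires knowing each sending service's selector name.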
This is exactly the kind of security gap that penetration testing is designed to find. Our cybersecurity team at Privum regularly discovers email spoofing vulnerabilities during authorized security assessments — and we help organizations fix them before attackers exploit them.
If you are not sure whether your company's email is properly protected, or if you want to understand your full security posture, we offer comprehensive cybersecurity assessments that cover email security, cloud configurations, access controls, and compliance readiness.
Is your company's email protected against spoofing? Most are not. Get a free cybersecurity assessment from Privum's security team — we will tell you in 48 hours whether your domain can be impersonated.