Cybercriminals Use DKIM Replay Attacks to Evade Security Filters
According to INKY: “To send scam emails that get past security filters, cybercriminals are misusing real invoices and dispute notifications from well-known firms.”
Attackers have used this method to pose as DocuSign, HelloSign, Apple, PayPal, and other companies.
The researchers note that when generating an invoice or notification, these platforms frequently let users add a custom note or enter a ‘seller name’.
“By entering a phone number and scam instructions into those user-controlled sections, attackers take advantage of this feature. To make sure the malicious content is included in a genuine, vendor-produced message, they then send the generated invoice or dispute notice to an email account under their control.”
Because the emails genuinely originate from reputable senders, they are more likely to reach users' inboxes, and recipients are more likely to fall for the fraud when a message appears to come from a trusted vendor.
INKY: “The message readily passes DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC) checks since it comes directly from the vendor, like PayPal, and is cryptographically signed.”
“The attacker merely transmits the authentic email to their intended recipients after obtaining it. As a result, the message appears genuine, passes email verification, and shows up in inboxes with little to no notice.”
This technique, referred to as a “DKIM replay attack,” enables the emails to get past security measures.
The researchers describe the technique: “A DKIM replay attack happens when a malicious actor copies an authentic email that has been signed by DKIM and then ‘replays’ the identical message to other recipients.”
“The DKIM signature remains valid because the message body and original headers don't change. Because of this, even though the email is being redistributed by an attacker instead of being delivered by the original sender, it still passes DMARC authentication. Attackers purposefully do not alter the message after it has been signed to prevent violating DKIM.”
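The replay property the researchers describe follows directly from how DKIM signs a message. The script below is an added example, not INKY's code: it canonicalizes a message the way DKIM does (relaxed mode, RFC 6376), signs it, and then verifies the unchanged message when it is delivered to a different envelope recipient a day later. The signature survives the replay; the example also evaluates the two indicators a receiving filter has, the signature's own expiry (the `x=` tag) and the mismatch between the SMTP envelope recipient and the signed To/Cc addresses. The RSA signature is replaced by an HMAC over the same signed data so the example runs on the Python standard library alone (a stated simplification); the vendor domain, key, addresses and invoice text are constructed.

```python
"""Why a replayed DKIM-signed message still verifies, plus two defender-side checks.

Added example; this is not INKY's code. Body and header canonicalization follow the
"relaxed" rules of RFC 6376 (sections 3.4.2 and 3.4.4). The RSA signature is stood in
for by an HMAC over the same signed data (a stated simplification so the example runs
on the Python standard library); the replay property is the same either way.
"""
import base64
import hashlib
import hmac
import re

SIGNED_HEADERS = ["from", "to", "subject", "date"]   # the h= list


def relaxed_body(body: str) -> bytes:
    # RFC 6376 3.4.4: strip trailing WSP per line, collapse WSP runs, drop trailing
    # empty lines, and use CRLF line endings.
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def body_hash(body: str) -> str:
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def relaxed_header(name: str, value: str) -> bytes:
    # RFC 6376 3.4.2: lowercase the name, unfold, collapse WSP, trim around the colon.
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "").replace("\n", "")).strip()
    return f"{name.lower()}:{value}\r\n".encode()


def signed_data(headers: dict, tags: str) -> bytes:
    # Signed headers in h= order, then the DKIM-Signature header itself with an empty b=
    # and no trailing CRLF (RFC 6376 3.7).
    data = b"".join(relaxed_header(h, headers[h]) for h in SIGNED_HEADERS if h in headers)
    return data + relaxed_header("DKIM-Signature", tags + " b=").rstrip(b"\r\n")


def sign(headers: dict, body: str, key: bytes, lifetime_s: int, now: int) -> str:
    """Return the DKIM-Signature header value; x= sets the signature's expiry (RFC 6376 3.5)."""
    tags = (f"v=1; a=hmac-sha256; c=relaxed/relaxed; d=vendor.example; s=sel;"
            f" h={':'.join(SIGNED_HEADERS)}; t={now}; x={now + lifetime_s}; bh={body_hash(body)};")
    mac = hmac.new(key, signed_data(headers, tags), hashlib.sha256).digest()
    return tags + " b=" + base64.b64encode(mac).decode()


def verify(headers: dict, body: str, sig: str, key: bytes, envelope_rcpt: str, now: int) -> dict:
    """Signature check plus two replay indicators a receiving filter can evaluate."""
    tags = {k.strip(): v.strip() for k, v in (t.split("=", 1) for t in sig.split(";") if "=" in t)}
    expected = hmac.new(key, signed_data(headers, sig[: sig.rindex(" b=")]), hashlib.sha256).digest()
    signature_valid = tags["bh"] == body_hash(body) and hmac.compare_digest(expected, base64.b64decode(tags["b"]))
    # Indicator 1: the signature's own expiry. A short x= window limits how long a
    # captured message can be replayed.
    expired = now > int(tags["x"])
    # Indicator 2: the SMTP envelope recipient is not among the signed To/Cc addresses.
    # The signed headers cannot be edited, so a replay to new victims shows this mismatch.
    listed = re.findall(r"[\w.+-]+@[\w.-]+", headers.get("to", "") + " " + headers.get("cc", ""))
    rcpt_in_signed_to = envelope_rcpt.lower() in [a.lower() for a in listed]
    return {"signature_valid": signature_valid, "expired": expired, "rcpt_in_signed_to": rcpt_in_signed_to}


def demo() -> dict:
    """Constructed scenario: the vendor signs an invoice addressed to the attacker's own
    mailbox; the attacker then forwards the identical bytes to a victim a day later."""
    key = b"vendor-signing-key-stand-in"   # constructed
    t0 = 1_700_000_000
    headers = {"from": "Billing <billing@vendor.example>",
               "to": "mailbox@attacker.example",        # account under the attacker's control
               "subject": "Invoice #12345",
               "date": "Tue, 14 Nov 2023 22:13:20 +0000"}
    body = "Seller note: call 555-0100 to dispute this charge\r\n"   # user-controlled field
    sig = sign(headers, body, key, lifetime_s=3600, now=t0)
    return {
        "original": verify(headers, body, sig, key, "mailbox@attacker.example", t0 + 60),
        "replayed": verify(headers, body, sig, key, "victim@corp.example", t0 + 86400),
        # Any edit to the signed content, even one extra line, breaks the signature,
        # which is why replay attackers leave the message untouched.
        "tampered": verify(headers, body + "extra\r\n", sig, key, "victim@corp.example", t0 + 60),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running the script shows `signature_valid` staying true for the replayed copy while `expired` and the recipient mismatch flag it. For a real deployment the same two signals apply: senders can set a short `x=` expiry on transactional mail, and receivers can treat a valid DKIM signature whose signed To/Cc does not contain the envelope recipient as a replay indicator rather than as proof of legitimacy.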
Note: For a stress-free working environment, consider a purpose-built tool such as “PhishNext,” which provides specialized phishing-attack simulations so that users become familiar with such attacks and never fall victim to them.