Could SPF, DKIM, and DMARC Passing Indicate Misconfigurations or Abuse of Email Infrastructure?

Asked By TechieTurtle99 On

We received what seem to be phishing emails from Truist, but interestingly, these emails are passing SPF, DKIM, and DMARC checks. The emails appear to be originating from legitimate infrastructure associated with Truist's legacy systems based on the headers we examined. Given that we noticed this verification success, could it mean that their email infrastructure is compromised or misconfigured? If these checks pass, how can illegitimate emails still get through?

7 Answers

Answered By NetworkNinja88 On

It's possible that a legitimate email account was compromised. If they altered their DNS to set up their own DKIM keys, they may still be using Truist's servers to send emails while appearing authentic. Given that the email looks like it’s coming from within their domains, that could explain the SPF validation.

CuriousCat42 -

Yeah, we faced a similar situation, and later received an apology from the bank when they realized a staff member had their account phished, which led to legit-looking emails being sent to their entire contact list.

Answered By EmailExpert99 On

As the recipient, your mail transfer agent (MTA) should verify DKIM signatures and SPF alignment accurately. If the incoming email seems suspicious but the checks pass, you might want to investigate the SPF records for any IP alignment issues. If that’s all fine, the DKIM signing or the MTA from their end might be problematic.

Answered By InformedUser On

Just a note that since Truist acquired BB&T, all this infrastructure now belongs to them.

Answered By SecuritySleuth On

I've noticed a rise in Direct Send exploits recently. This allows actors to spoof internal addresses while bypassing DMARC protections. Given the size of their operation, this exploitation could have led to significant issues and impacts on their clients, so they may need to disable Direct Send features.

Answered By SysAdminPro On

It seems more likely that their infrastructure is being abused rather than outright compromised. Common reasons include misconfiguration, open relays, or a compromised mailbox sending emails through their legitimate mail transfer agents. Also, some marketing platforms might allow anyone to send emails as @bbandt.com without thorough vetting. Just remember, SPF, DKIM, and DMARC only ensure the mail is from authorized infrastructure, not that the content is legitimate. It’s a good idea to forward the suspicious headers to their security team; they’d want to look into it.
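An added example, not part of this thread, that shows what the receiver's DMARC stage actually decides from SPF and DKIM results: it checks identifier alignment against the From domain, which is why a message sent from an authorized (even if abused) mailbox in the sender's own domain passes, while a message whose SPF and DKIM pass for an unrelated domain does not. The headers, domains and the two-label organizational-domain rule are constructed assumptions (a real evaluator uses the Public Suffix List).

```python
import re

# Constructed sample headers (placeholders, not from any real message).
# Case 1: mail from the bank's own authorized infrastructure, all identifiers aligned.
ALIGNED_HEADERS = {
    "From": "Alerts <alerts@legacy.example-bank.test>",
    "Authentication-Results": (
        "mx.recipient.test; spf=pass smtp.mailfrom=bounce.example-bank.test; "
        "dkim=pass header.d=example-bank.test"
    ),
}
# Case 2: SPF and DKIM both pass, but for a domain unrelated to the From header.
UNALIGNED_HEADERS = {
    "From": "Alerts <alerts@example-bank.test>",
    "Authentication-Results": (
        "mx.recipient.test; spf=pass smtp.mailfrom=bounce.other-sender.test; "
        "dkim=pass header.d=other-sender.test"
    ),
}

def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption: production code consults the Public Suffix List instead."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment: 'r' relaxed (same org domain), 's' strict (exact match)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate_dmarc(headers: dict, spf_mode: str = "r", dkim_mode: str = "r") -> dict:
    """Reproduce the receiver's DMARC decision from an Authentication-Results header."""
    m = re.search(r"@([A-Za-z0-9.-]+)", headers.get("From", ""))
    from_domain = m.group(1) if m else ""
    ar = headers.get("Authentication-Results", "")
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=(?:[^@\s;]+@)?([A-Za-z0-9.-]+)", ar)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([A-Za-z0-9.-]+)", ar)
    spf_ok = bool(spf and spf.group(1) == "pass" and aligned(spf.group(2), from_domain, spf_mode))
    dkim_ok = bool(dkim and dkim.group(1) == "pass" and aligned(dkim.group(2), from_domain, dkim_mode))
    # DMARC passes if at least one authenticated identifier aligns with the From domain.
    return {
        "from_domain": from_domain,
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
    }
```

Note that the aligned case passes regardless of who controls the sending mailbox, which is the point of the answer above: DMARC attests to the infrastructure, not to the content.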

Answered By ThoroughThinker On

While many are suggesting they were compromised, it could simply be a misconfiguration that led to this situation.

Answered By TechWhiz12 On

If DKIM passes, that means the email is signed with the correct key. This suggests either their DNS has been compromised, altering the SPF/DKIM records, or their mail server (which holds the signing key) is compromised.

SharpShooter56 -

Just to clarify, in this case, it's about Truist's infrastructure, not ours.

WiseOwl77 -

Make sure you read carefully before responding!
