We've noticed some phishing emails that appear to originate from Truist. What's concerning is that these emails have valid SPF, DKIM, and DMARC checks. The headers show they're sent from what looks like legitimate legacy BB&T infrastructure. Given this situation, does it suggest that their email-sending infrastructure is compromised or misconfigured? How can all three authentication methods pass if these emails are illegitimate?
3 Answers
If you're receiving these messages, it's crucial to check if your mail transfer agent (MTA) is correctly validating DKIM signatures and SPF alignment. If your MTA is working fine but you have suspicious incoming mail, check their SPF record for IP alignment. If that checks out, there’s something shady going on with their signing process.
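One way to do the alignment check this answer describes, offline, on a message's headers. This is an added example, not code from the original poster: it reads the Authentication-Results header your own MTA stamped on the message and tests whether the SPF and DKIM results are actually aligned with the visible From domain (a bare "spf=pass" for some third-party bounce domain does not satisfy DMARC). The sample headers, the `example.com` / `example.net` domains and the `mx.receiver.invalid` authserv-id are all constructed; the organizational-domain helper approximates with the last two labels, where real tooling consults the Public Suffix List.

```python
"""Offline DMARC alignment check over a message's header block (added example)."""
import email
import email.utils
import re

# Constructed sample 1: SPF and DKIM both pass and both align with the From domain,
# which is the situation described in the question (DMARC legitimately passes).
SAMPLE_ALIGNED = """From: "Example Alerts" <alerts@example.com>
Return-Path: <bounces@mail.example.com>
Authentication-Results: mx.receiver.invalid; spf=pass smtp.mailfrom=bounces@mail.example.com; dkim=pass header.d=example.com
Subject: constructed sample
"""

# Constructed sample 2: SPF and DKIM "pass", but for a bulk-sender domain that does
# not align with the From domain, so DMARC should fail even though both say pass.
SAMPLE_UNALIGNED = """From: <alerts@example.com>
Return-Path: <bounces@bulksender.example.net>
Authentication-Results: mx.receiver.invalid; spf=pass smtp.mailfrom=bounces@bulksender.example.net; dkim=pass header.d=bulksender.example.net
Subject: constructed sample
"""


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels (assumption; use the PSL in production)."""
    labels = domain.lower().strip().rstrip('.').split('.')
    return '.'.join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def parse_auth_results(value: str) -> dict:
    """Parse an Authentication-Results value into {method: (result, domain)}.

    Only the clause shapes used by SPF/DKIM/DMARC results are handled; the
    leading authserv-id is skipped and mailbox values are reduced to their domain.
    """
    results = {}
    value = re.sub(r'\s+', ' ', value)           # unfold any folded header lines
    for clause in value.split(';')[1:]:          # [0] is the authserv-id
        m = re.match(r'\s*(\w+)=(\w+)(.*)', clause)
        if not m:
            continue
        method, result, rest = m.groups()
        dm = re.search(r'(smtp\.mailfrom|header\.d|header\.from)=([\w.\-@]+)', rest)
        domain = dm.group(2).split('@')[-1].lower() if dm else None
        results[method.lower()] = (result.lower(), domain)
    return results


def dmarc_alignment(raw_headers: str, relaxed: bool = True) -> dict:
    """Evaluate DMARC identifier alignment for one message's headers.

    relaxed=True compares organizational domains; relaxed=False requires an exact match.
    DMARC passes when at least one of SPF or DKIM both passed and is aligned.
    """
    msg = email.message_from_string(raw_headers)
    from_addr = email.utils.parseaddr(msg.get('From', ''))[1]
    from_domain = from_addr.split('@')[-1].lower()
    ar = parse_auth_results(msg.get('Authentication-Results', ''))

    def aligned(domain):
        if not domain:
            return False
        if relaxed:
            return org_domain(domain) == org_domain(from_domain)
        return domain == from_domain

    spf_result, spf_domain = ar.get('spf', ('none', None))
    dkim_result, dkim_domain = ar.get('dkim', ('none', None))
    spf_ok = spf_result == 'pass' and aligned(spf_domain)
    dkim_ok = dkim_result == 'pass' and aligned(dkim_domain)
    return {
        'from_domain': from_domain,
        'spf_result': spf_result, 'spf_domain': spf_domain, 'spf_aligned': spf_ok,
        'dkim_result': dkim_result, 'dkim_domain': dkim_domain, 'dkim_aligned': dkim_ok,
        'dmarc_pass': spf_ok or dkim_ok,
    }


if __name__ == '__main__':
    for name, sample in (('aligned', SAMPLE_ALIGNED), ('unaligned', SAMPLE_UNALIGNED)):
        print(name, dmarc_alignment(sample))
```

Run it against the raw headers of one of the suspicious messages (paste them into a file and pass the file contents instead of the constructed samples). If the script reports `dmarc_pass` True with the SPF and DKIM domains sitting in the sender's own zone, the message really was sent and signed through infrastructure the sender authorized, which is exactly the case where this answer's advice to check their signing process and report it applies.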
There's been a rise in Direct Send exploits lately, which could allow someone to spoof internal addresses without triggering DMARC protections. With a large organization like Truist, there’s a chance that automated systems could be misused this way, resulting in harmful emails being forwarded to clients.
I think it's essential to report this to their security team. Most likely, their infrastructure is being exploited rather than outright compromised. Possible causes could be an open relay or a compromised mail account using their legitimate mail transfer agents.