EM-HEADER-SMUGGLEInitial Access

Email Header Smuggling

Two From: headers, encoded From, RFC-edge cases — one parser sees attacker, another sees victim. Gmail / Outlook variants over the years.

§ Where this technique fits

EM-HEADER-SMUGGLE is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

Header smuggling → gateway sees vendor, mailbox sees attacker
Crafted RFC-edge headers cause SPF/DMARC to validate against one From while Outlook renders the other — slips past Microsoft Defender / Proofpoint and lands as a 'verified' message.
step 2 / 6

§ What commonly comes next

01
WAF Bypass
W-WAF-BYPASS · Defense Evasion
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Header smuggling → gateway sees vendor, mailbox sees attacker

§ What commonly comes next