EM-SPF-BYPASSInitial Access

SPF Bypass / Misconfig

Permissive SPF (~all / +all) or include: of large permissive ranges lets attackers send mail that passes SPF from an attacker-controlled IP.

§ Where this technique fits

EM-SPF-BYPASS is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 4 on average.

§ Dossiers chaining this technique

Permissive SPF / DMARC p=none → CEO impersonation BEC
Target publishes SPF ~all and DMARC p=none. Send mail from attacker IP with a forged From: <ceo@target.com>; gateway delivers as-is. Combine with display-name spoof for a credible BEC.
step 4 / 7

§ What commonly comes next

01
Display-Name Spoofing
EM-DISPLAY-SPOOF · Initial Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Permissive SPF / DMARC p=none → CEO impersonation BEC

§ What commonly comes next