easy | EMAIL FORENSICS | 150 pts

Mail Trap

An employee in the finance department received an email claiming to be from the company CFO requesting an urgent wire transfer. The SOC team captured the raw SMTP conversation. Find out what was really sent.

— scenario

Incident report #2026-004

Alert triggered at 09:15 UTC by email-gateway rule SUSPICIOUS-SENDER-MISMATCH.
Recipient: finance@company.local
Claimed sender: ceo@company.com (John Smith, CFO)

Initial triage flagged the email as potentially spoofed: the sending mail server does not match the claimed domain's SPF record. The gateway logged the complete SMTP transaction before delivery.

Analyze the attached SMTP log. Identify the spoofing technique, locate the hidden payload in the email body, and decode the flag.

— challenge file

smtp.log (3 KB)

— write-up

The write-up explains SMTP header spoofing, SPF/DKIM failures, and how attackers use MIME base64 encoding to hide payloads in plain sight.


Step 1 — identify the spoofed header

The From: header claims the email came from ceo@company.com. But the topmost Received: header (added last, by the receiving gateway) shows the actual origin:

Received: from badactor-mail.cc (badactor-mail.cc [185.220.101.47])

The sending server is badactor-mail.cc — completely unrelated to company.com. The SPF check at the bottom of the log confirms this: FAIL.

Also note the Reply-To: header points to payments-processing@badactor-mail.cc — any reply would go to the attacker, not the real CFO.

Step 2 — extract the base64 body

The email headers declare:

Content-Transfer-Encoding: base64

The body contains a single base64 string:

Rk9JTHtzcDAwZjNkX2Zyb21faDM0ZDNyfQ==

Step 3 — decode

python3 -c "import base64; print(base64.b64decode('Rk9JTHtzcDAwZjNkX2Zyb21faDM0ZDNyfQ==').decode())"

Result: FOIL{sp00f3d_from_h34d3r}

Why this attack works

SMTP's MAIL FROM (envelope sender) and the From: header (header sender) are completely independent. A mail server will accept and deliver a message whose From: header says anything at all, because SPF validates only the envelope sender, not the header. Without strict DMARC enforcement (p=reject), which requires the From: domain to align with the SPF- or DKIM-authenticated domain, spoofed emails reach inboxes.

Detection: always check the topmost Received: header and compare the sending host's domain to the claimed From: domain. An SPF FAIL combined with no passing DKIM signature is a strong spoofing indicator.
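As an added example (not part of the challenge or its write-up), the following Python script automates Steps 1 to 3 and the detection check above on a constructed SMTP transcript: it splits the envelope from the DATA section, compares the topmost Received: host and the envelope MAIL FROM domain against the header From: domain, flags the Reply-To mismatch and SPF/DKIM results, and decodes the base64 body. The envelope sender, hostnames, IP placement and Authentication-Results line are assumptions; the base64 body is the string quoted in Step 2.

```python
import re
from email import message_from_string

# Constructed SMTP transcript modelled on the write-up, NOT the challenge's smtp.log;
# the envelope sender, hostnames, IP and Authentication-Results line are assumptions.
TRANSCRIPT = """\
MAIL FROM:<bounce@badactor-mail.cc>
DATA
Received: from badactor-mail.cc (badactor-mail.cc [185.220.101.47]) by gateway.company.local
Authentication-Results: gateway.company.local; spf=fail; dkim=none
From: John Smith <ceo@company.com>
Reply-To: payments-processing@badactor-mail.cc
Content-Transfer-Encoding: base64

Rk9JTHtzcDAwZjNkX2Zyb21faDM0ZDNyfQ==
.
"""

def domain_of(addr):  # lower-cased domain of 'Name <user@host>'; None if no address
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else None

def same_org(host, domain):  # host is the domain itself or one of its subdomains
    return bool(host and domain) and (host == domain or host.endswith("." + domain))

def triage(transcript):  # split envelope from DATA, collect what Steps 1-3 inspect
    mail_from = re.search(r"^MAIL FROM:<([^>]*)>", transcript, re.M).group(1)
    raw = re.search(r"^DATA\r?\n(.*?)\r?\n\.\r?\n", transcript, re.M | re.S).group(1)
    msg = message_from_string(raw)
    hop = re.match(r"from\s+(\S+)", (msg.get_all("Received") or [""])[0])  # topmost hop
    body = msg.get_payload(decode=True)  # honours Content-Transfer-Encoding: base64
    return {
        "header_from": domain_of(msg["From"]),
        "envelope_from": domain_of(mail_from),
        "sending_host": hop.group(1).lower() if hop else None,
        "reply_to": domain_of(msg["Reply-To"]),
        "auth": msg.get("Authentication-Results", "").lower(),
        "body": body.decode("utf-8", "replace") if body else "",
    }

def indicators(f):
    """Spoofing indicators the write-up lists, derived from a triage() findings dict."""
    checks = [
        (not same_org(f["sending_host"], f["header_from"]), "sending host is outside the From: domain"),
        (f["envelope_from"] != f["header_from"], "envelope MAIL FROM domain differs from header From:"),
        (bool(f["reply_to"]) and f["reply_to"] != f["header_from"], "Reply-To: points to another domain"),
        ("spf=fail" in f["auth"] and "dkim=pass" not in f["auth"], "SPF FAIL with no passing DKIM signature"),
    ]
    return [reason for hit, reason in checks if hit]
```

Calling `indicators(triage(TRANSCRIPT))` returns the four indicators the write-up walks through, and `triage(TRANSCRIPT)["body"]` is the decoded flag.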