Cyber Coach

Phishing

Phishing email: brand impersonation and DMARC

Emails pretending to be your bank, post office, tax agency or a coworker. Defend by reading headers, SPF, DKIM and DMARC.

8 min read, Beginner

Red flags to recognize

  • Sender domain that looks similar to the real one but is not identical (extra word, swapped letters, different TLD)
  • spf=fail, dkim=none or dmarc=fail in the Authentication-Results header; an SPF fail alone is common on forwarded mail, but a DMARC fail against a published p=quarantine or p=reject policy is a strong signal
  • Link whose visible text shows the brand's address while the underlying href points to a different domain (hover or long-press to see the real target)
  • Urgent request for credentials, OTP, card data or password reset
  • Unexpected HTML, ZIP or macro-document attachment
  • Slightly unnatural language or mixed translations
  • Reply-To different from the visible From
  • Reference to an invoice, parcel or case you do not recognize

What to do now

  • Do not click: open the official site manually or use your installed app
  • Open the full headers and check the Authentication-Results (SPF/DKIM/DMARC) and the Received chain with an analyzer; only the results stamped by your own mail gateway are trustworthy, anything above them can be forged
  • Forward the message as attachment to abuse@ or your national CERT
  • If you entered credentials: change the password, revoke active sessions, enable phishing-resistant 2FA (hardware key), audit mailbox forwarding and delegation rules
  • Preserve the original eml file as forensic evidence (hash, timestamp, headers)
  • Warn coworkers or family if the topic concerns them too
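The header and link checks in the red-flags list and in the steps above can be scripted against a saved .eml. The example below is added here and is not Mythos code: it parses a constructed sample message (invented relay, IP and brand domain `taxagency.example`; the lure host is the one quoted in the case below), reads the spf/dkim/dmarc verdicts from Authentication-Results, compares the From and Reply-To domains, finds links whose visible text is a URL on a different host than the href, and hashes the raw file for the evidence record.

```python
"""Triage a saved .eml: authentication verdicts, header and link
mismatches, and a SHA-256 evidence hash. Added example, not product code."""
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing message. Relay host, IP address and the
# impersonated brand domain (taxagency.example) are invented for this example.
SAMPLE_EML = b"""Received: from relay.example.net (relay.example.net [203.0.113.10])
\tby mx.victim.example (Postfix) with ESMTPS id 4ABCD
\tfor <accounting@victim.example>; Tue, 11 Mar 2025 08:14:02 +0100
Authentication-Results: mx.victim.example;
\tspf=fail (sender IP is 203.0.113.10) smtp.mailfrom=servizi-fiscali.cloud;
\tdkim=none (message not signed) header.d=none;
\tdmarc=fail (p=quarantine dis=quarantine) header.from=taxagency.example
From: "Tax Agency Refunds" <refunds@taxagency.example>
Reply-To: support@servizi-fiscali.cloud
To: accounting@victim.example
Subject: F24 rebate withheld - action required within 24h
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Log in to the portal:
<a href="https://agenziaentrate-rimborsi.servizi-fiscali.cloud/login">https://www.taxagency.example/portal</a>
</p></body></html>
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers.
    Caveat: an attacker can add their own copy of this header, so in a real
    mailbox only trust the one whose authserv-id (first token) is your gateway."""
    verdicts = {}
    for raw in msg.get_all("Authentication-Results", []):
        text = re.sub(r"\s+", " ", str(raw))
        for method, result in AUTH_RE.findall(text):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts


def domain_of(addr_header):
    """Domain part of an address header, lower-cased; '' if absent."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Links whose visible text is itself a URL or hostname pointing at a
    different host than the href actually targets."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual = urlparse(href).hostname or ""
        shown = urlparse(text if "://" in text else "https://" + text).hostname or ""
        if "." in shown and shown != actual:
            findings.append({"shown": shown, "actual": actual})
    return findings


def triage(raw: bytes):
    """Run all checks on the raw .eml bytes and return a findings dict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    auth, links, flags = auth_results(msg), mismatched_links(html), []
    if auth.get("spf") == "fail":
        flags.append("spf_fail")
    if auth.get("dkim") in (None, "none"):
        flags.append("dkim_missing")
    if auth.get("dmarc") == "fail":
        flags.append("dmarc_fail")
    if reply_dom and reply_dom != from_dom:
        flags.append("reply_to_mismatch")
    if links:
        flags.append("link_text_mismatch")
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),  # hash the bytes, not a re-serialised copy
        "from_domain": from_dom, "reply_to_domain": reply_dom,
        "auth": auth, "links": links,
        "received_hops": len(msg.get_all("Received", [])),
        "flags": flags,
    }
```

Run it as `triage(open("suspect.eml", "rb").read())` on the file saved from your mail client; record the `sha256` value together with the file's timestamp before sending the message anywhere, so the copy you forward to abuse@ or the CERT can be matched to the original.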

Real case

Fake tax agency rebate email, spring 2025

An Italian SME receives what looks like a tax agency email titled 'F24 rebate withheld - action required within 24h'. The logo is perfect, the tone formal, the link goes to 'agenziaentrate-rimborsi.servizi-fiscali.cloud'.

The accountant follows the link, types corporate tax-portal credentials and an SMS OTP. Within 12 hours the criminals issue four delegations to a fake intermediary and exfiltrate VAT records. The national CERT had flagged the domain 72 hours earlier.

Forensic analysis showed the domain was registered five days before the attack on an offshore registrar, the headers showed SPF fail and missing DKIM, and the sending IP came from known bulletproof hosting. Mythos rebuilt the evidence chain for the criminal complaint.

What Mythos can do on this case

  • SMTP header analysis with SPF/DKIM/DMARC and Received chain inspection
  • Sender domain reputation, registration history and WHOIS
  • URL extraction, redirect chain, landing screenshot and fingerprint
  • Brand-impersonation classification and CERT cross-check
  • Signed PDF dossier for criminal complaint

Next steps