The Unspoken Spoof: Navigating Spoof Risk in SaaS Applications

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.
L1 Bithead



As Software as a Service (SaaS) applications continue to shape the digital landscape, software security remains a paramount concern.

Within this realm of ever-present vulnerabilities, spoofing emerges as a sneaky threat. Spoofing occurs when a malicious actor or cybercriminals act as a trusted source to gain unauthorized access to sensitive information or perform malicious actions.
In this blog post, we'll delve into the nuances of spoofing in SaaS and explore strategies to safeguard against it. And how Palo Alto Networks can help by providing application risk factors in the risk associated with spoofing which helps admins to assess overall security posture of application.


Understanding Spoofing in SaaS Applications

Spoofing in SaaS applications manifests in various forms, including email spoofing, IP spoofing, and website spoofing.


  1. Email spoofing : involves forging the sender's email address to deceive recipients into believing the message is from a legitimate source. This tactic is commonly used in phishing attacks

  2. IP spoofing : involves manipulating the source IP address of a network packet to conceal the sender's identity or impersonate another entity. This technique can be leveraged in distributed denial-of-service (DDoS) attacks

  3. Website spoofing involves creating counterfeit websites that mimic legitimate ones to trick users into divulging login credentials or financial information

Mitigating Spoof Risk

Combatting spoof risk in SaaS applications requires a multi-layered approach encompassing technological solutions, and proactive monitoring.


  1. Implement Multi-Factor Authentication (MFA): By requiring users to verify their identity through multiple methods, such as passwords, biometrics, or one-time codes, MFA adds an extra layer of security that makes it significantly harder for attackers to spoof legitimate users

  2. Deploy Email Authentication Protocols: Implement protocols like SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) to authenticate email senders and detect spoofed emails. These protocols help verify the legitimacy of incoming emails and mitigate the risk of phishing attacks

  3. Monitor Network Traffic: Employ intrusion detection systems (IDS) and anomaly detection mechanisms to monitor network traffic for signs of spoofing activity. Real-time monitoring allows for timely detection and response to potential threats, minimizing the impact of spoofing attacks on your SaaS environment

Let's delve deeper into the rising trend of exploiting misconfigured SPF and DMARC records in domain names for sophisticated phishing attacks -


  • SPF and DMARC records play crucial roles in email authentication and protection against spoofing and phishing attempts. 

What is an SPF Record ?

SPF allows domain owners to specify which IP addresses are authorized to send emails on behalf of their domain.




What is DMARC Protocol ?

DMARC uses SPF and DKIM and provides policies for email receivers to authenticate incoming messages, instructing them on how to handle messages that fail authentication.

However, when these records are misconfigured or poorly managed, they become exploitable weak points for attackers. 


Exploiting Misconfigured SPF/DMARC Records:

Scenario 1: Lack of SPF Record

Scenario 2: Incorrect SPF Record

Scenario 3: Absence of DMARC or DMARC set to "none"


Real Time Phishing Attack Flow Diagram : 




Deploying appropriately Configured SPF and DMARC to thwart Email Spoofing :




SaaS Inline Research Data :

We recently added a security attribute - Spoof Risk Level in SaaS Inline to identify the risk associated with the SPF & DMARC misconfigurations in the SaaS application domain.


Approach :

Built a Heuristic Engine which parses, analyzes and validates the SPF and DMARC record for a DNS record of SaaS application.

Based on records data(POLICIES) we are classifying spoof protection levels as below :

  1. Safe - The domain has DNS records configured correctly to prevent domain spoofing. The DMARC and SPF policies for the domain are strict
  2. Critical - The domain has weak policies for both DMARC and SPF, which allow the domain to be spoofed. The DNS records are not configured correctly to prevent domain spoofing
  3. High- Either the DMARC or SPF policy is not configured correctly, which allows the domain to be spoofed. The domain DNS records are not configured correctly to prevent domain spoofing
  4. Medium - Based on the domain DNS records, the domain can be spoofed. However, the spoofed messages will most likely be quarantined at the receiver's end. The domain's DMARC and SPF policies are both moderate
  5. Low - Although the risk of spoofing the domain is low, further DNS records hardening could further help prevent domain spoofing. The domain's DMARC and SPF policies are strict, but might fail to prevent some spoofing attempts
  6. Unknown- We were unable to find the domain's SPF and DMARC records

Research Trend : 

In our analysis of 66k+ SaaS applications, we found that more than 37% of the SaaS applications are at high risk due to weak DNS configuration, which includes DNS record of these SaaS domains lacks DMARC or SPF record or corresponding policies are not properly configured(like overly permissive policies, misconfigured alignment settings, or incomplete SPF records) for robust email authentication and it's security.



Few of the Recent Attacks in SaaS Environment :

Recently, a concerning phishing campaign exploiting a major cloud provider's domain was discovered in the wild. The attack begins with a deceptive email posing as an IT notification, urging recipients to reset their passwords for security reasons. The email, meticulously crafted to mimic legitimate correspondence, prompts users to fill out an attached form to initiate the password reset process.


  1. Unbeknownst to the recipients, the attached form is an obfuscated HTML file designed to redirect them to a fake login page upon opening. This page, convincingly resembling the login portal, awaits unsuspecting users to input their credentials. Once entered, the JavaScript code embedded within the HTML file performs basic validations before redirecting the user multiple times to obscure the malicious intent



2. Suspicious emails being sent that falsely portray GoToWebinar Customer Care emailsCheck out this blog 



The exploitation of SPF and DMARC misconfigurations poses a significant threat in the realm of cybersecurity and integrity of SaaS applications, enabling attackers to execute convincing phishing attacks with alarming efficacy. Vigilance, proactive security measures, and continuous education are essential defense against such evolving threats in today's digital landscape and safeguard their SaaS environments.

Integration of Spoof Risk Level in SaaS applications Risk framework gives admin granular visibility to identify applications with weak DNS record and spoof risk level associated with.

Also the application risk factors in the risk associated with spoofing which helps admins to assess overall security posture of application.


Thanks for reading !
Thanks Mohsin Dalla, Manish Mradul, Rohit Sawhney, Charles Choe for your invaluable insights and feedback.