Scammers can exploit email forwarding flaws to impersonate high-profile domains

Sending an email with a forged address is easier than previously thought due to flaws in the email forwarding process, according to a research team from the University of California San Diego. This vulnerability affects the integrity of email sent from tens of thousands of domains, including government organizations, financial service companies, and major news organizations. The researchers found that they can send email messages impersonating these organizations, bypassing the safeguards deployed by email providers such as Gmail and Outlook. This spoofing technique can lead to recipients opening attachments with malware or clicking on links that install spyware. The team presented their findings at a symposium in 2023, where their work won best paper.
