News Items:
- Bug bounty via HackerOne for Porn Hub
- Blind XSS on Go Daddy support submission
- ImageTragick HTML PoC + exploit PoC
- Cybrary session Wednesday: How to Break Into a Company From the Internet, Pt. 1
- Pwndlist got pwned
- Facebook CTF platform
- Verizon 2016 DBIR released... and it is a source of controversy
- Ransomware on the House of Representatives has increased dramatically, resulting in the blocking of Yahoo Mail
- List of Panama Papers officials released

Technical Segment: Email Spoofing and Phishing

Highlight: If a company is using Google Apps for Work and has not set up SPF/DKIM/DMARC, their domain can be leveraged to spoof emails, very reliably.

Surprise, surprise: people click links! Do you even need to be crafty? Probably not, but let's discuss some ways anyhow.

You can spoof emails. It can happen:
- Great write-up from Cobalt Strike. If you are new to email spoofing you should really read this article.
- Telnet to the mail server and attempt to manually craft the email. This works in default configurations on many email servers and security appliances.
- SPF/DKIM/DMARC may not be set up, allowing you to send email from the domain unauthenticated. The Cobalt Strike blog demonstrates that.
- This can also be done in Gmail! It shows up as spoofed in normal Gmail, but what about Google Apps for Work? If you do not have SPF/DKIM/DMARC set up, it is very easy to spoof emails from that domain, both to the target domain and externally, and it will very frequently bypass security controls. We will release code on how to do that.
- We are normally targeting organizations that leverage Outlook. It will only grab the name portion of the email header (not the email address) and present that to users, so you can have a Gmail address (which can bypass controls since it's Gmail/legitimate), send email using Python (or another scripting language), and modify the name to be a quasi-spoof.
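As an added defender-side example (not code from the show, from Cobalt Strike, or from Google), the Python below does the two checks the segment above implies a domain owner should be making: it grades a domain's exposure from its SPF and DMARC TXT records (no record, `p=none`, `~all` and similar weak settings), and it flags a From header whose display name impersonates a protected domain while the real address sits elsewhere, which is the Outlook name-only display problem described in the last point. The TXT records and headers are constructed samples embedded inline; `SAMPLE_TXT`, `lookup_txt`, `assess_domain` and `display_name_risk` are names chosen here, and a real deployment would replace the lookup table with an actual DNS TXT query. DKIM is not graded because it lives under a sender-chosen selector name that cannot be discovered from the domain alone.

```python
from email.utils import parseaddr

# Constructed sample TXT records standing in for DNS answers; these are not
# real records for any organisation. Keys are the names a resolver would query.
SAMPLE_TXT = {
    "unprotected.example": [],
    "_dmarc.unprotected.example": [],
    "softfail.example": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.softfail.example": ["v=DMARC1; p=none; rua=mailto:dmarc@softfail.example"],
    "strict.example": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
}

_LEVEL = {"low": 0, "medium": 1, "high": 2}


def lookup_txt(name, records=SAMPLE_TXT):
    """Return the TXT strings for a name (a stand-in for a real DNS TXT query)."""
    return records.get(name, [])


def parse_dmarc(txt):
    """Split a DMARC record into its tag=value pairs; None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_domain(domain, records=SAMPLE_TXT):
    """Grade how easily mail claiming to come from `domain` would be accepted.

    Returns the findings a domain owner would act on plus an overall
    exposure level of "low", "medium" or "high".
    """
    findings, exposure = [], "low"

    def note(level, text):
        nonlocal exposure
        findings.append(text)
        if _LEVEL[level] > _LEVEL[exposure]:
            exposure = level

    spf = [t for t in lookup_txt(domain, records) if t.lower().startswith("v=spf1")]
    if not spf:
        note("high", "no SPF record: any host may claim to send for this domain")
    else:
        terms = spf[0].lower().split()
        if "+all" in terms or "all" in terms:
            note("high", "SPF ends in '+all': every sender is authorised")
        elif "?all" in terms or "-all" not in terms and "~all" not in terms:
            note("high", "SPF result for unlisted hosts is neutral: no real policy")
        elif "~all" in terms:
            note("medium", "SPF ends in '~all' (softfail): many receivers still deliver")

    dmarc = [r for r in map(parse_dmarc, lookup_txt("_dmarc." + domain, records)) if r]
    if not dmarc:
        note("high", "no DMARC record: receivers are never told to reject failures")
    else:
        policy = dmarc[0].get("p", "none").lower()
        pct = int(dmarc[0].get("pct", "100"))
        if policy == "none":
            note("high", "DMARC p=none: failures are only reported, not blocked")
        elif policy == "quarantine":
            note("medium", "DMARC p=quarantine: failures land in spam rather than being rejected")
        if policy != "none" and pct < 100:
            note("medium", f"DMARC pct={pct}: policy applied to only part of the mail")

    return {"domain": domain, "has_spf": bool(spf), "has_dmarc": bool(dmarc),
            "exposure": exposure, "findings": findings}


def display_name_risk(from_header, protected_domains):
    """Flag a From header whose display name impersonates a protected domain
    while the actual address is somewhere else (e.g. a free webmail account).

    Returns a description of the problem, or None if the header looks honest.
    """
    name, addr = parseaddr(from_header)
    addr_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    protected = [d.lower() for d in protected_domains]
    # Mail genuinely sent from a protected domain is not a display-name spoof.
    if any(addr_domain == d or addr_domain.endswith("." + d) for d in protected):
        return None
    if "@" in name and name.lower() != addr.lower():
        return f"display name '{name}' looks like an address but the sender is {addr}"
    for d in protected:
        if d in name.lower():
            return f"display name '{name}' references {d} but the sender is {addr}"
    return None


if __name__ == "__main__":
    for d in ("unprotected.example", "softfail.example", "strict.example"):
        print(assess_domain(d))
    print(display_name_risk('"ceo@strict.example" <someone@webmail.example>', ["strict.example"]))
```

Run against real DNS, `assess_domain` is the check to schedule for every domain an organisation sends mail from, and `display_name_risk` is the sort of rule a mail gateway can apply to inbound mail that Outlook would otherwise render by display name alone.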