An analyst is investigating a suspected phishing email that appears to have been sent from a trusted partner's domain. Upon examining the email's full headers, which of the following findings within the 'Received' fields would be the strongest indicator of a spoofing attempt?
The final 'Received' header shows a delivery time that is a few seconds after the 'Date' header.
A 'Received' entry showing the email was relayed through an untrusted mail server in a foreign country.
The 'Authentication-Results' header shows 'spf=pass' and 'dkim=pass'.
Multiple 'Received' headers are present in the email.
The 'Received' fields in an email header trace the path the message took from the sender to the recipient; each mail server (hop) along that path adds its own 'Received' header. An entry showing that the email passed through an unexpected mail server, especially one in a geographic location not associated with the purported sender, is a strong red flag: it suggests the message did not originate from the partner's legitimate infrastructure and was instead routed through a malicious or compromised system, a common tactic in spoofing attacks. By contrast, multiple 'Received' headers and a delivery time a few seconds after the 'Date' header are normal, and passing SPF and DKIM checks would point toward legitimacy rather than spoofing, so an anomalous routing path is the key indicator of a potential threat.