An analyst is investigating a suspected phishing email that appears to have been sent from a trusted partner's domain. Upon examining the email's full headers, which of the following findings within the 'Received' fields would be the strongest indicator of a spoofing attempt?
The 'Authentication-Results' header shows 'spf=pass' and 'dkim=pass'.
A 'Received' entry showing the email was relayed through an untrusted mail server in a foreign country.
The final 'Received' header shows a delivery time that is a few seconds after the 'Date' header.
Multiple 'Received' headers are present in the email.
The 'Received' fields in an email header trace the path the message took from the sender to the recipient: each mail server (hop) that handles the message prepends its own 'Received' header, so the topmost entry is the most recent hop and the bottommost the earliest. An entry showing the email was processed by an unexpected mail server, especially one in a geographic location not associated with the purported sender, is a strong red flag. It suggests the email did not originate from the partner's legitimate infrastructure and was instead routed through a malicious or compromised system, a common tactic in spoofing attacks. Because a sender can forge any 'Received' lines that sit below the ones added by the recipient's own servers, the entries added by trusted infrastructure are the ones to rely on when judging the path. The presence of multiple 'Received' headers and a delivery time shortly after the 'Date' header are both expected for a normal message, and passing SPF and DKIM checks would point toward legitimacy rather than spoofing, so an anomalous routing path is the key indicator of a potential threat among the options given.