Long story short: as almost all vulnerabilities come from the human side, we had a small misconfiguration in our SPF/DMARC records, which was found randomly by a security freelancer who informed us about it by email.
The problem was ~all ("softfail") instead of -all ("fail") in our SPF record. Softfail tells the receiving server to treat mail from source IPs/domains that are not whitelisted only as suspicious and then apply the policy from the DMARC record, which was set to not reject emails (p=none).
So, the SPF record became:
v=spf1 +mx +a +ip4:82.208.158.23 +ip4:81.196.83.140 +include:_spf.google.com -all
-all ("fail") means that emails from unlisted senders should be discarded, while ~all ("softfail") means that they should be tagged as spam or suspicious and the DMARC policy should be checked.
The DMARC record, which tells the receiving server what to do if one of the authentication methods fails, became:
v=DMARC1;p=quarantine;rua=mailto:postmaster@iservit.ro;fo=1;sp=reject;
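To check for exactly these two weak settings, here is an added Python example (not code from the original post): it parses an SPF and a DMARC record, reports a non-hard-fail "all" qualifier and p=none, and applies the simplified receiver model described above to mail from an IP the SPF does not list. It assumes the TXT records have already been fetched from DNS and are passed in as strings; the "weak" records are constructed reconstructions of the state the text describes, and the "fixed" ones are the records shown above.

```python
"""Audit SPF and DMARC TXT records for the two weak settings discussed above.

Added example; assumes the records are already fetched (for instance from DNS
TXT lookups) and passed in as strings. The WEAK_* records are constructed.
"""

# The corrected records from the post.
FIXED_SPF = "v=spf1 +mx +a +ip4:82.208.158.23 +ip4:81.196.83.140 +include:_spf.google.com -all"
FIXED_DMARC = "v=DMARC1;p=quarantine;rua=mailto:postmaster@iservit.ro;fo=1;sp=reject;"

# Constructed reconstruction of the weak state described in the text:
# the same SPF mechanisms ending in ~all, and a DMARC policy of p=none.
WEAK_SPF = "v=spf1 +mx +a +ip4:82.208.158.23 +ip4:81.196.83.140 +include:_spf.google.com ~all"
WEAK_DMARC = "v=DMARC1;p=none;rua=mailto:postmaster@iservit.ro;"

QUALIFIER_NAMES = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism) pairs; '+' is the default qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_NAMES:
            qualifier, term = term[0], term[1:]
        mechanisms.append((qualifier, term))
    return mechanisms


def spf_all_qualifier(record):
    """Return the qualifier on the 'all' mechanism, or None if there is no 'all' term."""
    for qualifier, mechanism in parse_spf(record):
        if mechanism.lower() == "all":
            return qualifier
    return None


def parse_dmarc(record):
    """Parse the 'tag=value;' pairs of a DMARC record into a dict with lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def audit(spf_record, dmarc_record):
    """Return a list of findings; an empty list means none of the weak settings is present."""
    findings = []
    qualifier = spf_all_qualifier(spf_record)
    if qualifier != "-":
        name = QUALIFIER_NAMES.get(qualifier, "missing")
        findings.append(f"SPF ends with '{name}' for unlisted senders; use -all so they hard-fail")
    tags = parse_dmarc(dmarc_record)
    if tags.get("p", "none") == "none":
        findings.append("DMARC p=none: receivers only report, nothing is quarantined or rejected")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address, so aggregate reports of spoofing never arrive")
    return findings


def treatment_of_unlisted_sender(spf_record, dmarc_record):
    """Simplified receiver model from the text: fate of mail from an IP the SPF does not list."""
    qualifier = spf_all_qualifier(spf_record)
    if qualifier == "-":
        return "discarded"
    policy = parse_dmarc(dmarc_record).get("p", "none")
    if qualifier == "~":
        # softfail: the message is only flagged, and the DMARC policy decides
        return {"quarantine": "quarantined", "reject": "rejected"}.get(
            policy, "delivered, tagged as suspicious")
    return "delivered"


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("fixed", FIXED_SPF, FIXED_DMARC)):
        print(f"[{label}] mail from an unlisted sender is: {treatment_of_unlisted_sender(spf, dmarc)}")
        for finding in audit(spf, dmarc):
            print(f"  - {finding}")
```

Running the block prints the findings for both states; the weak pair produces the two findings that match the post's story (softfail plus p=none), the fixed pair produces none. The receiver model is deliberately the one the post describes, not a full RFC 7489 evaluation: real receivers also check DKIM and identifier alignment before the DMARC policy applies.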
Spoofing
So, the policy p=none (set to not drop any emails) together with the softfail ~all ended up making it possible to trick a victim into believing the sender was legitimate.
A small PHP test:
<?php
// Proof of concept from the post: mail() takes the From: header verbatim,
// so with ~all and p=none the receiver accepted it as if the domain had sent it.
$to = "target@example.com";
$subject = "Password Change";
$txt = "Change your password by visiting here - [VIRUS LINK HERE]";
$headers = "From: contact@iservit.ro";
mail($to, $subject, $txt, $headers);
?>
Stay safe 🤟