Bloomberg News reports, “According to publicly available information, whoever administrated [Clinton’s private server] didn’t enable what’s called a Sender Policy Framework, or SPF, a simple setting that would prevent hackers sending emails that appear to be from clintonemail.com. SPF is a basic and highly recommended security precaution for people who set up their own servers.”
Bob Gourley, who was the chief technology officer at the DIA [Defense Intelligence Agency] and is the founder of his own cybersecurity consulting firm, says: “If [an SPF] was not in use, [hackers] could send an email that looks like it comes from her to, say, the ambassador of France that says, ‘leave the back door open to the residence a package is coming.’ Or a malicious person could send an email to a foreign dignitary meant to cause an international incident or confuse US foreign policy.” This also would have made it easy for hackers to launch “spear phishing” attacks from Clinton’s account. Other government officials could have thought they were getting a real email from Clinton and then be tricked into having their own accounts breached.
Clinton’s spokesperson claims there is no evidence her account was ever successfully exploited in this manner. But Bloomberg News points out, “The problem with such confidence is that if hackers exploited the SPF vulnerability, Clinton’s office would likely never have known her domain name…was being used surreptitiously.” (Bloomberg News, 3/18/2015)