20 Million Trusted Domains Vulnerable to Email Hosting Exploits

Three newly discovered SMTP smuggling attack techniques can exploit misconfigurations and design decisions made by at least 50 email-hosting providers.


Three novel attack techniques that chain together vulnerabilities found in numerous email-hosting platforms are allowing threat actors to spoof emails from more than 20 million domains of trusted organizations.

The flaws — discovered by several security researchers at PayPal — allow attackers to use Simple Mail Transfer Protocol (SMTP) smuggling and related techniques to get past SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) email authentication controls and deliver malicious emails that appear to come from domains owned by reputable Fortune 500 companies and government agencies.

The findings include vulnerabilities in email verification processes used by numerous large email service providers, specifically domain-authentication issues, request for comments (RFC) violations, and the abuse of valid DKIM signatures and SPF records.

Email-Hosting, Vulnerable by Default

The researchers — Hao Wang, offensive security senior manager; Caleb Sargent, offensive security engineer; and Harrison Pomeroy, lead threat detection engineer — plan to disclose how chaining these vulnerabilities together creates the new attack patterns in a session at the forthcoming Black Hat USA conference during the first week of August, entitled "Into the Inbox: Novel Email Spoofing Attack Patterns."

They also will name the affected vendors, which could number more than 50. The delay follows the responsible disclosure timeline, as the researchers are giving vendors time to address the issues before they are identified, Wang says.

"The issue we want to emphasize is that email gateway vendors remain vulnerable to SMTP smuggling in their default configuration," Wang tells Dark Reading in an interview. "This vulnerability can have a significant impact, especially if the outbound SMTP server of large email or hosting providers is permitted to send emails on behalf of multiple domains."

While some email gateway vendors include a setting to reject spoofed emails and thus mitigate the issue, enabling this feature may inadvertently block legitimate emails. "Consequently, many large customers continue to use the default, vulnerable setting," he says, creating a wide avenue for attacker abuse.

Novel Attack Techniques

The team's research was informed by two previous works from other researchers: the "SpamChannel" talk presented by Marcello Salvati at DEF CON 31 in 2023, and the SMTP smuggling attack unveiled by Timo Longin of SEC Consult in December 2023, Wang says.

The first attack technique abuses SPF. It works because several large email and hosting service providers fail to properly verify domains when sending email on their behalf, in violation of RFC requirements.

"Their domains often have overly permissive SPF records, enabling attackers to bypass SPF/DMARC security controls and deliver fraudulent emails," Wang explains, adding that the attack has a "high success rate" due to the large number of affected domains and the broad reach of email spoofing.
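To make the first attack pattern concrete, here is an added example (not code from the article or from the PayPal researchers) that evaluates a sender IP against an SPF record and then lints the record for terms that let parties other than the domain owner pass. Every domain, address and record in it is constructed; the point it shows is that a domain which delegates to a shared provider's `include:` is only as safe as that provider's check of who may relay through its outbound servers.

```python
"""SPF evaluation and linting for overly permissive records.
Added example; not code from the article or the PayPal researchers.
Every domain, IP address and record here is constructed for the demo."""
import ipaddress

# Constructed DNS zone: domain -> its SPF TXT record. "victim.example"
# delegates to a shared hosting provider's include, as many large domains do.
DNS = {
    "victim.example": "v=spf1 include:_spf.bighost.example -all",
    "_spf.bighost.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "sloppy.example": "v=spf1 ip4:198.51.100.0/8 +all",
    "tight.example": "v=spf1 ip4:192.0.2.25/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _terms(record):
    """Yield (qualifier, mechanism, argument) for each term after 'v=spf1'."""
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        yield qual, mech.lower(), arg


def spf_check(domain, ip, depth=0):
    """Evaluate a sender IP against the domain's record (RFC 7208 subset:
    ip4, ip6, include, all). Returns pass/fail/softfail/neutral/permerror."""
    if depth > 10 or domain not in DNS:   # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for qual, mech, arg in _terms(DNS[domain]):
        if mech in ("ip4", "ip6"):
            # Membership test is False across IPv4/IPv6, so no version check needed.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = spf_check(arg, ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue                       # mechanisms not modelled here (a, mx, exists)
        if matched:
            return QUALIFIERS[qual]
    return "neutral"


def spf_lint(domain):
    """Flag terms that let parties other than the domain owner pass SPF."""
    findings = []
    for qual, mech, arg in _terms(DNS[domain]):
        if mech == "all" and qual in ("+", "?"):
            findings.append(f"{qual}all: any sender on the internet passes")
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.prefixlen < (24 if net.version == 4 else 32):
                findings.append(f"{mech}:{arg}: range far larger than a mail fleet")
        elif mech == "include":
            findings.append(
                f"include:{arg}: every tenant relaying through {arg}'s servers can "
                f"pass SPF for {domain} unless the provider verifies domain ownership")
    return findings


def demo():
    """A host on the shared provider's network is authorised for victim.example
    even though it has no relation to the victim; an unrelated host is not."""
    return {
        "tenant-on-shared-provider": spf_check("victim.example", "203.0.113.7"),
        "unrelated-host": spf_check("victim.example", "198.51.100.9"),
        "sloppy-any-host": spf_check("sloppy.example", "8.8.8.8"),
    }


if __name__ == "__main__":
    print(demo())
    for d in DNS:
        print(d, spf_lint(d))
```

The `include:` finding is the interesting one: the record itself looks tight (`-all`, no wide ranges), so a standard SPF validator reports nothing, yet any customer of the same provider who can relay mail through its outbound servers produces an SPF pass for the victim domain. Whether that is exploitable depends entirely on the provider's domain verification, which is exactly the check the researchers say is missing.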

The second attack pattern abuses DKIM due to improper domain verification when utilizing feedback loop (FBL) features from major mailbox providers, allowing large-scale email spoofing campaigns.

The third attack pattern expands on Longin's SMTP smuggling discovery and will be detailed during the Black Hat USA session. Longin found that attackers could exploit differences in how SMTP servers interpret the end-of-data sequence to send large numbers of malicious emails with spoofed sender addresses, based on flaws he identified in messaging servers from Microsoft, GMX, and Cisco.

"Most of the attacks do not directly circumvent SPF, DKIM, and DMARC controls in place, but instead leverage misconfigurations and design decisions made by the affected vendors," Wang says. "The result of these attacks is emails with valid SPF and DKIM records that will pass the DMARC check."
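The following added example (not code from the article, the PayPal team or Longin's research) shows the smuggling primitive from the inbound server's point of view. RFC 5321 ends a DATA block only on `<CR><LF>.<CR><LF>`; if the outbound relay forwards a bare-LF variant unchanged as ordinary body text and the inbound server accepts that variant as a terminator, the same bytes are one message to the relay and two SMTP transactions to the receiver, the second with an envelope the attacker chose. The session bytes and addresses are constructed, and the list of lenient terminators is an assumption meant to be representative rather than exhaustive.

```python
"""Inbound-side view of SMTP smuggling, the technique the third attack
pattern builds on. Added example, not code from the article or from the
PayPal or SEC Consult research. RFC 5321 terminates DATA only on
<CR><LF>.<CR><LF>; an outbound relay that forwards a bare-LF variant
unchanged, to an inbound server that also accepts that variant, lets one
message carry a second SMTP transaction whose envelope the attacker chooses.
Session bytes and addresses are constructed."""
import re

# The only terminator RFC 5321 allows.
STRICT_EOD = re.compile(rb"\r\n\.\r\n")
# Variants some inbound servers have accepted as end-of-data (assumption:
# a representative, not exhaustive, list).
LENIENT_EOD = re.compile(rb"\r\n\.\r\n|\n\.\r\n|\r\n\.\n")

# What the inbound server receives after replying 354 to the outbound
# relay's DATA. The relay, being strict, passed "\n.\r\n" through as body.
STREAM = (
    b"From: billing@tenant.example\r\n"
    b"To: target@inbound.example\r\n"
    b"Subject: Invoice 1042\r\n"
    b"\r\n"
    b"Regular message body.\r\n"
    b"\n.\r\n"                                   # <LF>.<CR><LF>: the smuggling seam
    b"MAIL FROM:<ceo@victim.example>\r\n"        # spoofed envelope sender
    b"RCPT TO:<target@inbound.example>\r\n"
    b"DATA\r\n"
    b"From: ceo@victim.example\r\n"
    b"To: target@inbound.example\r\n"
    b"Subject: Urgent wire transfer\r\n"
    b"\r\n"
    b"Please pay the attached invoice today.\r\n"
    b".\r\n"                                     # the relay's real <CR><LF>.<CR><LF>
)

ENVELOPE = ("billing@tenant.example", "target@inbound.example")


def parse_session(envelope, stream, lenient):
    """Return the transactions an inbound server would accept from `stream`,
    given the (mail_from, rcpt_to) of the transaction already in DATA."""
    eod = LENIENT_EOD if lenient else STRICT_EOD
    mail_from, rcpt_to = envelope
    txns, pos = [], 0
    while True:
        m = eod.search(stream, pos)
        if not m:
            break                                # no terminator: server keeps waiting
        txns.append({"mail_from": mail_from, "rcpt_to": rcpt_to,
                     "data": stream[pos:m.start()]})
        pos = m.end()
        # Back in command mode: read a fresh envelope until the next DATA.
        mail_from = rcpt_to = None
        in_data = False
        while pos < len(stream) and not in_data:
            nl = stream.find(b"\r\n", pos)
            if nl < 0:
                break
            line, pos = stream[pos:nl], nl + 2
            verb = line.upper()
            if verb.startswith(b"MAIL FROM:"):
                mail_from = line[10:].strip(b" <>").decode()
            elif verb.startswith(b"RCPT TO:"):
                rcpt_to = line[8:].strip(b" <>").decode()
            elif verb == b"DATA":
                in_data = True
            elif verb == b"QUIT":
                return txns
        if not (in_data and mail_from and rcpt_to):
            break
    return txns


def demo():
    """Same bytes, two servers: the strict one sees one message whose body
    happens to contain SMTP commands; the lenient one accepts a second
    transaction with a spoofed MAIL FROM, arriving from the relay's IP."""
    return {
        "strict": parse_session(ENVELOPE, STREAM, lenient=False),
        "lenient": parse_session(ENVELOPE, STREAM, lenient=True),
    }


if __name__ == "__main__":
    for mode, txns in demo().items():
        print(mode, [(t["mail_from"], len(t["data"])) for t in txns])
```

The connection to Wang's remark about valid SPF and DKIM is the source address: the smuggled transaction arrives from the outbound relay's IP, so if `victim.example` authorises that relay in its SPF record (as a shared-provider customer would), the spoofed `MAIL FROM` passes SPF without any check being "bypassed". The strict branch is also the fix: an inbound server that only honours `<CR><LF>.<CR><LF>`, together with an outbound relay that rejects or normalises bare `<LF>`, leaves the attacker nothing to smuggle through.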

SMTP Smuggling Detection and Mitigation 

As part of their session, the researchers plan to reveal a method for detecting SMTP smuggling attacks based on the Message-ID header that mail servers add to messages passing through them. The method correlates differences between the Message-IDs added by the outbound and inbound SMTP servers when an attacker sends multiple emails within a short period through a single SMTP connection.

"This difference would serve as a strong indicator of an SMTP smuggling attack, enabling the development of custom detection rules," Wang says. "At the very least, organizations can incorporate this technique as part of their compensating controls for mitigating this type of attack."
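What such a correlation rule might look like, as an added example that is my reading of the approach described above rather than the researchers' own rule: it assumes the inbound MTA stamps a Message-ID using its own hostname on any message that arrives without one, and that the outbound relay does the same with its hostname. A smuggled second message never passed through the relay as a message, so only the inbound server stamps it, and a single connection then yields Message-IDs from two different generators within seconds. The log rows and hostnames are constructed.

```python
"""Message-ID correlation as an SMTP smuggling indicator. Added example,
my reading of the detection approach described in the article, not the
researchers' rule. Assumption: the inbound MTA stamps a Message-ID with
its own hostname on messages that arrive without one, as the outbound relay
does with its hostname. All log rows and hostnames are constructed."""
from collections import defaultdict
from datetime import datetime

INBOUND_HOST = "mx.inbound.example"        # assumption: our MTA's Message-ID host

# Constructed inbound MTA log: one row per accepted message, keyed by the
# TCP session it arrived on.
LOG = [
    # c01: two messages in the same second, stamped by two different hosts
    {"session": "c01", "client": "203.0.113.7", "ts": "2024-07-01T10:00:00",
     "message_id": "<1720000000.a1b2@out.bighost.example>"},
    {"session": "c01", "client": "203.0.113.7", "ts": "2024-07-01T10:00:00",
     "message_id": "<20240701100000.9f3c@mx.inbound.example>"},
    # c02: a legitimate batch, every Message-ID from the relay itself
    {"session": "c02", "client": "203.0.113.8", "ts": "2024-07-01T10:05:00",
     "message_id": "<1720000300.c3d4@out.bighost.example>"},
    {"session": "c02", "client": "203.0.113.8", "ts": "2024-07-01T10:05:02",
     "message_id": "<1720000302.e5f6@out.bighost.example>"},
    # c03: a single message from a client that sent no Message-ID
    {"session": "c03", "client": "198.51.100.4", "ts": "2024-07-01T10:07:00",
     "message_id": "<20240701100700.aa11@mx.inbound.example>"},
]


def msgid_host(message_id):
    """Host part of a Message-ID, lower-cased; '' if malformed."""
    body = message_id.strip().strip("<>")
    return body.rpartition("@")[2].lower() if "@" in body else ""


def detect_smuggling(log, inbound_host, window_s=10):
    """Flag sessions that delivered several messages within `window_s` seconds
    whose Message-IDs came from different generators, one being this MTA."""
    by_session = defaultdict(list)
    for row in log:
        by_session[row["session"]].append(row)
    alerts = []
    for sid, rows in by_session.items():
        if len(rows) < 2:
            continue                        # one message: nothing to correlate
        rows.sort(key=lambda r: r["ts"])
        span = (datetime.fromisoformat(rows[-1]["ts"])
                - datetime.fromisoformat(rows[0]["ts"])).total_seconds()
        hosts = {msgid_host(r["message_id"]) for r in rows}
        if span <= window_s and len(hosts) > 1 and inbound_host in hosts:
            alerts.append({"session": sid, "client": rows[0]["client"],
                           "messages": len(rows), "generators": sorted(hosts)})
    return alerts


if __name__ == "__main__":
    for alert in detect_smuggling(LOG, INBOUND_HOST):
        print(alert)
```

Only `c01` is flagged: `c02` is a normal multi-message connection whose Message-IDs all come from the relay, and `c03` has nothing to correlate against. The rule is a heuristic, which is why Wang frames it as a compensating control: a legitimate sender that omits Message-ID on some messages in a batch will trigger it, so in practice it belongs alongside the SPF, DKIM and DMARC baseline rather than in place of it.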

Indeed, while the attack patterns discovered can allow email spoofing that gets past DMARC, DKIM, and SPF security controls, the researchers still highly recommend that organizations enforce these measures for their domains as a foundational security baseline.

"Implementing these controls significantly enhances email security by providing mechanisms for verifying the authenticity of email messages, reducing the risk of phishing and email spoofing attacks," Wang says.

Organizations also should use email-filtering solutions that leverage heuristic and content-based analysis in addition to validating messages through DMARC, DKIM, and SPF security controls for a multilayered approach that helps identify and block potential spoofing and phishing emails more effectively, he says.

Wang adds that enforcing RFC standards for authentication and authorization across all email service providers also "is critical for maintaining the security and reliability of email communications," and for preventing various forms of email-based attacks.


About the Author

Elizabeth Montalbano, Contributing Writer
