
20 Million Trusted Domains at Risk of Email Hosting Exploits


Researchers at PayPal have uncovered three novel attack techniques that exploit weaknesses in various email-hosting platforms, enabling threat actors to spoof emails from over 20 million trusted domains owned by reputable organizations. The weaknesses, which involve misuse of SMTP to bypass security protocols such as SPF, DKIM, and DMARC, are being chained together to deliver malicious emails that appear to come from Fortune 500 companies and government agencies.

The vulnerabilities in the email verification processes of major service providers have exposed flaws in domain authentication, RFC compliance, and the abuse of legitimate DKIM signatures and SPF records. This has created a significant loophole that attackers are exploiting to disguise fraudulent emails as originating from trustworthy sources.

A team of researchers from PayPal, including Hao Wang, Caleb Sargent, and Harrison Pomeroy, will be presenting their findings at the upcoming Black Hat USA conference in a session titled “Into the Inbox: Novel Email Spoofing Attack Patterns.” They plan to disclose the affected vendors, estimated to be more than 50, after allowing time for responsible disclosure and remediation of the issues.

According to Wang, the primary issue revolves around the vulnerability of email gateway vendors to SMTP smuggling attacks in their default configurations. While some vendors offer settings to reject spoofed emails, enabling this feature may inadvertently block legitimate emails, leading many organizations to continue using the default, vulnerable settings and providing attackers with a broad avenue for abuse.

The researchers drew inspiration from previous works, including a presentation on “SpamChannel” at DefCon 2023 and an SMTP smuggling attack by Timo Longin. These served as the foundation for the team’s exploration of new attack patterns exploiting SPF, DKIM, and SMTP vulnerabilities.

The first attack technique capitalizes on SPF misconfigurations by service providers, allowing attackers to bypass essential security controls and execute successful email spoofing campaigns. The second technique leverages DKIM vulnerabilities, particularly related to domain verification via feedback loop features, to conduct large-scale email spoofing operations. The third technique builds upon Longin’s SMTP smuggling attack discovery and will be elaborated on during the Black Hat USA session.

To detect and mitigate SMTP smuggling attacks, the researchers have developed a method that focuses on monitoring the Message-ID identifiers that email servers add to messages during transmission. By comparing the Message-IDs generated on the outbound path with those observed on inbound messages that claim the organization's domain, organizations can identify potential smuggling attempts and implement custom detection rules to counter these attacks.
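The following is an added illustration of the Message-ID correlation idea described above; it is not the PayPal team's tooling. It assumes a hypothetical organization domain `example.org`, a constructed ledger of Message-IDs stamped by that organization's own outbound gateway, and constructed sample messages. An inbound message whose From header claims the organization's domain is flagged when its Message-ID was never issued by the outbound gateway, carries a foreign Message-ID domain, is missing, or appears more than once (a second Message-ID header is a typical trace of a smuggled second message).

```python
import email
from email.utils import parseaddr

# Hypothetical organization domain and a constructed ledger of Message-IDs
# recorded from its own outbound gateway logs (sample data, not real).
OUR_DOMAIN = "example.org"
OUTBOUND_MESSAGE_IDS = {
    "<20240801.abc123@mta1.example.org>",
    "<20240801.def456@mta1.example.org>",
}

def message_id_domain(msgid):
    """Return the lower-cased domain part of '<local@host>', or '' if malformed."""
    msgid = msgid.strip()
    if not (msgid.startswith("<") and msgid.endswith(">") and "@" in msgid):
        return ""
    return msgid[1:-1].rsplit("@", 1)[1].lower()

def flag_inbound(raw_message):
    """Return the reasons an inbound message claiming our domain does not
    match what our own outbound gateway produced (empty list = consistent)."""
    msg = email.message_from_string(raw_message)  # compat32: headers are plain str
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain != OUR_DOMAIN:
        return []  # Not claiming our identity; outside the scope of this rule.
    reasons = []
    msgids = msg.get_all("Message-ID") or []
    if not msgids:
        reasons.append("no Message-ID")
    elif len(msgids) > 1:
        reasons.append("multiple Message-ID headers")
    else:
        mid = msgids[0].strip()
        if mid not in OUTBOUND_MESSAGE_IDS:
            reasons.append("Message-ID not in outbound ledger")
        dom = message_id_domain(mid)
        if dom != OUR_DOMAIN and not dom.endswith("." + OUR_DOMAIN):
            reasons.append("Message-ID domain %r not ours" % dom)
    return reasons

# Constructed sample messages: one genuinely sent by our gateway, one spoofed.
LEGIT = ("From: Finance <cfo@example.org>\nTo: partner@example.net\n"
         "Message-ID: <20240801.abc123@mta1.example.org>\nSubject: Q3 invoice\n\nHello\n")
SPOOFED = ("From: Finance <cfo@example.org>\nTo: partner@example.net\n"
           "Message-ID: <spoof1@mx.third-party.test>\nSubject: Urgent wire\n\nPay now\n")

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(name, flag_inbound(sample) or "ok")
```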

While the newly identified attack patterns pose a serious threat to email security by circumventing established controls, the researchers emphasize the importance of enforcing measures like DMARC, DKIM, and SPF for domain protection. Implementing these security mechanisms can significantly enhance email security, reduce the risk of phishing attacks, and mitigate the impact of email spoofing incidents.

In addition to enforcing these controls, organizations are advised to deploy email-filtering solutions that use heuristic and content-based analysis to identify and block potential spoofing and phishing emails. Wang also highlights the critical role of adherence to RFC standards for authentication and authorization across all email service providers: consistent RFC compliance keeps email communications secure and reliable and prevents a range of email-based attacks.

In conclusion, the research conducted by PayPal’s team sheds light on the evolving threat landscape facing email-hosting platforms and underscores the importance of proactive security measures to combat emerging attack vectors. By raising awareness of these vulnerabilities and providing recommendations for detection and mitigation strategies, the researchers aim to empower organizations to safeguard their email infrastructure against sophisticated spoofing attacks.
