Email Spoofing

By Kristin Thomas on October 11, 2024

Executive Summary

Email impersonation has become harder to detect. Recent attacks exploit differences in how outbound and inbound SMTP servers decide where a message ends (SMTP smuggling [5]) and insufficient enforcement of sender identity by hosted SMTP services [2]; reporting on the latter estimates that more than 20 million domains are exposed to sender spoofing [1]. Affected servers left on default settings are particularly at risk, so mitigation starts with patching and hardening email server configuration. Best practices also include avoiding the use of email to transmit unprotected sensitive information and remaining vigilant when a familiar sender asks for such information, because this kind of spoofing is typically used to make phishing more convincing.

Background

Cybercriminals have traditionally impersonated an email's sender by obfuscating the display name [4]. The attacker puts a reputable name in the sender's display-name field while the actual address is one they control; only the displayed name is impersonated, or chosen to resemble a valid sender. The goal is to socially engineer the recipient into willingly interacting with the attacker. Email gateways and anti-malware products now detect many of these messages and block them before delivery. If such a message does get through, the user can check its validity by examining whether the display name is actually affiliated with the address it is attached to.
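The display-name check described above, as an added example that is not part of the original article: a small Python function that flags the common patterns (an address embedded in the display name, a trusted domain used only as a subdomain label, a lookalike domain, a brand name on an unrelated address). The sample headers, the trusted-domain list and the confusable table are constructed for the example.

```python
"""Display-name spoofing checks for a From: header (added example for this
article, not code from it or from the vendor it cites). The sample headers
and trusted domains are constructed."""
import re
from email.utils import parseaddr

ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Digits and digraphs commonly substituted for letters in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(domain: str) -> str:
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, enough to catch a single-character typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(domain: str, trusted: str) -> bool:
    a, b = normalise(domain), normalise(trusted)
    return a == b or edit_distance(a, b) == 1


def check_from_header(value: str, trusted_domains: set[str]) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    name, addr = parseaddr(value)
    if not addr:
        return [f"unparseable From header: {value!r}"]
    addr = addr.lower()
    addr_domain = addr.rsplit("@", 1)[-1]
    # 1. Another address appears in the header text, usually in the display
    #    name, e.g. "boss@example.com" <attacker@evil.example>.
    for other in sorted({a.lower() for a in ADDRESS.findall(value)} - {addr}):
        findings.append(f"header shows {other} but the sending address is {addr}")
    for d in sorted(trusted_domains):
        d = d.lower()
        if addr_domain == d or addr_domain.endswith("." + d):
            continue  # genuinely the trusted domain or a subdomain of it
        if addr_domain.startswith(d + "."):
            # 2. Trusted domain used as a leading label of an attacker domain.
            findings.append(f"{d} is only a subdomain label of {addr_domain}")
        elif looks_like(addr_domain, d):
            # 3. Lookalike: confusable characters or a one-character edit.
            findings.append(f"address domain {addr_domain} resembles {d}")
        if d.split(".")[0] in name.lower():
            # 4. Display name claims the brand while the address is elsewhere.
            findings.append(f"display name {name!r} claims {d} but address is {addr}")
    return findings


# Constructed samples: one genuine header and three spoofing patterns.
SAMPLES = [
    "Kristin Thomas <kristin.thomas@example.com>",
    '"kristin.thomas@example.com" <kristin.thomas@evil-mail.net>',
    "Example Support <support@examp1e.com>",
    "Billing <billing@example.com.attacker.net>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_from_header(header, {"example.com"}) or "ok")
```

The checks deliberately look at the parsed address rather than at what a mail client renders, because the client view is exactly what the attacker controls; the trusted-domain list would normally be the organisation's own domains and key suppliers.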

Unfortunately, these mitigations are no longer enough. Attackers have become more sophisticated, and at the end of 2023 researchers disclosed SMTP smuggling, a technique that abuses how SMTP servers interpret the protocol rather than how a client renders a name [5]. An attacker who understands the SMTP dialogue can inject a second message, with an envelope sender and From header of their choosing, into a session with a legitimate outbound server. Neither the display name nor the sender address of that injected message is checked against the attacker's identity. Servers running affected versions with default settings are exploitable unless patched or reconfigured.

The attack exploits a mismatch between the outbound server (the one the attacker submits mail to) and the inbound server (the one that delivers it) about where a message ends. SMTP marks the end of a message's DATA section with a fixed demarcation sequence, a line containing only a dot: <CR><LF>.<CR><LF>. The attacker ends the body with a non-standard variant that looks similar, such as <LF>.<CR><LF>, and follows it with a complete second set of SMTP commands (MAIL FROM, RCPT TO, DATA and a second body). The outbound server does not recognise the variant as a terminator, so it treats everything up to the genuine terminator as one message body and relays it unchanged. The inbound server does accept the variant, ends the first message there, and reads the smuggled commands as a new message arriving on the same connection. Because that connection comes from the legitimate outbound server, the inbound server extends the forged envelope sender the same trust as the first, and the attacker has successfully impersonated a different address. Servers left on default settings that accept these variant sequences are particularly vulnerable.

SMTP smuggling therefore exploits a parsing difference between the two servers, not a weakness in header encoding. It is analogous to HTTP request smuggling, where a front-end and a back-end disagree on where one request ends and the next begins. By altering the end-of-data sequence, the attacker prompts the inbound server to attribute the smuggled content to a different sender address. Hovering over the sender's name to reveal the underlying address offers no protection here: in a smuggled message both the displayed name and the address are chosen by the attacker, and the message arrives from a server that legitimately sends mail for the impersonated domain.
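To make the parsing disagreement concrete, here is an added Python simulation (not code from the article or from the cited research) of the three parties: an outbound server that only recognises the standard terminator, a vulnerable inbound server that also accepts a variant, and a hardened inbound server that rejects bare line feeds inside DATA. The mailbox names, the provider relay IP, the SPF data and the list of lenient end-of-data variants are assumptions for the demo, and the session bytes are constructed.

```python
"""SMTP smuggling, simulated end to end in one process (added example, not
code from the article or the research it cites). Addresses, the relay IP
(203.0.113.10, an RFC 5737 documentation address) and the session bytes are
constructed; the parser is a small model of an MTA's DATA state machine."""
import re
from dataclasses import dataclass

# RFC 5321: the DATA section ends with <CR><LF>.<CR><LF> and nothing else.
STRICT_EOD = re.compile(rb"\r\n\.\r\n")
# Variants some inbound servers historically accepted as end-of-data; which
# ones a given MTA took differed, so this list is illustrative.
LENIENT_EOD = re.compile(rb"\r\n\.\r\n|\n\.\r\n|\n\.\n|\r\n\.\r")
BARE_LF = re.compile(rb"(?<!\r)\n")
# Constructed SPF data: example.com authorises only its provider's relay.
RELAY_IP = "203.0.113.10"
SPF_AUTHORISED_IPS = {"example.com": {RELAY_IP}}


@dataclass
class Message:
    mail_from: str
    rcpt_to: str
    data: bytes


class SmtpSessionParser:
    """Command/DATA state machine only: no replies, no dot-unstuffing."""

    def __init__(self, eod: re.Pattern, reject_bare_lf: bool = False):
        self.eod, self.reject_bare_lf = eod, reject_bare_lf
        self.rejected: list[bytes] = []

    def parse(self, stream: bytes) -> list[Message]:
        """Walk one SMTP session and return the messages the server accepts."""
        messages, pos, mail_from, rcpt_to = [], 0, "", ""
        while pos < len(stream):
            nl = stream.find(b"\r\n", pos)
            if nl < 0:
                break
            line = stream[pos:nl].decode("ascii", "replace")
            pos = nl + 2
            if line.upper().startswith("MAIL FROM:"):
                mail_from = line[10:].strip().strip("<>")
            elif line.upper().startswith("RCPT TO:"):
                rcpt_to = line[8:].strip().strip("<>")
            elif line.upper() == "DATA":
                end = self.eod.search(stream, pos)
                if end is None:
                    raise ValueError("DATA section never terminated")
                data, pos = stream[pos:end.start()], end.end()
                if self.reject_bare_lf and BARE_LF.search(data):
                    self.rejected.append(data)  # hardened: refuse, do not guess
                else:
                    messages.append(Message(mail_from, rcpt_to, data))
                mail_from = rcpt_to = ""
        return messages


def relay(messages: list[Message]) -> bytes:
    """Bytes the outbound server sends onward for each message it accepted."""
    return b"".join(
        f"MAIL FROM:<{m.mail_from}>\r\nRCPT TO:<{m.rcpt_to}>\r\nDATA\r\n".encode()
        + m.data + b"\r\n.\r\n" for m in messages)


def spf_result(connecting_ip: str, mail_from: str) -> str:
    domain = mail_from.rsplit("@", 1)[-1]
    return "pass" if connecting_ip in SPF_AUTHORISED_IPS.get(domain, set()) else "fail"


# Session the attacker, a real customer authenticated as intern@example.com,
# submits to the provider's outbound server.
SMUGGLED_SESSION = (
    b"MAIL FROM:<intern@example.com>\r\nRCPT TO:<cfo@example.com>\r\nDATA\r\n"
    b"From: Intern <intern@example.com>\r\nSubject: lunch\r\n\r\n"
    b"Still on for noon?\r\n"
    b"\n.\r\n"                              # smuggled <LF>.<CR><LF>
    b"MAIL FROM:<ceo@example.com>\r\nRCPT TO:<cfo@example.com>\r\nDATA\r\n"
    b"From: CEO <ceo@example.com>\r\nSubject: Urgent wire transfer\r\n\r\n"
    b"Please pay the attached invoice today.\r\n"
    b".\r\n"                                # genuine <CR><LF>.<CR><LF>
)


def run_demo() -> dict:
    accepted = SmtpSessionParser(STRICT_EOD).parse(SMUGGLED_SESSION)  # outbound
    wire = relay(accepted)
    delivered = SmtpSessionParser(LENIENT_EOD).parse(wire)  # vulnerable inbound
    hardened = SmtpSessionParser(STRICT_EOD, reject_bare_lf=True)
    survived = hardened.parse(wire)
    return {
        "outbound_saw": [m.mail_from for m in accepted],
        "inbound_saw": [m.mail_from for m in delivered],
        "smuggled_spf": spf_result(RELAY_IP, delivered[-1].mail_from),
        "hardened_saw": [m.mail_from for m in survived],
        "hardened_rejected": len(hardened.rejected),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the outbound server accepting one message from intern@example.com, the lenient inbound server delivering two, the second from ceo@example.com with SPF passing because the connection came from the provider's relay, and the hardened inbound server refusing the message outright because of the bare line feed. Real MTAs add Received headers and perform dot-stuffing, which the model omits; neither changes the outcome.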

If a threat actor uses the older method of spoofing only the display name, users can closely examine the sender's name and email address and check the spelling for mismatches or lookalike domains. This catches the more obvious discrepancies in a sender's claimed identity. If an email is spoofed using SMTP smuggling, this check is not sufficient.

Impact

Email spoofing now has a broader impact. Beyond SMTP smuggling, a 2024 CERT/CC note describes multiple SMTP services that do not sufficiently enforce the sender identity of the users sending through them [2], and reporting on it estimates that more than 20 million domains can be spoofed as a result [1]. This undermines user confidence and makes fraudulent email harder to detect. These attacks can be combined with social engineering to obtain disclosure or alteration of sensitive information that was never meant for public view. If undetected, attackers may also convince unsuspecting recipients to take actions that further the attacker's goals, relying on established rapport and the simulated authority of the impersonated sender.

Mitigation

Technical mitigations concern email server configuration. Affected servers should be updated, since the major open-source MTAs shipped fixes after the smuggling disclosure (Postfix, for example, added the smtpd_forbid_bare_newline setting), and default settings should be reviewed rather than assumed safe. Inbound SMTP servers should accept only the standard <CR><LF>.<CR><LF> end-of-data sequence, reject bare line feeds inside DATA, and not act on commands pipelined before the server has responded, which is how the smuggled commands arrive. Outbound SMTP servers should not forward non-standard end-of-data sequences unchanged. Disabling the BDAT (CHUNKING) extension where it is not needed has also been suggested as a hardening step. It is essential that both sides agree on where a message ends, so the configuration of both inbound and outbound servers should be checked. SPF, DKIM and DMARC remain necessary: SPF lets a receiver check via DNS that the connecting IP address is authorised to send for the envelope sender's domain, and DKIM lets it verify a cryptographic signature over the message against a public key published in DNS [2]. Their limits should be understood, however: a smuggled message arrives from an authorised IP, so SPF passes, and if the forged envelope and From domains match, DMARC can pass on SPF alone; and where many domains share a provider's outbound servers, SPF alone cannot tell one customer of that provider from another [2].

An operational mitigation is increased vigilance for social engineering attempts to harvest credentials in email correspondence, regardless of who the sender appears to be. Because fraudulent emails are harder to detect from a standard user's view, it is a best practice to avoid using email to transmit sensitive information. Secure, encrypted channels such as a secure fax service, encrypted cloud storage, password-protected files, or offline in-person communication and delivery reduce the chance that information disclosed in response to a spoofed email ends up with unauthorised parties [3]. If unprotected information is sent or received via email, it is best to assume that an unintended party could view the message.

Relevance

Users must exercise increased discretion when using email. Email spoofing is commonly used to foster trust before a phishing attempt: attackers use it to establish rapport and credibility with their target and so increase the likelihood of harvesting credentials. If an email appears to come from a reputable source, the recipient is less likely to question its authenticity. Because these attacks have become more sophisticated, discernment in handling email is more necessary than ever.

References

[1] Arghire, I. (2024, July 31). Vulnerabilities Enable Attackers to Spoof Emails From 20 Million Domains. Security Week. https://www.securityweek.com/vulnerabilities-enable-attackers-to-spoof-emails-from-20-million-domains/

[2] Carnegie Mellon University. (2024, July 30). Multiple SMTP Services are Susceptible to Spoofing Attacks due to Insufficient Enforcement. CERT Vulnerability Notes Database. https://kb.cert.org/vuls/id/244112

[3] Duffy, J. (2023, December 19). The Best Online Fax Services for 2024. PC Magazine. https://www.pcmag.com/picks/the-best-online-fax-services

[4] Lenaerts-Bergmans, B. (2022, October 7). Email Spoofing: How to Identify a Spoofed Email. CrowdStrike. https://www.crowdstrike.com/en-us/cybersecurity-101/social-engineering/email-spoofing/

[5] Longin, T. (2023, December 27). SMTP Smuggling – Spoofing E-Mails Worldwide [Video]. media.ccc.de. https://media.ccc.de/v/37c3-11782-smtp_smuggling_spoofing_e-mails_worldwide