If you're struggling to secure email forwarding, it's not you, it's ... the protocols
Eggheads prove they can mimic messages and bag bug bounty bucks
Analysis Over the past two decades, efforts have been made to make email more secure. Alas, defensive protocols implemented during this period, such as SPF, DKIM, and DMARC, remain unable to deal with the complexity of email forwarding and differing standards, a study has concluded.
In a preprint paper titled, "Forward Pass: On the Security Implications of Email Forwarding Mechanism and Policy," scheduled to appear at the 8th IEEE European Symposium on Security and Privacy in July, authors Enze Liu, Gautam Akiwate, Mattijs Jonker, Ariana Mirian, Grant Ho, Geoffrey Voelker, and Stefan Savage show that email messages can be easily spoofed despite the existence of supposed defenses.
The researchers, affiliated with UC San Diego and Stanford University in the US, and University of Twente in the Netherlands, reveal that attackers can still easily take advantage of security issues arising from email forwarding. They demonstrated this by delivering spoofed messages to accounts at major email providers like Google Gmail, Microsoft Outlook, and Zoho.
SPF, DKIM, and DMARC do help. Sender Policy Framework (SPF) provides a way to set a list of IP addresses that can send email on behalf of a domain, and to define what actions recipients should take upon receipt of a message from an unauthorized IP address.
DomainKeys Identified Mail (DKIM) creates a cryptographic signature binding a message to the sending domain, but doesn't verify the sender (the FROM header).
Domain Message Authentication, Reporting, and Conformance (DMARC) builds upon and extends SPF and DKIM by telling the message recipient what to do if a message does not pass authentication tests, and can report that information back to the sender.
These defenses, however, have trouble coping with email forwarding. One problem, the boffins explain, is that forwarding involves at least three parties and that the authenticity of email commonly gets decided by the party with the weakest security settings.
- Namecheap admits 'unauthorized emails' pwning its customers
- Microsoft to enterprises: Patch your Exchange servers
- Attackers abuse Microsoft's 'verified publisher' status to steal data
- UK Cyber Security Centre's scary new story: One phish, two phish, Russia phish, Iran phish
Spoofed messages appear to come from prominent domains operated by government, finance, legal, and media organizations, but come from somewhere else. An example cited in the paper of a successful attack is a spoofed email purporting to be firstname.lastname@example.org that was delivered to a Gmail user’s inbox without any warning notification.
The sorts of social engineering attacks made possible by spoofed email continue to present security challenges for organizations and individuals. To underscore that point, the researchers point to the 2021 Verizon Data Breach Investigation Report, which indicates that phishing is involved in over a third (36 percent) of the more than 4,000 data breaches investigated, and that email-based attacks are commonly used for social engineering.
Another issue is that the goal of forwarding is for the relaying party to send an existing message on behalf of the original sender in a way that's transparent. That, the researchers opine, is contrary to the anti-spoofing aspirations of SPF and DMARC.
"Finally, there is no single standard implementation of email forwarding," the researchers state in their paper. Consequently, choosing to permit open forwarding, while it doesn't necessarily harm the security of the implementing party, has a downstream impact on other email services and their users.
Sadly not rocket science
The boffins describe four different email spoofing attacks, each of which works with a different set of commercial email providers. Here's one that involves Microsoft Outlook:
An attacker starts by creating a personal account for forwarding (email@example.com), adding the spoofed address (firstname.lastname@example.org) to the account’s “allowlist” (thereby preventing any quarantining by Outlook), and configuring the account to forward all email to the desired target (email@example.com).
In this case, the spoofed domain state.gov includes Outlook’s SPF record (spf.protection.outlook.com) into its own SPF record and has a DMARC policy of REJECT.
Next, the attacker forges an email that purportedly originates from state.gov and sends it to their personal Outlook account.
Normally, Outlook would quarantine this email because it fails DMARC validation. However, since the spoofed address is present in the account’s allowlist, this configuration overwrites the quarantine decision, and as a result, Outlook would forward the spoofed email to the target.
According to the researchers, this technique works – or did at the time it was tested – for domains that include the SPF record of six large commercial email services, including Outlook, iCloud, Freemail, Hushmail, Mail2World and Runbox.
More than a few people are potentially vulnerable to this attack. The academics say that given Outlook's size, an attacker using this technique would be able to spoof email for more than 12 percent of the Alexa 100,000 most popular domains. And 32 percent of US .gov domains, including 22 percent of the domains used by federal agencies, can be spoofed using this technique.
The paper goes on to explore three other spoofing techniques. These involve abusing relaxed forwarding validation, exploiting vulnerabilities in ARC (Authenticated Received Chain) implementations, and laundering spoofed email through mailing lists.
The boffins say they have disclosed the vulnerabilities and attacks to affected providers and have already received responses from some. Zoho, they say, fixed its ARC implementation and awarded the researchers a bug bounty.
Microsoft, meanwhile, confirmed the vulnerabilities, designating them "Important," which is the highest severity the company awards for spoofing bugs, and paid a bug bounty. Mailing list service Gaggle Mail confirmed the reported flaw and said it would start enforcing DMARC. Gmail fixed the issue it was made aware of. And Apple's iCloud is said to be investigating the researchers' bug report.
"While there are certain short-term mitigations (e.g., eliminating the use of open forwarding) that will significantly reduce the exposure to the attacks we have described here, ultimately email requires a more solid security footing if it is to effectively resist spoofing attacks going forwards," the paper concludes. ®