
Novel SMTP Smuggling Technique Slips Past DMARC, Email Protections

A novel way to abuse a decades-old protocol used to send emails since the beginning of the Internet allows attackers to evade Domain-based Message Authentication, Reporting and Conformance (DMARC) and other email protections, putting organizations and individuals at risk for targeted phishing attacks that appear to come from legitimate sources.

Using a technique called “SMTP smuggling,” attackers can exploit Simple Mail Transfer Protocol (SMTP) on vulnerable servers to send scores of malicious emails with fake sender addresses that pass typical email security checks, security researcher Timo Longin, senior security consultant at SEC Consult, revealed in a blog post published Dec. 18.

The technique — which can be used with both inbound and outbound messages — exploits zero-day flaws in messaging servers from Microsoft, GMX, and Cisco to send spoofed emails from millions of domains to millions of receiving SMTP servers. Microsoft and GMX patched their flaws, while a potential for misconfiguration in Cisco Secure Email — both on-premises and cloud versions — remains unaddressed, according to the firm.

“SMTP smuggling is a novel email spoofing technique, which allows attackers to send emails with fake sender addresses (e.g., [email protected]) to pose as someone else,” Longin explains to Dark Reading. “Usually, there are some mitigations in the email infrastructure to limit such attacks, but with the new approach, such a spoofed email will be delivered.”

How SMTP Smuggling Attacks Work

SMTP smuggling is part of the “smuggling vulnerability” family that exploits differing interpretations of the SMTP protocol, and is related to smuggling vulnerabilities in other protocols, such as HTTP smuggling.

In SMTP smuggling, attackers exploit how inbound and outbound SMTP servers interpret the end-of-data code sequence used in messaging — “<CR><LF>.<CR><LF>” — to give SMTP a different understanding of where the message data ends, allowing an attacker to break out of the message data, specify arbitrary SMTP commands, and/or even send separate emails.

“SMTP smuggling works by sending a specially crafted email through a number of (affected) email servers,” Longin explains. “With the right tools, this is an easy task for an attacker.”

Further, this technique allows malicious emails to pass typical checks by the email protection protocols DMARC, SPF, and DomainKeys Identified Mail (DKIM), because the messages appear to have passed through the required handoffs built into the messaging system.

“Where one server may only see one email, another server may suddenly see two emails, as the second one was hidden within the protocol,” Longin explains. “Email sender names and email addresses can be spoofed and security features bypassed with the identified SMTP-smuggling attack.”
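As an added illustration (not code from the article or from SEC Consult), the Python below simulates the parser differential described above and provides two defender-side checks for an inbound server or mail pipeline. The sample stream and every address in it are constructed; the terminator variants other than <LF>.<CR><LF> are assumptions, not sequences the article names.

```python
import re
from typing import Iterable, List, Tuple

# RFC 5321 end-of-data sequence: <CR><LF>.<CR><LF>
STRICT_EOD = b"\r\n.\r\n"
# Terminators a lenient inbound server may also honour. The first is the
# <LF>.<CR><LF> variant the article names; the others are assumed variants.
LENIENT_EODS = (b"\n.\r\n", b"\r.\r\n", b"\r\n.\n", b"\n.\n")
# Envelope commands that should never directly follow an end-of-data
# sequence inside what a strict server treats as a single message body.
SMTP_CMD = re.compile(rb"(MAIL FROM:|RCPT TO:|DATA\r?\n)", re.IGNORECASE)

def split_messages(stream: bytes, terminators: Iterable[bytes]) -> List[bytes]:
    """Split a raw DATA stream into the messages a server sees when it honours
    the given terminators; strict and lenient sets give different counts."""
    terms = sorted(terminators, key=len, reverse=True)  # longest match first
    pattern = b"|".join(re.escape(t) for t in terms)
    return [part for part in re.split(pattern, stream) if part.strip()]

def smuggling_indicators(data: bytes) -> List[Tuple[int, bytes]]:
    """Flag non-canonical terminators immediately followed by an envelope
    command: body bytes to a strict server, commands to a lenient one."""
    lenient_re = re.compile(b"|".join(
        re.escape(t) for t in sorted(LENIENT_EODS, key=len, reverse=True)))
    hits = []
    for m in lenient_re.finditer(data):
        if SMTP_CMD.match(data, m.end()):
            hits.append((m.start(), m.group(0)))
    return hits

def has_bare_line_endings(data: bytes) -> bool:
    """True if any LF lacks a preceding CR or any CR lacks a following LF.
    Refusing such data on the inbound side removes the ambiguity entirely."""
    return re.search(rb"(?<!\r)\n|\r(?!\n)", data) is not None

# Constructed sample stream (not real traffic): one message whose body
# contains a <LF>.<CR><LF> sequence followed by a second envelope.
SAMPLE = (
    b"From: alice@example.com\r\nTo: bob@example.net\r\nSubject: hi\r\n\r\n"
    b"legit body\r\n"
    b"\n.\r\n"
    b"MAIL FROM:<ceo@example.com>\r\nRCPT TO:<bob@example.net>\r\nDATA\r\n"
    b"From: ceo@example.com\r\nSubject: urgent\r\n\r\nsecond body\r\n"
    b"\r\n.\r\n"
)

if __name__ == "__main__":
    print("strict server sees", len(split_messages(SAMPLE, (STRICT_EOD,))), "message(s)")
    print("lenient server sees", len(split_messages(SAMPLE, (STRICT_EOD,) + LENIENT_EODS)), "message(s)")
    print("indicators:", smuggling_indicators(SAMPLE))
    print("bare line endings present:", has_bare_line_endings(SAMPLE))
```

Run stand-alone, the strict split reports one message and the lenient split two, which is the discrepancy Longin describes; the bare-line-ending check is the simpler gate an inbound server can apply before parsing at all.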

Since emails get smuggled/sent from the actual email server, SPF alignment checks, which are required by DMARC, let the messages pass through, Longin explains. “This is the case because most email servers don’t require [both] SPF and DKIM alignment, but only one of them,” he says.

Enterprises are at risk from the attacks particularly because they allow threat actors to use targeted social engineering to send advanced phishing mails to employees, or create spear-phishing attacks, “making the victims believe the attacker’s email was received from a known person,” Longin says.

This is a significant threat because phishing attacks are still the primary way threat actors infiltrate organizations’ networks to conduct further malicious activity — including loading ransomware and other malware, he notes.

Affected Systems and Mitigation

The researchers found vulnerabilities in several email services from Microsoft, GMX, and Cisco Secure Email Cloud Gateway that allow for SMTP smuggling and together affect millions of SMTP servers.

Microsoft Exchange Online allowed smuggling from every domain pointing their SPF record to Exchange Online, the researchers found.

“This amounts to millions of domains all across the globe, including some very high-value targets owned by Microsoft like microsoft.com, msn.com, github.com, outlook.com, office365.com, openai.com and many more, and also domains of their customers (e.g., tesla.com, mastercard.com, nike.com, etc.),” Longin wrote in the post.

However, smuggling from Exchange Online is somewhat restricted since the receiving inbound SMTP server must support a protocol called BDAT, the researchers said.

GMX and Ionos email services allowed SMTP smuggling from roughly 1.35 million different domains, as indicated by the domains pointing their MX record to Ionos, of which GMX is a part, the researchers found.

However, since SMTP smuggling doesn’t work for every receiving inbound SMTP server and, in this case, requires inbound SMTP servers to accept <LF>.<CR><LF> as an end-of-data sequence, the researchers conducted tests and found that only a few of the bigger email providers, including Fastmail and Runbox, were affected.

The Cisco flaw, meanwhile, affects more than 40,000 vulnerable instances and allows an attacker to send spoofed emails to high-value targets, such as Amazon, PayPal, and eBay.

The researchers disclosed the bugs to all of the affected vendors, and Microsoft and GMX responded quickly to patch their systems. However, Cisco sees what the researchers consider a flaw “as a feature, not a bug” and against their recommendations, “won’t issue a warning to their customers, who need to change a vulnerable default configuration setting in order to be protected,” Longin says.

Because of this, SEC Consult recommends that organizations using Cisco Secure Email Gateway (on premises) or Cisco Secure Email Cloud Gateway (cloud) change the default setting of “CR and LF Handling” from “Clean” to “Allow,” citing Cisco guidelines to help administrators understand the change that should be made.

Regarding phishing emails in general, the researchers advise that organizations maintain vigilance and perform periodic awareness training for all employees to avoid compromise through this attack vector.

“Sometimes even big software vendors use default settings with questionable security,” Longin says. “Regular security tests against [an organization’s] own infrastructure are highly recommended to find out about the current attack surface and also detect recent vulnerabilities.”