Two newly identified vulnerabilities could allow threat actors to abuse hosted email services to spoof the identity of the sender and bypass existing protections, and the researchers who found them said millions of domains are affected.
The issues, tracked as CVE-2024-7208 and CVE-2024-7209, allow authenticated attackers to spoof the identity of a shared, hosted domain, and to use network authorization to spoof the email sender, the CERT Coordination Center (CERT/CC) at Carnegie Mellon University notes in an advisory.
The flaws are rooted in the fact that many hosted email services fail to properly verify trust between the authenticated sender and their allowed domains.
“This allows an authenticated attacker to spoof an identity in the email Message Header to send emails as anyone in the hosted domains of the hosting provider, while authenticated as a user of a different domain name,” CERT/CC explains.
On SMTP (Simple Mail Transfer Protocol) servers, sender authentication and verification are provided by a combination of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), on which Domain-based Message Authentication, Reporting, and Conformance (DMARC) relies.
SPF and DKIM are meant to address the SMTP protocol’s susceptibility to sender-identity spoofing: SPF verifies that emails are sent from the networks a domain allows, and DKIM prevents message tampering by verifying specific parts of the message.
However, many hosted email services do not sufficiently verify the authenticated sender before sending emails, allowing authenticated attackers to spoof emails and send them as anyone in the hosted domains of the provider while authenticated as a user of a different domain name.
“Any remote email receiving services may incorrectly identify the sender’s identity as it passes the cursory check of DMARC policy adherence. The DMARC policy is thus circumvented, allowing spoofed messages to be seen as an attested and a valid message,” CERT/CC notes.
These shortcomings may allow attackers to spoof emails from more than 20 million domains, including high-profile brands, as in the case of SMTP Smuggling or the recently detailed campaign abusing Proofpoint’s email protection service.
More than 50 vendors could be impacted, but to date only two have confirmed being affected.
To address the flaws, CERT/CC notes, hosting providers should verify the identity of authenticated senders against authorized domains, while domain owners should implement strict measures to ensure their identity is protected against spoofing.
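To make the gap concrete, the following added example (not code from the advisory or from any vendor) simulates both sides: a receiver-side SPF/DMARC alignment check that passes for any From: domain the provider hosts, and the provider-side check CERT/CC recommends, which ties the From: domain to the domains the authenticated account is actually authorized to use. The outbound IP range, hosted domains and account-to-domain table are constructed for the illustration.

```python
from email.utils import parseaddr
import ipaddress

# Constructed data: one hosting provider sends mail for several customer
# domains from a shared outbound IP range, so SPF passes for all of them.
PROVIDER_OUTBOUND = ipaddress.ip_network("203.0.113.0/24")      # constructed
HOSTED_DOMAINS = {"example.com", "example.net", "example.org"}  # constructed

# Hypothetical authorization table: which authenticated account may send
# for which domains. Only example.net belongs to this account.
SENDER_DOMAINS = {
    "alice@example.net": {"example.net"},
}


def domain_of(address: str) -> str:
    """Return the lowercased domain of an RFC 5322 address, or '' if none."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def receiver_dmarc_passes(from_header: str, client_ip: str) -> bool:
    """Simplified receiver-side check: SPF pass plus DMARC alignment.

    SPF passes because the connecting IP is in the provider's outbound range
    and the From: domain is one the provider hosts; the From: domain then
    aligns with the SPF domain, so DMARC passes. This is the 'cursory check'
    the advisory describes: it never learns who actually authenticated.
    """
    from_domain = domain_of(from_header)
    spf_pass = (ipaddress.ip_address(client_ip) in PROVIDER_OUTBOUND
                and from_domain in HOSTED_DOMAINS)
    return spf_pass  # alignment: SPF-authorized domain == From: domain


def provider_accepts(authenticated_user: str, from_header: str) -> bool:
    """Provider-side check the advisory recommends: the From: domain must be
    one the authenticated account is authorized for, not merely any domain
    the provider hosts."""
    allowed = SENDER_DOMAINS.get(authenticated_user.lower(), set())
    return domain_of(from_header) in allowed
```

Run against a message whose From: names a different hosted domain than the authenticated account, `receiver_dmarc_passes` returns True while `provider_accepts` returns False, which is exactly the gap the provider-side check closes.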
The PayPal security researchers who found the vulnerabilities will present their findings at the upcoming Black Hat conference.