A German security researcher has discovered a group of vulnerabilities in various email clients, collectively dubbed Mailsploit, which allow an attacker to spoof email sender identities without being picked up by DMARC.
Mailsploit also allows the bad guys to launch cross-site scripting (XSS) and code-injection attacks.
According to Sabri Haddouche, the bombshell issue is that the spoofing is not detected by email servers, and can thus circumvent email security mechanisms such as DMARC and spam filters. It’s a widespread issue, too: Bugs were found in over 30 applications, including prominent ones like Apple Mail, Mozilla Thunderbird, various Microsoft email clients, Yahoo! Mail, ProtonMail and others.
“Email identities were really easy to spoof back in the 90s and early 2000s,” Haddouche said, in an analysis. “Changing the ‘From’ header field was enough to make friends believe an email came from their mother, significant other or even the FBI. There were websites specially made for this purpose. However, those tricks no longer work thanks to anti-spoofing protections such as DMARC (DKIM / SPF) and anti-spam filters. Today, emails with spoofed From fields either go to the spam folder or are completely rejected by the server.”
Mailsploit could change all of that. Now, Haddouche wryly noted, there’s “a way to bypass DMARC protection and spoof the sender name like it was 1999.”
Mailsploit allows the attacker to display an arbitrary sender email address to the email recipient. In a demo, Haddouche used potus@whitehouse.gov, but any other email address could be used.
He describes the issue:
“And this is how it works: In an email, all headers must only contain ASCII characters, including the From header. The trick resides in using RFC-1342 (from 1992!), a recommendation that provides a way to encode non-ASCII chars inside email headers in such a way that it won't confuse the MTAs processing the email. Unfortunately, most email clients and web interfaces don’t properly sanitize the string after decoding, which leads to this email spoofing attack.”
DMARC is not attacked directly, but rather bypassed by taking advantage of how the clients display the decoded sender name. The server still properly validates the DKIM signature of the original (attacker-controlled) domain, not the spoofed one, so the message passes every server-side check.
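The mechanism described above is easy to see from the defender's side: a client decodes the RFC 1342/2047 encoded-words in the display name and renders the result, while the server only ever validated the real addr-spec. The following is an added example, not code from Haddouche's analysis or from any of the affected products, that decodes a From header the way a client would and then applies the sanitization step the article says most clients skip: it flags decoded display names that contain control characters or that embed an address-like string different from the real addr-spec. The sample headers are constructed here for illustration (all addresses are example.net/example.com placeholders).

```python
import base64
import re
from email.header import decode_header
from email.utils import parseaddr

# Characters that must never survive into a rendered display name.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Anything that looks like an email address inside the display name.
ADDR_LIKE = re.compile(r"[\w.+-]+@[\w.-]+")


def _decode_chunks(value):
    """Decode RFC 2047 encoded-words in a header phrase into one str."""
    parts = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            try:
                parts.append(chunk.decode(charset or "us-ascii", errors="replace"))
            except LookupError:  # unknown charset label in the encoded-word
                parts.append(chunk.decode("utf-8", errors="replace"))
        else:
            parts.append(chunk)
    return "".join(parts)


def decode_from_header(raw):
    """Split a raw From header into (decoded display name, addr-spec).

    The addr-spec is what SPF/DKIM/DMARC were evaluated against; the display
    name is what the client renders after decoding.
    """
    name, addr = parseaddr(raw)
    return _decode_chunks(name), addr


def assess_from_header(raw):
    """Return a list of findings; an empty list means nothing suspicious."""
    name, addr = decode_from_header(raw)
    findings = []
    if CONTROL_CHARS.search(name):
        findings.append("control characters in decoded display name")
    for embedded in ADDR_LIKE.findall(name):
        if embedded.lower() != addr.lower():
            findings.append(
                f"display name contains address {embedded!r} that differs "
                f"from addr-spec {addr!r}"
            )
    return findings


def _encoded_word(text):
    """Build a utf-8 base64 encoded-word (constructed sample input only)."""
    b64 = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return f"=?utf-8?b?{b64}?="


# Constructed sample headers, not taken from any real message.
SAMPLES = {
    # Legitimate use of encoding: a non-ASCII name, nothing to flag.
    "benign": _encoded_word("Jürgen Müller") + " <juergen@example.net>",
    # Display name decodes to an address that is not the authenticated one.
    "addr_in_name": _encoded_word("ceo@example.com") + " <mailer@example.net>",
    # Display name decodes to text containing a control character.
    "control_char": _encoded_word("Help Desk\n") + " <mailer@example.net>",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        name, addr = decode_from_header(header)
        print(f"{label}: rendered name={name!r} addr-spec={addr!r}")
        for finding in assess_from_header(header):
            print("  FLAG:", finding)
```

The check runs after decoding, which is the point: inspecting the raw ASCII header alone (as a server-side DMARC evaluation does) sees only the encoded-word and the genuine addr-spec, so the render-time comparison between what the user will see and what was actually authenticated has to happen in the client or gateway.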
“While [email servers] not only don’t detect and block these spoofed email addresses, they will happily relay those emails as long as the original email seems trustworthy enough (the attacker can therefore ironically profit from setting up DMARC on that email address),” Haddouche said. “This makes these spoofed emails virtually unstoppable at this point in time.”
He has contacted the affected vendors; as of 5 Dec, it was fixed in eight products (~24%) and triaged for 12 additional products (~36%). Two vendors (Mozilla and Opera) said they won’t fix the bug (they consider it to be a server-side problem) and another one (Mailbird) closed the ticket without responding, Haddouche reported. As for the remaining 12 products (~36%), the vendors have received the bug report but have not commented on whether they will address it.
“This is a perfect example of how phishing campaigns are becoming increasingly sophisticated and targeted,” said Eyal Benishti, CEO and founder of IRONSCALES, via email. “As is the case here, fraudsters are frequently adopting spoofing and impersonation techniques in a quick, easy, and incredibly successful way to lure their potential victims into a false sense of security. As a result, it is becoming virtually impossible for end users to identify these phishing emails as they land in inboxes across the workforce.”
He recommends checking for spoofing through sender policy framework (SPF) records, display name, email address and domain similarity; augmenting the representation of senders inside the email client by learning true sender indicators and scoring sender reputation through visual cues and metadata associated with every email; integrating automatic, real-time email scanning with multiple anti-virus and sandbox solutions so forensics can be performed on any suspicious emails, whether detected or reported; and allowing quick reporting via an augmented email experience, thus helping the user make better decisions.