
How Hackers & Scammers Exploited Gmail.

If you recall, earlier this month I wrote an article regarding a new exploit that hackers are using to spoof legitimate companies by abusing security protocols such as DKIM, SPF, DMARC, and most notably, BIMI. What is happening is that Gmail is being manipulated into showing a blue verified checkmark on a fake, spoofed email purporting to come from major companies. It seems that companies such as BIMI, Google, and Microsoft are pointing fingers over whose fault this ultimately is. Luckily, Google has issued an update that fixes this exploit by implementing more stringent requirements for displaying this verification checkmark.

Was it Just UPS?

In the image displayed above, a verification checkmark can be seen next to the supposed sender, UPS, along with their logo. When hovering over the checkmark, the text reads “The sender of this email has verified that they own URL.example.com and the logo in the profile image.” While many people may speculate that only UPS was affected, that isn’t the case. A researcher by the name of Jonathan Rudenberg demonstrated this by spoofing emails from DigiCert and Entrust.com, security companies that are root certificate authorities trusted to create digital signatures for code signing and SSL certificates. It is clear that UPS wasn’t the only company affected by this exploit, and if these security companies were vulnerable to this, I believe it could be considered very serious.

Context to Understand What’s Happened.

To understand the severity, you need some context, such as the technologies that exist to let a sender prove its legitimacy. One of these is SPF. Sender Policy Framework helps protect a domain against spoofing and helps prevent outgoing messages from being marked as spam by receiving servers. SPF specifies the mail servers that are allowed to send emails for a domain: domain owners publish a list of servers that are allowed to send emails on their behalf. For example, if you know an email is supposed to come from Google’s servers, but it instead comes from some random email server in a different location, it is fake.

Another protocol is Domain-based Message Authentication, Reporting, and Conformance. DMARC ensures that the domain the email uses for verification is the same one displayed to the user in the “From” address. DMARC can be compared to a security checkpoint at an event. Just as a checkpoint verifies the identity and legitimacy of individuals entering an event venue, DMARC verifies the authenticity of emails sent on behalf of a domain. It acts as a security measure that combines the Sender Policy Framework and DKIM protocols to ensure that only authorized senders can use a domain, and prevents fraudulent or malicious emails from reaching recipients’ inboxes. DMARC monitors and enforces email authenticity, giving organizations greater control and visibility over their email communications. It helps protect recipients from receiving suspicious or unauthorized emails, enhancing email security and reducing the risk of phishing attacks. For a more in-depth explanation of the security protocols involved, see my previous article regarding this exploit.

How This Was Done.

First, the scammers set up an account on Microsoft’s instance of Exchange, Microsoft’s email server system for enterprise companies. This lets a company use an email service that Microsoft manages at the base level and that the customer can configure. Then the scammers sent themselves an email spoofing domains belonging to companies such as UPS. UPS’ DMARC policy said to reject such an email. Microsoft, however, allows you to configure your own Exchange account to accept an email even if it fails the DMARC policy that the spoofed domain’s owner says should be applied to emails failing the check. In this case, UPS stated that emails failing the policy should be deleted. The scammers changed their account so that the email was accepted anyway, knowing it would fail. Then the scammers had their Exchange instance forward that email to the final recipient at Gmail while preserving the so-called envelope information, which contains the “From” address. UPS must use Microsoft as one of its email systems, because UPS’ published SPF records list Microsoft IP addresses as allowed to send on behalf of UPS. The scammers more than likely knew this. Therefore, when Google received the forwarded email, the “From” address was seen as UPS, the sending servers were seen as Microsoft’s, and UPS’ SPF record allowed Microsoft IPs to send UPS email. As a result, the DMARC test was considered “aligned,” as it’s referred to, and the email was authenticated. At the time, to show the BIMI verification checkmark and the logo, Gmail required that DMARC pass with alignment on either SPF or DKIM, but not both. This wouldn’t necessarily be unreasonable if there weren’t more information in the chain showing that DMARC failed on the original email, or elsewhere in the chain.
Only the most recent links in the chain were reviewed. While the DKIM test passed because the email was sent and signed by Microsoft, the signature didn’t align with the “From” address. Alignment isn’t required to pass the DKIM test: as long as there is some valid signature in the email headers, DKIM may pass. It is DMARC that determines whether that signature is aligned or not.
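The alignment logic described above, as an added example (not code from the article or from any mail provider): a minimal model of SPF, DKIM and DMARC alignment that shows why a forwarded message whose envelope sender is preserved, arriving from a relay IP listed in the brand’s SPF record, can pass DMARC on SPF alignment alone while its only DKIM signature is unaligned. All domains, IPs and the `require_dkim` policy option are constructed assumptions; the stricter rule is one possible hardening, not a description of Google’s actual fix.

```python
from dataclasses import dataclass, field

# Constructed SPF data: which sending IPs each domain authorises.
# "ups.example" stands in for the spoofed brand; the relay IP (placeholder
# 198.51.100.10) is listed because, as the article notes, the brand's SPF
# record included the forwarding provider's IP addresses.
SPF_AUTHORISED = {
    "ups.example": {"198.51.100.10"},
}

@dataclass
class Message:
    from_header_domain: str   # domain in the visible "From:" header
    mail_from_domain: str     # envelope sender domain, preserved on forwarding
    connecting_ip: str        # IP of the server delivering to the receiver
    dkim_results: dict = field(default_factory=dict)  # d= domain -> verified?

def org_domain(domain: str) -> str:
    """Crude organisational-domain reduction (last two labels) for relaxed alignment."""
    return ".".join(domain.lower().split(".")[-2:])

def spf_check(msg: Message) -> bool:
    """SPF passes if the delivering IP is authorised for the envelope sender domain."""
    return msg.connecting_ip in SPF_AUTHORISED.get(msg.mail_from_domain, set())

def dmarc_evaluate(msg: Message) -> dict:
    """Which identifier aligns with the From: domain, and the overall DMARC result."""
    from_org = org_domain(msg.from_header_domain)
    spf_aligned = spf_check(msg) and org_domain(msg.mail_from_domain) == from_org
    dkim_aligned = any(ok and org_domain(d) == from_org for d, ok in msg.dkim_results.items())
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}

def bimi_eligible(result: dict, require_dkim: bool) -> bool:
    """require_dkim=False mirrors the 'either SPF or DKIM' rule the article says
    Gmail used; require_dkim=True is an assumed stricter rule that ignores
    SPF-only passes, so an unaligned DKIM signature is not enough."""
    return result["dkim_aligned"] if require_dkim else result["dmarc_pass"]

# The forwarded message as it reached the receiver: From: spoofs the brand, the
# envelope sender was preserved, delivery came from the relay IP, and the only
# DKIM signature is from the attacker's own tenant (constructed placeholder).
FORWARDED = Message("ups.example", "ups.example", "198.51.100.10",
                    {"attacker-tenant.example": True})

if __name__ == "__main__":
    r = dmarc_evaluate(FORWARDED)
    print(r, "| BIMI either:", bimi_eligible(r, False),
          "| BIMI dkim-required:", bimi_eligible(r, True))
```

Under the “either” rule the forwarded message earns the checkmark purely because the relay IP sits in the brand’s SPF record; requiring an aligned DKIM signature removes that path while still passing mail the brand actually signed.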

Were Other Email Services Affected?

I conducted a test to determine which email services were easily susceptible. It seems that Apple’s Mail application shows the verification checkmark. Whether that is a result of a BIMI implementation or not is still being determined. Other mail providers that use BIMI implementations are, most notably, iCloud, Yahoo, and Fastmail. If you would like to see the visuals from this test, refer to my Instagram and Facebook pages. Luckily, now that a lot of attention is being brought to this issue, every email service will hopefully require stronger authentication before displaying this verification checkmark.
