Attackers Manage to Bypass Security and Spoof Emails with SMTP Smuggling
New year — new risks. 2024 has only just started, but it is already clear that one of the threats we will be facing is SMTP smuggling. The technique lets attackers sneak malicious emails past security checks by tampering with email headers. It is a clever trick that dupes mail systems into delivering spoofed messages straight to your inbox, bypassing the usual guards such as SPF, DKIM, and DMARC.
More on SMTP Smuggling: How It Works
SMTP smuggling is a fairly sophisticated trick. Attackers craft an email and tinker with the SMTP headers — the fields that tell the server where the email is from and where it is going. They insert extra commands within these headers and trick the receiving server into treating one email as two.
Here’s how it all unfolds. The crafted email hits the server, which, misled by the smuggled commands, splits the email in two. The first part is the decoy, perfectly normal. It passes all security checks without raising any alarms. The second part, however, carries the malicious payload. It smuggles past the usual defenses like SPF, DKIM, and DMARC and lands directly in the target’s inbox.
The crux of the technique lies in exploiting discrepancies in how different servers decide where an email message ends. Attackers create a situation in which the sending server sees one continuous message, while the receiving server is duped into seeing two separate messages. The result is that a dangerous email skirts the security measures businesses commonly rely on to protect their employees, and the harmful content is delivered right where the attackers want it.
Major Vulnerabilities: What’s Known So Far
According to reports, the SMTP servers of major platforms such as Microsoft, GMX, and Cisco are vulnerable to SMTP smuggling. Attackers can use this to launch stealthier phishing attacks by bypassing the security protections mentioned above.
Microsoft and GMX have addressed these concerns and released fixes for the vulnerabilities identified in their SMTP servers. Cisco says it does not view the behaviour as a vulnerability, but the affected feature in its Secure Email solution can be disabled: in the Listener Settings, change the CR and LF Handling option from “Clean” to “Reject”.
Any Solutions Available?
Security experts recommend several protection methods against SMTP smuggling attacks.
- Proper Configuration and Updates
Keep your SMTP server software and configuration up to date, and make sure the server handles SMTP commands securely. In particular, servers must interpret end-of-data sequences correctly, so that a single incoming message can never be split into two.
- Advanced Email Security Solutions
Deploy email security solutions that offer advanced protection, including the ability to detect and block SMTP smuggling attempts. Solutions that perform deep inspection of both email headers and payloads are likely to be the most effective.
- Multi-layered Security Measures
Do not rely solely on SPF, DKIM, and DMARC. Combine them with additional layers of security, such as endpoint protection and intrusion detection systems.
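The end-of-data check referred to above, and the “Reject” versus “Clean” listener policy mentioned for Cisco Secure Email, as an added example written for this post (not code from any of the vendors named): it flags a lone `.` line delimited by bare CR or LF inside a DATA body, and models the two policies on a constructed sample message. The function and setting names are assumptions for illustration only.

```python
import re

# RFC 5321: lines end with CRLF, the only end-of-data sequence is <CRLF>.<CRLF>,
# and a body line starting with '.' is dot-stuffed ('..'). A '.' alone on a
# line delimited by a bare LF or bare CR is the ambiguity SMTP smuggling
# exploits: one server keeps it as message text, another ends the message there.
BARE_CR_OR_LF = re.compile(rb"\r(?!\n)|(?<!\r)\n")
ANY_BREAK = re.compile(rb"\r\n|\r|\n")
LONE_DOT_LINE = re.compile(rb"(?:^|\r\n|\r|\n)\.(?=\r\n|\r|\n|$)")

def find_ambiguous_terminators(body: bytes) -> list:
    """Offsets of every lone '.' line inside a DATA body (with the real
    <CRLF>.<CRLF> terminator already stripped). A compliant body has none."""
    return [m.start() for m in LONE_DOT_LINE.finditer(body)]

def clean_body(body: bytes) -> bytes:
    """'Clean' policy: rewrite bare CR / bare LF as CRLF and dot-stuff every
    line that begins with '.', so no downstream server can see an early end."""
    lines = ANY_BREAK.split(body)
    return b"\r\n".join(b"." + ln if ln.startswith(b".") else ln for ln in lines)

def handle_data(body: bytes, cr_lf_handling: str = "reject"):
    """Model of a listener's CR and LF Handling setting (names assumed).
    Returns (accepted, body_to_forward): 'reject' refuses any body carrying
    bare CR/LF, 'clean' accepts it after normalisation."""
    if not BARE_CR_OR_LF.search(body):
        return True, body
    if cr_lf_handling == "reject":
        return False, None
    return True, clean_body(body)

# Constructed sample: an ordinary-looking message whose body carries a lone '.'
# delimited by bare LF, the byte pattern a lenient receiver may read as end-of-data.
SAMPLE = (b"Subject: Quarterly report\r\n\r\n"
          b"Please find the report attached.\r\n"
          b"\n.\nText a lenient receiver would treat as a separate message\r\n")

if __name__ == "__main__":
    print("ambiguous terminators at:", find_ambiguous_terminators(SAMPLE))
    print("reject policy:", handle_data(SAMPLE, "reject"))
    print("clean policy:", handle_data(SAMPLE, "clean"))
```

Under the “Reject” policy the sample is refused outright; under “Clean” it is forwarded with CRLF line endings and the lone dot stuffed to `..`, so a downstream server cannot read it as a message boundary.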