Spoofed & Trusted: Next-Generation Email Attacks Targeting Email Design and Implementation Flaws

Email spoofing attacks are evolving rapidly, becoming more sophisticated and alarmingly effective at circumventing established security standards. This presentation introduces several new email spoofing techniques that exploit DKIM and DMARC implementation flaws, enabling attackers to send convincing phishing emails at scale from highly reputable enterprise domains.

We will also provide a detailed examination of several advanced and frequently overlooked spoofing patterns uncovered through recent research. These attack methods are actively targeting Fortune 500 companies and government agencies, highlighting critical vulnerabilities across essential sectors. Despite existing documentation and defensive measures, attackers continue to exploit these vulnerabilities extensively, underscoring significant gaps in current security frameworks.

Attendees will gain practical, actionable insights and defensive strategies for detecting, mitigating, and proactively defending against these spoofing attacks. Awareness of the techniques and adoption of the demonstrated mitigations will substantially strengthen organizational resilience against evolving phishing threats.

The presentation begins by revisiting the foundations of email spoofing, emphasizing common misconfigurations and the inherent limitations of SPF, DKIM, and DMARC. Building on that foundation, we then walk through six specific techniques, grouped under two attack patterns, with real-world examples and live demonstrations:

Attack pattern #1: SPF, DKIM, DMARC Abuse:

Undisclosed research on amplified DKIM replay attacks: unpublished attack vectors that combine DKIM replay with distribution lists to vastly amplify phishing campaigns (upcoming disclosure by our research team).

CVE-2024-7209: Exploiting shared SPF records in multi-tenant environments to spoof sender identities via network-level authorization (discovered by our team; published via CERT/CC as VU#244112: https://kb.cert.org/vuls/id/244112).

CVE-2024-7208: Exploiting multi-tenant hosting platforms to bypass DMARC, SPF, and DKIM controls, allowing an authenticated attacker (any tenant) to spoof other domains hosted on the same platform (discovered by our team; published via CERT/CC as VU#244112: https://kb.cert.org/vuls/id/244112).
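To make the shared-SPF problem concrete, here is an added illustrative example (not the speakers' code or tooling): a tiny SPF evaluator that understands only the ip4, include and all mechanisms and resolves TXT records from a constructed in-memory table rather than real DNS. All domain names, the provider record and the addresses are hypothetical. Two unrelated tenants both publish `include:` for the same provider record, so any host in the provider's range passes SPF for either tenant's domain.

```python
"""Shared SPF records in multi-tenant hosting: one tenant passes SPF for another.

Added illustrative example; not the speakers' code. The evaluator handles only
the ip4, include and all mechanisms, and looks up TXT records in a constructed
in-memory table instead of DNS. Every name and address here is hypothetical.
"""
import ipaddress

# Constructed TXT data. Two unrelated tenants delegate to the same provider
# record, which authorizes the provider's entire outbound address range.
DNS_TXT = {
    "victim.example":        "v=spf1 include:_spf.provider.example -all",
    "attacker.example":      "v=spf1 include:_spf.provider.example -all",
    "_spf.provider.example": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 -all",
    # Contrast (hypothetical): a record naming only the relay assigned to this tenant.
    "victim-scoped.example": "v=spf1 ip4:203.0.113.10 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, client_ip: str, depth: int = 0) -> str:
    """Evaluate the SPF record of `domain` for a connecting `client_ip`.

    Returns pass / fail / softfail / neutral / none / permerror.
    Only ip4:, include: and all are understood (enough for this demo).
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"

    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # default qualifier is "+" (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]

        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include: matches only when the included domain's check passes.
            matched = check_spf(term[8:], client_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            raise ValueError(f"unsupported mechanism in demo: {term}")

        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # nothing matched and no explicit all


def shared_spf_demo() -> dict:
    """Attacker-controlled tenant host 203.0.113.77 sits inside the provider range."""
    attacker_host = "203.0.113.77"
    return {
        # Both tenants pass SPF for the same attacker-controlled host ...
        "victim_shared":    check_spf("victim.example", attacker_host),
        "attacker_own":     check_spf("attacker.example", attacker_host),
        # ... but a tenant-scoped record does not.
        "victim_scoped":    check_spf("victim-scoped.example", attacker_host),
        "victim_scoped_ok": check_spf("victim-scoped.example", "203.0.113.10"),
        "outside_range":    check_spf("victim.example", "192.0.2.1"),
    }


if __name__ == "__main__":
    for name, result in shared_spf_demo().items():
        print(f"{name:18} {result}")
```

Because the MAIL FROM domain victim.example aligns with the From: header under DMARC, the SPF pass on the shared range is enough for DMARC to pass as well, which is why a provider-wide `include:` is a DMARC bypass and not just an SPF curiosity. The scoped record is shown only as a contrast; whether it is workable depends on the provider assigning stable, per-tenant sending addresses.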

Attack pattern #2: SMTP Server Parsing Logic Exploits

Undisclosed research on DMARC failures: Novel techniques that allow spoofed emails to reach inboxes despite DMARC enforcement (upcoming disclosure by our research team).

SMTP smuggling attacks: Exploiting differences in how outbound and inbound SMTP servers interpret the end-of-data sequence, so that one submitted message is delivered as two.

SMTP recipient parsing exploits: Leveraging discrepancies in how SMTP servers parse mail recipients to spoof emails (we found Google Groups vulnerable to this attack).
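The SMTP smuggling item above hinges on one byte sequence being read two ways. The following is an added illustrative example, not the speakers' code: two minimal end-of-data scanners stand in for an outbound relay that terminates DATA only on <CR><LF>.<CR><LF> (RFC 5321) and an inbound server that leniently also accepts a bare <LF>.<LF>. The DATA payload and every address in it are constructed for this demo; a real inbound server would execute the second segment as SMTP commands on the live session rather than merely returning it as a string.

```python
"""SMTP smuggling: the same DATA bytes seen as one message or as two.

Added illustrative example, not the speakers' code. The relay view splits only
on the RFC 5321 terminator; the lenient inbound view also splits on a bare-LF
terminator. The payload is constructed and all addresses are hypothetical.
"""
import re
from typing import List, Optional

STRICT_EOD = b"\r\n.\r\n"
# What a lenient parser accepts: CRLF.CRLF, LF.LF, CRLF.LF or LF.CRLF.
LENIENT_EOD = re.compile(rb"\r?\n\.\r?\n")

# Constructed: what the attacker submits to the outbound relay as ONE DATA body.
SMUGGLED_DATA = (
    b"From: newsletter@sender.example\r\n"
    b"To: victim@target.example\r\n"
    b"Subject: benign\r\n"
    b"\r\n"
    b"This is the only message the relay thinks it is forwarding.\n"
    b".\n"                                     # smuggled terminator (bare LF)
    b"MAIL FROM:<ceo@target.example>\r\n"      # injected envelope for message 2
    b"RCPT TO:<finance@target.example>\r\n"
    b"DATA\r\n"
    b"From: ceo@target.example\r\n"
    b"To: finance@target.example\r\n"
    b"Subject: urgent wire transfer\r\n"
    b"\r\n"
    b"Second message, never inspected by the relay's filters.\r\n"
    b".\r\n"                                   # real terminator
)

# Constructed: an ordinary message for comparison.
CLEAN_DATA = b"Subject: hello\r\n\r\nordinary body\r\n.\r\n"


def split_strict(stream: bytes) -> List[bytes]:
    """Outbound relay view: terminate DATA only on the RFC 5321 sequence."""
    return [part for part in stream.split(STRICT_EOD) if part]


def split_lenient(stream: bytes) -> List[bytes]:
    """Lenient inbound view: terminate DATA on any CR?LF . CR?LF sequence."""
    return [part for part in LENIENT_EOD.split(stream) if part]


def injected_mail_from(segment: bytes) -> Optional[str]:
    """Return the MAIL FROM address if a segment begins with SMTP commands."""
    match = re.match(rb"MAIL FROM:<([^>]*)>", segment)
    return match.group(1).decode() if match else None


def has_smuggled_terminator(stream: bytes) -> bool:
    """Relay-side check: does a non-standard terminator appear before the real one?

    Correct clients dot-stuff lines that start with '.', so a well-formed DATA
    body never contains any of these sequences before the final terminator.
    """
    body = stream[:-len(STRICT_EOD)] if stream.endswith(STRICT_EOD) else stream
    return LENIENT_EOD.search(body) is not None


if __name__ == "__main__":
    print("relay sees", len(split_strict(SMUGGLED_DATA)), "message(s)")
    inbound = split_lenient(SMUGGLED_DATA)
    print("inbound sees", len(inbound), "message(s)")
    print("injected MAIL FROM:", injected_mail_from(inbound[1]))
    print("relay-side check flags payload:", has_smuggled_terminator(SMUGGLED_DATA))
```

The relay forwards the whole blob to the inbound server over its own authorized connection, so the second, injected message arrives from the relay's IP with an envelope sender chosen by the attacker; if that relay is authorized for target.example, SPF and DMARC pass on the spoofed message. The relay-side check is the simplest mitigation to reason about: refuse (or normalize) any DATA body containing a bare-LF terminator before the real one, and, on the receiving side, accept only <CR><LF>.<CR><LF>.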

The session concludes with robust, proactive defense strategies designed to counter these emerging threats and measurably improve organizational email security posture. We will also discuss how DKIM V2 can address some of these email spoofing issues in the near future.

About the Speakers