Might be interesting for some: The article describes an attack that abuses 
weaknesses in Microsoft's and Proofpoint's email services to send spoofed emails 
that pass both SPF and DKIM checks for various domains like ibm.com or 
disney.com and others that use both services:

https://labs.guard.io/echospoofing-a-massive-phishing-campaign-exploiting-proofpoints-email-protection-to-dispatch-3dd6b5417db6

Sending spoofed emails that pass SPF alone for domains that use hosted email 
services like Office365 is not new and has already been documented in the past 
(e.g. in https://arxiv.org/pdf/2302.07287.pdf). That's why some providers like 
Gmail started to consider only DKIM for the BIMI verdict / authentication 
checkmarks and do not rely on SPF any longer 
(https://www.theregister.com/2023/06/09/google_bimi_email_authentication/). 
However, in this case the attackers managed to take it one step further and 
combine two hosted email services to get valid DKIM signatures for their 
messages too.
Besides fixing the configuration within the Proofpoint tenant for the affected 
domains, I advise also prefixing "include:spf.protection.outlook.com" in the 
SPF record with a question mark and relying only on DKIM for authentication, as in 
the end you cannot control what is being allowed by this broad SPF include.

—
BR Oliver
________________________________
dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * P.O. Box 10 02 34, 76232 Karlsruhe
Phone 0721 5592-2500 Fax 0721 5592-2777
[email protected] * www.dmTECH.de
GmbH: registered office Karlsruhe, register court Mannheim, HRB 104927
Managing directors: Christoph Werner, Martin Dallmeier, Roman Melcher

_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
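The SPF change suggested in the message above, as an added example that is not part of the original post: a small audit that reports which result a shared-service include yields when it matches, and rewrites it to the `?` (neutral) qualifier so that a DMARC pass has to come from an aligned DKIM signature. The sample record, the `192.0.2.0/24` range and the function names are constructed for illustration.

```python
import re

# The include named in the post; any tenant of the same hosted service matches it.
SHARED_INCLUDES = {"spf.protection.outlook.com"}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# qualifier, mechanism name, optional ":value" or "/cidr" (modifiers like redirect= do not match)
TERM = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9]*)([:/].*)?$")

def shared_include(term):
    """Return (qualifier, domain) if term includes a shared service, else None."""
    m = TERM.match(term)
    if not m or m.group(2).lower() != "include" or not m.group(3):
        return None
    domain = m.group(3)[1:].lower().rstrip(".")
    if domain not in SHARED_INCLUDES:
        return None
    return (m.group(1) or "+", domain)  # a missing qualifier means "+"

def audit(record):
    """Map each shared include to the SPF result it produces when it matches."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    findings = {}
    for term in terms[1:]:
        hit = shared_include(term)
        if hit:
            findings[hit[1]] = RESULTS[hit[0]]
    return findings

def neutralize(record):
    """Give shared includes the '?' qualifier; every other term is left untouched."""
    out = []
    for term in record.split():
        out.append("?" + term.lstrip("+-~?") if shared_include(term) else term)
    return " ".join(out)

# Constructed sample record for a domain that sends through the hosted service.
SAMPLE = "v=spf1 include:spf.protection.outlook.com ip4:192.0.2.0/24 -all"

if __name__ == "__main__":
    print("before:", SAMPLE, audit(SAMPLE))
    fixed = neutralize(SAMPLE)
    print("after: ", fixed, audit(fixed))
```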