Computer scientists have discovered a surprisingly common misconfiguration in popular cloud-based enterprise email spam filtering services, along with an exploit to take advantage of it. The findings reveal that organizations are much more open than they imagined to cyber threats transmitted via email.
In a paper to be presented at the ACM Web Conference 2024 in May in Singapore, the academic research team behind the work noted that widely used services from vendors such as Proofpoint, Barracuda and Mimecast could be circumvented in at least 80% of the major domains examined.
Filtering services can be “bypassed if your email hosting provider is not configured to only accept messages that come from the email filtering service,” explains Sumanth Rao, a doctoral candidate at the University of California at San Diego and lead author of the paper, titled “Unfiltered: Measuring cloud-based email filtering bypasses.”
It might seem obvious, but setting up filters to work in tandem with a business email system is tricky. The bypass can occur because of a mismatch between the filter server and the email server, specifically in how Google and Microsoft email servers react to a message arriving from an unknown IP address, such as one a spammer would use.
Google’s servers reject such a message upon initial reception, while Microsoft’s servers reject it during the “DATA” command, i.e. when the message has already been delivered to a recipient. This affects how the filters must be set up.
The stakes are high, given that phishing emails remain the preferred initial entry mechanism for cyber criminals.
“Mail administrators who do not properly configure inbound mail to mitigate this weakness are similar to bar owners who use a bouncer to check IDs at the front entrance but also allow users to enter through an unlocked and unmonitored side door,” says Seth Blank, CTO of Valimail, an email security provider.
Company mailboxes open to phishing
After examining Sender Policy Framework (SPF) records for 673 .edu domains and 928 .com domains that used Google or Microsoft email servers in conjunction with third-party spam filters, the researchers found that 88% of Google-based email systems could be bypassed, as could 78% of Microsoft-based systems.
The risk is greater when using cloud providers, as a bypass attack is not as simple when both email filtering and delivery are hosted on-premise at known and trusted IP addresses, they noted.
The paper offers two main reasons for these high failure rates. First, the documentation for properly setting up both filtering and email servers is confusing and incomplete, and is often ignored, misunderstood or hard to follow. Second, many corporate email managers err on the side of ensuring that messages reach recipients, for fear of losing legitimate mail if they set up too strict a filtering profile. “This leads to permissive and insecure configurations,” according to the paper.
Not mentioned by the authors, but an important factor, is that all three major email authentication protocols, SPF, Domain-based Message Authentication, Reporting and Conformance (DMARC) and DomainKeys Identified Mail (DKIM), need to be configured together to be truly effective at blocking spam. That is not easy, even for experts. Add the challenge of ensuring that the two cloud services for email filtering and delivery communicate correctly, and the coordination effort becomes extremely complex. Additionally, email filter and server products are often managed by two separate departments within larger companies, introducing even more potential for error.
“E-mail, like many legacy Internet services, was designed around a simple use case that is now out of step with modern needs,” the authors wrote.
Delays in email setup documentation and security gaps
According to the researchers, the documentation provided by each filter vendor varies in quality. The paper points out that the instructions for Trend Micro’s and Proofpoint’s filtering products are particularly error-prone and can easily produce vulnerable configurations. Even vendors with better documentation, such as Mimecast and Barracuda, still see high rates of configuration errors.
While most vendors did not respond to Dark Reading’s request for comment, Olesia Klevchuk, product marketing manager at Barracuda, says: “Proper configuration and regular ‘health checks’ of security tools are important. We provide guidance to the status checker that customers can use to help them identify this and other misconfigurations.”
Klevchuk adds: “Most, if not all, email filter vendors will offer professional support or services during and after implementation to ensure their solution works as it should. Organizations should periodically take advantage of and/or invest in these services to avoid potential security risks.”
Corporate email administrators have several ways to harden their systems and prevent these bypasses. One, suggested by the authors of the paper, is to specify the IP addresses of the filtering service as the sole permitted source of inbound email traffic and ensure that this restriction cannot be spoofed by an attacker.
“Organizations should configure their email server to only accept email from their filtering service,” the authors wrote.
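The following added example (not code from the paper or from any vendor) models that recommendation from the defender's side: an inbound policy that accepts SMTP sessions only from the filtering service's IP ranges, rejecting others either at connection time or at the DATA command (the provider difference noted above), plus a log scan that flags accepted messages whose client IP never passed through the filter. The filter ranges and log lines are constructed from RFC 5737 documentation addresses.

```python
"""Defender-side model of the email filtering bypass and its detection."""
import ipaddress
import re

# Constructed: outbound IP ranges a hypothetical filtering service publishes.
FILTER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def from_filter(ip, ranges=FILTER_RANGES):
    """True if the connecting IP belongs to the filtering service."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def evaluate_inbound(client_ip, allowed_ranges, reject_stage="connect"):
    """Return (stage, smtp_code) at which a session from client_ip is decided.

    An empty allowlist is the permissive misconfiguration: the hosting
    provider accepts mail from anyone, so the filter can be bypassed.
    """
    if not allowed_ranges or from_filter(client_ip, allowed_ranges):
        return ("DATA", 250)        # message accepted for delivery
    if reject_stage == "connect":
        return ("CONNECT", 554)     # refused before any envelope is sent
    return ("DATA", 550)            # refused only once headers and body arrive


LOG_RE = re.compile(r"client=(?P<ip>[\d.]+) .*status=(?P<status>\w+)")


def find_bypasses(log_lines, ranges=FILTER_RANGES):
    """Client IPs that had a message accepted without coming via the filter."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m["status"] == "accepted" and not from_filter(m["ip"], ranges):
            hits.append(m["ip"])
    return hits


# Constructed log lines in a simplified MTA format.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z client=203.0.113.7 from=<a@example.com> status=accepted",
    "2024-05-01T10:00:09Z client=198.51.100.23 from=<b@example.net> status=accepted",
    "2024-05-01T10:01:02Z client=192.0.2.44 from=<c@example.org> status=rejected stage=CONNECT",
]

if __name__ == "__main__":
    print(evaluate_inbound("198.51.100.23", []))             # permissive: ('DATA', 250)
    print(evaluate_inbound("198.51.100.23", FILTER_RANGES))  # hardened: ('CONNECT', 554)
    print(find_bypasses(SAMPLE_LOG))                         # ['198.51.100.23']
```

Any IP returned by `find_bypasses` is evidence that the hosting provider accepted mail directly, which is exactly the condition the paper measured.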
Microsoft’s documentation explains the email defense options and recommends setting a number of parameters to enable this protection, for example for an Exchange Online deployment. Another step is to ensure that SPF, DKIM and DMARC are specified correctly for every domain and subdomain a company uses for email. As mentioned above, this can be a challenge, especially for larger companies or those that have acquired numerous domains over time and forgotten they still use them.
Finally, another solution, says Valimail’s Blank, “is to have the filtering application include Authenticated Received Chain (RFC 8617) email headers and for the internal layer to use and trust these headers.”