Email authentication only protects a domain if the servers that enforce it are themselves correct. Researchers have recently found weaknesses in multiple hosted, outbound SMTP servers that let authenticated email senders, and in some cases anyone on a trusted network, send emails with spoofed sender information.
In simpler words, even with SPF, DKIM, and DMARC in place, an attacker who shares your hosting provider can send phishing emails on behalf of your business, and those emails pass the receiver's authentication checks.
The two vulnerabilities are tracked as CVE-2024-7208 and CVE-2024-7209.
CVE-2024-7208
CVE-2024-7208 allows an authenticated sender to spoof the identity of another domain hosted on the same shared infrastructure. SPF, DKIM, and DMARC are not bypassed; they are satisfied, because they verify the sending infrastructure and its keys, not which customer of that infrastructure wrote the message. The result is that an illegitimate email is presented to the receiver as legitimate.
Multi-tenant hosting environments are the ones exposed: the provider often does not verify an authenticated sender against the domain identities that sender is actually allowed to use.
CVE-2024-7209
CVE-2024-7209 concerns shared SPF records at multi-tenant hosting providers. When many customer domains include the same provider SPF record, every IP address in that record is authorized for all of them. A sender with access to the provider's network can therefore spoof any of those domains by network authorization alone, with no account-level check involved.
The overall impact of the vulnerabilities
Both vulnerabilities trace back to the SMTP protocol's lack of built-in sender authentication, a limitation acknowledged in RFC 5321 itself; SPF, DKIM, and DMARC were layered on top to fill that gap. SPF lets a domain owner publish, in DNS, which IP addresses and mail servers are allowed to send mail for the domain. Those addresses cover every source the company trusts to send as it, whether the mail is written by employees, executives, or third-party vendors sending on its behalf.
DKIM adds a digital signature to outgoing messages, computed over the body and selected headers with a private key whose public half is published in DNS. The receiving server verifies the signature to confirm that the message came from the signing domain and was not altered in transit.
DMARC builds on SPF and DKIM: it requires that the domain in the visible From: header align with the domain that SPF or DKIM authenticated, and it lets the domain owner tell receiving servers what to do with messages that fail. The policy is one of three values: none (take no action on the DMARC result, deliver as usual and only report), quarantine (treat the message as suspicious, typically placing it in the spam folder), or reject (refuse the message outright, so it never reaches the recipient's mailbox, not even the spam folder).
However, researchers have found that many hosted email services serving multiple domains lack a mechanism to verify the authenticated sender against the domain identities that sender is allowed to use. This makes it possible for an attacker with an account at the provider to send emails that appear to come from any user of any domain hosted in the same environment, posing significant risks to email security and trust.
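To make the shared-SPF problem concrete, here is an added example (not code from the original article, and not a full RFC 7208 implementation: only the ip4:, include:, -all and ~all terms are handled). It uses a constructed in-memory DNS table in which two hypothetical tenants, tenant-a.example and tenant-b.example, both delegate their SPF to the same provider include, _spf.provider.example, and then checks the SPF leg of DMARC the way a receiver would:

```python
"""Minimal SPF evaluator plus DMARC-style identifier alignment, showing why a
shared SPF include lets one tenant pass SPF (and DMARC) for another tenant's
domain. Added example with constructed data; not the article's code."""
import ipaddress

# Constructed TXT records. Both tenants of the hypothetical provider
# "provider.example" delegate their SPF to the provider's shared include.
DNS_TXT = {
    "tenant-a.example": "v=spf1 include:_spf.provider.example -all",
    "tenant-b.example": "v=spf1 include:_spf.provider.example -all",
    "_spf.provider.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "unrelated.example": "v=spf1 ip4:198.51.100.10 -all",
}

MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying mechanisms per check

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, lookups=None):
    """Evaluate the SPF record of `domain` for the connecting `ip`.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    if lookups is None:
        lookups = [0]
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            # include: matches only when the included record yields "pass"
            matched = check_spf(ip, term[8:], lookups) == "pass"
        elif term == "all":
            matched = True
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"


def org_domain(domain):
    """Organizational domain, approximated as the last two labels. Real DMARC
    uses the Public Suffix List; this is adequate for the .example names here."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_spf_aligned(mail_from_domain, header_from_domain, mode="r"):
    """DMARC SPF alignment: strict ('s') = exact match, relaxed ('r') = same
    organizational domain."""
    if mode == "s":
        return mail_from_domain.lower() == header_from_domain.lower()
    return org_domain(mail_from_domain) == org_domain(header_from_domain)


def spoof_passes(ip, mail_from_domain, header_from_domain):
    """True when a message from `ip` with these identities passes DMARC on the
    SPF leg alone (DKIM is ignored here), i.e. the receiver treats it as
    legitimately sent by header_from_domain."""
    return (check_spf(ip, mail_from_domain) == "pass"
            and dmarc_spf_aligned(mail_from_domain, header_from_domain))


if __name__ == "__main__":
    ip = "203.0.113.77"  # tenant-b's outbound server, inside the shared range
    # tenant-b can legitimately send as itself ...
    print(spoof_passes(ip, "tenant-b.example", "tenant-b.example"))
    # ... and, if the provider never binds the account to a domain, can set
    # MAIL FROM and From: to tenant-a and still pass SPF and DMARC alignment.
    print(spoof_passes(ip, "tenant-a.example", "tenant-a.example"))
    # A domain that does not share the include cannot be spoofed this way.
    print(spoof_passes(ip, "unrelated.example", "unrelated.example"))
```

The point of the example is the second call: nothing in SPF or DMARC distinguishes tenant-b's server sending as tenant-b from tenant-b's server sending as tenant-a, because both domains authorize the same 203.0.113.0/24 range. Only the provider, at submission time, knows which tenant authenticated.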
These weaknesses ultimately affect a company's operations and reputation and can trigger severe financial repercussions.
Are there any solutions?
Yes. Here are a few recommendations:
- Choose email hosting providers with stricter verification processes, so that an authenticated sender can only use the domains it is authorized for.
- Opt for email service providers that reliably match the sender's authenticated identity and envelope sender (MAIL FROM) with the message's header (From:).
- As a domain owner, set your DMARC policy to quarantine or reject, and request aggregate (RUA) and forensic (RUF) reports. These reports tell you what mail claiming your domain the receivers saw and how it fared, including mail you never sent.
We at AutoSPF can help you keep DMARC working by resolving the "too many DNS lookups" error in your SPF record. If your SPF record has this error, allow us to help you.