In today’s digital age, email is the most commonly used mode of communication. It is simple and quick, which is its greatest strength and its biggest vulnerability. When email was introduced, the focus was on getting messages delivered rather than on verifying who sent them: SMTP lets any host claim any sender address, which left gaps for malicious actors to exploit.
As email became a frequent target for phishing, spoofing, and other attacks, email authentication mechanisms such as the Sender Policy Framework (SPF) were developed to counter them. SPF lets a domain owner publish, in a DNS TXT record, the IP addresses allowed to send mail for that domain; the receiving server checks whether the connecting IP is on that list for the domain in the envelope sender (MAIL FROM) address. A pass tells the recipient that the message came from infrastructure the domain owner authorized. But that guarantee is only as good as the list, and it is not foolproof.
Attackers have found ways to work around this safeguard by exploiting gaps in how SPF records are built and how shared infrastructure ends up listed in them. The technique is fairly new and is called BreakSPF. Because it is relatively novel, many organizations do not know what it is, what its implications are, or how to protect against it.
If you have never heard of this attack before, this article takes you through what you need to know about BreakSPF and how to defend against it.
What are BreakSPF attacks and how are they different from other email-based attacks?
BreakSPF attacks prey on a weakness in how SPF is used, particularly where organizations rely on shared email infrastructure such as cloud email services, proxies, or CDNs (Content Delivery Networks). Such providers publish large pools of shared IP addresses, and customers pull those pools into their own SPF records, usually with an include: term. An attacker only needs to obtain an address inside one of those pools, for example by renting a server or routing through a proxy hosted there, and can then send forged messages whose envelope sender is the trusted domain. Because the sending IP falls within a range the SPF record authorizes, the messages pass SPF and land in inboxes.
What makes them different from typical phishing or spoofing attacks is that they do not depend on a malicious attachment or on the recipient ignoring a failed check; the message genuinely passes authentication. The root cause is an over-permissive SPF record, one that authorizes far more addresses than the domain actually uses, not a parsing failure: the receiver evaluates the record correctly, and the record says the attacker’s IP is allowed. This makes BreakSPF attacks more technical, exploiting a configuration weakness rather than human error.
How does BreakSPF work?
Did you know that over 50% of domains have SPF records that authorize more than 65,000 IP addresses, a /16 block or larger? That is far more than most domains need, and the broader the range, the riskier it becomes, because every address in it is a potential launch point for a spoof.
A separate problem arises when an SPF record is overly complex: the evaluation exceeds the limit of 10 DNS lookups, SPF returns permerror, and most receivers (and DMARC) treat that as a failed check. At that point the security layer stops working even for legitimate mail. Note that BreakSPF does not rely on this failure; it exploits records that are too broad, not records that are broken, although both problems grow from the same habit of bolting on include: terms without review.
Let’s see how attackers leverage this loophole:
- They pick a target domain whose SPF record authorizes a huge number of IP addresses, typically because it includes a shared provider’s ranges.
- They expand that record, following every include: and redirect, to enumerate the authorized ranges, and look for ranges that belong to shared infrastructure (cloud hosting, proxies, CDNs) where anyone can obtain an address. Publicly available tools do this expansion.
- They obtain such an address and send spoofed messages from it with an envelope sender at the target domain. Since the IP is covered by the domain’s SPF record, the messages pass SPF.
- DMARC passes when either SPF or DKIM passes with an identifier aligned to the From: domain. The spoofed messages pass SPF with an aligned envelope domain, so they pass DMARC too, even if the policy is p=reject.
- Having passed the standard authentication checks, the spoofed messages reach the recipient’s inbox, where they look legitimate and appear to come from a trusted source.
What are the different kinds of BreakSPF attacks?
BreakSPF attacks can be executed through various methods, depending on how the attacker reaches the victim’s mail server from a shared IP address: directly over SMTP, or indirectly by sending HTTP traffic through a proxy or CDN. They are broadly classified into three categories, each of which presents a different challenge for detection and defense. Let us take a look at them:
Fixed IP address attacks
In this type of attack, the attacker controls specific IP addresses for a long time, for example servers rented from a cloud provider whose ranges appear in many SPF records, and uses them to send spoofed emails directly to the victim’s mail server. The attacker’s hosts act as ordinary Mail Transfer Agents (MTAs), so defenses such as greylisting are ineffective: greylisting assumes spammers use disposable IPs and will not retry after a temporary rejection, whereas an attacker running a stable MTA simply retries like any legitimate sender.
Dynamic IP address attacks
Here, attackers do not stick to a single outgoing IP address. Instead, they work in reverse: whatever egress IP their current environment happens to have, they look up which domains’ SPF records cover it and spoof those domains. This gives them a temporary window to send spoofed emails without needing permanent control over the IP.
Such attacks typically rely on public infrastructure whose egress addresses are drawn from a provider’s shared pool, such as serverless platforms or continuous integration/continuous deployment (CI/CD) runners. Since the outgoing IPs change constantly, traditional defenses like IP blocklisting are far less effective, making dynamic attacks harder to stop.
Cross-Protocol attacks
In cross-protocol attacks the attacker does not need to control any IP address. Instead, they send an HTTP request through shared infrastructure such as an open HTTP proxy or a CDN edge node and have it forwarded to the victim’s mail server on the SMTP port, with SMTP commands embedded in the HTTP request. Many SMTP servers answer the unrecognized HTTP lines with an error but keep the session open, so the embedded SMTP commands are then processed as if the proxy or CDN exit node were a mail server. Because the spoofed message arrives from an exit IP that the spoofed domain’s SPF record authorizes, and the attacker’s own traffic looks like ordinary web traffic on heavily used infrastructure, these attacks are very difficult to detect or trace.
What are the implications of BreakSPF attacks?
Although BreakSPF is a novel cyber threat, its impact can be quite damaging for both individuals and businesses. Let’s decode how:
When hackers use this technique to send spoofed emails, they trick unsuspecting users into sharing sensitive information, such as passwords or financial data. For businesses, this means losing critical data and the trust of customers or partners, who may stop trusting any email coming from the organization, even the legitimate ones.
That is not all, though. Reputational loss translates into damage in terms of finances, customers, and market position. It can drive people to stop buying from a brand they no longer trust, which affects sales and the bottom line. All the effort put into building a strong, reliable brand image can be undone by one successful attack. The impact of BreakSPF goes beyond security; it touches every aspect of the business’s operations and relationships.
Looking at the bigger picture, these attacks hurt more than individual businesses; they erode trust in email as a secure mode of communication. Spoofed messages that pass every authentication check teach recipients to distrust even authenticated mail, which disrupts everything from daily correspondence to marketing campaigns that depend on email reaching people.
How can you protect your organization from BreakSPF attacks?
BreakSPF is gaining attention in cybersecurity circles, and attackers can be expected to take note. This means that organizations and security teams need to step up and take proactive measures to protect themselves.
Here’s what you can do to safeguard your organization:
Keep your SPF records clean and simple
Go through your SPF record and make sure it authorizes only the senders you actually use. Remove include: terms for providers you no longer use, and do not authorize large ranges unless necessary; where a provider offers a narrower record for your tenant or region, prefer it to the provider-wide one. Never end the record with +all, and use -all (hard fail) so that unlisted senders are rejected rather than merely softfailed. The narrower your SPF record, the fewer addresses an attacker can use against you.
Stay within SPF limits
SPF permits at most 10 DNS-querying terms per evaluation (include, a, mx, ptr, exists, and redirect), counted across all nested includes. If your record exceeds the limit, SPF returns permerror, and receivers will fail or flag your mail. To stay within the limit, remove unnecessary include: statements and nested includes, drop ptr terms (which are deprecated anyway), and consider SPF flattening tools that rewrite includes as literal ip4:/ip6: ranges. Two caveats: flattened records must be refreshed whenever a provider changes its IPs, and flattening does not fix over-breadth; a flattened provider /12 authorizes exactly as many addresses as the include: did.
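As an added example (not code from the original article or from AutoSPF), the following Python script performs the audit described in this section and in the step list under "How does BreakSPF work?": it expands an SPF record through its include: and redirect= terms, counts DNS-querying terms against the limit of 10, totals the IPv4 addresses the record authorizes, and checks whether a given sending IP would pass. The zone data is constructed for the example; the names example.com, mailhost.example, crm.example and big.example and the ranges they carry are assumptions, and a/mx/ptr/exists terms are counted but not resolved.

```python
import ipaddress

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4 (limit: 10 per evaluation).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed toy zone: TXT records keyed by name. All names and ranges are assumptions.
# _spf2.mailhost.example stands in for a shared cloud provider that publishes a /12,
# so anyone who rents an address in that block is "authorized" for example.com.
ZONE = {
    "example.com": "v=spf1 include:_spf.mailhost.example include:_spf.crm.example mx -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 include:_spf2.mailhost.example -all",
    "_spf2.mailhost.example": "v=spf1 ip4:172.16.0.0/12 ~all",
    "_spf.crm.example": "v=spf1 ip4:192.0.2.0/24 -all",
}
# A record with 11 includes: one over the limit, so evaluation ends in permerror.
for i in range(11):
    ZONE[f"_spf{i}.big.example"] = f"v=spf1 ip4:10.{i}.0.0/24 -all"
ZONE["big.example"] = "v=spf1 " + " ".join(f"include:_spf{i}.big.example" for i in range(11)) + " -all"


def _walk(domain, zone, result, seen, depth):
    """Expand one record, recursing into include:/redirect=, accumulating into result."""
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        result["errors"].append(f"no SPF record for {domain}")
        return
    if domain in seen:
        result["errors"].append(f"include loop at {domain}")
        return
    seen.add(domain)
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            result["lookups"] += 1
            _walk(term[len("redirect="):], zone, result, seen, depth + 1)
            continue
        if "=" in term:            # other modifiers (exp=) are not mechanisms
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in LOOKUP_TERMS:
            result["lookups"] += 1
        if name in ("ip4", "ip6"):
            # strict=False mirrors SPF: host bits in a CIDR are ignored.
            result["networks"].append((qualifier, ipaddress.ip_network(arg, strict=False)))
        elif name == "include" and qualifier == "+":
            _walk(arg, zone, result, seen, depth + 1)
        elif name == "all" and depth == 0:
            # An "all" inside an include only ends that include; only the top-level one matters.
            result["all"] = qualifier
        elif name in ("a", "mx", "ptr", "exists"):
            result["unresolved"].append(f"{name}:{arg or domain}")


def audit(domain, zone):
    """Summarise how broad and how expensive a domain's SPF record is."""
    result = {"lookups": 0, "networks": [], "all": None, "errors": [], "unresolved": []}
    _walk(domain, zone, result, set(), 0)
    result["over_limit"] = result["lookups"] > 10       # -> permerror at the receiver
    result["address_count"] = sum(net.num_addresses for q, net in result["networks"]
                                  if q == "+" and net.version == 4)
    return result


def is_authorized(ip, networks):
    """First matching ip4/ip6 term wins, as in SPF; pass only on a '+' match."""
    addr = ipaddress.ip_address(ip)
    for qualifier, net in networks:
        if addr in net:
            return qualifier == "+"
    return False


if __name__ == "__main__":
    report = audit("example.com", ZONE)
    print(f"lookups={report['lookups']} addresses={report['address_count']} all={report['all']}")
    for ip in ("172.31.4.5", "203.0.113.7"):     # the first sits inside the shared /12
        print(ip, "passes SPF" if is_authorized(ip, report["networks"]) else "does not pass")
    big = audit("big.example", ZONE)
    print(f"big.example lookups={big['lookups']} over_limit={big['over_limit']}")
```

Run against a real domain, the zone dictionary would be replaced by TXT lookups; the point of the report is the address_count line. A domain that sends from a handful of hosts but authorizes over a million addresses is exactly the kind of record BreakSPF looks for, and is_authorized shows that any address in the shared /12 passes for example.com.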
Properly configure authentication protocols
BreakSPF attacks exploit weaknesses in how SPF and DMARC are set up: provider includes that were never reviewed, records left over from migrated services, and configurations that nobody revisits. You can close these gaps by regularly auditing how both protocols are implemented and removing whatever you no longer need.
When configuring DMARC, use an enforcing policy (p=quarantine or p=reject) so that mail failing authentication is kept out of inboxes. Bear in mind that a DMARC policy alone does not stop a BreakSPF spoof, because that message passes aligned SPF and therefore passes DMARC. What does help is signing all outbound mail with DKIM: once legitimate mail authenticates through DKIM, you can narrow the SPF record aggressively without breaking delivery, and monitoring DMARC aggregate reports for messages that pass SPF without DKIM from unexpected IPs will surface abuse of your shared ranges.
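As an added example (not from the original article or from AutoSPF), the following Python code shows the DMARC point made in this section and in the step list under "How does BreakSPF work?": DMARC passes when either aligned SPF or aligned DKIM passes, so a p=reject policy does not stop a message that already passes SPF from an authorized shared IP. It parses constructed Authentication-Results header values, evaluates alignment and disposition, and flags passes that rest on SPF alone, which is the pattern such a spoof leaves because the attacker cannot sign with the domain’s DKIM key. The authserv-id mx.receiver.example and every domain are invented; the organizational-domain logic is simplified to the last two labels rather than using the Public Suffix List.

```python
# Constructed Authentication-Results values (RFC 8601 style). Every host and domain
# name below is an assumption made up for this example.
SAMPLES = {
    # Legitimate mail: SPF and DKIM both pass and align with the From: domain.
    "legitimate": "mx.receiver.example; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com",
    # SPF passes because the sending IP sits in a shared range the record authorizes,
    # but there is no DKIM signature for example.com: the BreakSPF pattern.
    "breakspf_spoof": "mx.receiver.example; spf=pass smtp.mailfrom=example.com; dkim=none",
    # Plain spoof from an unauthorized host: SPF fails, DKIM absent.
    "plain_spoof": "mx.receiver.example; spf=fail smtp.mailfrom=example.com; dkim=none",
    # Third-party mailer sending as example.com with neither identifier aligned.
    "unaligned_3rd_party": "mx.receiver.example; spf=pass smtp.mailfrom=bounce.mailer.example; dkim=pass header.d=mailer.example",
}


def parse_auth_results(value):
    """Return {method: {"result": ..., prop: value, ...}} from an A-R header value."""
    clauses = [c.strip() for c in value.split(";") if c.strip()]
    results = {}
    for clause in clauses[1:]:            # clauses[0] is the authserv-id
        tokens = clause.split()
        method, _, outcome = tokens[0].partition("=")
        entry = {"result": outcome}
        for token in tokens[1:]:
            key, _, val = token.partition("=")
            entry[key] = val
        results[method] = entry
    return results


def org_domain(domain):
    # Simplification: last two labels. Real evaluators consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identifier, from_domain, strict=False):
    """DMARC identifier alignment: strict = exact match, relaxed = same organizational domain."""
    if not identifier:
        return False
    domain = identifier.rpartition("@")[2]      # accept a full address or a bare domain
    if strict:
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)


def evaluate(ar_value, from_domain, policy="reject"):
    """Apply the DMARC rule: pass if aligned SPF passes OR aligned DKIM passes."""
    ar = parse_auth_results(ar_value)
    spf, dkim = ar.get("spf", {}), ar.get("dkim", {})
    spf_ok = spf.get("result") == "pass" and aligned(spf.get("smtp.mailfrom"), from_domain)
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim.get("header.d"), from_domain)
    dmarc = "pass" if (spf_ok or dkim_ok) else "fail"
    return {
        "dmarc": dmarc,
        "disposition": "deliver" if dmarc == "pass" else policy,
        # A pass that rests on SPF alone: worth alerting on for domains that sign all mail.
        "spf_only_pass": bool(spf_ok and not dkim_ok),
    }


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, evaluate(value, "example.com", policy="reject"))
```

The breakspf_spoof sample is delivered under p=reject exactly like the legitimate one; the only thing that distinguishes it is spf_only_pass. For a domain that DKIM-signs everything it sends, that flag on a message from an unfamiliar IP is the signal to act on, whether in a mail filter or when reading DMARC aggregate reports.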
The way forward
On the face of it, implementing email authentication protocols might look like a one-time task. In reality, it requires continuous monitoring, updating, and optimization. If you are struggling with implementing SPF or managing your SPF records, our team at AutoSPF is here to help. Reach out to us today to simplify your email authentication process.