Spoofed Emails Phishing Campaign

Scams

January 11, 2024

Researchers determined that it is possible to “smuggle” spoofed emails that still pass Sender Policy Framework (SPF) alignment checks by exploiting differences in how mail servers interpret the Simple Mail Transfer Protocol (SMTP). The researchers at SEC-Consult found instances of SMTP smuggling affecting both inbound and outbound mail servers. The attack exists because servers disagree on where a message’s data ends, which can let a threat actor break out of the message data and, in some cases, issue SMTP commands that send separate emails. To demonstrate the viability of SMTP smuggling, the researchers registered accounts with various public email providers that support SMTP, sent emails through those providers’ outbound SMTP servers, and received them on an inbound SMTP analysis server to observe differences in protocol interpretation. They found that certain sequences sent to some SMTP servers are interpreted as the end of the message data, allowing a threat actor to include additional text or commands after what the server considers the end of the message. This may facilitate email sender spoofing, often used in phishing campaigns, to convince the recipient that a message was sent by a trusted entity.
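The interpretation difference described above, as an added example that is not part of the advisory or of SEC-Consult’s research: a small Python check that an inbound mail server or log analyser could run over a captured SMTP DATA payload to flag end-of-data sequences other than the RFC 5321 `<CRLF>.<CRLF>` and to show which lines a lenient server would have executed as commands. The sample payload and the list of SMTP verbs are constructed for this example.

```python
import re
from typing import List, Tuple

# RFC 5321: only <CRLF>.<CRLF> terminates the DATA phase.
CANONICAL_EOD = b"\r\n.\r\n"

# Constructed pattern: a lone "." between any two line endings (CRLF, CR or LF);
# the canonical form is filtered out in find_noncanonical_eod().
_DOT_LINE = re.compile(rb"(\r\n|\r|\n)\.(\r\n|\r|\n)")

# Constructed sample DATA payload: a benign body, then a bare-LF ".\n" that a
# lenient receiver may treat as end-of-data, then text it would parse as commands.
SAMPLE = (
    b"From: alice@example.com\r\nTo: bob@example.com\r\n\r\nHello Bob\r\n"
    b"\n.\n"
    b"MAIL FROM:<ceo@example.com>\r\nRCPT TO:<bob@example.com>\r\nDATA\r\n"
    b"From: ceo@example.com\r\nSubject: urgent\r\n\r\nPay invoice\r\n.\r\n"
)

def find_noncanonical_eod(payload: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, sequence) for every lone-dot line that is not CRLF.CRLF.
    A conforming receiver should reject or re-stuff these rather than treat
    them as the end of the message."""
    return [(m.start(), m.group(0)) for m in _DOT_LINE.finditer(payload)
            if m.group(0) != CANONICAL_EOD]

# Constructed verb list used to spot command-like lines in the smuggled tail.
_VERBS = (b"MAIL FROM", b"RCPT TO", b"DATA", b"EHLO", b"HELO", b"RSET")

def smuggled_commands(payload: bytes) -> List[bytes]:
    """Lines after the first non-canonical terminator that look like SMTP verbs,
    i.e. what a lenient server would execute as a second, spoofed transaction."""
    hits = find_noncanonical_eod(payload)
    if not hits:
        return []
    offset, seq = hits[0]
    tail = payload[offset + len(seq):]
    return [line for line in re.split(rb"\r\n|\r|\n", tail)
            if line.upper().startswith(_VERBS)]

if __name__ == "__main__":
    for off, seq in find_noncanonical_eod(SAMPLE):
        print(f"non-canonical end-of-data {seq!r} at offset {off}")
    for cmd in smuggled_commands(SAMPLE):
        print("would be executed as command:", cmd.decode())
```

A message that yields any hit should be rejected (or its bare CR/LF line endings normalized and dot-stuffed before parsing) rather than relayed; the canonical `\r\n.\r\n` alone produces no hits.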

Recommendation

The NJCCIC recommends users exercise caution with all emails received, even those that pass security checks such as SPF alignment. While some major vendors have patched the vulnerabilities that allow SMTP smuggling, the flaw may still be exploitable elsewhere. The NJCCIC also encourages users to review the SEC-Consult blog post for additional details on SMTP smuggling.

Reporting

The NJCCIC encourages recipients who discover signs of malicious cyber activity to contact the NJCCIC via the cyber incident report form at www.cyber.nj.gov/report.

Please do not hesitate to contact us here at Cyber Command with any questions.