https://www.darkreading.com/cloud-security/cloud-email-filtering-bypass-attack
CLOUD EMAIL FILTERING BYPASS ATTACK WORKS 80% OF THE TIME

A majority of enterprises that employ cloud-based email spam filtering services are potentially at risk, thanks to a rampant tendency to misconfigure them.

David Strom, Contributing Writer
March 29, 2024
5 Min Read

Computer scientists have uncovered a shockingly prevalent misconfiguration in popular enterprise cloud-based email spam filtering services, along with an exploit for taking advantage of it. The findings reveal that organizations are far more open to email-borne cyber threats than they know.
In a paper to be presented at the ACM Web 2024 conference in Singapore in May, the academic research team behind the work found that filtering services in wide use from vendors such as Proofpoint, Barracuda, Mimecast, and others could be bypassed in at least 80% of the major domains they examined.

The filtering services can be "bypassed if the email hosting provider is not configured to only accept messages that arrive from the email filtering service," explains Sumanth Rao, a doctoral student at the University of California at San Diego and lead author of the paper, entitled "Unfiltered: Measuring Cloud-based Email Filtering Bypasses."

That might seem obvious, but setting the filters to work in tandem with the enterprise email system is tricky. The bypass is possible when the filtering server and the email server are mismatched, and the two major email hosts differ in how they react to a message arriving from an unknown IP address, such as one a spammer would use: Google's servers reject such a message during its initial receipt, while Microsoft's servers reject it during the SMTP "DATA" command, which is when a message is already delivered to a recipient. This affects how the filters should be set up.

The stakes are high, given that phishing emails remain the initial access mechanism of choice for cybercriminals. "Mail administrators that don't properly configure their inbound mail to mitigate this weakness are akin to bar owners who deploy a bouncer to check IDs at the main entrance but allow patrons to enter through an unlocked, unmonitored side door as well," says Seth Blank, CTO of Valimail, an email security vendor.
ENTERPRISE INBOXES WIDE OPEN TO PHISHING

After examining Sender Policy Framework (SPF)-specific configurations for 673 .edu domains and 928 .com domains that used either Google or Microsoft email servers along with third-party spam filters, the researchers found that 88% of Google-based email systems were bypassed, while 78% of Microsoft-based systems were. The risk is higher with cloud vendors, they noted, since a bypass attack is not as easy when both filtering and email delivery are housed on premises at known and trusted IP addresses.

The paper offers two major reasons for these high failure rates. First, the documentation for properly setting up both the filtering and email servers is confusing and incomplete, and is often ignored, misunderstood, or hard to follow. Second, many corporate email managers err on the side of making sure that messages reach recipients, for fear of deleting valid ones if they institute too strict a filter profile. "This leads to permissive and insecure configurations," according to the paper.

Not mentioned by the authors, but an important factor, is that stopping spam effectively requires configuring all three of the main email security protocols: SPF, Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM). That isn't easy, even for experts. Add the challenge of making sure the two cloud services for filtering and email delivery communicate properly, and the coordination effort becomes extremely complex. To boot, the filter and email server products are often managed by two separate departments within larger corporations, introducing yet more potential for errors.

"Email, like many legacy Internet services, was designed around a simple use case that is now out of step with modern demands," the authors wrote.
EMAIL CONFIGURATION DOCUMENTATION LAGS, SPARKING SECURITY GAPS

The documentation provided by each filtering vendor varies in quality, according to the researchers. The paper points out that the instructions for the filtering products from TrendMicro and Proofpoint are particularly error-prone and can easily produce vulnerable configurations. Even vendors with better documentation, such as Mimecast and Barracuda, still see high rates of misconfiguration.

While most vendors did not respond to Dark Reading's request for comment, Olesia Klevchuk, a product marketing manager at Barracuda, says, "Proper setup and regular 'health checks' of security tools is important. We provide a health-check guide that customers can use to help them identify this and other misconfigurations." She adds, "Most, if not all, email-filtering vendors will offer support or professional services during deployment and after to help ensure that their solution works as it should. Organizations should periodically take advantage and/or invest in these services to avoid potential security risks."

Enterprise email administrators have several ways to strengthen their systems and prevent these bypass attacks. One, suggested by the paper's authors, is to specify the filtering server's IP address as the sole permitted source of all inbound email traffic, and to ensure that it can't be spoofed by an attacker. "Organizations need to configure their email server to only accept email from their filtering service," the authors wrote. Microsoft's documentation, for example, lays out email defense options and recommends setting a series of parameters to enable this protection for Exchange Online deployments. Another is to ensure that SPF, DKIM, and DMARC are all correctly specified for every domain and subdomain the enterprise uses for email traffic.
As mentioned, that could be a challenge, particularly for larger companies or organizations that have acquired numerous domains over time and have forgotten about their use. Finally, another solution, says Valimail's Blank, "is for the filtering application to include Authenticated Received Chain (RFC 8617) email headers, and for the inner layer to consume and trust these headers."
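As an added example (not code from the article, the paper, or any vendor), the following Python audit applies the authors' core recommendation from the defender's side: given the filtering vendor's published relay IP ranges (placeholder ranges here) and the mail server's inbound SMTP log (constructed Postfix-style lines), it flags messages that reached the server without passing through the filter, and it checks whether an inbound allow-list actually restricts delivery to the filter rather than being a permissive catch-all.

```python
import ipaddress
import re

# Placeholder ranges standing in for the IP ranges a cloud filtering vendor
# publishes for its outbound relays (constructed for this example).
FILTER_RANGES = [ipaddress.ip_network("198.51.100.0/24"),
                 ipaddress.ip_network("203.0.113.0/25")]

# Constructed Postfix-style log sample: two messages relayed by the filter and
# one delivered straight to the mail server from an unknown host.
SAMPLE_LOG = """\
Mar 29 10:01:05 mx postfix/smtpd[123]: 4B2C1: client=relay1.filter.example[198.51.100.7]
Mar 29 10:03:44 mx postfix/smtpd[124]: connect from unknown[192.0.2.55]
Mar 29 10:03:47 mx postfix/smtpd[124]: 4B2C2: client=unknown[192.0.2.55]
Mar 29 10:05:12 mx postfix/smtpd[125]: 4B2C3: client=relay2.filter.example[203.0.113.9]
"""

# Matches the accept line "<queue id>: client=<hostname>[<ip>]"
CLIENT_RE = re.compile(r"(?P<queue>[0-9A-F]+): client=(?P<host>\S+)\[(?P<ip>[^\]]+)\]")


def from_filter(ip, ranges=FILTER_RANGES):
    """True if the connecting IP belongs to the filtering service."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def find_bypasses(log_text, ranges=FILTER_RANGES):
    """Return (queue_id, host, ip) for every message the server accepted from
    a host outside the filter's ranges, i.e. mail that used the side door."""
    events = []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m and not from_filter(m["ip"], ranges):
            events.append((m["queue"], m["host"], m["ip"]))
    return events


def config_is_enforcing(allowed_sources, ranges=FILTER_RANGES):
    """Does an inbound allow-list actually restrict delivery to the filter?
    An empty list, or a catch-all such as 0.0.0.0/0, is permissive."""
    if not allowed_sources:
        return False
    for src in allowed_sources:
        net = ipaddress.ip_network(src, strict=False)
        if not any(net.version == r.version and net.subnet_of(r) for r in ranges):
            return False
    return True
```

Any event returned by find_bypasses means the "bouncer" was skipped for that message, so the same check run over real logs doubles as a detection rule for the misconfiguration the paper measured.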