Missing DMARC Records Lead to Phishing

Email will continue to be the dominant mode of digital communication for the foreseeable future. However, the email framework was not designed with security in mind. There still are security flaws that bad actors regularly exploit to their advantage.

Recently, researchers have discovered a business-email compromise scam in Russia. Known as Cosmic Lync, the cybercriminal group running this scam has been associated with more than 200 security incidents targeting senior-level executives globally since July 2019.

This group can send phishing emails that look authentic, right from the content of the message to the sender’s address. Even an experienced user would find it difficult to identify a fake email without taking a deep -dive.

How it works 

First, the attacker needs to find a vulnerable website by identifying if the website has a DMARC record, which is a TXT record visible in the DNS settings.

nslookup -type=txt example.com

If the website has no DMARC record, it means the attacker can spoof any email address with the website domain name. For example, the attacker can choose to send an email with the address ceo@example.com without any authentication.

Next, the attacker needs to set up an SMTP Open Relay Server, which is a regular mail server with the Relay option enabled. Sometimes, server administrators forget to turn off the Relay option. These types of servers are ideal for sending phishing emails, as they allow the attacker to send from a targeted phishing email address using the victim’s domain without having to authenticate.

The attacker can identify if the server is an Open Relay Server by running the following telnet command which checks for a connection to the default SMTP port (25):

telnet mail.examplemailserver.com 25

If the connection is established, it means the server is accepting SMTP connections:

Trying 192.168.1.2...

Connected to mail.examplemailserver.com

Escape character is '^]'.

220 mailserver.examplemailserver.com

The attacker can then check if Open Relay is enabled:

MAIL FROM: <ceo@example.com>

250 OK <ceo@example.com > Sender ok

If an OK is received, the server is accepting messages from email accounts that are not hosted on this server.

Running the following commands will then send the email to the target:

RCPT TO: <recepient@example.com>

250 OK <recipient@example.com> Recipient ok

Finally, the contents of the message can be sent with the following command:

DATA

354 Start mail input; end with <CRLF>.<CRLF>

test email

.

Pressing “.” sends the email.

The email might land into the inbox or the spam folder. But from the first look, it seems genuine.

Email Headers Reveal Spoofed Email

Let’s investigate the email headers for closer inspection:

Received: from MN2PR02MB5854.namprd02.prod.outlook.com (2603:10b6:a03:1d0::37)

by BY5PR02MB6802.namprd02.prod.outlook.com with HTTPS via

BY5PR04CA0027.NAMPRD04.PROD.OUTLOOK.COM; Tue, 4 Aug 2020 13:36:11 +0000

Received: from MWHPR21CA0069.namprd21.prod.outlook.com (2603:10b6:300:db::31)

by MN2PR02MB5854.namprd02.prod.outlook.com (2603:10b6:208:113::31) with

Microsoft SMTP Server (version=TLS1_2,

cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3239.16; Tue, 4 Aug

2020 13:36:10 +0000

Received: from MW2NAM10FT060.eop-nam10.prod.protection.outlook.com

(2603:10b6:300:db:cafe::a) by MWHPR21CA0069.outlook.office365.com

(2603:10b6:300:db::31) with Microsoft SMTP Server (version=TLS1_2,

cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3283.0 via Frontend

Transport; Tue, 4 Aug 2020 13:36:09 +0000

Authentication-Results: spf=none (sender IP is 192.168.1.2)

smtp.mailfrom=example.com; example.com; dkim=none (message not

signed) header.d=none;example.com; dmarc=none action=none

header.from=example.com;compauth=fail reason=001

Received-SPF: None (protection.outlook.com: example.com does not

designate permitted sender hosts)

Received: from mailserver.exampleserver.com (192.168.1.2) by

MW2NAM10FT060.mail.protection.outlook.com (10.0.0.1) with Microsoft SMTP

Server id 15.20.3239.17 via Frontend Transport; Tue, 4 Aug 2020 13:36:09

+0000

Received: from  (UnknownHost [192.168.10.1]) by mailserver.exampleserver.com with SMTP;

Tue, 4 Aug 2020 09:35:52 -0400

Message-ID:

<982e2392-01f5-4275-bf47-0cbc97d73b97@MW2NAM10FT060.eop-nam10.prod.protection.outlook.com>

From: <ceo@example.com>

To: Undisclosed recipients:;

Return-Path: ceo@example.com

Date: Tue, 4 Aug 2020 13:36:09 +0000

X-MS-Exchange-Organization-ExpirationStartTime: 04 Aug 2020 13:36:09.6244

(UTC)

X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit

X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000

X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit

X-MS-Exchange-Organization-Network-Message-Id:

db4b44e2-faeb-4c5d-b1c1-08d8387b58e1

X-EOPAttributedMessage: 0

X-EOPTenantAttributedMessage: d5f1622b-14a3-45a6-b069-003f8dc4851f:0

X-MS-Exchange-Organization-MessageDirectionality: Incoming

X-MS-Office365-Filtering-HT: Tenant

X-MS-PublicTrafficType: Email

MIME-Version: 1.0

X-MS-Exchange-Organization-AuthSource:

MW2NAM10FT060.eop-nam10.prod.protection.outlook.com

X-MS-Exchange-Organization-AuthAs: Anonymous

X-MS-Office365-Filtering-Correlation-Id: db4b44e2-faeb-4c5d-b1c1-08d8387b58e1

X-MS-TrafficTypeDiagnostic: MN2PR02MB5854:

X-MS-Exchange-Organization-AVStamp-Service: 1.0

X-MS-Oob-TLC-OOBClassifiers: OLM:1728;

X-MS-Exchange-Organization-SCL: 5

X-Forefront-Antispam-Report:

As you can see, the email is sent from the email ceo@example.com. The only difference is that the IP address of the sender’s email server does not match the IP address in the MX records of example.com.

Hence, if we can verify the sender’s IP address and correlate that with the MX records of the sender’s domain, we would be able to detect a spoofed email successfully — that’s what DMARC is designed to do.

Conclusion

DMARC (Domain-based Message Authentication, Reporting & Conformance) works in combination with existing security mechanisms like SPF and DKIM to identify if the email message comes from a legitimate mail server or if it is spoofed.

DMARC Workflow
Figure: DMARC Workflow

A typical DMARC record is a TXT record with the format:

Type: TXT

Host/Name: _DMARC.example.com

Value: v=DMARC1; p=quarantine; ruf=mailto:dmarc@example.com

Explanation of parameters:

  • v=DMARC1 means the current version of DMARC
  • p=quarantine means in case of DMARC violation the mail is quarantined by receiving email address listed by the next parameter
  • ruf=mailto:dmarc@example.com means that the receiver will send forensic information about the quarantined email to dmarc@example.com

The presence of a valid DMARC record ensures that the receiver’s email server will not only identify if the mail is spoofed.

Adding a DMARC record is essential to prevent spoofed email.

According to a study made by Valimail, 79% of Fortune 500 companies and 25% of U.S. federal domains are still unprotected from DMARC-based spoofing attacks.   You can help improve this statistic — and your website’s security — by setting up and implementing DMARC records if you haven’t yet done so.

Does your domain have a DMARC record? Let us know by tweeting us @sucurisecurity.

*** This is a Security Bloggers Network syndicated blog from Sucuri Blog authored by Kaushal Bhavsar. Read the original post at: https://blog.sucuri.net/2020/09/missing-dmarc-records-lead-to-phishing.html