Phishers are using a vulnerability in Google’s SMTP relay service to send malicious emails that spoof well-known companies. According to a recent research paper, threat actors began misusing Google’s SMTP relay service in April 2022.
Online services and applications can send email through the relay from some.server.com while presenting whatever sender address they choose; a message could appear to come from firstname.lastname@example.org, for example. In the first two weeks of April, the researchers discovered at least 30,000 emails delivered using this method.
Google SMTP Relay Service
Gmail and Google Workspace users can send outgoing email through Google's SMTP (Simple Mail Transfer Protocol) relay service, which is useful for businesses that send a high volume of email.
Organisations use this service for a variety of reasons, for example to send marketing messages without getting their own mail server blocked.
What Causes the Attack?
According to the report, cybercriminals can use Google's SMTP relay service to spoof other Gmail domains without being detected when those domains have not configured a DMARC policy with the 'reject' directive.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication mechanism designed to protect email domain owners against unauthorised use of their domain. Domain owners publish a DMARC DNS record containing a policy directive that tells receiving mail servers what to do with messages that fail authentication.
The directive takes one of three values:
- none (do nothing with the faked e-mail; deliver it normally)
- quarantine (place the e-mail in the spam folder)
- reject (refuse the e-mail outright)
A company's email authentication requirements are controlled by this policy. If an email fails DMARC verification, the DMARC policy instructs recipient mail servers such as Gmail or Microsoft 365 on how to handle it.
New phishing attacks exploit smtp-relay.gmail.com, a trusted server that email gateways and spam-filtering services often add to their whitelists.
For example, the following email appears to come from Trello.com, but it actually comes from jigokar.com and was sent through Google.
These attacks are only effective when the impersonated entity's DMARC policy is set to "none". For example, DMARC policies are set to 'none' on dell.com, wikipedia.org, yandex.ru, bit.ly, and live.com.
Setting up a strong DMARC policy is a recommended security practice, since it helps prevent domain spoofing by threat actors.
Anyone on the internet can use tools like MXToolbox to verify whether the DMARC reject policy has been activated for a given domain.
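The check just described, as an added example that is not part of the original article: it parses the DMARC TXT record published at _dmarc.<domain> and reports what a receiver would do with mail that fails authentication, including the subdomain (sp=) and sampling (pct=) cases the simple "is it reject?" question glosses over. The domain names and records are constructed samples, not real lookups.

```python
# Added example (not from the article): classify the DMARC TXT record at
# _dmarc.<domain>, the check MXToolbox-style tools perform. Sample records below
# are constructed, not real lookups.
WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(record):
    """'v=DMARC1; p=reject; pct=100' -> {'v': 'DMARC1', 'p': 'reject', 'pct': '100'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def effective_policy(record, subdomain=False):
    """Action a receiver takes on mail that fails DMARC for this domain.

    No record, wrong version tag or unknown p= behave like p=none (the state the
    relay abuse relies on); sp= overrides p= for subdomains; pct<100 applies the
    policy to a sample and the next weaker action to the rest (RFC 7489 6.6.4).
    """
    if record is None:
        return "none"
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "none"
    policy = tags.get("p", "none").lower()
    if subdomain and "sp" in tags:
        policy = tags["sp"].lower()
    if policy not in WEAKER:
        return "none"
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        return f"{policy} for {pct}% of failing mail, {WEAKER[policy]} for the rest"
    return policy

def spoofable(record, subdomain=False):
    """True when forged mail would be delivered untouched (no reject/quarantine)."""
    return effective_policy(record, subdomain) == "none"

SAMPLES = {  # constructed, one per situation the article describes
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    "soft.example": "v=DMARC1; p=quarantine; sp=none; pct=50",
    "weak.example": "v=DMARC1; p=none",
    "absent.example": None,
}
for domain, rec in SAMPLES.items():
    print(f"{domain:15} spoofable={spoofable(rec)!s:5} policy={effective_policy(rec)}")
```

To run it against a live domain, feed the TXT record returned by a DNS query for _dmarc.<domain> into effective_policy; the absence of any record is the same as p=none.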
After being approached by Bleeping Computer, a Google spokesperson responded:
We’ve built up countermeasures to prevent this type of attack. This research study explains why we recommend the Domain-based Message Verification, Coverage, and Correspondence (DMARC) technique to clients within the ecological community. This will very probably prohibit the use of this attack tactic, which is a well-known industry issue.
Users may get more information about how to set up their environments correctly here: https://support.google.com/a/answer/2956491?hl=en and here: https://support.google.com/a/answer/10583557.
Workspace has nothing specific to do with the way email requirements are used across the industry. This data does not include many of the split protections that keep clients secure, like DMARC and email usage systems.
- Verifying the sender's address isn't enough to detect a spoofing attack. If in doubt, check the full message headers.
- Hover over links in the message body to confirm the destination rather than clicking on them. Malware can be downloaded onto your device simply by visiting an insecure website.
- Keep your email authentication standards up to date by following best practices from the Malware and Mobile Anti-Abuse Working Group.