On Monday, I found what looked like a run-of-the-mill phishing e-mail in my malware quarantine. The "hook" it used was quite a common one – it was a fake DHL delivery notification inserted as an image into the body of the e-mail in an attempt to make the user open its attachments.
There were two attachments (see hashes below). The first was an RTF file masquerading as a Word document ("SHIPPING DOCUMENT..doc"), which tried to exploit the well-known CVE-2017-11882 vulnerability in the Equation Editor used by Microsoft Office[1]. The second was an ACE archive ("INVOICE & AWB..ace") containing a malicious executable ("mk.exe"). Although the executable was kind of interesting – it was an info stealer using a Delphi packer[2] – the phishing turned out to be notable for a different reason: the spoofed sender domain had a Sender Policy Framework (SPF)[3,4] record set.
However, even with an SPF record correctly set for the sender.tld domain, the following spoofing attempt will pass SPF checks if non-spf-domain.tld doesn't have such a record as well (although that doesn't mean the spoofed e-mail won't be blocked by some other security mechanism):
Due to its simplicity and effectiveness (to a user, the sender seems to be the address in the "From" header of the message, not the address specified in "MAIL FROM"), this technique is often used by phishing authors when they send spoofed e-mail messages. The sender appears to be dhlexpress@shipping.com and, if we take a look at the headers, we'll see that the same address was used as the "MAIL FROM" address. We may also discover that although an SPF check took place, it ended with a "Neutral" result. This means that the SPF record doesn't state whether the sending IP is or is not authorized to send e-mails for the domain. To understand the last line of the header and the reason for the result, one only needs to know that SPF lets us use qualifiers to specify from which hosts e-mails should be accepted/passed (+), from which hosts they should be dropped/failed (-), from which they should be marked as suspicious/softfailed (~) and for which hosts the policy isn't specified (?). The record for shipping.com which we see above therefore basically specifies that several servers are permitted to send e-mails for the domain and that all others may do so as well. The benefits of such SPF records are disputable at best.

Files:
SHIPPING DOCUMENT..doc
INVOICE & AWB..ace
mk.exe
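To show how the qualifier on the final "all" term decides between a "Neutral" and a "Fail" result, here is an added example (not code from the diary) that evaluates a stripped-down SPF record against a sending IP. The records are constructed stand-ins, not the real shipping.com record, and only the ip4, ip6 and all mechanisms are handled (no include:, a, mx or redirect=).

```python
import ipaddress

# Result names from RFC 7208 for the four SPF qualifiers.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate a minimal SPF record (ip4/ip6/all only) for sender_ip.

    Returns what a receiver would record in Received-SPF: 'pass', 'fail',
    'softfail', 'neutral', or 'none' when the domain publishes no record.
    """
    if record is None:
        return "none"              # no SPF record at all (the non-spf-domain.tld case)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"            # an omitted qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # strict=False lets a bare host address act as a /32 or /128
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"               # nothing matched and no "all" term: default is neutral


# Constructed records: the first ends in "?all" like the one described in the
# diary, the second is the same allow-list hardened with "-all".
PERMISSIVE = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 ?all"
STRICT = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all"


def compare(sender_ip):
    """Results a receiver would get for the same sender under each record."""
    return {
        "permissive": evaluate_spf(PERMISSIVE, sender_ip),
        "strict": evaluate_spf(STRICT, sender_ip),
        "no_record": evaluate_spf(None, sender_ip),
    }


if __name__ == "__main__":
    print(compare("192.0.2.25"))    # listed host: pass under both records
    print(compare("203.0.113.7"))   # unlisted host: neutral vs. fail
```

An unlisted host only produces "fail" under the "-all" record; with "?all" the receiver learns nothing and has to fall back on other checks.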
Jan, ISC Handler, Oct 17th 2019
The recommendation to activate SPF straight away is too bold. When SPF is implemented on its own, it tells the receivers how the sender wants them to process mail. The receivers are free to either take the sender's wish, or to apply a policy of their own.
Most of the time, SPF is in use in conjunction with DMARC. And DMARC-aware receivers will take policy decisions as prescribed by the sender. A recipe for a disaster: introduce your SPF record with a FAIL or SOFTFAIL policy in the presence of DMARC. A generic enterprise will have about a dozen mail senders, unknown to IT or unmanaged by IT. An essential chunk of mail will be either rejected or placed in quarantine. It will NOT reach the intended recipients in a way similar to how it did prior to making a simple and quick DNS change. Business people will be impacted. R stands for Reporting in DMARC. Having visibility of DMARC reports is essential prior to making any changes to SPF policies, including publishing the SPF policy itself.
Anonymous, Oct 19th 2019
I agree with you that SPF may cause problems if it is not implemented with regard to existing IT infrastructure and processes. In the end, the same may be said for a firewall or pretty much any other security technology. Just as in the case of a new firewall, the individual or organization who wants to deploy SPF should know the limitations and potential impacts of the technology and minimize the risks connected to it before they deploy it (if they choose to deploy it at all).
In an ideal world, SPF, DKIM and DMARC would be used by everyone. But for those unwilling or unable to set them all up, just publishing an SPF record can be a quick and easy win, if they do it as part of a considered security strategy and not in a haphazard fashion.
Jan, ISC Handler, Oct 19th 2019