Mail servers readily hijacked due to MSP oversight

Email authentication checks could have been bypassed by phishing emails impersonating nearly 200 Australian organizations, due to a misconfiguration that went unnoticed for more than two years after it was introduced.

Now fixed, the problem was traced to a managed service provider (MSP) that designed the organizations’ websites and managed their Domain Name System (DNS) and email infrastructure.

The MSP in question, the Precedence Group, had “unfortunately added an extremely over-permissive SPF DNS record to each of the domains”, Sebastian Salla, CEO of CanIPhish and cloud security architect at Palo Alto Networks, told The Daily Swig.

“Because the MSP [had] added every single AWS /16 address block in Australia to the SPF record of each organization, any Amazon Web Services (AWS) user could spin up a virtual machine and send authenticated emails as though they come from these organizations,” Salla told The Daily Swig.

According to a blog post published by Salla today (December 1), an attacker merely had to obtain any one of the huge number of IP addresses that fell inside the whitelisted ranges but outside the target organization’s control. Mail sent from such an address passes the SPF check and, because a passing SPF result aligned with the From domain also satisfies DMARC, passes DMARC as well.

“You can cross-reference these address blocks against AWS’ public IP ranges file to see the issue,” added Salla.

What is the SPF?

The Sender Policy Framework (SPF) is an email authentication mechanism designed to detect forged emails that claim to be sent on behalf of a legitimate domain.

Organizations publish an SPF record as a TXT record in their domain’s DNS, listing the IP addresses and network ranges that are authorized to send email on their behalf.

Emails purporting to come from the organization but originating from an IP address not covered by its SPF record therefore fail the SPF check and, depending on the record’s final qualifier (fail or softfail) and the receiving server’s policy, are rejected or flagged as suspicious. The corollary is that every address inside a listed range is treated as legitimate, which is why listing ranges the organization does not exclusively control defeats the mechanism.
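The audit below is an added example, not code from Salla’s blog post or from the MSP: it parses an SPF record’s ip4 mechanisms, counts how many addresses they authorize, flags any network broader than a /24, and cross-references the networks against a cloud provider’s published range file in the way the article describes. The SPF record and the provider range list are constructed for illustration: the /16 blocks come from the RFC 2544 benchmarking range rather than AWS, the range file only copies the field layout of AWS’s ip-ranges.json (a “prefixes” list with “ip_prefix”, “region” and “service”), and the hostnames are placeholders. Terms that need DNS to expand (include, a, mx, ip6) are reported but not resolved, so the script runs offline.

```python
import ipaddress
import json

# Constructed SPF record (not any real organisation's): one genuine mail
# server plus two /16 blocks standing in for the cloud-provider /16s the
# article describes. 198.18.0.0/15 is the RFC 2544 benchmarking range.
SAMPLE_SPF = ("v=spf1 ip4:203.0.113.25 ip4:198.18.0.0/16 ip4:198.19.0.0/16 "
              "include:_spf.example.net -all")

# Constructed stand-in for a provider's published range file. It mirrors the
# layout of AWS's ip-ranges.json but the prefixes and region are made up.
SAMPLE_CLOUD_RANGES = json.dumps({
    "prefixes": [
        {"ip_prefix": "198.18.0.0/15", "region": "example-region-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24", "region": "example-region-1", "service": "S3"},
    ]
})

QUALIFIERS = "+-~?"


def parse_spf_ip4(record):
    """Return (networks, unexpanded): the ip4 networks that positively
    authorise senders, and the terms that would need DNS lookups to expand."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    networks, unexpanded = [], []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term.lstrip(QUALIFIERS).lower()
        if body == "all" or body.startswith(("redirect=", "exp=")):
            continue  # policy and modifier terms, not sender authorisations
        if body.startswith("ip4:"):
            if qualifier == "+":  # only a pass qualifier authorises the range
                networks.append(ipaddress.ip_network(body[4:], strict=False))
        else:
            unexpanded.append(term)  # include/a/mx/ip6/exists: needs DNS
    return networks, unexpanded


def count_addresses(networks):
    """Total number of IPv4 addresses the ip4 mechanisms authorise."""
    return sum(net.num_addresses for net in networks)


def over_permissive(networks, min_prefixlen=24):
    """Networks broader than a /min_prefixlen. A mail fleet rarely needs more
    than a /24; a single /16 hands SPF pass to 65,536 addresses."""
    return [net for net in networks if net.prefixlen < min_prefixlen]


def cloud_overlaps(networks, ranges_json):
    """Cross-reference SPF networks against a provider's published prefixes.
    Any overlap means tenants of that provider can send as the domain."""
    hits = []
    for entry in json.loads(ranges_json)["prefixes"]:
        provider_net = ipaddress.ip_network(entry["ip_prefix"])
        for net in networks:
            if net.overlaps(provider_net):
                hits.append((str(net), entry["ip_prefix"],
                             entry["region"], entry["service"]))
    return hits


def audit_spf(record, ranges_json, min_prefixlen=24):
    """Summarise what an SPF record really authorises."""
    networks, unexpanded = parse_spf_ip4(record)
    return {
        "total_ip4_addresses": count_addresses(networks),
        "over_permissive": [str(n) for n in over_permissive(networks, min_prefixlen)],
        "cloud_overlaps": cloud_overlaps(networks, ranges_json),
        "unexpanded": unexpanded,
    }


if __name__ == "__main__":
    print(json.dumps(audit_spf(SAMPLE_SPF, SAMPLE_CLOUD_RANGES), indent=2))
```

Run against the constructed record, the audit reports 131,073 authorized addresses, two over-permissive /16s, and two overlaps with the provider’s EC2 prefix; run against a record that lists only the single mail server, it reports nothing. For a real audit, fetch the domain’s TXT record and the provider’s current range file, resolve the include terms recursively, and remember that SPF caps a record at ten DNS-querying mechanisms.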


Salla sent himself an email purporting to be from a city council that passed email authentication checks

‘Extreme risk’

Salla found that 190 organizations were impacted by the MSP’s SPF oversight, including city councils, financial services firms, freight service companies, legal firms, and construction companies.

“Given the position many of these organizations are in (i.e. in and around property/financial services), there was an extreme risk to Australian individuals in the form of business email compromise attacks,” said Salla.

“A threat actor who stumbled across any of these organizations could find a customer and send fake invoices, purchase orders, etc, and there would be absolutely no way to spot the real from fake.”

Salla’s discovery began when “a one-time scan on a few hundred Australian organizations” surfaced a city council whose SPF record contained a series of /16 address blocks that, taken together, covered “every IP address that AWS reserves for EC2 instances in Australia – 1,048,544 IP addresses”.

He validated his suspicions by launching an EC2 instance whose public IP address fell within one of the whitelisted ranges and sending himself an email impersonating the council; the message passed both SPF and DMARC checks.

The MSP’s SPF record, Salla discovered, had existed in its vulnerable form since March 2019.

The fix

According to Salla, the Precedence Group fixed the issue on Monday (November 29) – the same day it was alerted by the Australian Cyber Security Centre, which the researcher notified on November 25.

Salla said the MSP has “removed all the overly permissive /16 address blocks and replaced them with single IP addresses for the mail servers that are actually under their control” – thus applying “the fix to all affected customers at once”.

Salla’s research in this area is ongoing. “Over the coming weeks/months, I fully expect more organizations will be identified as I begin expanding the scope of these scans and refine the approach,” he explained.

The Precedence Group did not respond to our request for comment. This article will be updated if we hear back.
