SMTP smuggling is an emerging technique used by threat actors to send spoofed emails with fake sender addresses, bypassing security measures [1] [2] [3]. This technique exploits inconsistencies in how outbound and inbound SMTP servers handle end-of-data sequences [2] [3], allowing threat actors to break out of the message data and send separate emails [2] [3]. Vulnerabilities have been identified in messaging servers from Microsoft, GMX [1] [2] [3], and Cisco [2] [3], as well as SMTP implementations from Postfix and Sendmail [2] [3].

Description

SMTP smuggling is a technique that takes advantage of inconsistencies in how outbound and inbound SMTP servers handle end-of-data sequences [3]. By exploiting these inconsistencies, threat actors can send spoofed emails with fake sender addresses [1] [2], effectively bypassing security measures [1] [2]. Notably, messaging servers from Microsoft [2] [3], GMX [1] [2] [3], and Cisco [2] [3], as well as SMTP implementations from Postfix and Sendmail [2] [3], have been found to be vulnerable to SMTP smuggling.
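The core of the technique is that the outbound server relays a non-standard end-of-data sequence unchanged, while a permissive inbound server treats it as the end of the DATA phase and parses whatever follows as fresh SMTP commands. The following Python model, added here as an illustration and not code from any of the cited sources or from any vendor, contrasts an RFC 5321-conformant inbound parser (only `<CRLF>.<CRLF>` ends DATA) with a lenient one, and includes a detector that flags non-standard terminator sequences inside a received message body so a relay or filter can reject them. The sample stream, the regular expressions and all function names are constructed for this example; which non-standard variants a real server honours depends on its implementation.

```python
import re

# RFC 5321 section 4.1.1.4: the only end-of-data indicator is <CRLF>.<CRLF>.
STRICT_TERMINATOR_RE = re.compile(rb"\r\n\.\r\n")

# Variants (bare LF, bare CR, mixed) that a permissive inbound server may also
# honour. Constructed for this example; real servers differ in what they accept.
LENIENT_TERMINATOR_RE = re.compile(rb"(?:\r\n|\n|\r)\.(?:\r\n|\n|\r)")


def parse_session(stream: bytes, terminator_re: re.Pattern) -> list[bytes]:
    """Tiny model of an inbound server's DATA handling.

    The stream begins inside the DATA phase. Each time terminator_re matches,
    the server leaves DATA and interprets the following lines as commands; a
    line reading 'DATA' re-enters the data phase. Returns the message bodies
    the server would hand to delivery. (Dot-stuffing is ignored for brevity.)
    """
    bodies: list[bytes] = []
    pos = 0
    in_data = True
    while pos < len(stream):
        if in_data:
            m = terminator_re.search(stream, pos)
            if not m:
                break  # unterminated DATA: a real server keeps waiting
            bodies.append(stream[pos:m.start()])
            pos = m.end()
            in_data = False
        else:
            nl = stream.find(b"\n", pos)
            line = stream[pos:] if nl == -1 else stream[pos:nl + 1]
            pos = len(stream) if nl == -1 else nl + 1
            if line.strip().upper() == b"DATA":
                in_data = True
    return bodies


def find_nonstandard_terminators(body: bytes) -> list[bytes]:
    """Return every non-standard end-of-data sequence found inside a body.

    A body produced by the strict parser can never contain <CRLF>.<CRLF>, so
    any match here is a bare-LF/CR variant that a downstream permissive server
    might honour. A relay or filter can reject or quarantine on a non-empty
    result.
    """
    return [m.group(0) for m in LENIENT_TERMINATOR_RE.finditer(body)]


# Constructed DATA-phase stream: one legitimate message followed by a bare-LF
# terminator and a second, embedded command sequence (addresses are RFC 2606
# reserved example domains).
SAMPLE_STREAM = (
    b"From: sender@example.com\r\n"
    b"To: recipient@example.net\r\n"
    b"Subject: legitimate message\r\n"
    b"\r\n"
    b"Hello.\r\n"
    b"\n.\n"  # non-standard end-of-data sequence (bare LF on both sides)
    b"MAIL FROM:<other@example.com>\r\n"
    b"RCPT TO:<recipient@example.net>\r\n"
    b"DATA\r\n"
    b"Subject: second message\r\n"
    b"\r\n"
    b"Smuggled body\r\n"
    b".\r\n"
)


if __name__ == "__main__":
    strict = parse_session(SAMPLE_STREAM, STRICT_TERMINATOR_RE)
    lenient = parse_session(SAMPLE_STREAM, LENIENT_TERMINATOR_RE)
    print(f"strict inbound server sees {len(strict)} message(s)")
    print(f"lenient inbound server sees {len(lenient)} message(s)")
    print("flagged sequences in strict body:",
          find_nonstandard_terminators(strict[0]))
```

Running the model shows the asymmetry the description refers to: the strict parser delivers a single message whose body happens to contain `\n.\n`, whereas the lenient parser ends the first message early and delivers a second one whose envelope came from inside the original DATA block. The detector gives a defender the same signal on either path, so an outbound relay can refuse to forward a body containing bare-newline terminator variants before a downstream server has the chance to misinterpret them.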

While Microsoft and GMX have addressed these vulnerabilities [2], Cisco considers the behaviour a feature and has not changed its default configuration [1] [2]. Consequently, inbound SMTP smuggling to Cisco Secure Email instances remains possible [1] [2] [3]. To mitigate this vulnerability [2], SEC Consult recommends changing the Cisco Secure Email setting from “Clean” to “Allow”, which prevents the receipt of spoofed emails that would otherwise pass DMARC checks [2].

Conclusion

SMTP smuggling poses a significant threat as it allows threat actors to send spoofed emails with fake sender addresses, evading security measures [1] [2] [3]. While Microsoft and GMX have taken steps to address these vulnerabilities, Cisco’s decision to consider them a feature leaves their Secure Email instances vulnerable to inbound SMTP smuggling. To mitigate this risk [3], it is crucial for organizations to change their Cisco settings from “Clean” to “Allow” to prevent the receipt of spoofed emails with valid DMARC checks. Continued vigilance and proactive measures are necessary to protect against this exploitation technique in the future.

References

[1] https://vulners.com/thn/THN:E22DE3A44703131BE1A8592478ADF381
[2] https://www.redpacketsecurity.com/smtp-smuggling-new-flaw-lets-attackers-bypass-security-and-spoof-emails/
[3] https://thehackernews.com/2024/01/smtp-smuggling-new-threat-enables.html