Forum Discussion

Sumesh1980's avatar
Sumesh1980
Copper Contributor
Aug 25, 2020
Solved

Vulnerability in My Office 365

Hi there    I got an email from one of the security researcher saying that their is a big vulnerability in our mail server i observe this when i send a email from user@mydomain.com through http:/...
  • Sumesh1980's avatar
    Sumesh1980
    Aug 25, 2020

    HidMov 

     

    Hey 

     

    That's a very good way to explaining how things work at Office365 server. I will try to set the DMARC policy from none  to "p=quarantine"

     

    Let's see if this gives us a fair warning about the legitimate of the mails 

HidMov's avatar
HidMov
Iron Contributor
Aug 25, 2020

Hi Sumesh1980 

 

Short answer: This is an issue with email security in general and not a security flaw with Office 365 itself. Check that your DMARC record is set to at least quarantine or reject

 

Longer answer (sorry for rambling)

 

This isn't really a security issue with Office 365 in and of itself, but with how email fundamentally works.

 

The base email protocol's do not have any built in mechanism for authentication - in fact, open relays weren't too uncommon in the early days. In addition, there are some legitimate uses for spoofing email.

 

That website you posted has no interaction with Office 365 whatsoever - it does not try to log in, relay or have anything to do with Office 365, so there isn't a security vulnerability in that sense. 

 

That website simply sends out an email saying it is from user@company.com - it can do that because as mentioned there are no authentication protocols in base email. Anyone could set up their own server to do that.

 

The problem in this case is that the receiving server - in this case gmail - is accepting the email. I've tested that website to spoof and email from gmail.com from my O365 address and while it did give a warning that it does not look like the email was legitimate, it still delivered it to my inbox.

 

So what should happen? Well, the receiving server should get the email and run through SPF, DKIM and DMARC and see if the email passes these tests. Is the sending IP listed in the SPF record? Do the DKIM keys match? What should it do with the email if it fails?

 

It is up to the configuration of the receiving server on how it will deal with an email with these tests that have failed. While it is excellent that you have set up SPF/DKIM/DMARC, many others have not so lots of organisations do not enforce the checks because they might miss out on legitimate email. SPF/DKIM/DMARC only really work best when everyone is using them.

 

I just made a quick change on my DMARC record - the policy was set to none but I've changed this to "p=quarantine" and resent the email via that website - now it has gone directly into spam, so it seems that Google is respecting my domains DMARC record instructions. If I want to completely avoid doubt, I could set it to reject but this might interfere with some third-parties, so I would want to double check this before applying

 

Apologies for the big wall of text - hope this has been useful.

 

Mark

Sumesh1980's avatar
Sumesh1980
Copper Contributor
Aug 25, 2020

HidMov 

 

Hey 

 

That's a very good way to explaining how things work at Office365 server. I will try to set the DMARC policy from none  to "p=quarantine"

 

Let's see if this gives us a fair warning about the legitimate of the mails 

  • HidMov's avatar
    HidMov
    Iron Contributor
    Aug 30, 2020

    Hi Sumesh1980 

     

    Did my advice of changing your DMARC record to "p=quarantine" fix your issue?

Resources