Security flaw in forwarding rules


I think I found a security flaw. But maybe not.

I have reported it to Microsoft, but I wanted to raise this here and get some thoughts from real experts.

So one of my customers got in touch with me and had concerns that one of his "SHARED email accounts" had been hacked because he got an email "FROM" that shared email account saying "You have been hacked, please deposit bitcoin... etc etc etc.. blablabla..."

To understand this post better, let's call the shared email address "shared[at]example.com"

And his main account "main[at]example.com"

The hacker is sending from "hacking[at]hackerexample.com"

My first thought was "His account has been hacked"... If the sender is not "designated permitted sender hosts" the email should hit the "Junk mail folder" in his main account but it didn't in this case, it went straight into his Inbox... That's why I thought this is a real threat...

 

So I started my research inside the Exchange and also inside the "Shared mailbox" and found that his account was "NOT" hacked...

"That's strange" I thought... If the shared email account was not hacked, then why did the email not hit his main account junk mail folder?

I think it's because he has a forwarding rule "FROM" his shared email account "INTO" his main email account.

  1. So the hacker spoofs an email to be shared[at]example.com and sends it into shared@example.com.
  2. The email goes through the SPF DNS system and gets flagged as spam and hits the junk folder on the shared[at]example.com account.
  3. Then it is forwarded into the "main[at]example.com" but NOW it is not going through the SPF checks... The email is sent directly into the Inbox of the main@example.com

Looking like it's the real deal!! No junk folder this time...

 

What??? I felt like this is a security flaw... but..

A nice lady from Microsoft just called me and we had this discussion... I said I think this is a security flaw and should be addressed, maybe an option to "only forward verified messages"... But she said "no, it's not a security flaw... The email should not go through the SPF again, once it is internal... The forwarding rule is doing its job, and is forwarding all emails to his main account, and that's why it is not flagged as spam."

I'd like to get some thoughts on this...

  • is this not a security flaw?
  • should it not hit junk mail folder on the main account, even though it was flagged as junk on shared account?
  • etc... ?

Thanks.

0 Replies
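
An added example, not part of the original post: a triage check for the scenario described above, flagging any message whose From address claims an internal domain while an `Authentication-Results` header records an SPF or DMARC failure. It assumes the forwarded copy still carries the header stamped when the message first arrived; `INTERNAL_DOMAINS`, the `mx.example.com` authserv-id and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}   # assumption: domains the tenant owns
FAILING = {"fail", "softfail"}       # SPF results treated as a failed check

def auth_verdicts(msg):
    """Map spf/dkim/dmarc to every result found in Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        # Clause 0 is the authserv-id; each later clause is "method=result ...".
        for clause in str(header).split(";")[1:]:
            m = re.match(r"\s*(spf|dkim|dmarc)\s*=\s*(\w+)", clause, re.I)
            if m:
                verdicts.setdefault(m.group(1).lower(), set()).add(m.group(2).lower())
    return verdicts

def is_spoofed_internal(raw):
    """True when From claims an internal domain but SPF or DMARC failed at some hop."""
    msg = message_from_string(raw, policy=policy.default)
    domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    v = auth_verdicts(msg)
    failed = bool(v.get("spf", set()) & FAILING) or "fail" in v.get("dmarc", set())
    return domain in INTERNAL_DOMAINS and failed

def build(from_addr, results):
    """Constructed sample message with a single Authentication-Results header."""
    return (f"Authentication-Results: mx.example.com; {results}\n"
            f"From: {from_addr}\nTo: shared@example.com\nSubject: test\n\nbody\n")

# Constructed samples: spoofed internal sender, genuine internal sender,
# and an external sender that fails SPF (junk, but not an internal spoof).
SPOOFED = build("Shared <shared@example.com>",
                "spf=fail smtp.mailfrom=example.com; dkim=none; "
                "dmarc=fail header.from=example.com")
LEGIT = build("main@example.com",
              "spf=pass smtp.mailfrom=example.com; dkim=pass; "
              "dmarc=pass header.from=example.com")
EXTERNAL = build("hacking@hackerexample.com",
                 "spf=softfail smtp.mailfrom=hackerexample.com; dkim=none; dmarc=none")

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("legit", LEGIT), ("external", EXTERNAL)]:
        print(name, is_spoofed_internal(raw))
```

The same check could be run over messages exported from the main mailbox to find forwarded mail that reached the Inbox despite a failed verdict at the first hop.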