cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Vulnerability in My Office 365

Sumesh1980
Copper Contributor

‎Aug 24 2020 10:25 PM

‎Aug 24 2020 10:25 PM

Vulnerability in My Office 365

Hi there 

 

I got an email from one of the security researcher saying that their is a big vulnerability in our mail server

i observe this when i send a email from user@mydomain.com through http://emkei.cz/ to email    my@gmail.com (or to any other email account) and after that i check my gmail i received a email from user@mydomain.com , this is due to Server Security. 

 

Steps to reproduce:

1) Open this url http://emkei.cz/
2)Type In ''From email'' field user@mydomain.com or any email of your website.

3) After That, Send to the victim an email like my@gmail.com in the ''To'' field.

4) Write other details about what you want and send it to the victim email.
5) Victim will receive an email from  mydomain.com.

 

All my SPF, DKIM, DMARC are in place

 

How do we fix this problem?

1,410 Views
0 Likes
3 Replies
Reply
3 Replies
HidMov

‎Aug 25 2020 12:55 PM

‎Aug 25 2020 12:55 PM

Re: Vulnerability in My Office 365

Hi @Sumesh1980 

 

Short answer: This is an issue with email security in general and not a security flaw with Office 365 itself. Check that your DMARC record is set to at least quarantine or reject

 

Longer answer (sorry for rambling)

 

This isn't really a security issue with Office 365 in and of itself, but with how email fundamentally works.

 

The base email protocol's do not have any built in mechanism for authentication - in fact, open relays weren't too uncommon in the early days. In addition, there are some legitimate uses for spoofing email.

 

That website you posted has no interaction with Office 365 whatsoever - it does not try to log in, relay or have anything to do with Office 365, so there isn't a security vulnerability in that sense. 

 

That website simply sends out an email saying it is from user@company.com - it can do that because as mentioned there are no authentication protocols in base email. Anyone could set up their own server to do that.

 

The problem in this case is that the receiving server - in this case gmail - is accepting the email. I've tested that website to spoof and email from gmail.com from my O365 address and while it did give a warning that it does not look like the email was legitimate, it still delivered it to my inbox.

 

So what should happen? Well, the receiving server should get the email and run through SPF, DKIM and DMARC and see if the email passes these tests. Is the sending IP listed in the SPF record? Do the DKIM keys match? What should it do with the email if it fails?

 

It is up to the configuration of the receiving server on how it will deal with an email with these tests that have failed. While it is excellent that you have set up SPF/DKIM/DMARC, many others have not so lots of organisations do not enforce the checks because they might miss out on legitimate email. SPF/DKIM/DMARC only really work best when everyone is using them.

 

I just made a quick change on my DMARC record - the policy was set to none but I've changed this to "p=quarantine" and resent the email via that website - now it has gone directly into spam, so it seems that Google is respecting my domains DMARC record instructions. If I want to completely avoid doubt, I could set it to reject but this might interfere with some third-parties, so I would want to double check this before applying

 

Apologies for the big wall of text - hope this has been useful.

 

Mark

1 Like
Reply
best response confirmed by Sumesh1980 (Copper Contributor)
Sumesh1980

‎Aug 25 2020 01:02 PM

‎Aug 25 2020 01:02 PM

Solution

Re: Vulnerability in My Office 365

@HidMov 

 

Hey 

 

That's a very good way to explaining how things work at Office365 server. I will try to set the DMARC policy from none  to "p=quarantine"

 

Let's see if this gives us a fair warning about the legitimate of the mails 

0 Likes
Reply
HidMov

‎Aug 30 2020 01:18 AM

‎Aug 30 2020 01:18 AM

Re: Vulnerability in My Office 365

Hi @Sumesh1980 

 

Did my advice of changing your DMARC record to "p=quarantine" fix your issue?

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Sumesh1980 (Copper Contributor)
Sumesh1980

‎Aug 25 2020 01:02 PM

‎Aug 25 2020 01:02 PM

Solution

Re: Vulnerability in My Office 365

@HidMov 

 

Hey 

 

That's a very good way to explaining how things work at Office365 server. I will try to set the DMARC policy from none  to "p=quarantine"

 

Let's see if this gives us a fair warning about the legitimate of the mails 

View solution in original post

0 Likes
Reply