SOLVED

Vulnerability in My Office 365

Occasional Contributor

Hi there

I got an email from one of the security researchers saying that there is a big vulnerability in our mail server.

I observe this when I send an email from user@mydomain.com through http://emkei.cz/ to my@gmail.com (or to any other email account), and after that I check my Gmail and I received an email from user@mydomain.com; this is due to Server Security.

Steps to reproduce:

1) Open this URL: http://emkei.cz/
2) Type in the ''From email'' field user@mydomain.com or any email of your website.
3) After that, send the victim an email like my@gmail.com in the ''To'' field.
4) Write other details about what you want and send it to the victim email.
5) Victim will receive an email from mydomain.com.

All my SPF, DKIM, DMARC are in place.

How do we fix this problem?

3 Replies

Hi @Sumesh1980

Short answer: This is an issue with email security in general and not a security flaw with Office 365 itself. Check that your DMARC record is set to at least quarantine or reject.

Longer answer (sorry for rambling)

This isn't really a security issue with Office 365 in and of itself, but with how email fundamentally works.

The base email protocols do not have any built-in mechanism for authentication - in fact, open relays weren't too uncommon in the early days. In addition, there are some legitimate uses for spoofing email.

That website you posted has no interaction with Office 365 whatsoever - it does not try to log in, relay or have anything to do with Office 365, so there isn't a security vulnerability in that sense.

That website simply sends out an email saying it is from user@company.com - it can do that because, as mentioned, there are no authentication protocols in base email. Anyone could set up their own server to do that.

The problem in this case is that the receiving server - in this case Gmail - is accepting the email. I've tested that website to spoof an email from gmail.com from my O365 address and while it did give a warning that it does not look like the email was legitimate, it still delivered it to my inbox.

So what should happen? Well, the receiving server should get the email and run through SPF, DKIM and DMARC and see if the email passes these tests. Is the sending IP listed in the SPF record? Do the DKIM keys match? What should it do with the email if it fails?

It is up to the configuration of the receiving server how it will deal with an email that has failed these tests. While it is excellent that you have set up SPF/DKIM/DMARC, many others have not, so lots of organisations do not enforce the checks because they might miss out on legitimate email. SPF/DKIM/DMARC only really work best when everyone is using them.

I just made a quick change on my DMARC record - the policy was set to none but I've changed this to "p=quarantine" and resent the email via that website - now it has gone directly into spam, so it seems that Google is respecting my domain's DMARC record instructions. If I want to completely avoid doubt, I could set it to reject but this might interfere with some third parties, so I would want to double check this before applying.

Apologies for the big wall of text - hope this has been useful.

Mark

Best Response confirmed by Sumesh1980 (Occasional Contributor)
Solution
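The receiver-side decision Mark describes (SPF and DKIM results, then the domain's DMARC policy), as an added example that is not code from the thread or from Office 365; the DMARC records, the domains, the AuthResults inputs and the organisational-domain shortcut are constructed assumptions:

```python
# Added example, not from the thread: a simplified DMARC disposition check, i.e. the
# decision a receiving server makes once SPF and DKIM have run (rules per RFC 7489).
# DNS lookups are replaced by constructed in-memory records so this runs offline.
from dataclasses import dataclass

# Constructed _dmarc.mydomain.com records: the original policy and the changed one
DMARC_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@mydomain.com"
DMARC_QUARANTINE = "v=DMARC1; p=quarantine; rua=mailto:dmarc@mydomain.com"

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=quarantine; adkim=s' into a tag/value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain: str) -> str:
    # Simplification: the last two labels stand in for the organisational domain
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment accepts subdomains; strict ('s') needs an exact match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

@dataclass
class AuthResults:
    spf_result: str   # 'pass' or 'fail' from the SPF check of the MAIL FROM domain
    spf_domain: str   # the MAIL FROM domain SPF was checked against
    dkim_result: str  # 'pass', 'fail' or 'none' (unsigned)
    dkim_domain: str  # d= tag of the DKIM signature, '' if unsigned

def dmarc_disposition(record: str, from_domain: str, r: AuthResults) -> str:
    """Return 'pass', or the policy action ('none', 'quarantine', 'reject') on failure."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(from_domain, r.spf_domain, tags.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(from_domain, r.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:  # DMARC passes when either aligned check passes
        return "pass"
    return tags["p"]       # otherwise the domain owner's published policy applies

# Constructed scenario from the thread: a third-party web form mails as user@mydomain.com
# under its own MAIL FROM domain, so SPF cannot align and there is no DKIM signature.
SPOOFED = AuthResults("pass", "thirdparty.example", "none", "")
```

With p=none the spoofed message is merely reported, which is why it reached the inbox; with p=quarantine or p=reject the same message gets the action Mark observed.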

@HidMov

Hey

That's a very good way of explaining how things work at the Office365 server. I will try to set the DMARC policy from none to "p=quarantine".

Let's see if this gives us a fair warning about the legitimacy of the mails.

Hi @Sumesh1980

Did my advice of changing your DMARC record to "p=quarantine" fix your issue?