08-24-2020 10:25 PM
I got an email from a security researcher saying that there is a big vulnerability in our mail server.
I observed this when I sent an email from email@example.com through http://emkei.cz/ to firstname.lastname@example.org (or to any other email account); after that I checked my Gmail and I had received an email from email@example.com. This is due to server security.
Steps to reproduce:
1) Open this URL: http://emkei.cz/
2) Type firstname.lastname@example.org, or any email address of your website, in the ''From email'' field.
3) After that, put the victim's address, like email@example.com, in the ''To'' field.
4) Write whatever other details you want and send it to the victim's email.
5) The victim will receive an email from mydomain.com.
All my SPF, DKIM and DMARC records are in place.
How do we fix this problem?
08-25-2020 12:55 PM
Short answer: This is an issue with email security in general and not a security flaw with Office 365 itself. Check that your DMARC record is set to at least quarantine or reject.
Longer answer (sorry for rambling):
This isn't really a security issue with Office 365 in and of itself, but with how email fundamentally works.
The base email protocols do not have any built-in mechanism for authentication; in fact, open relays weren't too uncommon in the early days. In addition, there are some legitimate uses for spoofing email.
That website you posted has no interaction with Office 365 whatsoever: it does not try to log in, relay, or have anything to do with Office 365, so there isn't a security vulnerability in that sense.
That website simply sends out an email saying it is from firstname.lastname@example.org. It can do that because, as mentioned, there are no authentication protocols in base email. Anyone could set up their own server to do that.
The problem in this case is that the receiving server, in this case Gmail, is accepting the email. I've tested that website to spoof an email from gmail.com to my O365 address, and while it did give a warning that the email does not look legitimate, it still delivered it to my inbox.
So what should happen? Well, the receiving server should get the email and run through SPF, DKIM and DMARC and see if the email passes these tests. Is the sending IP listed in the SPF record? Do the DKIM keys match? What should it do with the email if it fails?
It is up to the configuration of the receiving server how it will deal with an email that has failed these tests. While it is excellent that you have set up SPF/DKIM/DMARC, many others have not, so lots of organisations do not enforce the checks because they might miss out on legitimate email. SPF/DKIM/DMARC only really work best when everyone is using them.
I just made a quick change to my DMARC record: the policy was set to none, but I've changed this to "p=quarantine" and resent the email via that website. Now it has gone directly into spam, so it seems that Google is respecting my domain's DMARC record instructions. If I want to completely avoid doubt, I could set it to reject, but this might interfere with some third parties, so I would want to double-check this before applying it.
Apologies for the big wall of text - hope this has been useful.
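To make the answer above concrete, here is an added example (not code from the original thread, nor from Office 365 or Gmail) of the decision a receiving server makes: it takes the SPF and DKIM results it computed, checks whether the authenticated domain aligns with the From domain, and, if neither passes, applies the p= tag of the sender's DMARC record. The DMARC records and the Authentication-Results headers are constructed sample data, and mydomain.com stands in for the poster's domain. The organizational-domain helper is deliberately simplified; a production implementation consults the Public Suffix List.

```python
"""
What a receiving mail server does with a message under the sender's DMARC policy.

Added example for this thread, not code from the original post or from
Office 365/Gmail. The DMARC records and the Authentication-Results headers
are constructed sample data; mydomain.com stands in for the poster's domain.
"""
import re

POLICY_ACTION = {"none": "deliver", "quarantine": "spam", "reject": "reject"}


def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=quarantine; rua=...' into a dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def organizational_domain(domain):
    """Crude organizational domain: last two labels (a real check uses the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def parse_auth_results(header):
    """
    Pull (method, result, domain) triples out of an Authentication-Results header,
    e.g. 'mx.google.com; spf=fail (...) smtp.mailfrom=a@mydomain.com; dkim=none'.
    """
    results = []
    for clause in header.split(";")[1:]:  # clause 0 is the authserv-id
        clause = re.sub(r"\([^)]*\)", "", clause).strip()  # drop parenthesised comments
        m = re.match(r"(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        method, result = m.groups()
        d = re.search(r"(?:smtp\.mailfrom|header\.d)=(?:[^@\s]+@)?([\w.-]+)", clause)
        results.append((method, result, d.group(1) if d else ""))
    return results


def dmarc_disposition(record, from_domain, auth_header):
    """
    Return (dmarc_result, action). DMARC passes if SPF or DKIM passed *and* the
    authenticated domain aligns with the RFC5322.From domain; otherwise the
    record's p= tag decides. With p=none a spoof is still delivered.
    """
    tags = parse_dmarc(record)
    for method, result, domain in parse_auth_results(auth_header):
        if result != "pass":
            continue
        mode = tags.get("aspf" if method == "spf" else "adkim", "r")
        if aligned(domain, from_domain, mode):
            return "pass", "deliver"
    return "fail", POLICY_ACTION[tags.get("p", "none")]


# Constructed sample headers: what a receiver would record for a spoof sent from a
# third-party site (sending IP not in SPF, no DKIM signature) and for a genuine message.
SPOOF_AR = ("mx.google.com; spf=fail (google.com: domain of user@mydomain.com does "
            "not designate 203.0.113.7 as permitted sender) smtp.mailfrom=user@mydomain.com; "
            "dkim=none")
GENUINE_AR = "mx.google.com; spf=pass smtp.mailfrom=user@mydomain.com; dkim=pass header.d=mydomain.com"

if __name__ == "__main__":
    for policy in ("none", "quarantine", "reject"):
        record = f"v=DMARC1; p={policy}; rua=mailto:dmarc@mydomain.com"
        print(policy, dmarc_disposition(record, "mydomain.com", SPOOF_AR))
    print("genuine", dmarc_disposition("v=DMARC1; p=reject", "mydomain.com", GENUINE_AR))
```

Running it shows the three outcomes the answer describes: with p=none the spoof is delivered, with p=quarantine it goes to spam, with p=reject it is refused, while the genuine message passes under any policy because its SPF domain aligns with the From domain. Before moving to p=reject, check that every legitimate third-party sender produces an aligned SPF or DKIM pass, otherwise their mail fails the same way.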