IKARUS mail.security detects SMTP smuggling

4. January, 2024

SMTP smuggling exploits the fact that emails can be split into multiple emails by the receiving server using certain encodings. If the newly created emails are not independently verified on the receiving server, effective authentication mechanisms such as SPM, DKIM or DMARC cannot be applied. This allows targeted phishing attacks to reach mailboxes that are supposed to be protected.

IKARUS mail.security is not and has never been vulnerable to SMTP smuggling.

SMTP smuggling bypasses authentication mechanisms

The vulnerability, disclosed in December 2023, allows attackers to exploit some SMTP implementations to “smuggle” emails with forged sender information. The method relies on the fact that the end of message (RFC) encoding is interpreted differently by different implementations.

A prepared email with non-RFC compliant encoding can be split into multiple emails by the receiving server. Attackers can add any header they like to the newly created emails – for example, the sender or recipient address – to spoof trusted domains. If these spoofed emails are not scanned and authenticated again, they become deceptively genuine phishing emails.

IKARUS mail.security detects SMTP smuggling

If IKARUS mail.security receives an email with a non-RFC compliant tag, it is not automatically accepted. All content is subjected to all the usual scans – from various authentication checks and malware checks to content and link analyses. Emails with forged sender data are blocked by IKARUS mail.security.

To protect their own identity, IKARUS mail.security users can also issue S/MIME certificates for their mailboxes. A missing or invalid certificate indicates to the recipient that the incoming message may not be authentic.

Protective measures against SMTP smuggling

Major companies such as GMX and Microsoft have already patched the vulnerability in their services. Cisco Secure Email users will need to update their settings manually.

As the vulnerability has only recently been discovered and has not yet been fully researched, researchers cannot rule out other vulnerabilities related to SMTP smuggling. Traditional warnings to never blindly trust emails therefore remain valid, even with protective measures in place.

IKARUS will continue to monitor developments and respond immediately to any new vulnerabilities.

Links:

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2023/2023-292569-1032.html

HarfangLab Guard
MITRE ATT&CK Framework
v.l.n.r.: Joe Pichlmayr (CEO IKARUS) – Anouck Teiller (CSO HarfangLab) –Alexander van der Bellen (Bundespräsident Österreich) - Frédéric Joureau (Erster Botschaftsrat der französischen Botschaft in Wien) – Christian Fritz (COO IKARUS)
EDR
Cyber Kill Chain
Business Email Compromise
Prognosen für die zehn größten Cybersecurity-Bedrohungen für 2030
E-Mail Verschlüsselung
Schritt für Schritt zum Notfallplan für IT-Security-Incidents
Account Management
Bedrohung
Indicators of Attack
Gefahren durch vertrauenswürdige Services
Threat Intelligence
SQL Injection
Cyber-Risiken in der Ferienzeit

WE ARE LOOKING FORWARD TO HEARING FROM YOU!

IKARUS Security Software GmbH Blechturmgasse 11
1050 Vienna

Phone: +43 1 58995-0
Sales Hotline:
+43 1 58995-500
sales@ikarus.at

SUPPORT HOTLINE

Support hotline:
+43 1 58995-400
support@ikarus.at

Support hours:
Mon – Thu: 8am – 5pm
Fri: 8am – 3pm
24/7 support by arrangement

Remote maintenance software:
AnyDesk Download