IKARUS mail.security detects SMTP smuggling

4. January, 2024

SMTP smuggling exploits the fact that emails can be split into multiple emails by the receiving server using certain encodings. If the newly created emails are not independently verified on the receiving server, effective authentication mechanisms such as SPM, DKIM or DMARC cannot be applied. This allows targeted phishing attacks to reach mailboxes that are supposed to be protected.

IKARUS mail.security is not and has never been vulnerable to SMTP smuggling.

SMTP smuggling bypasses authentication mechanisms

The vulnerability, disclosed in December 2023, allows attackers to exploit some SMTP implementations to “smuggle” emails with forged sender information. The method relies on the fact that the end of message (RFC) encoding is interpreted differently by different implementations.

A prepared email with non-RFC compliant encoding can be split into multiple emails by the receiving server. Attackers can add any header they like to the newly created emails – for example, the sender or recipient address – to spoof trusted domains. If these spoofed emails are not scanned and authenticated again, they become deceptively genuine phishing emails.

IKARUS mail.security detects SMTP smuggling

If IKARUS mail.security receives an email with a non-RFC compliant tag, it is not automatically accepted. All content is subjected to all the usual scans – from various authentication checks and malware checks to content and link analyses. Emails with forged sender data are blocked by IKARUS mail.security.

To protect their own identity, IKARUS mail.security users can also issue S/MIME certificates for their mailboxes. A missing or invalid certificate indicates to the recipient that the incoming message may not be authentic.

Protective measures against SMTP smuggling

Major companies such as GMX and Microsoft have already patched the vulnerability in their services. Cisco Secure Email users will need to update their settings manually.

As the vulnerability has only recently been discovered and has not yet been fully researched, researchers cannot rule out other vulnerabilities related to SMTP smuggling. Traditional warnings to never blindly trust emails therefore remain valid, even with protective measures in place.

IKARUS will continue to monitor developments and respond immediately to any new vulnerabilities.

Links:

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2023/2023-292569-1032.html

Gefahren durch vertrauenswürdige Services
Threat Intelligence
SQL Injection
Cyber-Risiken in der Ferienzeit
passkey
Dynamische Cybersicherheit
NIS2
Harmony Mobile by Check Point
EU Machinery Regulation
Sergejs Harlamovs, Malware-Analyst bei IKARUS

Plugin IdaClu accelerates malware analysis

IdaClu: IKARUS malware analyst Sergejs Harlamovs wins Hex-Rays plugin contest
NIS2
Infostealer
Cybercrime
Christoph Barszczewski
Cybersecurity Cinema Night von A1 und IKARUS

WE ARE LOOKING FORWARD TO HEARING FROM YOU!

IKARUS Security Software GmbH Blechturmgasse 11
1050 Vienna

Phone: +43 (0) 1 58995-0
Sales Hotline:
+43 (0) 1 58995-500

SUPPORT HOTLINE

Support hotline:
+43 (0) 1 58995-400

Support hours:
Mon – Thu: 8am – 5pm
Fri: 8am – 3pm

Remote maintenance software:
AnyDesk Download