According to cybersecurity sleuths at Avanan, phishing actors have found a way to abuse Google’s SMTP relay service, which allows them to spoof any Gmail address, including those of popular brands. The novel attack strategy lends legitimacy to the fraudulent email, letting it fool not just the recipient but also automated email security mechanisms. “Threat actors are always looking for the next available attack vector and reliably find creative ways to bypass security controls like spam filtering,” Chris Clements, VP Solutions Architecture at Cerberus Sentinel, told Lifewire over email. “As the research states, this attack utilized the Google SMTP relay service, but there has been a recent uptick in attackers leveraging ’trusted’ sources.”
Don’t Trust Your Eyes
Google offers an SMTP relay service that’s used by Gmail and Google Workspace users to route outgoing emails. The flaw, according to Avanan, enabled phishers to send malicious emails by impersonating any Gmail and Google Workspace email address. During two weeks in April 2022, Avanan noticed nearly 30,000 such fake emails. In an email exchange with Lifewire, Brian Kime, VP, Intelligence Strategy and Advisory at ZeroFox, shared that businesses have access to several mechanisms, including DMARC, Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM), which essentially help receiving email servers reject spoofed emails and even report the malicious activity back to the impersonated brand. “Trust is huge for brands. So huge that CISOs are increasingly tasked with leading or helping a brand’s trust efforts,” shared Kime. However, James McQuiggan, security awareness advocate at KnowBe4, told Lifewire over email that these mechanisms aren’t as widely used as they should be, and malicious campaigns such as the one reported by Avanan take advantage of such laxity. In their post, Avanan pointed to Netflix, which used DMARC and wasn’t spoofed, while Trello, which doesn’t use DMARC, was.
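The mechanisms Kime mentions work together: SPF and DKIM each authenticate a domain, and DMARC tells the receiving server whether either authenticated domain is aligned with the domain in the visible From header and what to do when it is not. The following is an added illustration written for this article, not code from Avanan, Lifewire, or any of the vendors quoted; the domain names, DMARC records and authentication results are constructed, and the organizational-domain helper is a deliberate simplification (real receivers consult the Public Suffix List). It shows why a message that only borrows a brand’s address in the From header is rejected when the brand publishes a DMARC policy, and sails through when it does not.

```python
"""Minimal DMARC disposition logic (RFC 7489 style), for illustration only."""


def parse_dmarc_record(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into {'v': 'DMARC1', 'p': 'reject', 'adkim': 's'}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    # Assumption/simplification: treat the last two labels as the organizational
    # domain. Production code must use the Public Suffix List instead.
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """'s' (strict) requires an exact match; 'r' (relaxed) accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(from_domain: str, dmarc_record, spf_result=None, dkim_results=()) -> str:
    """Return the DMARC disposition for one message.

    from_domain  - domain of the RFC5322.From header (what the recipient sees)
    dmarc_record - the brand's published TXT record, or None if it has none
    spf_result   - (envelope-from domain, 'pass'|'fail'|...) or None
    dkim_results - iterable of (d= signing domain, 'pass'|'fail'|...)
    """
    if dmarc_record is None:
        return "no-policy"  # receiver has nothing to enforce; message is treated as ordinary mail
    tags = parse_dmarc_record(dmarc_record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "no-policy"  # malformed record behaves like no record
    aspf = tags.get("aspf", "r")
    adkim = tags.get("adkim", "r")

    # SPF only counts toward DMARC if it passed AND the authenticated domain aligns with From.
    spf_ok = (
        spf_result is not None
        and spf_result[1] == "pass"
        and aligned(from_domain, spf_result[0], aspf)
    )
    # Any one aligned, passing DKIM signature is enough.
    dkim_ok = any(res == "pass" and aligned(from_domain, d, adkim) for d, res in dkim_results)

    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"].lower()  # none / quarantine / reject, as the brand requested


# --- constructed scenarios (hypothetical domains, not from the article) ---
BRAND = "example-brand.test"
OTHER = "some-other-tenant.test"  # the domain that actually authenticated the relayed message

# Message whose visible From is the brand, but whose SPF and DKIM identifiers belong elsewhere.
SPOOFED = dict(from_domain=BRAND, spf_result=(OTHER, "pass"), dkim_results=[(OTHER, "pass")])
# Message genuinely signed by the brand.
GENUINE = dict(from_domain=BRAND, spf_result=(BRAND, "pass"), dkim_results=[(BRAND, "pass")])


def run_scenarios() -> dict:
    """Collect dispositions for the constructed cases so they can be compared side by side."""
    strict = "v=DMARC1; p=reject; adkim=s; aspf=s"
    return {
        "spoof_with_reject_policy": evaluate_dmarc(dmarc_record=strict, **SPOOFED),
        "spoof_without_dmarc": evaluate_dmarc(dmarc_record=None, **SPOOFED),
        "genuine_with_reject_policy": evaluate_dmarc(dmarc_record=strict, **GENUINE),
        # Subdomain sender, brand-level signature: relaxed alignment accepts it, strict does not.
        "subdomain_relaxed": evaluate_dmarc(
            "mail." + BRAND, "v=DMARC1; p=quarantine; adkim=r", None, [(BRAND, "pass")]
        ),
        "subdomain_strict": evaluate_dmarc(
            "mail." + BRAND, "v=DMARC1; p=quarantine; adkim=s", None, [(BRAND, "pass")]
        ),
    }


if __name__ == "__main__":
    for name, disposition in run_scenarios().items():
        print(f"{name:28s} -> {disposition}")
```

Note that SPF and DKIM both pass in the spoofed case; the message is authenticated, just not for the domain the recipient sees. Only DMARC’s alignment check ties the visible From domain to the authenticated identifiers, which is why a relayed message impersonating a domain with a `p=reject` policy is dropped while the same message impersonating a domain with no policy is delivered.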
When in Doubt
Clements added that while the Avanan research shows the attackers exploited the Google SMTP relay service, similar attacks include compromising an initial victim’s email systems and then using that access for further phishing attacks on their entire contact list. This is why he suggested people looking to remain safe from phishing attacks should employ multiple defensive strategies. For starters, there’s the domain name spoofing attack, where cybercriminals use various techniques to hide their email address behind the name of someone the target may know, like a family member or a superior from the workplace, expecting the target not to go out of their way to check whether the email really comes from that person’s address, shared McQuiggan. “People shouldn’t blindly accept the name in the ‘From’ field,” warned McQuiggan, adding that they should at least look behind the display name and verify the email address. “If they are unsure, they can always reach out to the sender via a secondary method like text or phone call to verify the sender meant to send the email,” he suggested. However, in the SMTP relay attack described by Avanan, trusting an email by looking at the sender’s email address alone isn’t enough, since the message will appear to come from a legitimate address. “Fortunately, that’s the only thing that differentiates this attack from normal phishing emails,” Clements pointed out. The fraudulent email will still have the tell-tale signs of phishing, which is what people should look for. For instance, Clements said that the message might contain an unusual request, especially if it’s conveyed as an urgent matter. It would also have several typos and other grammatical mistakes. Another red flag would be links in the email that don’t go to the sender organization’s usual website.
“When in doubt, and you should almost always be in doubt, [people] should always use trusted paths such as going directly to the company’s website or calling the support number listed there to verify, instead of clicking links or contacting phone numbers or emails listed in the suspicious message,” advised Chris.