Cisco Email Users Left Exposed to “SMTP Smuggling” Cybersecurity Vulnerability

Cisco considers a new attack technique revealed last week, called “SMTP Smuggling,” a feature, not a bug, leaving its email users exposed. According to research by Timo Longin, GMX and Microsoft promptly patched the vulnerability. It allows hackers to send fake emails that look like they’re coming from real companies or people by bypassing authentication mechanisms.

What is SMTP Smuggling?

SMTP stands for “Simple Mail Transfer Protocol.” It’s the system that routes emails over the internet. SMTP Smuggling tricks email routing programs by disguising dangerous messages as legitimate mail. Then the spoofed emails bypass security checks, allowing them to be delivered. “Threat actors could abuse vulnerable SMTP servers worldwide to send malicious e-mails from arbitrary e-mail addresses, allowing targeted phishing attacks,” according to the researcher’s findings.

The attack was demonstrated by sending spoofed emails that appeared to come from the address “admin(at)outlook.com”. Further testing found the technique allows an attacker to send emails from roughly 1.35 million potential domains. Attackers can spoof even highly trusted sites, including Microsoft, Amazon, PayPal, OpenAI, GitHub, Outlook, Tesla, and Mastercard.

Two Out of Three Ain’t Bad?

Last June, the researchers identified three companies that were vulnerable to the attack: GMX, Microsoft, and Cisco. GMX fixed the issue within 10 days of learning about it. Microsoft classified it a moderate risk and released a security patch in October.

Cisco, on the other hand, didn’t consider it a vulnerability. In fact, according to the researchers, Cisco responded by calling the bug a “feature,” leaving its email services exposed to SMTP Smuggling. The researchers confirm that the attack still works against the default configuration of Cisco Secure Email instances.

“Threat actors could abuse vulnerable SMTP servers worldwide to send malicious e-mails from arbitrary e-mail addresses, allowing targeted phishing attacks”

SEC Consult Vulnerability Lab, Timo Longin (@timolongin)

Is Cisco Phishing for Trouble?

As we’ve discussed before, phishing poses a major threat to the cybersecurity of all organizations. Phishing exploits human error by taking advantage of busy, distracted, and trusting employees. This approach can be much more effective than attacking a system directly. When an employee receives an email from a seemingly trusted sender, even the most cautious personnel may click on a hazardous link or download an infected file.

Researchers note that spam filters may still catch spoofed emails based on content and other red flags. However, this is still a real threat to Cisco users. The good news is that Cisco email settings can be changed to prevent SMTP Smuggling.

Workarounds for your company’s email security can be found on Postfix.org.
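An added example, not from the original article or from any vendor: the published research attributes SMTP smuggling to mail servers disagreeing about which line endings end a message, so a defender can flag incoming message data in which a lone "." line is delimited by anything other than CRLF. The function names and the sample messages are constructed for illustration, and the check assumes it sees the raw DATA stream as received, before any line-ending cleanup.

```python
import re

# RFC 5321: the DATA phase ends only at <CR><LF>.<CR><LF>. A lone "." line
# delimited by a bare LF or bare CR may be read as end-of-data by one server
# and as ordinary body text by another, which is the disagreement to flag.
_BREAK = rb"(\r\n|\r|\n)"
_LONE_DOT = re.compile(_BREAK + rb"\.(?=" + _BREAK + rb")")


def find_ambiguous_end_of_data(data: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, raw sequence) for every lone-dot line in the DATA
    stream whose surrounding line breaks are not both CRLF."""
    findings = []
    for m in _LONE_DOT.finditer(data):
        before, after = m.group(1), m.group(2)
        if before != b"\r\n" or after != b"\r\n":
            findings.append((m.start(), before + b"." + after))
    return findings


def triage(data: bytes) -> str:
    """Map findings to an action a gateway or log-review job could take."""
    findings = find_ambiguous_end_of_data(data)
    if not findings:
        return "accept"
    # Content after an ambiguous marker may be handled as a separate message
    # by a server that accepts the non-standard ending, so hold it for review.
    return (f"quarantine: {len(findings)} non-CRLF end-of-data marker(s), "
            f"first at byte {findings[0][0]}")


# Constructed sample DATA streams (not captured traffic).
CONFORMANT = (b"From: alice@example.com\r\nSubject: report\r\n\r\n"
              b"See attached.\r\n.\r\n")
BARE_LF = (b"From: alice@example.com\r\nSubject: report\r\n\r\n"
           b"See attached.\n.\n"
           b"text that follows the ambiguous marker\r\n.\r\n")
MIXED = b"Subject: x\r\n\r\nbody\r\n.\rmore\r\n.\r\n"

if __name__ == "__main__":
    for name, sample in [("conformant", CONFORMANT), ("bare LF", BARE_LF),
                         ("mixed", MIXED)]:
        print(f"{name:10} -> {triage(sample)}")
```
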

Shooting Phish in a Barrel

Again, although Microsoft and GMX have patched this issue promptly, SMTP smuggling against Cisco Secure Email instances (cloud and on-premise) is still possible if you use the default configurations.

Obviously, Cisco users will want to apply the recommended fixes. But this latest issue is just one of a long line of examples that illustrate the importance of regular cybersecurity training for employees.

Human error is common, and it happens to all of us. Various factors like fatigue, stress, inadequate training, and lack of attention to detail can lead to costly security mistakes. These errors will occur at all levels in an organization, from front-line employees to senior management. While it’s impossible to completely eliminate human error, much of it is avoidable with the right risk management policies and training.

Attackers constantly adjust their methods. Companies interested in their cybersecurity need to constantly update their awareness. If you haven’t already, consider employing an expert cybersecurity team to keep you prepared.

Author

admin