TLDR:
- A widespread misconfiguration in how enterprises deploy popular cloud-based email spam filtering services leaves organizations exposed.
- The bypass works when the email hosting server accepts mail from any source instead of only from the filtering service: an attacker can deliver directly to the mail server and skip the filter entirely.
A recent study has found that a large majority of enterprises using cloud-based email spam filtering services are exposed to attack because of widespread misconfiguration. Computer scientists identified a common configuration flaw in deployments of popular cloud-based filtering services, such as those offered by Proofpoint, Barracuda, and Mimecast, that lets attackers bypass the filter in at least 80% of the major domains examined.
In these deployments the filtering service sits in front of the organization's mail server: inbound mail is supposed to arrive at the filter first and be relayed on. The attack works when the email hosting provider's server is not configured to reject messages that do not come from the filtering service, so a message sent straight to the mail server is accepted without ever being inspected. This leaves organizations open to email-borne threats, particularly phishing. Google and Microsoft mail servers also differ in how they accept inbound mail, so a configuration that is safe on one can be permissive on the other.
The study found that the risk is higher when using cloud vendors, with the misconfiguration rate reaching alarming levels for Google-based and Microsoft-based email systems. The high failure rates are attributed to confusing documentation on how to set up filtering and email servers, as well as corporate email managers prioritizing message delivery over security, resulting in permissive and insecure configurations.
To mitigate these risks, enterprise email administrators are advised to configure their email servers to accept inbound mail only from their filtering service's addresses, and to implement SPF, DKIM, and DMARC correctly. Filtering services can further help by adding Authenticated Received Chain (ARC, RFC 8617) headers, which let the receiving mail server verify that a message actually passed through the filter and what authentication results the filter observed. Because the filter and the mail server are often run by different teams, collaboration between those departments is essential to avoid configuration errors.
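The following is an added example, not code from the study or from any filtering vendor, that models the acceptance decision the mail server makes for an inbound SMTP connection. It contrasts the permissive setting described above (accept from anyone) with the strict one (accept only from the filtering service's egress addresses) over a constructed set of connection attempts, and includes a check for the operational failure mode that pushes administrators toward permissive settings: an allowlist that has fallen behind the vendor's published ranges. All CIDR ranges, IP addresses and sender addresses are placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Egress ranges of the filtering service that are allowed to relay to us.
# Placeholder values (constructed); a real deployment takes these from the
# vendor's published list and keeps them current.
FILTER_EGRESS = [
    ipaddress.ip_network(c)
    for c in ("203.0.113.0/24", "198.51.100.0/24", "2001:db8:f00d::/48")
]


@dataclass(frozen=True)
class Connection:
    """One inbound SMTP connection attempt as seen by the hosting mail server."""
    source_ip: str
    mail_from: str


def from_filter(conn, allowed=FILTER_EGRESS):
    """True if the connecting address belongs to the filtering service."""
    ip = ipaddress.ip_address(conn.source_ip)
    return any(ip in net for net in allowed)


def permissive_policy(conn, allowed=FILTER_EGRESS):
    """The misconfiguration: the mail server accepts from any source, so
    anything sent straight to it never passes through the filter."""
    return "accept"


def strict_policy(conn, allowed=FILTER_EGRESS):
    """The recommended setting: only the filtering service may deliver."""
    return "accept" if from_filter(conn, allowed) else "reject"


# Constructed sample of connection attempts: two relayed by the filter,
# two delivered directly to the mail server by an attacker who found it.
SAMPLE = [
    Connection("203.0.113.10", "partner@example.net"),          # via filter
    Connection("2001:db8:f00d::25", "news@example.org"),        # via filter (IPv6)
    Connection("192.0.2.77", "ceo@victim.example"),             # direct, bypass
    Connection("198.18.0.9", "hr@victim.example"),              # direct, bypass
]


def evaluate(policy, connections=SAMPLE, allowed=FILTER_EGRESS):
    """Map each source address to the decision the policy makes for it."""
    return {c.source_ip: policy(c, allowed) for c in connections}


def bypass_count(policy, connections=SAMPLE, allowed=FILTER_EGRESS):
    """Messages that reach the mailbox without ever passing through the filter."""
    return sum(
        1 for c in connections
        if not from_filter(c, allowed) and policy(c, allowed) == "accept"
    )


def missing_ranges(vendor_published, allowed=FILTER_EGRESS):
    """Vendor ranges not covered by the allowlist. Under the strict policy,
    legitimate mail relayed from these ranges would be rejected, which is
    the kind of delivery failure that tempts administrators to loosen the
    configuration instead of updating the list."""
    missing = []
    for pub in (ipaddress.ip_network(p) for p in vendor_published):
        covered = any(a.version == pub.version and pub.subnet_of(a) for a in allowed)
        if not covered:
            missing.append(str(pub))
    return missing


if __name__ == "__main__":
    for name, policy in (("permissive", permissive_policy), ("strict", strict_policy)):
        print(name, evaluate(policy), "bypassed:", bypass_count(policy))
    # Vendor adds a new range that the allowlist does not yet include.
    print("stale allowlist misses:", missing_ranges(["203.0.113.0/24", "192.0.2.128/25"]))
```

The strict policy is only as good as the allowlist, which is why the last function matters in practice: when the filtering team and the mail-server team do not share the vendor's range updates, the strict setting starts rejecting legitimate mail, and the usual quick fix is to open the server up again.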
While various email-filtering vendors offer support and deployment services to help prevent misconfigurations, organizations are urged to conduct regular security audits and health checks to identify vulnerabilities. By taking proactive measures and following best practices in email configuration, enterprises can significantly reduce the risk of falling victim to email filtering bypass attacks.