
Thank you so much, Chris. It's great to be here at our Vin Diesel Appreciation Club meetup. Who am I? I am Ray Wolfram. I am a senior product manager at Microsoft; I help build out our managed security services. I am a lifelong New Yorker. As Chris shared, I did bring the earthquake of 2024 yesterday, and apparently a fire today at the hotel. Many portents of doom to get here. But I am very excited to chat with you today about phishing, and to draw parallels with Fast and Furious. Why is that? Why is there a connection? Well, like Dom Toretto and his crew: they live and die by trust, right? So they need to adapt quickly, to think fast and act fast to overcome their adversaries, which is very similar to what we do as cybersecurity practitioners. We need to evolve quickly, we need to strategize, and we need to address threats in a way that makes sense and is more holistic in nature, because we are existing in a very interconnected world. Our digital community is constantly evolving, and we need to stay ahead of the bad actors that focus on targeting us.

So in terms of the basics here, when we think of phishing, right, we're impersonating a trusted source to collect or acquire content and information from us. We need to focus on a couple of items. So we look at the three pillars of email security, or authentication. The first layer, the bedrock, is going to be SPF, which is the Sender Policy Framework, and that's essentially a list of trusted servers that can send email on our behalf. We next look at DKIM, which is DomainKeys Identified Mail, and that's essentially ensuring that the content of the email has not been tampered with; it's maintaining the integrity. And the last dimension of this trifecta is DMARC, and that is essentially Domain-based Message Authentication, Reporting and Conformance. It ties everything together, and it's essentially a policy that handles emails or messages that have failed the SPF check as well as DKIM, and then reports back out to the organization with the information in terms of the sender and the contents, etc. And this is really important, just to understand the framework and the world that we're operating in. Right, so when we think of phishing, we need to figure out who's actually sending the campaign, the nefarious or sinister email, and then identify what we can do, the controls that we can implement, set in place to thwart that or prevent
it. So this is a phishing saga in four parts. Right, so we're going to start with the acquisition, or obtaining, of the domain credentials of the domain that we're going to spoof or attack. And the second element of this is to set up a campaign builder. We essentially used MailChimp for research purposes. You can use another platform, but MailChimp is particularly interesting because they put a bee in my bonnet, and they're not necessarily as engaged, or they don't follow good practices of cyber citizenship. And then we're going to execute or send that campaign blast, and then we can wreak havoc at scale.

And so when we think of this phishing campaign, it could be exploited in a myriad of ways. It could be identity theft, financial fraud, malware distribution, just eroding brand reputation, etc. So there are four key components of this phishing attack, and they could be manipulated in various ways, but all to say that they stem from the email campaign builder as really the force amplifier of this attack. And so historically, as of November 2023, we were able to leverage or harness the MailChimp system and platform to basically spoof any email on that domain, whether it existed or not. So we can sign up with... I signed up with my university email information, and I was able to execute or deploy, send spoof messages as admin at the domain, and it looked legitimate, and there were no controls in place except for having to verify the initial email account. So the account that I signed up with, which was the domain address, and once that was verified it was off to the races: we could send it as admin at domain, we could send it as bursar at domain, another person specifically at domain. Really, there were no limits here.

Now we jump ahead to 2024. I'm finalizing my research and putting the finishing touches on the presentation for BSides, and holy cannoli, the exploit that I was going to report on is not functioning as expected. They actually cracked down and shored up their gaps in MailChimp in particular. Even though we had a particular email address that was verified, we would have to send as that verified email address; we were not able to send as any other email address on that domain. And that was because of this push of this new requirement that Google and Yahoo have been spearheading. So as of February 2024, organizations need to implement and roll out DMARC, which is that Domain-based Message Authentication, Reporting and Conformance. So that means it brings together the SPF record, which is the list that specifies the trusted senders on behalf of an organization; it takes DKIM, which is DomainKeys Identified Mail, which is now validating or verifying that that email content has not been tampered with; brings them together and checks to see if they are in alignment. And if they're not in alignment, it provides an action to take, or a policy that says, well, if they fail these tests then either reject them altogether, send them to spam, etc. And because of this push, because of this requirement that Google and Yahoo have led across the global community, MailChimp has restricted their sending to only verified email accounts for HTML campaigns.
However, they have not restricted it for plain text email campaigns. So for a plain text email campaign, even if you have one verified email address, you can still send messages from any other email account in that domain, again whether it exists or not, whether it's fictitious or not. So even though we have a plain text message, right, it doesn't have any styling, it doesn't have any images, you can still be very effective and cause a lot of damage. There are many reasons why organizations still use plain text: we have calls to action, we have emergency services, major updates, newsworthy updates that don't necessarily warrant glossy marketing or anything of that nature. So essentially it's just text, and you can add URLs or links.

So for this exploit here we made it an emergency services email message, plain text, and then we dropped in a short link, and that short link routed to the "Never Gonna Give You Up" Rickrolling YouTube video. And we have here how it appears on desktop. Right, so what's super interesting about this is we have the university help desk, so it's helpdesk at the university.edu domain. We see that it also appends MailChimp at the end of it, so that's a bit of a red flag, that's a signal. But what's fantastic, it gets even better, is that for that short link MailChimp has converted it, has essentially masked that link to now include the university domain, and it appears that it's actually a legitimate email from a legitimate sender within that domain with a legitimate purpose: click here, take that action that we are pushing you toward. So essentially MailChimp does much of the work for you on masking all of that URL information. And then when we look at the mobile version of this, we don't see any MailChimp appended to the from sender; we still see that masked URL, which is fantastic. And if I were to just get this on my mobile device, it seems so realistic, I might even be swayed to just click it here, because it really is playing on that urgency and the legitimacy of the sender.

And so when we take a step back, you know, we want to participate in responsible disclosure. So we reported it, and it was kicked back as out of scope, and it was closed by the responsible disclosure team. We then reached out to the email campaign builder service, and they shared that, yeah, you know, we did bolster our security controls for the HTML campaign and we have not taken any action on plain text, but that's not really our problem. It's a problem, but it's
really on behalf of the organizations themselves to address. And then we reached out to the university to let them know of this issue, and they're actually taking strides to improve their security posture. But it really invites us to ask this question: is there any onus on the service provider to enhance or bolster security controls on behalf of the digital community at large, especially when we see the efficacy of the DMARC push by Google and Yahoo? And if we think about what MailChimp shared with us in their response, and we don't hold the immediate support team responsible for it, but it's basically, you know, we were told to go control-F ourselves. Like, it's a problem but it's not our problem, it's a you thing, figure it out. And that's really tough when you're a small team and your budget is tight, or you don't have stakeholder buy-in and you're pulled in many directions, or you have legacy applications that you need to address and consider in the broader ecosystem of the tools you're responsible for. It may not be just a simple "we will figure it out somehow."

But we can go back to the fundamentals. Right, so there is the option of the service provider doing the right thing and enhancing their security controls. We saw it in one module of their service platform; they could obviously extend that to the other area, where it's plain text emails, because they have it for HTML emails. Alternatively, or in conjunction, we can empower the organization to at least roll out, at bare minimum, SPF record checks; we can have DKIM in place, and then DMARC to bring it together. There are other solutions that they could deploy that would do it on their behalf, and it's obviously a lift to roll out, but these are kind of the fundamentals or the basics of a security program. And when we think of email controls, this is the bread and butter. So, you know, this is important to have, and it's also important to know this is a real-life scenario. There is a university that does not have any of this in place, and this is not something that is seldom seen; this is prevalent across the community. And again, when you think of resourcing, when you think of burnout, this is something where we as a community can come together. So not just the organizations having that responsibility to address their own security program, but we can also look to essentially the world at large to do their part and participate in good cyber citizenship. And obviously we always want to be empowering our end users, obviously internally with our programs, but again at a global scale, to just think more critically around the emails that they are getting and the implications of their actions and the cascading effects.

So these are really, I think, thorny problems, but they are persistent, and we can come together as a global group and think creatively around how to address them and how to have more meaningful impact across the board. So this is essentially the presentation. This is the call to action: to think creatively, to know that just because it's a service and it's widely visible, it's high-profile, it can be exploited, and it could be a vector of attack in your organization and could cause adverse impacts if it gets in the hands of a threat actor. And, you know, there are obviously steps that we can take to make sure that we, again as a global community, have our end user empowerment, awareness and trainings, and also tools and controls that we can potentially roll out as requirements across the board that can minimize the threat of these attack vectors. So thank you for coming to the presentation, and I hope it added value to
[Applause]
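The talk describes DMARC as the layer that takes the SPF and DKIM results, checks whether their domains are aligned with the visible From domain, and applies the published policy (reject, quarantine/spam, or none) when neither aligns. The following is an added example written for this page; it is not code from the talk, from MailChimp, or from the university. It is a small offline DMARC evaluator in Python: all records and domains (university.example, bounce.esp-sender.example, the DMARC strings) are constructed for illustration, no DNS is queried, and the organizational-domain logic is a two-label approximation rather than the Public Suffix List.

```python
"""Added example (not from the talk): a minimal, offline DMARC evaluator.

DMARC ties SPF and DKIM together: a message passes if at least one of them
passes AND its authenticated domain is aligned with the RFC5322.From domain.
Otherwise the domain owner's published policy (p=none/quarantine/reject) is
applied. All domains and records below are constructed for illustration;
nothing is looked up in DNS.
"""

# Constructed sample records for a fictitious university domain.
DMARC_REJECT = "v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:dmarc@university.example"
DMARC_STRICT = "v=DMARC1; p=quarantine; aspf=s; adkim=s"


def parse_dmarc(record):
    """Parse a DMARC TXT record ('tag=value; ...') into a dict.

    Requires v=DMARC1 and a valid p= tag; alignment modes default to
    'r' (relaxed), which is the RFC 7489 default.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags


def org_domain(domain):
    """Approximate the organizational domain as the last two labels.

    Good enough for this example; production code uses the Public Suffix List.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def evaluate(dmarc_record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition).

    spf_domain is the envelope (MAIL FROM) domain that SPF checked; dkim_domain
    is the d= of a verified signature, or '' if there is none. Disposition is
    'none' when the message passes or when no DMARC record is published.
    """
    if dmarc_record is None:
        return False, "none"   # no policy published: nothing is enforced
    policy = parse_dmarc(dmarc_record)
    spf_ok = (spf_result == "pass" and bool(spf_domain)
              and aligned(spf_domain, from_domain, policy["aspf"]))
    dkim_ok = (dkim_result == "pass" and bool(dkim_domain)
               and aligned(dkim_domain, from_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        return True, "none"
    return False, policy["p"]


def spoofed_plaintext_campaign(dmarc_record):
    """The scenario from the talk, with constructed domains.

    A campaign service sends a message whose From: is helpdesk@university.example,
    but SPF passes only for the service's own bounce domain and there is no DKIM
    signature for the university. Without a DMARC record nothing stops it; with
    p=reject the receiver is told to reject it.
    """
    return evaluate(dmarc_record, "university.example",
                    "pass", "bounce.esp-sender.example",   # SPF passes, but for the sender service
                    "none", "")                            # no university DKIM signature


if __name__ == "__main__":
    print("no DMARC record :", spoofed_plaintext_campaign(None))
    print("p=reject        :", spoofed_plaintext_campaign(DMARC_REJECT))
    # A legitimate message relayed via mail.university.example passes under relaxed SPF alignment.
    print("legit, relaxed  :", evaluate(DMARC_REJECT, "university.example",
                                        "pass", "mail.university.example", "none", ""))
    # Under strict alignment the subdomain no longer aligns; a university DKIM signature rescues it.
    print("legit, strict   :", evaluate(DMARC_STRICT, "university.example",
                                        "pass", "mail.university.example", "pass", "university.example"))
```

The point the four cases make is the one the talk makes: the spoofed plain-text campaign is indistinguishable from legitimate mail until the domain owner publishes a DMARC policy, because SPF and DKIM on their own only say who the sending service is, not whether that service was allowed to use the From domain.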
...understand. Yeah, that's actually... so I would say yes: if they were to receive an email with an external sender banner, that would at least provide a moment of pause and say, huh, this is allegedly or ostensibly coming from the university help desk; why is there also a banner associated with it that's saying this is outside of our domain, right? I think even those small cues could have a big impact in benefiting, you know, addressing those vulnerabilities, from actually occurring. Yeah.

Do you see much W culture to add problem fing... created a Teams channel, and it almost became a game to say, hey, if you see a phish, if you see something that looks like a phish, drop it in this Teams channel, and so we start everybody seeing what everybody is, and now it becomes a game where people are so moreper...

Gamification is huge, and I think that there's such opportunity there. Typically, I mean, if it's done at the organizational level I think that's super impressive; usually, from what I've seen so far, it's more vendor-led, and that makes sense, they have the resources and the cycles to dedicate. But folks love to win, right? They love a challenge, and I think if the organizations can find space within their own program responsibilities, that would be a great way to drive it forward and promote end-user awareness and training in a fun way that'll stick.
yeah think reasons team they
or F addresses like is there is there AER of this where in Obvious off
Yeah, that is a really great question, and I would say that there are situations where it would make business sense to have somebody crafting an email on behalf of the organization at large, and you maybe want to associate a group mailbox with it, not necessarily the individual themselves personally creating that message. And you want to drive large campaigns and promote end-user engagement; that would still be feasible in the world where an email marketing campaign builder provider forced email verification. You can still absolutely support the development and the deployment of these email blasts with that email verification step. It's not creating barriers to using either the platform or to sending out the campaign overall. And that's why I really put a bee in my bonnet, to be honest, when the response was like, yeah, we did it for HTML because Yahoo and Google are making us, but for plain text we didn't, and that's up to the organization. Like, obviously there's acknowledgment that this is a risk, and it ties into, again, the three pillars of email authentication: SPF, DKIM and DMARC. And now it's just great to see parity across the different types of messaging campaigns, which is HTML as well as plain text. So thank you for the question.
Yeah, I personally tried other campaign builders and they required email verification across the board, which I found really interesting. The ones I tried required the email verification. But there's still more to be done in this realm, so I think that is a good question, thank you. Is there anyone else? Yeah, okay. Yeah, I'd imagine, you know, again, I have not tested the entire universe, but it's still worth kicking the tires on again, because there are gaps here, right? Because as of December 2023 you could exploit HTML campaigns, and quite honestly you can still exploit the HTML campaign for the historical account that was created, the admin at dom.edu; you just can't make new one-off email addresses. But as of right now that one has been patched, essentially, and now you can really only exploit plain text. But for other ones, I think Campaign Monitor is coming top of mind, you need to verify the email sender. Yeah, yeah, I'd love to hear it.
Yeah, wow. Like, so actual legal implications from this kind of... okay, okay. Yeah, it's no joke, right? Like, so "it's just an email, what's the problem," right? Or like, "oh, it's very unlikely that somebody is going to click on an email and cause damage." That's not the case. There are literally institutions and organizations that are legitimate, and not five- or ten-person shops, like entire universities, that simply just don't have the basics implemented. And I come from a world, I'm a lifelong New Yorker: if you see something, you say something. And there are very basic efforts that we can take and apply that'll shore up those vulnerabilities and mitigate the risk, and it's not a ding on the organization, right? It takes the community, it takes a village. And that's what we see here, where Google and Yahoo said, listen, we are doing this, we are enforcing this, this is a requirement: organizations need to have DMARC in place in order to leverage these services, because it's not just the organization that's going to get hit; there are going to be cascading effects globally, and there is that interconnectedness piece that we need to think critically about. So I see that this is really the advent of something very powerful, and thank you for sharing your example, because it's like, it's just an email, but it's really not. Like, you can have very real-world impacts and fallout from that.
Yeah, anti-spam, you know, filtering solutions. Yeah, so again, there are tools designed for this, to address it. There are just fundamental things you can do, but it requires time, it requires money; not every organization has that. And so that is a very important question to ask, and that's why we have, you know, these pushes to require things like DMARC. So, like, well, if you have enough budget and time to leverage a MailChimp, then you have enough budget and time to implement your DMARC record and make sure that your program makes sense. So I think that is a great thing to see, and it's a step in the right direction, and hopefully we can have vendors follow suit in a more meaningful way: so not necessarily follow just the letter of the law but the spirit and intention of that law, or "law" in quotes. And then, you know, support organizations implementing those controls as much as we can. And so it does take a global village to make it happen.
Yeah, yes, yeah, for sure, there are different levels of complexity. Yeah, SPF would be the easiest, yep. I love that. But, you know, when we think of DKIM and DMARC, there'd be a little bit more complexity there; it will take more time, it's more of a lift. But yes, to your point, those organizations are most vulnerable to the exploitation of this. So, again, to see the requirement of DMARC makes sense, and potentially there will be service disruption, because how do you connect and execute those outreach programs and solicit engagement and, you know, donations, etc., without that kind of a platform, without that kind of automation? But again, maybe it'll force vendors to say, huh, it's not just the HTML campaign that needs to be shored up or improved or more secure; maybe, you know, we need to roll this out more holistically and apply it across the board. Yes.
Yeah, yeah, so we have, like, insider threats. It doesn't... you can absolutely, as long as one account is compromised, and it could just be a bad actor within the organization. It's like, hey, I am no longer part of the organization, they informed me today, now I'm going to take my revenge, and they can do it in that way. So this is not just... as long as one account is compromised in an environment that is riddled with vulnerabilities at the most fundamental level, services like MailChimp present a very real risk. Yeah, like sign up for MailChimp with an email address and then... valid addy access, that's a really interesting use case. I haven't personally tried it, but it'd be a great evolution of the research. Yeah, okay, yeah.
Yeah, yeah. Yeah, no, for sure. I mean, it just highlights that, you know, I think a lot of the news around breaches or attacks is like the responsibility or onus or burden is put on the organization, and that's understandable. But I think especially if a service provider is also in the mix, and that was accelerating the attack or amplifying the attack in some way, their responsibility also lies with them, right? And so here, when we think of, like, even just the wording of the... well, use MailChimp as an example: "don't worry about it, it's fine, like if you didn't do this you're good to go, ignore it." Like, I think we need to be a little bit more vigilant, right? Like, maybe you want to actually talk to the actual help desk, because even though in this scenario we're saying the email came from help desk, this individual does not have access to the help desk information, right? Like, they're not actually reading their emails; they're just saying that the campaign is coming from help desk, but that's not actually the case. So maybe you want to have out-of-band confirmation, those processes, in order to mitigate the damage here that something like this exploitation could cause. Yeah.

Oh, favorite? I would say the first one, I don't know, I just like the origin story of it all. And then the return of Han, I forget which one, but like when Han was taken out that was very tough for me, but when we learned that he was resurrected and he was actually fine, I was like, go Han! So yeah, so forgive me, I don't know the numbers quite, you know, off the top of my head, but that's my hot take there. All right, well, thank you so much, thank you to the organizers. [Applause]