
But right now: From External to the CEO, a modern approach to Outlook mail spoofing. Let's welcome Ben Wilson to the stage.

Thank you. So this is my talk, From External to the CEO, focusing on mail spoofing within Outlook. A brief little overview: I'll start by going through some basics for SMTP, then I'll go through email protections, then a bit of a journey of how I discovered these spoofing techniques. If we've got time I'll go through some extra tricks, and then I'll wrap it up at the end.

To start off, about me. I hate doing about-me slides, so in the spirit of spoofing in this presentation I thought I'd get Sylvia to do an about-me slide for me. I'm a security consultant at Tanto Security, I'm in my final year as a computer science student, I love physical security, and overall I'm a really great guy. But don't take my word for it, take Sylvia's word for it.

SMTP basics. What is SMTP? A brief history: SMTP is the Simple Mail Transfer Protocol. It was first devised as RFC 821 and it's had many extensions since then, so you've got MIME, Multipurpose Internet Mail Extensions, RFC 2045, and then extended SMTP, which was RFC 1869. But its core concept when it was devised was a way for a user and a receiver to each have their own SMTP servers, where the user would send an email, it would go through their server, pass through to the receiver's server and then to the file system. That's a very basic overview. What this looks like in practice for the infrastructure is: you've got your mail user agent down the bottom, and that will send an email via SMTP on ports 465 or 587, which some of you may be familiar with. It'll go to the message submission agent, which, once it receives it, passes it to a series of mail transfer agents, passing those through on SMTP, but this time through port 25. Finally, once it's reached the final transfer agent, it will go to the delivery agent, which will then pass it through to the receiver's mail user agent via the IMAP and POP protocols.

So how do you send an email or interact with these SMTP servers? Well, you have to use what are called commands. There are quite a few commands; these are just a list of some of the basic ones. You always start off with your HELO identifier, which is basically saying to the server: this is who I am, this is where I'm sending from. Then you'll go into the MAIL FROM, which will be the sender's address, so the address that you'll be sending from. Then you'll specify your recipient in your RCPT TO. Then DATA, that's the main content of the message, so that's where you put your SMTP headers and your message body, which will be terminated by a full stop. And then finally you'll send the QUIT command to end the transaction, finish the email and send it off.

In practice this might look like the following. We've got one agent here, the sender, whose name is Jane, and a receiving server. Jane will start off by executing that HELO command: HELO gmail.com, hello, my name is Jane, I'm sending an email from gmail.com and my IP is 10.10.10.10. Then your receiving server will be: oh yeah, that's good, that's fine by me, I'm ready to receive your email. You'll have your MAIL FROM, so Jane will say: my email is jane@gmail.com. No worries with that. Jane will say: hey, I want to send to John, so RCPT TO john@outlook.com. Receiving server: yep, that's fine. And then Jane will pass her data in there, so that starts with your DATA command, and anything following that DATA command will be interpreted as the message content. So you've got, for example, some basic SMTP headers, From, To, Subject, and then your message body down there, "Hello John", and once again terminated with that full stop. Then the server will go: yep, that's fine, I'll queue that and I'll send it off when I'm ready. And then Jane can quit that transaction to end it, and that will be closed.

Now, when you actually send a message it's broken into two main components. You've got your SMTP envelope, which is basically those commands you saw earlier, so at the top in my little graphic here you can see I've got HELO gmail.com, MAIL FROM Jane and RCPT TO John; that's your envelope. Then you've got your actual message content, which is inside that DATA command, and that will be the SMTP headers, so here I've got From, To and the Subject, and then the actual message body, so I've just got "Hello John" and again that full stop at the bottom. It's a little bit small, but it's there, I promise.

Message headers, or SMTP headers. An important distinction between SMTP commands and SMTP headers is that those SMTP headers are not actually responsible for routing the email; that's the SMTP commands' job. So when you specify that RCPT TO, that will be who receives the message, and these headers here are more for display, you could say. There's a couple of basic ones which I've got here: From, which will be the author of the message; your To address, which is the address of your primary recipient; the Subject being the topic of the message; Content-Type, and there's a number of them, here I've got just plain text; and the Content-Transfer-Encoding scheme, which is if you wanted to encode your message. Here I've just got quoted-printable, which is essentially plain text, a little bit different. One thing to note is that each of these headers has to be terminated with a carriage return and a newline character, so you'll see after the From header you've got that carriage return, newline, then the To header, carriage return, newline. If you don't include those they won't be interpreted as valid headers, and sometimes it can mess up the whole content of your email and it won't send correctly, and nobody wants that.

Quickly on the message body. As I've said, you can have different content types, a number of them being text, multipart and message. Text comes in plain text or HTML. Your multipart message is more for what a lot of common mail clients send now, where they want to send both HTML and plain text, so you can send two of them and the mail client will interpret which one depending on whether it has support for HTML content. Then you've got message, which is not often used, but one example is if you attach an EML, if you actually attach an email to another email, that will be sent with a message content type, where that email file will be included in the content. Then you've got some encoding schemes: quoted-printable, that's essentially plain text with a little bit of extra encoding; then Base64, which is self-explanatory; and binary encoding if you wanted to do that as well.

Now I'm just going to dive into some email protections. Essentially you've got two categories: you've got generic ones, and then there's ones which are Microsoft-specific, which is more what I'm going to look into. For your generic protections, these are probably the most well known. You've got SPF, which is a list of IPs which are allowed to send from a domain. You've got DKIM, which is the digital signature to verify that an email is still the same, hasn't been altered. And then you've got DMARC, which is a really long, stupid acronym if you ask me, but Domain-based Message Authentication, Reporting and Conformance, which will basically check that the domain used in SPF and DKIM matches the one in the From header, and it has a number of policies you can configure, so if DMARC fails you can apply the relevant policy on failure.

What I'm going to be focusing on more is Microsoft-specific, and I've broken it up into three main categories which are easiest to digest. You've got your mail flow rules, you've got native external tagging, and then anti-phishing policies, which is a huge subtopic, but I'll get into each one.

Mail flow rules are essentially rules that are applied to messages whilst they're in transit. It's got plenty of conditions, exceptions and actions you can take on an email, and it's often used to implement external tagging. This tagging can be in the form of the subject or the message body, and basically what happens is, if the message is detected as from outside the organization, it will apply the necessary tag. In this example I've got it in the subject, and I've also got a follow-up example of what it might look like in the message body, basically just warning users that hey, this message wasn't from someone within your organization, so be on the lookout for suspicious stuff.

Then there's native external tagging, which is the newer, more modern way to do it. It's exclusive to Exchange Online, so any on-prem infrastructure won't be able to configure this, but within Exchange Online you can. As I said, it's the new recommended way to identify external senders, the main reason being that it doesn't actually obstruct the message or alter the message. It basically inserts its own little warning outside the message, so the idea is that you can't alter it. There's this little warning here saying okay, Jane Smith's from outside my organization, and then you get the little External tag there in the message as well as in the preview pane. Throughout this talk I'm going to show you mainly just the email here and then also a little screenshot of the preview pane, because both of them are important when you're constructing a phishing email.

Anti-phishing policies. This is a big one. You've got spoofing detection, impersonation protection, mailbox intelligence, safety tips and phishing thresholds, and I'll go through each one really quickly, but there's a lot to cover under this. Spoofing detection, also known as spoof intelligence, is basically reporting on sender and domain spoofing attempts. If you're trying to spoof a specific sender or a specific domain, it will report whether or not it has detected that, and it also provides unauthenticated sender indicators, which I've got a little picture of here. Most commonly this occurs if you've sent an email and you're going to fail SPF: it will still, in some cases, depending on how you've configured your email, arrive in the inbox of the user, but it will just come in with this unverified sender warning to let the user know hey, this person is probably not the domain or the person they're saying they are, so watch out. And again, it'll give it that little Unverified tag there.
Impersonation protection. This is a service where you can apply almost like an extra protection to specific email addresses or domains. You've got a little configuration panel where you can say okay, I want this sender within my organization, say a list of executives, to have some extra impersonation checks, or I want everything from my internal domain to go through extra impersonation checks. If that impersonation is detected it will apply a specific action, similar to DMARC: do I want it to go to the junk, do I want it to be quarantined or deleted.

Then there's mailbox intelligence, which basically uses AI to detect email patterns, and it'll apply a specific action if it detects an irregular email pattern, so junk, quarantine, delete, similar to the protected addresses and domains.

Safety tips. Safety tips are quite common, the most common of those being the first contact safety tip, which occurs when you get an email from an irregular sender. But they've also got user impersonation, domain impersonation and one for unusual characters, which I've never been able to trigger and I don't know how it works. These are all inserted into the email body, so as you can see here, and I'm sure many of you have probably seen that little grey box above an email at some stage, it essentially says hey, you don't often get email from this sender. So it's just a little subtle alert, and it also appears in the little preview pane on the side as the first text that you'll see.

And phishing thresholds. That's on a scale from one to four, one being standard, which is the default, and four being the most aggressive, as the sensitivity. Basically the sensitivity increases as the threshold is raised, and this threshold is based off confidence indicators. Each email that goes into your organization will get its own phishing and spam confidence level score. The phishing ones are scored from 1 to 3 or 4 to 8, 1 to 3 being a neutral score and 4 to 8 being suspicious, and the spam confidence level score goes from 0 to 9, 0 is low, 9 is high. As you up that phishing threshold, those lower scores will get treated as if they were higher scores, so it'll basically be extra scrutiny on each email to make sure that it's not malicious.

An important note before I go any further: all of these protections have a sole focus on analyzing the From header, the From SMTP header, which means that other headers are often overlooked, which is mainly the whole premise of the talk. It's a bit of foreshadowing there, so keep that in mind, and I'll go into the journey to spoofing.

I set up a little victim organization, which I'm going to call the Tanto testing organization, which basically was just designed as a proof of concept to show all of these techniques in practice. There's two employees: you've got John Doe, who is the victim, and James Bond will be the impersonation target, so the person who we will be impersonating. I've configured a number of protections: I've got my native external tagging, first contact safety tip, impersonation and spoofing protection, and I've set the phishing threshold to the most aggressive setting. On the attacking side, I'll be sending from the tantomail.com domain, which is essentially a domain that I set up with SPF and DMARC records pointing to my IP, to make sure that I'm going to pass those checks and not get sent to junk. The idea is that this was designed as an overkill environment, to be a bit of a proof of concept: if you can get a good phishing email here, you can get a good phishing email anywhere.

So, the current state of what our emails might look like now. There's a number of things we're going to have to deal with: external tags, those safety tip warnings, and plain email addresses, which I'll show you in a second. The first thing I really wanted to look into is most common in emails: all emails now have a display name when you're sending the email, so it's not just the address that shows up, it's a little name. Rather than just john@outlook.com, I'm actually John Smith, and then in little brackets it'll have john@outlook.com. So I figured okay, let's start with that, let's try and add a display name. This is what it looks like without a display name: you've got jamesbond@tantor.com and you can see we're getting the External tag, we're getting the first contact safety tip. So I added a display name, and interestingly I noticed it went to junk. I first was confused as to why that might be, and then I realized I did configure James Bond as a protected sender. So what was happening was Outlook was looking at the display name James Bond and saying look, this is very similar to the legitimate James Bond, this is probably an impersonation attempt, so it sent it to the junk, which is what I had configured. It also added that impersonation safety tip: this person appears to be someone similar who previously sent you an email, but may not be that person. And yeah, sent to junk, which is not what we want. So I decided to see if we could maybe do a little bit better.

Going into the RFC, based on that sole focus of analyzing the From header, I wanted to look at what other origination headers might be available. When I was looking at that I discovered the Sender header, which is not a secret header at all, by the way, if you haven't heard of it. It's described as "the mailbox of the agent responsible for the transmission of the message", which is quite a mouthful, but in order to explain it the RFC does provide a nice little diagram. Say we've got John Doe, who might be an executive, and Michael Jones, who might be John's secretary. John writes a message, but he doesn't actually want to send that email himself, because he's got a secretary to do that for him. So he writes up the message and then he passes it on to Michael, and Michael sends it on his behalf to Mary. Then Michael would be the mailbox responsible for the transmission of the message, but John was the actual original author of the message. That's probably the best way to explain it. This Sender header, when you include it in your emails, actually does change the format of what it looks like from a recipient's point of view. Your email will arrive and it'll come up as the sender "on behalf of" the From. What I mean by that is it'll show as: James Bond, james.bond@legit.com, on behalf of james.bond@tantomail.com, our actual sender. Interestingly, there's no validation here of the display name or the domain, so I don't own legit.com, I just included that and it just works. And interestingly, as I said, I can put that display name back and there's nothing stopping me from including it; it's not going to junk or anything like that.

So the first thing I thought about: okay, well, if there's no validation, what happens if I include an internal domain? Does that raise any alarm bells? No, it turns out. This was kind of my first little step: I found a little bypass for that external tagging. By including that Sender header with the internal domain, the External tag isn't applied. As you can see in the bottom right, we've dropped that External tag and it's no longer got that warning message in the email body either, so it can look a bit more like the email was sent internally, because it doesn't have an External tag. And interestingly, if you hover over the Sender header, if you set it to a person who exists within that organization, James Bond in this case, it actually brings up their profile when you hover over it, so that adds even a little bit more legitimacy. However, I've still got safety tips in the email, so that's not ideal, so I wanted to look into that, maybe I could get around that.

I decided to analyze the safety tips, so I dived straight into the email source. In case you didn't know, especially in Outlook, you can click on a little menu and you can download the email source or view the email source, and it'll show you all the SMTP headers and the actual content of the message. So I did this, and what I noticed, this is the message content here, is that the safety tip, when it's inserted, is prepended to the top of the message body in a table, and the content that we might include is inserted in a div underneath. You can see we've got this table here, and it'll give you the message "you don't often get email from james.bond@tantomail.com", and then I've got my actual message: "Hello John, can you send me the company card so I can renew our contracts for this year". So the user is always going to see that warning first, and that's always going to be used for the preview of the message, which isn't ideal.

My first idea was: can we control the safety tip with CSS? Considering it is in the email body, and we have control of the email body, what if we just include some style tags to hide this tip? The tr element here, I'll go back, the tr element here doesn't have any style attached to it, so initially I was like okay, what if I added my own style tag inline to apply display: none, as I've set here. I'd add that to the top of my message body, and my question was: does that prevent the warning from rendering? Well, initially yes, but now no. Silently this was fixed as I was making these slides, and it was a fantastic fix from Microsoft. I'd probably make it look like this: it wasn't displaying correctly in CSS, so what does Microsoft do? Well, they just slap an !important tag on there. I'll let us all appreciate the inline CSS which Microsoft wrote: if you try and insert and change the style, they've just said oh, what if we just include every CSS property with !important so that it's impossible for you to change it, which is quite amusing.
So what did they do? They added revert !important to every style inline, which, if you didn't know, basically will set the style of that element back to the original intended style with the highest priority. revert reverts it back, !important means that it will override everything, and because it's included inline it's the top level, so it can't be overridden, at least not that I know of. Now I was like okay, now I'm going to find a way around it, because we're not going to let that stop us. So I became interested in end-to-end encryption within emails. I thought okay, well, what about those encrypted emails? If the safety tip is being inserted into the email body, what if we encrypted our email body? Would that still insert these safety tips in there? How are they handled, do they show up differently? Looking into it, there's basically two main types: you've got PGP and S/MIME. I'm going to focus on PGP because it's the easiest to implement; it doesn't require certificates, setting those up and configuring them in different email clients. That's where I started.

PGP is based on public key cryptography. There's two methods, again, for how to use PGP in emails. The original, old method is called inline PGP, which is basically where the encrypted email is included directly in the message body under a plain text content type and then interpreted by the email client at the other end. The new way that it's done now is with multipart MIME messages, so now you'll have different content types: you have your encrypted part, which will contain your encrypted message, then maybe you'll have your signature as well. It kind of abstracts it away from the user a little more. So I decided I'm going to focus on inline; that's really easy and I don't have to worry about trying to emulate all this fancy multipart messaging, I can just do it inline. Here's a quick little diagram of what inline PGP looks like: you'll have SMTP headers, then you'll have a little gap, then when you have your message content it starts with this BEGIN PGP MESSAGE indicator, you put your content in there, then you have your END PGP MESSAGE, and then terminate it with a full stop like you do all other messages.

My idea was: there is actually no requirement that the content for PGP messages be encrypted, as the text in the content will render as per the Content-Type header. So if I specify plain text in Content-Type and then I put my PGP indicators, BEGIN PGP MESSAGE, END PGP MESSAGE, I can put anything in between those and the email is still going to send, because it's still plain text content. My thought was okay, what if I send an unencrypted message inside those PGP indicators? How does the mail client process that email? If it's looking for those indicators, what happens? Does it change the way the email is displayed, does it change the way it's processed? So I decided to have a look into that and I found a little thing. I found that adding that PGP syntax does actually remove the safety tips, so they're not only hidden, they're never inserted into the email in the first place. It appears that when you send emails with this BEGIN PGP MESSAGE, Outlook looks through the email, finds that and goes okay, it's encrypted, we're not going to worry about it, it's fine, and they just ignore it entirely. Also, these can be placed anywhere in the email, so you could have BEGIN PGP MESSAGE at the very bottom of the email and as long as it's in there it'll still work. It also works with an HTML content type, so it means that you can actually put your BEGIN PGP MESSAGE inside an HTML comment, and it means it's never displayed to the user and it's completely removed from the email, and they have no idea what's going on. This is just an example of me including the BEGIN PGP MESSAGE just as text, and as you can see the first contact safety tip is no longer inserted and it's no longer overriding the message preview in that preview pane. If I include BEGIN PGP MESSAGE inside an HTML comment, it will show the "Hello John" as the first text in the email in the preview, rather than having that warning text be the first text in the preview.

As a bit of a review of where we are now: we're now able to hide the external tagging and the safety tips. However, the attacker's domain is still visible in the email preview, so we've still got the attacker domain visible at the end, and we've also got this weird syntax, sender on behalf of the From. You've got your spoofed sender in there, James Bond, but it's weird being James Bond on behalf of James Bond; if people are looking at that they're going to think something weird is going on. There's no profile picture as well; I'd really love James's profile picture, that would add an extra level of legitimacy. And in the preview pane as well, it still only shows the email of the attacker. That's most key: it still shows the attacker's email, so there's still a problem there.

I decided to dive a little bit into the syntax of From headers. I found a talk from Black Hat USA, it's a really good talk called "You have no idea who sent that email: 18 attacks on email sender authentication", a really good, comprehensive talk which presents a number of different novel techniques for spoofing emails. The gist of that talk is that every mail user agent has its own parser, and these parsers are rarely compliant with the RFC that the From header was devised for, and so this leads to complex From header syntax and every mail client having a different interpretation of the real address that it was sent from, which leads to something I like to call From header confusion. As a bit of an example, this here is a legitimate From header. You can have a display name, comments, a route portion and then your address, and the mail user agent has to look through that and pick the address as the correct section of the email and go yep, that's who sent the email. You'll find a lot of the time this isn't the case, and sometimes you can get away with some interesting stuff.

From header confusion, I'll expand on that a little bit more, but basically it's when mail clients disagree on the real address of the sender, and it's exploiting those inconsistencies in message parsing. It's really powerful between two different mail user agents, so if you're going to send between Gmail and Outlook, you might exploit sending an email from Gmail and it arriving in Outlook to exploit these inconsistencies, and this will be the example that I'll quickly run through. We'll devise a message as follows. We've got our HELO from Gmail, our MAIL FROM is attacker@gmail.com, the recipient will be john@outlook.com, and we start our From header and we're going to include two addresses in there. So the From header will start with spoofed@gmail.com, then attacker@gmail.com, and your To header again to John, subject hello, and with a little message of hello John. Now, when Gmail looks at this, it's going to verify that the last address here matches the MAIL FROM, which it does, and it's also going to verify that we are attacker@gmail.com and that we own that Gmail account and we're not just making it up that that's us, and it's all fine. So Gmail will look at that and it will go yep, those match, you own attacker@gmail.com, you can send this message. Now when it arrives in Outlook, Outlook will look at the first email included in the From header; here's where the problems begin. Outlook will look at that and go okay, I can verify through DMARC that gmail.com in the MAIL FROM and the From header match. So Outlook will look at those and go yep, they're both from gmail.com, nothing to worry about there. Outlook obviously can't verify the user portion, because it has no access to knowing whether or not you are attacker@gmail.com or whether you are spoofed@gmail.com, so Outlook doesn't care about that, it only cares about the domain, and as long as that domain matches up it's all fine. So this email will then successfully arrive in your Outlook email inbox. As I've said here, the result of that is spoofing Gmail addresses to an Outlook inbox, and this is not just limited to Outlook and Gmail; this is any two mail agents which might have different interpretations of which section is actually the From address. That's a key thing to note: it's not just Outlook and Gmail, it can be really any. And this will also pass verification checks, because we're not spoofing a domain, we're sending from gmail.com, which anyone can do. So as I've said here, we get the authentication results: we're going to pass SPF and we're going to pass DMARC.
There's nothing wrong with that, and you'll get an email here which arrives and looks like this. Now, it's going to show these warning messages because I haven't hidden them, but the point is we can now send from spoofed@gmail.com, from the Gmail address, to an Outlook inbox. We don't have any control over the spoofed user, this can be anyone, and Outlook will receive it and go yeah, that's all fine, nothing wrong with that.

So I decided okay, this is an interesting concept and I wanted to take it a little bit further to see if it was possible to use any domain, because that's the real crux of it, that's the cream of the crop: spoofing from any domain. I decided to look into the allowed characters you can include in headers. There's a number of different syntax options here: although email addresses are often included inside carets, they can be comma separated to separate multiple addresses, and they're always in the form of user@domain. Email or mailing groups can be defined with a colon, display names can be included inside quotes, and initially, in the original spec, it's only ASCII characters. This was extended upon in RFC 1342, however I decided for this I'm just going to focus on ASCII characters, and if I need to I'll then expand out to non-ASCII characters. I've got a little list on the side here, which is from the RFC, which kind of describes these different characters as I've talked about.

Empty addresses was an interesting thing which I decided to experiment with. So what is an empty address? Well, an empty address was including an empty address before the real address in the From header. The example I've got here is you just include those two carets with a comma in the middle, and you put that before the From address, and that will be an empty address with no actual email in there. Now, when you send an empty address in the email, it will arrive and it will hide the address from view of the recipient. As you can see, I've sent from test with the empty address, then james.bond@tantomail.com, and when it arrives the user can only see test there; they can't see the actual address that it's come from. A couple of interesting things I noted: a display name must be present in this, so if you don't include a display name it will fail and go to junk, and also you have to include a comma in between the carets; if you don't, it will fail and go to junk. What I suspect might be the case is potentially someone had reported something similar in the past, going hey, I can put these two carets and I can hide the address, and Microsoft went okay, let's just prevent people from doing that, and there has to be something in between the two carets. And so if you put a comma in there it still works, so it's kind of interesting.

The next thing I wanted to look into, now that I've got that empty address funkiness: I decided okay, if I have to put a display name, maybe I can find a way to put a display name which isn't rendered by the client. So I looked into ASCII control characters, which, if you don't know, are the first 32 characters of the ASCII table, and these are accepted as valid in SMTP headers because they're ASCII characters. What I decided to do is okay, let's send one of these control characters, in this case \x1f, let's put it in the middle of the display name, and I'll see whether or not it actually renders on the client. I sent this off and, as you can see, when it arrives it looks as if it's just from test, James test james.bond@tantor.com, and there's no indication to the user that a hex character was ever inserted or was ever present in the email. Now it's important to note that not all characters will display this way. I tested basically all 32 of these characters and found that \x1f isn't rendered on both the web and desktop clients; some of the characters will render as that rectangular box and some of them will be hidden, you just kind of have to play around and experiment. Now that I had those two techniques, the empty addresses and hiding the display name, I decided to put them together, so I thought okay, well
let's put the empty address in let's put just this one control character and what's going to happen to the email now if it's meant to be if it's meant to be only displaying the display name due to the empty address if it's going to hide that real address and there's nothing to display because it's a hex character what's Outlook actually going to show so I combined the addresses I combined the techniques so in the from header I put the empty address and I put the hex character and I included the sender address as mentioned before with my uh spoofed user and I sent it off to see what would happen lo and behold it actually renders the sender address
as the address in which the email was sent from and includes a profile picture of James Bond which I was originally very surprised with at first I was very happy with the finding uh and I thought it was very interesting uh but yeah as you can see we've dropped that external tag we've dropped the first Contact safety tip we've dropped the weird funky syntax it now only shows this was from James Bond here's his profile and this is the email he sent
you so it's important to note as well I did some testing with some third party email security products and uh during my testing none of these products actually picked up on this technique so they all ared through um just fine uh kind of been trying to work with some of the vendors to get that fixed um we'll see how that goes uh but for now yeah it it it's not picked up so a little demo I do have a pre-recorded demo cuz I didn't want to take the spin the live demo roulette um I just hope that it's going to work the pre-recorded one okay there's no sound okay cool so it might be a bit
small uh but essentially on the left here I've got a script which is basically sending uh those email headers so you've got hello command mail from recipient to then your content and it's got the SMTP headers there and it's got the SMTP uh message body afterwards I'm including uh the begin pgp message in an HTML content I'm including the empty address and the uh hex characters and I'm including the sender address so I'll send that off to our victim John do it takes a little second here and then you'll see on the right it arrives in joho's inbox so James Bond with his profile there um James can click on this email and it shows up here James Bond
with his profile the message there and there's really no indication from his point of view that this was not from James Bond he would have to look through the uh message headers of an email uh to to realize that this wasn't from James Bond so a couple of extra tricks which I think we have some time for um so fake recipients so as I've mentioned before those uh SMTP commands are what's used to Route the email and determine who receives it so you can exploit this as only addresses in the recipient to actually receive the email so it allows you to create some fake recipients by only including those addresses in the two header now this sort of behavior is quite
useful if you want to almost apply a bit of peer pressure to an individual so if you wanted to include a number of different addresses especially higher ups in a specific email uh and you didn't want them to actually receive the email but you wanted to make the recipient believe they did or you can use it for individual uh tracking links so if you wanted to send a group email to a number of recipients but uh you wanted an individual link for each person in that group you can use fake recipients to to actually send an individual email to each recipient but make it look like from their perspective that only one email was ever
sent so what this might look like is I've got Jane Smith in here Jane Smith never actually received the email but you can you can see she's in the two- header you can hover over brings up her profile so from John's point of from James's point of view oh no sorry from John's point of view there's no indication that she never received the email uh mail flow rules uh as I talked about earlier so these can be hidden as well uh if they're inserted into the email body you can hide them with CSS interestingly the um first Contact safety tip thing hiding with CSS was patched but doing the same thing with male flow rules wasn't so you can hide
it with this # footer display none and uh you can also change the uh if it's inserted into the subject you can actually change the preview text on some clients as well by including an input of Type image with alt text which sometimes is inserted before the mail flow orle preview text uh redirecting replies as well so there's a another SMTP header called reply to which can be used to redirect email replies so this can be used to ensure that targets don't actually alert your impersonation victim um if you don't include this uh what can often happen and what I've experienced is the emails are so legitimate that people start reaching out to the actual person
saying I can't make this meeting you know and then this person's like what meeting I never organized the meeting um and so if you want to try and avoid that uh you can uh include this reply to header to prevent them from being alerted unless they sent a direct email uh and again it can be useful if you're redirecting to an attack controlled address it can be useful to track which recipients might have responded to a fishing email um you know so if you wanted that kind of reporting in there as well you can uh meeting invites uh this is almost another talking of itself cuz it's very complicated uh lots of different syntax you can have in there it's simple at
heart but there's a lot of potential with it um but essentially each meeting invite which is very common nowadays is just an IC file with a special content type and each IC file also has a whole range of fields with its own RFC of how what you can do with it uh but the same technique can apply to these meeting invites just different fields to look at so you got attendees and organizers so uh by setting uh rsbp false uh to attendees it means that if they're accepting a meeting uh the notification emails won't go to the organizer similar as the uh redirecting replies and if you wanted to include HTML content you can use the X Al
description to set that content which also conveniently bypasses safety tips and mail rules as a feature like they're just not inserted into the text in the meeting invite which is interesting uh but yeah these are very common Microsoft teams meeting and you can use this same spoofing as you can see I've spoofed the organizer as James Bond and one of the attendees is John dop and if John RSVPs to this meeting it won't automatically send James an invite saying that John accepted a meeting that he never organized so uh now probably my favorite one which is a bit of a fun one is the anonymous sender so in this whole thing where outlooks failing to pass that from
header it doesn't know what to show the user so it shows the sender header what happens if you don't give it that option of the sender header you include those hex characters and the empty address but you don't give it that extra fallback option well it means that outlook's unable to render any sender information and the email displays as unknown which does create some interesting opportunities for a bit of fun so it's the perfect uh perfect platform to insert your favorite uh saw quote or taken speech and send an email off to someone hello John I don't know who you are I don't know what you want uh and you can freak him out a little bit cuz
John has no idea where he came from um so as a bit of a wrapup disclosure so I reported this to Microsoft and they recently got back to me and basically said that this case doesn't meet msc's current bar for immediate servicing so I guess they're not going to do anything with it uh but maybe they'll have another opinion after this talk we'll see but I don't know you know see what happens uh looking forward so what's quite clear and many people have said the same thing is that um SMTP is a problem because security wasn't designed in there by default and also this inconsistent SMTP passing is going to be an on ongoing problem since no vendors
seem to be able to follow the RFC uh and you know they just kind of like I'll do what I want um future research again you can look into other email providers I'm sure you'll find something pretty similar Google Apple Yahoo there some examples proton mail as well uh and each of these email providers there's also your own like user agent so for example you could have be using Gmail for uh your email services but then you might be using say if you're on Linux you might be using Thunder as your male client so there's two potentials there for looking at Gmail and then also looking at Thunderbird cuz each of those are going to have their own idea of who's the
email actually sent from uh and then there's also probably some extra research of bypassing link and attachment scanning so one thing that you'd want to do often with fishing emails is send some malicious links or send some malicious attachments and so it'd be really handy if you found a way to bypass that sort of scanning and so that might be something I'll look into in the future uh but yeah that's pretty much it uh thank you for [Applause]
listening do we have any questions in the
audience just any one of our Runners out to answer that question well take the question okay there's a
few hey there um great presentation um really interested in the reply to aspect of that um I know you can set the reply to field so that it goes in the right direction what cosmetically does it look like does that give a clue to the Target that there might be something funky going on or does Outlook magically make the Cosmetic stuff beautiful for you uh it it's probably something that I should look into a little bit more if you just basically include another address in the reply to if the address is outside the victim organization then it will alert that person that that email is going to go to someone outside the organization in practice I've found that a lot of
people just don't realize that um so I've been able to in a number of engagements include that reply to header and get emails back and people don't usually realize that it's going somewhere else or even they might uh in you know realize oh it's going to go it's not going to this person I I might as well include their actual email as well and include my my attacking email and their and the person's real email uh and not even realize oh maybe I shouldn't be sending this email somewhere off something weird but yeah at the moment it shows up as external but potentially you could maybe come up with some way to send it off and not
have it as external uh would be really interesting uh do we have any more questions in the audience yep another question here uh so two-part question I was wondering how long have you been uh doing this research for like that was an absolute ton of work it really great and uh second part uh did you find any differences between parsing on mobile and desktop uh yeah there is some differences so T your first question that was kind of a couple of months of work it really spanned off I did a fishing uh engagement for a client and uh then I began looking at what's the possibilities were and I looked and dived deeper and deeper into the rabbit
hole and it was there's a lot that isn't in this presentation that was just failed things that didn't work um between uh desktop and web there are a couple of differences so the easiest one to talk about would be say those hex characters so web and desktop sometimes have different opinions on whether they'll show the hex character whether they'll show us little rectangle box um between web and desktop usually the uh in Outlook at least the uh passing of the from header seems to be the same so Outlook web and desktop will both agree on who to show the from header for um but uh there are some other inconsistencies around including say when I talked about the U message uh the
mail flow rules like if I can maybe go back I don't know we'll see um so yeah so male flow rules so one thing I've noted is if you've got mail flow rules and you're in say Outlook desktop including this input at the bottom with a type of image and ALT text will hide the preview text but in uh the Outlook web it actually doesn't work it actually I think sometimes will render that preview text instead of hiding it so there are some slight inconsistencies most of the time it seems pretty similar though um so yeah have a question over here as well yeah awesome um that was really cool by the way did you try to use any like
lookalike characters like cilic characters to bypass the um tags yeah that would be that would have been something like that I'm really interested in uh including potentially some Unicode characters um especially as say I know some vendors or some email security vendors are trying to come up with patches for this stuff and so they've started to look at the sender header and look for a domain that might be that might match the uh clients or victims domain so that could be a potential uh for lookalike characters to be inserted so that the domain will still look like the victim domain but not actually be the victim domain uh so there's definitely some potential for a bit of
research in that area as
well um so with the uh Unicode characters that you put in the sender is there anything that the Gateway products can detect pardon me detect like mcast or Defender um well I guess Unicode characters I mean you could probably say that most of emails if we're going off like what's a legitimate email most email addresses aren't going to include Unicode characters so from my perspective I could see that if an Unicode character was found inside an address that it should be marked as suspicious at the very least since I can't really see any legitimate use case for it um yeah that that would be my uh my thinking do we have any last questions in the
audience hey um for your test case where you impersonated James Bond um I was just wondering so do you have is this impersonating someone who's outside the organization like your organization that you set up and the sender of that spoof email he would need to have the access to that actual domain right like it would have to be like the sender IP address still has to correspond to the sender um header that you spoofed uh so when I'm doing my impersonation um the from domain is the part that I need to control so the Tanto mail.com domain is one that I own that I have records set up for anything in the sander header is basically as Microsoft
views it Anything Goes um you can put any domain or any user in there and there's no extra checks or verifications there um in these attacks uh James Bond is an actual uh employee or or I guess user within the client uh tenant that I set up so there's J John Doe as our victim James Bond as as another uh user who I was impersonating so I don't need to have access to anything that uh James has I can just include his email there um spoof him in the sander header and as long as I've got a domain that I own within the from header that matches what I've put in the mail from command then it's all
fine we'll have to stop questions there H up Ben outside but let's thank Ben one more time for a great talk
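As an added example, not code from the talk or from any vendor, here is a small Python header auditor in the spirit of the gateway checks the talk says vendors have started building: it flags the From-header quirks described above (a placeholder mailbox such as `<,>` or `<>`, an ASCII control character in the display name, a Sender header whose domain differs from the From domain) and, for a gateway that also sees the envelope, To/Cc recipients that were never in RCPT TO (the fake-recipients trick). All addresses and domains in the sample messages are constructed placeholders.

```python
import re
from email import message_from_string

# ASCII control characters (0x00-0x1f and DEL): the range the talk probes in display names.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")
# Every <...> angle-addr in a header value, placeholder forms such as "<>" or "<,>" included.
ANGLE_RE = re.compile(r"<([^>]*)>")
# Bare addresses written without angle brackets, e.g. "To: alice@x.example".
BARE_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def addresses_in(value):
    """All mailboxes named in a header value; angle-addrs win over bare addresses."""
    found = ANGLE_RE.findall(value)
    return [a.strip().lower() for a in (found or BARE_RE.findall(value))]


def audit_message(raw, envelope_rcpts=()):
    """Return sorted finding codes for one raw message (headers + body).

    envelope_rcpts are the RCPT TO addresses the MTA actually delivered to; an MTA
    or gateway has them, a mail client does not, so that check is optional."""
    msg = message_from_string(raw)  # compat32 policy: header values stay raw strings
    findings = set()
    from_value = msg.get("From", "")
    from_addrs = addresses_in(from_value)
    real_from = [a for a in from_addrs if "@" in a]

    if len(real_from) != len(from_addrs):       # an angle-addr with no mailbox in it
        findings.add("empty-address-in-from")
    if CONTROL_RE.search(from_value):           # e.g. \x1f hidden inside the display name
        findings.add("control-char-in-from")
    sender_value = msg.get("Sender", "")
    if sender_value:
        sender_domains = {domain_of(a) for a in addresses_in(sender_value)}
        if sender_domains - {domain_of(a) for a in real_from}:
            findings.add("sender-domain-differs-from-from")
    if envelope_rcpts:
        env = {r.lower() for r in envelope_rcpts}
        hdr = {a for h in ("To", "Cc") for a in addresses_in(msg.get(h, ""))}
        if hdr - env:                           # named in To/Cc but never delivered to
            findings.add("header-recipient-not-in-envelope")
    return sorted(findings)


# Constructed sample mirroring the combined technique from the talk; every address and
# domain here is a placeholder, not a real mailbox.
SPOOFED = (
    'From: "test\x1ftest" <,>, <test@attacker-owned.example>\n'
    "Sender: James Bond <james.bond@victim.example>\n"
    "To: John Doe <john.doe@victim.example>, Jane Smith <jane.smith@victim.example>\n"
    "Subject: Meeting\n\nSee you there.\n"
)
BENIGN = (
    "From: James Bond <james.bond@victim.example>\n"
    "To: John Doe <john.doe@victim.example>\n"
    "Subject: Meeting\n\nSee you there.\n"
)

if __name__ == "__main__":
    print(audit_message(SPOOFED, ["john.doe@victim.example"]))
    print(audit_message(BENIGN, ["john.doe@victim.example"]))
```

The regexes deliberately do not reuse a library address parser, since the talk's point is that parsers disagree on such headers; the auditor looks at the raw header text the client will have to render.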