Phishers exploit Google’s SMTP Relay service to deliver spoofed emails

Phishers are exploiting a flaw in Google’s SMTP relay service to send malicious emails spoofing popular brands. Avanan researcher Jeremy Fuchs says that starting in April 2022, they have seen a massive uptick of these SMTP relay service exploit attacks in the wild, as threat actors use this service to spoof other Gmail tenants.

SMTP relay exploit takes advantage of DMARC unenforcement

Google’s SMTP relay service is used by organizations for things like sending out promotional messages to a huge number of users without the risk of their mail server getting blocklisted.

“Many organizations offer this service. Gmail does as well, with the ability to route outgoing non-Gmail messages through Google,” Fuchs explained.

“However, these relay services have a flaw. Within Gmail, any Gmail tenant can use it to spoof any other Gmail tenant. That means that a hacker can use the service to easily spoof legitimate brands and send out phishing and malware campaigns. When the security service sees avanan.com coming into the inbox, and it’s a real IP address from Gmail’s IP, it starts to look more legitimate.”

So, email security solutions are bypassed – as Gmail’s SMTP relay servers are generally trusted – and recipients see a legitimate-looking email address in the “From:” field. Only by checking the messages headers users will be able to notice something’s off.

Fuchs notes that this brand impersonation technique will work only if the impersonated company/brand company has not enabled its DMARC reject policy.

DMARC is a DNS-based authentication standard. Implementing it shields organizations from impersonation attacks by preventing malicious, spoofed emails from reaching targets.

Any phisher – indeed, anyone who uses the internet – can check whether the DMARC reject policy has been enabled for a specific domain, by using tools like MXToolbox. Fuchs noted that, for example, Trello and Venmo haven’t, while Netflix has.

Fixing the problem and avoiding the danger

Fuchs says that they’ve notified Google of how phishers were using their SMTP relay service on April 23rd, 2022.

“Google noted that it will display indicators showing the discrepancy between the two senders, to aid the user and downstream security systems,” he told Help Net Security.

Also, he notes, any SMTP relay out there could be vulnerable to this type of attack.

The overarching answer to this known security problem is for companies to use the DMARC protocol – as Google advises.

But until that becomes the norm, recipients are advised to check the headers of unsolicited email messages and refrain from opening attachments or clicking on links in those messages if they aren’t able to check whether they are malicious or not.

UPDATE (May 3, 2022, 11:05 a.m. ET):

“We have built-in protections to stop this type of attack. This research speaks to why we recommend users across the ecosystem use the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol. Doing so will defend against this attack method, which is a well-known industry issue,” a Google spokesperson told Help Net Security.

Don't miss