Aug 11, 2023 - Technology

Exclusive: An email security vendor is leaving 2M domains open to phishing hacks, study finds

Illustration: Sarah Grillo/Axios

A security researcher has uncovered a way to spoof at least 2 million email domain names for phishing attacks that requires little or no expertise to use, according to research shared first with Axios.

Why it matters: Phishing, which often relies on spoofed email addresses, remains one of the top entry points for malicious hackers looking to install malware or conduct social engineering campaigns.

Driving the news: Marcello Salvati, an independent security researcher, is presenting his findings at the DEF CON hacking conference in Las Vegas on Friday.

The big picture: Salvati's research focuses on email security vendor MailChannels, which offers tools for organizations looking to send automated emails to their customers, such as newsletters.

  • Typically, companies providing such services require customers to prove they own a domain before they can send an email using it.
  • MailChannels doesn't do that — in part, because the company caters primarily to web-hosting companies that need to send emails on behalf of their clients, like a password reset email or email signup confirmation.
  • Instead, MailChannels relies on spam detection tools that measure users' past behavior and IP address reputations. It also scans portions of the message before sending it out.

Details: Salvati's research found that those anti-spam tools are relatively easy to bypass.

  • Salvati built a tool that allows someone to send an email from whatever MailChannels' customer domain name they want without verifying if they own the domain.
  • In one example, Salvati was able to spoof the domain name for the Black Hat hacking conference, which also took place in Vegas this week.
  • As long as the message seems harmless, malicious actors' emails most likely won't get flagged by the company's chosen security features.
  • Someone wanting to do this themselves would just need $80 to sign up for a basic MailChannels account and gain access to the system.

Yes, but: MailChannels has security tools in place and doesn't consider this issue a security vulnerability.

  • MailChannels CEO Ken Simpson told Axios in a LinkedIn message after this story's publication that Salvati's research points out a broad flaw in the DMARC standard — an email authentication protocol — "that is well known."
  • "MailChannels sends email for 30 million different domains that are hosted behind over 600 web hosting provider networks," Simpson said. "We cannot force every domain owner to verify the ownership of their domain because domain owners do not even authenticate domain ownership with their own hosting provider."
  • Simpson and Salvati also spoke a few times about the research in the months leading up to the DEF CON presentation.
  • Simpson also pointed Axios to a new feature called "Domain Lockdown" — which the firm rolled out in June in response to Salvati's research — that details a new anti-spoofing security tool for customers.
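To make the DMARC limitation Simpson refers to concrete from the defender's side, the script below (added example code, not from Axios, Salvati or MailChannels) evaluates SPF and DMARC over a constructed DNS snapshot; `victim.example`, `_spf.relay.example` and the IP ranges are placeholders for a customer domain, a shared sending service and its address space. Because the customer's SPF record authorises the relay's entire address range, any message the relay emits with that MAIL FROM passes SPF-aligned DMARC, so a `p=reject` policy alone cannot distinguish the domain owner from another tenant of the same relay; only ownership verification at the relay closes that gap.

```python
import ipaddress

# Constructed DNS TXT snapshot (no live lookups). "_spf.relay.example" stands in
# for a shared sending service whose IP range many customer domains authorise.
DNS_TXT = {
    "victim.example": ["v=spf1 include:_spf.relay.example -all"],
    "_dmarc.victim.example": ["v=DMARC1; p=reject; aspf=r"],
    "_spf.relay.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, ip, depth=0):
    """Evaluate the v=spf1 record of `domain` for sending IP `ip` (ip4/include/all only)."""
    terms = next((r.split()[1:] for r in DNS_TXT.get(domain, [])
                  if r.lower().startswith("v=spf1")), None)
    if terms is None or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIER else ("+", term)
        matched = (mech == "all"
                   or (mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False))
                   or (mech.startswith("include:") and spf_check(mech[8:], ip, depth + 1) == "pass"))
        if matched:
            return QUALIFIER[qual]
    return "neutral"

def dmarc_evaluate(from_domain, mail_from_domain, ip):
    """DMARC outcome for a message carrying no DKIM signature: SPF must pass and align."""
    rec = next((r for r in DNS_TXT.get("_dmarc." + from_domain, [])
                if r.startswith("v=DMARC1")), "")
    tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
    policy = tags.get("p", "none")
    spf = spf_check(mail_from_domain, ip)
    aligned = mail_from_domain == from_domain or mail_from_domain.endswith("." + from_domain)
    passed = spf == "pass" and aligned
    return {"spf": spf, "dmarc": "pass" if passed else "fail", "policy": policy,
            "disposition": "deliver" if passed or policy == "none" else policy}

if __name__ == "__main__":
    # Message emitted by the shared relay on behalf of another tenant: SPF and
    # DMARC both pass, so p=reject never applies. Only the relay checking that the
    # sender actually owns victim.example (the "Domain Lockdown" idea) stops this.
    print(dmarc_evaluate("victim.example", "victim.example", "203.0.113.25"))
    # The same forged headers from an unauthorised IP: SPF fails and DMARC rejects.
    print(dmarc_evaluate("victim.example", "victim.example", "198.51.100.7"))
```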

The intrigue: MailChannels has a partnership with Cloudflare under which it validates emails coming from Cloudflare's Workers customers.

  • The partnership would mean that it's highly probable that anyone with a free Cloudflare account could spoof any of MailChannels' customers, Salvati said.
  • MailChannels now requires Cloudflare customers to turn on the "Domain Lockdown" feature before sending emails.

Threat level: MailChannels has roughly 40% of the global market share among companies sending emails on behalf of domain owners, the company said in a press release last year.

  • Some of the spoofable domains seemingly include those belonging to city governments, lottery websites and mobile phone companies.
  • MailChannels has also adopted a relatively new email authentication protocol known as ARC (Authenticated Received Chain) that allows emails to more easily bypass spam filters.

Of note: Salvati, a former researcher at cybersecurity firm Rapid7, worked with his ex-colleagues to verify his findings.

What they're saying: "In all of our testing, none of our emails were blocked, and I've personally tried once or twice to send myself a phishing email with a link to an executable and that wasn't blocked either," Salvati told Axios.

  • "There are existing hard security controls that other vendors have that don't allow you to spoof the emails in the first place," he added.

Be smart: Salvati's presentation concludes with a cheeky, but necessary disclosure for those attending his talk: "Don't do crimes, plz."

  • "Only test on domains you own/control and have permission," he adds.

Editor's note: This story has been updated with additional comment from MailChannels.