In July 2020, 7 Elements discovered a vulnerability in Rackspace that exposed all its global hosted email customers to the potential malicious use of their email domain by unauthorised actors. Malicious actors had the ability to leverage multiple accounts and pass security checks designed to detect spoofed emails. This was utilised in the wild to conduct targeted phishing attacks.
7 Elements has called this the “SMTP Multipass” attack.
The vulnerability was the result of how the SMTP servers for Rackspace (emailsrvr.com) authorised users. When this vulnerability is placed within the context of Rackspace’s guidance on customers specifically authorising these SMTP servers to send an email on their behalf via DNS entries (denoting the use of SPF records), it can be used to form a viable attack vector.
This allows an attacker, unauthenticated under one customer account, to send emails as another customer. Those emails would be received by the recipient, pass email security checks, and be identified as coming from a legitimate sender. Malicious actors could therefore masquerade as a chosen target domain, causing reputational damage.
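The following added example (not code from 7 Elements or Rackspace) models why SPF cannot tell two customers of a shared relay apart, and shows one possible relay-side check that ties the envelope sender's domain to the account using the session. The customer domains, the relay address range, the SPF record contents and the `bind_sender` policy are assumptions constructed for illustration.

```python
# Added illustration with constructed data; a toy model, not Rackspace's code.
import ipaddress

RELAY_IP = "192.0.2.10"  # constructed address standing in for a shared relay
SPF_RECORDS = {          # constructed TXT records; both tenants include the relay
    "emailsrvr.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "customer-a.example": "v=spf1 include:emailsrvr.com ~all",
    "customer-b.example": "v=spf1 include:emailsrvr.com ~all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, client_ip, depth=0):
    """Minimal SPF evaluation: only ip4, include and all are handled."""
    record = SPF_RECORDS.get(domain)
    if record is None or depth > 10:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:])
        elif mech.startswith("include:"):
            matched = spf_check(mech[8:], client_ip, depth + 1) == "pass"
        else:
            matched = mech == "all"
        if matched:
            return RESULTS[qualifier]
    return "neutral"

def domain_of(address):
    return address.rsplit("@", 1)[1].lower()

def relay_accepts(session_account, mail_from, bind_sender):
    """Hypothetical relay policy: with bind_sender, the envelope sender's
    domain must match the domain of the account using the session."""
    return not bind_sender or domain_of(session_account) == domain_of(mail_from)

def deliver(session_account, mail_from, bind_sender):
    """Return what the receiving side would see for this message."""
    if not relay_accepts(session_account, mail_from, bind_sender):
        return "rejected at relay"
    return "spf=" + spf_check(domain_of(mail_from), RELAY_IP)

if __name__ == "__main__":
    for bind in (False, True):
        print(bind, deliver("user@customer-a.example", "ceo@customer-b.example", bind))
```

The receiver's SPF result depends only on the connecting IP and the envelope domain, so the separation between customers has to be enforced by the relay itself.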
The vulnerability was discovered by the 7 Elements team through our incident response service back in July 2020. 7 Elements engaged with Rackspace, through our responsible disclosure process, at the start of August 2020.
The Incident
Whilst supporting a client’s internal investigation into a targeted email compromise incident, our team,....
Author
- Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.