AL2022_27 Google SMTP relay service abused for sending phishing emails (03rd May 2022)

Description 

Gmail and Google Workspace users can use Google's SMTP (Simple Mail Transfer Protocol) relay service to route their outgoing email through Google's servers. Businesses use this service for a variety of reasons, such as sending mail from on-premises applications and devices through their Workspace tenant.

Summary  

Threat actors can use this service to spoof other Gmail and Google Workspace tenants without being identified if the spoofed domains do not publish a DMARC policy with the 'reject' directive. DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication system that lets domain owners specify what a receiving mail server should do with a message that claims to come from their domain but fails authentication.

How it works  

Domain owners publish a DMARC policy as a DNS TXT record at _dmarc.<domain>. The record's 'p=' tag tells a receiving mail server what to do with a message that fails DMARC. The possible directives are: 'none' - take no action and deliver the spoofed email as normal, 'quarantine' - put the email in the spam folder, or 'reject' - do not accept the email at all.

The attack works when the spoofed domain's DMARC policy is 'none' (or when no DMARC record is published at all). The emails bypass spam detection because tenants who use the relay will almost certainly have added Google's SMTP relay service to their domain's SPF record, so mail arriving from Google's relay IP addresses passes the SPF check. Because the DMARC policy is not 'reject', the receiving server still delivers the message to the targeted user's inbox. The attack's ultimate purpose is to deceive users into visiting a malicious link or downloading a malicious file in order to steal their credentials.
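To make the three directives concrete, the following is an added example (not code from the original advisory or from Google) of a minimal DMARC policy evaluator in the spirit of RFC 7489. It parses a published _dmarc TXT record, checks whether the SPF- or DKIM-authenticated domain is aligned with the visible From: domain, and returns the disposition a receiver would apply. The domain names victim.example and attacker.example and the sample records are constructed for illustration; the organizational-domain helper is a simplification that ignores the Public Suffix List.

```python
# Added example: minimal DMARC evaluation (RFC 7489 style), not the advisory's code.


def parse_dmarc(record):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=none; rua=...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: %r" % record)
    return tags


def org_domain(domain):
    """Organizational domain, approximated here as the last two labels.

    Real receivers consult the Public Suffix List; that is omitted in this example.
    """
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_result="none", spf_domain=None,
                      dkim_result="none", dkim_domain=None):
    """Return (dmarc_result, disposition) for a message whose From: domain is
    `from_domain`, given the raw SPF and DKIM outcomes.

    `record` is the published _dmarc TXT record, or None if the domain has none.
    The disposition is one of 'none' (deliver), 'quarantine' or 'reject'.
    """
    if record is None:
        # No DMARC record: the receiver has no instruction, behaves like p=none.
        return ("none", "none")
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        # At least one aligned, authenticated identifier: DMARC passes, no action.
        return ("pass", "none")
    return ("fail", tags.get("p", "none").lower())


if __name__ == "__main__":
    # Constructed scenario from the advisory: mail relayed through Google's SMTP
    # relay with From: victim.example, but the envelope sender (and so the
    # SPF-authenticated domain) is the attacker's own tenant. SPF itself passes,
    # yet the identifier is not aligned, so the outcome depends only on 'p='.
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@victim.example",
                "v=DMARC1; p=quarantine",
                "v=DMARC1; p=reject",
                None):
        print(repr(rec), "->", dmarc_disposition(
            rec, "victim.example", spf_result="pass", spf_domain="attacker.example"))
    # Legitimate relayed mail from the tenant itself carries an aligned DKIM
    # signature, so a strict policy does not break it.
    print("legitimate ->", dmarc_disposition(
        "v=DMARC1; p=reject", "victim.example", dkim_result="pass", dkim_domain="victim.example"))
```

Running the block shows the spoofed message being delivered under 'p=none' and under a missing record, sent to spam under 'p=quarantine', and refused only under 'p=reject', while the tenant's own DKIM-signed mail still passes under the strict policy.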

PDF Download: Google SMTP relay service abused for sending phishing email.pdf

Recommendations   

  • Publish a strict DMARC policy ('p=reject') for your domains to prevent threat actors from spoofing them. This is a recommended security practice regardless of whether you use Google's relay. 

  • If in doubt, check the complete headers. Looking at the sender's display address is not enough to notice a spoofing attempt, so if you are not sure, inspect the full headers (Return-Path, Received and Authentication-Results) or contact the sender through a separate channel to verify the message. 

  • Instead of clicking on links embedded in the message body, hover over them to check the destination. 
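The header check in the recommendations above can be automated. The following is an added example (not part of the original advisory) that parses a constructed message, compares the visible From: domain with the envelope sender and with the domains recorded in the Authentication-Results header, and flags any link in the body that points outside the claimed sender's domain. The message, the hostnames (mx.recipient.example, victim.example, attacker.example) and the IP address 192.0.2.10 are constructed for illustration and are not a real capture.

```python
# Added example: inspect message headers for signs of a relayed spoof.
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample (not a real capture). The visible From: is the spoofed
# tenant, the envelope sender and SPF-authenticated domain belong to the
# attacker, and the receiving MX recorded dmarc=fail under a p=none policy,
# so the message was still delivered.
SAMPLE = b"""Return-Path: <bounces@attacker.example>
Received: from smtp-relay.gmail.com (smtp-relay.gmail.com [192.0.2.10])
\tby mx.recipient.example with ESMTPS id abc123
\tfor <user@recipient.example>; Tue, 3 May 2022 09:12:44 +0000
Authentication-Results: mx.recipient.example;
\tspf=pass (sender IP is 192.0.2.10) smtp.mailfrom=attacker.example;
\tdkim=none;
\tdmarc=fail (p=NONE) header.from=victim.example
From: "Accounts Payable" <ap@victim.example>
To: user@recipient.example
Subject: Overdue invoice - action required
Content-Type: text/plain; charset=utf-8

Please review the attached invoice: https://invoice-portal.attacker.example/login
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
PROP_RE = re.compile(r"(smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)")


def domain_of(addr):
    """Domain part of an address header value, lower-cased ('' if none)."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def parse_auth_results(value):
    """Parse an Authentication-Results header into {method: {result, props}}."""
    results = {}
    for clause in str(value).split(";")[1:]:  # clause 0 is the authserv-id
        match = AUTH_RE.search(clause)
        if not match:
            continue
        method, result = match.groups()
        results[method] = {"result": result.lower(), **dict(PROP_RE.findall(clause))}
    return results


def inspect(raw):
    """Return the identities found in the message and a list of findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"] or "")
    auth = parse_auth_results(msg["Authentication-Results"] or "")
    findings = []

    if envelope_domain and envelope_domain != from_domain:
        findings.append("Return-Path domain %s differs from From: domain %s"
                        % (envelope_domain, from_domain))
    spf = auth.get("spf", {})
    if spf.get("result") == "pass" and spf.get("smtp.mailfrom", from_domain) != from_domain:
        findings.append("SPF passed for %s, not for the From: domain %s"
                        % (spf["smtp.mailfrom"], from_domain))
    if auth.get("dmarc", {}).get("result") == "fail":
        findings.append("DMARC failed but the message was delivered (policy allows it)")

    body = msg.get_body(preferencelist=("plain",)).get_content()
    for host in re.findall(r"https?://([\w.-]+)", body):
        if host != from_domain and not host.endswith("." + from_domain):
            findings.append("link points to %s, outside %s" % (host, from_domain))

    return {"from_domain": from_domain, "envelope_domain": envelope_domain,
            "auth": auth, "findings": findings}


if __name__ == "__main__":
    report = inspect(SAMPLE)
    print("From:", report["from_domain"], "| Return-Path:", report["envelope_domain"])
    for finding in report["findings"]:
        print(" -", finding)
```

The same logic applies to a message exported from a mail client as raw .eml text: only the Authentication-Results header written by your own receiving server should be trusted, since an attacker can insert a forged one further up the header chain.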

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 
