Overview
Explore 18 types of attacks that bypass email sender authentication in this 40-minute Black Hat conference talk. Delve into vulnerabilities affecting popular email providers and clients, including techniques to impersonate senders and forge DKIM-signed emails. Learn about inconsistencies in SPF, DKIM, and DMARC protocols, and understand the complexities of email transmission and authentication flows. Discover how attackers exploit parsing inconsistencies, inject authentication results, and leverage email service accounts for spoofing. Gain insights into potential defense strategies against these sophisticated email security threats.
Syllabus
Intro
How Do You Verify the Email Sender?
Background: Email Transmission
Sender Policy Framework (SPF)
Domain Message Authentication, Reporting and Conformance (MARC)
Overview of Email Authentication Flow
Key Idea of Our Attacks
Inconsistencies b/w SPF and DMARC
Inconsistencies b/w DKIM and DNS
Exp. 3a: DKIM Authentication Results Injection
a: Multiple From Headers
From Sender Ambiguity
Complex From Header Syntax
h: Exploiting Parsing Inconsistencies
Spoofing via an Email Service Account
Thinking on Defense
Taught by
Black Hat