If you are in the email business, the big story today is Mailsploit, a collection of email client bugs that threatens to undermine DMARC and render Secure Email Gateways (SEGs) obsolete. In other words, the end of the world is upon us, and we should all go back to using smoke signals or march forward and find a replacement for email. Before we all become tinfoil milliners, let’s take a step back and try to understand what this collection of bugs really means. Mailsploit is not really a new attack at all; it’s a potentially dangerous refinement to one of the oldest and easiest email attacks. Mailsploit does not circumvent DMARC, though it will surely help fraudsters navigate around any SEG that relies on content inspection.
The Mailsploit bugs amount to a clever extension of the age-old display-name attack. The address fields in an email message such as From:, To:, Cc:, Reply-To:, etc. have a specific format that includes a display part and a technical part. DMARC is an industry standard designed to prevent spoofing of the technical part of the address field. Mailsploit does not circumvent DMARC any more than “PayPal Service <[email protected]>” circumvents DMARC. In their default configuration, most mail clients would render the address field above as “PayPal Service,” and many recipients of such a message would not bother to look at the underlying technical address to notice that it’s not actually from paypal.com. Sadly, many recipients wouldn’t know or care that PayPal doesn’t use a Gmail address, but that’s a completely different problem that I’ll tackle some other time.
So what’s different about Mailsploit? If you are using one of the affected mail clients, a bad actor could send you a message that will display “[email protected]” in the place where the technical part of the address field should appear. Worse, the affected mail clients are tricked into hiding the true technical part of the address, causing even email experts to believe the message was indeed “From” [email protected]. Since paypal.com publishes a DMARC p=reject policy, such a forgery should be blocked and would never make it to the recipient’s spam folder, never mind the inbox. Unfortunately, the actual technical portion of the email address is hidden, so the end user would never see the actual identity verified by DMARC.
Mailsploit has another trick up its sleeve. Some mail clients can be co-opted into rendering parts of the display name as HTML code. This would enable a clever hacker to place extra UI elements on the page, such as a script tag designed to download and execute a malicious payload. Horrible as this may sound, this is simply one more exploit among many thousands available to hackers. If somebody with sufficient resources decides to target you, they are going to get you. That was true before Mailsploit, and that will continue to be true long after the last Mailsploit-susceptible mail client is patched.
What about your anti-spam, anti-virus filter, aka Secure Email Gateway or SEG? Well, most SEGs are focused on the content of the email message. If the message contains a link to a known phishing website, your SEG will either quarantine the message or defang the offending URL. If the message contains a known virus, your SEG will similarly protect you. If a bad actor uses the XSS part of Mailsploit, there’s a very good chance your SEG will let the message through, since few SEGs bother to scan the address headers for malicious links. Depending on how your SEG decodes and analyzes the From: header for potential identity deception, it may or may not detect the deception. For the record, Agari Enterprise Protect is not susceptible to display name impersonation attacks, including those done using Mailsploit’s techniques.
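As an added illustration of the kind of From: header analysis the paragraph above refers to (this is example code written for this page, not Agari’s product code nor part of the original post, and every address in it is a constructed placeholder), the check below splits the header into its display and technical parts before decoding, then flags the three signs discussed here: an address-looking string in the display name whose domain differs from the real address, HTML markup in the display name, and control characters that survive RFC 2047 decoding.

```python
import base64
import re
from email.header import decode_header
from email.utils import parseaddr

# Control characters RFC 5322 never permits in a header (tab excluded).
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")
# Something that looks like an email address embedded in free text.
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[A-Za-z]{2,}")
# An HTML-looking tag: a name followed by whitespace or '>' ("<user@host>" is not one).
HTML_TAG = re.compile(r"<\s*/?\s*[A-Za-z][A-Za-z0-9]*(?:\s[^<>]*)?>")

def decode_display_name(raw: str) -> str:
    """Decode RFC 2047 encoded-words in a display name into one string."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts).strip(' "')

def inspect_from_header(header: str) -> dict:
    """Split a From: value into display and technical parts, decode the
    display part only afterwards, and report identity-deception signs."""
    # Structure first, decoding second: the technical address is what
    # DMARC authenticates, so it must never be derived from decoded text.
    display_raw, address = parseaddr(header)
    display = decode_display_name(display_raw)
    addr_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    findings = []
    if CONTROL_CHARS.search(display):
        findings.append("control character in decoded display name")
    if HTML_TAG.search(display):
        findings.append("HTML markup in display name")
    for m in EMBEDDED_ADDR.finditer(display):
        shown = m.group(0)
        if shown.rsplit("@", 1)[-1].lower() != addr_domain:
            findings.append(f"display name shows {shown}, address is @{addr_domain}")
    return {"display": display, "address": address, "findings": findings}

# Constructed samples (example.net addresses are placeholders, not real senders).
SAMPLES = {
    "plain": '"PayPal Service" <paypal.service@example.net>',
    "embedded_addr": '"PayPal Service <billing@paypal.com>" <paypal.service@example.net>',
    "html": '"PayPal Service <b>urgent</b>" <paypal.service@example.net>',
    # Encoded-word whose decoded text hides a NUL after a look-alike address.
    "encoded": "=?utf-8?b?%s?= <paypal.service@example.net>"
               % base64.b64encode(b"billing@paypal.com\x00").decode(),
}
```

Calling `inspect_from_header` on each sample returns the DMARC-relevant technical address unchanged in every case; only the `findings` list differs, which is the point of parsing structure before decoding.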
Just because the attack isn’t really new doesn’t mean you shouldn’t be careful. So what should you do to protect yourself? Please check today to see if your mail client is susceptible. If it is, consider switching to something that’s resistant, such as the Gmail web client. If your favorite mail client is vulnerable to the XSS part of Mailsploit, don’t just consider switching...do it now and thank me later. Yes, we are going to see a bunch of criminals and pranksters using the Mailsploit techniques in the coming days, weeks, and months. So long as your mail client isn’t affected, today is no more dangerous than yesterday.
Mailsploit: The DMARC Sky is not Falling
Posted on December 6, 2017