Work that DACS boffin (The Register’s words, not ours) Mattijs Jonker contributed to has recently made headlines on well-known IT news site The Register. In the work, with lead author Enze Liu from UC San Diego, the authors investigate four scenarios in which e-mail forwarding or re-sending can be abused to send spoofed messages. While the perils and pitfalls of e-mail are well-known, the seriousness of these new vulnerabilities is underscored by multiple bug bounties being awarded to the research team, among which from Microsoft. The eggheads (again, El Reg’s words, not ours) demonstrate that they can trivially circumvent protection mechanisms such as SPF, DKIM and DMARC to send, for example, a spoofed e-mail on behalf of bush@state.gov to unsuspecting victims with an Office 365 account. It is clear that this opens up possibilities for dangerous spear phishing campaigns.
You can read the full article on the register here: https://www.theregister.com/2023/02/19/forwarding_email_security. A pre-print of the paper (that will be presented at the upcoming IEEE Euro S&P conference held July 3-7 in Delft (https://eurosp2023.ieee-security.org/) can be found on arXiv here: https://arxiv.org/pdf/2302.07287.pdf.
