Unfiltered: Measuring Cloud-based Email Filtering Bypasses

Published: 23 Jan 2024, Last Modified: 23 May 2024. TheWebConf24 Oral
Keywords: Email, Filtering, Security, Measurement, SMTP, SPF
TL;DR: We propose a multistep methodology to infer if a cloud-based email filtering system that scans incoming emails can be bypassed by an adversary, and discover that 80% of popular edu and com domains using such systems are vulnerable to a bypass attack.
Abstract: Email service has increasingly been outsourced to cloud-based providers, and so too has the task of filtering such messages for potential threats. Thus, customers will commonly direct that their incoming email is first sent to a third-party email filtering provider (e.g., Proofpoint or Barracuda) and only the "clean" messages are then sent on to their email service provider (e.g., Gmail or Microsoft Exchange Online). However, this loosely coupled approach can, in theory, be bypassed if the email service provider is not configured to accept only messages that arrive from the email filtering service. In this paper, we demonstrate that such bypasses are commonly possible. We document a multi-step methodology to infer whether an organization has correctly configured its email service provider to guard against such scenarios. Then, using an empirical measurement of edu and com domains as a case study, we show that 80% of such organizations making use of popular cloud-based email filtering services can be bypassed in this manner. We end by discussing potential reasons why such misconfigurations can occur and outlining the complexities and challenges in hardening the binding between email filtering providers and email service providers.
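The binding the abstract describes has two defender-side halves: the email service provider should accept inbound SMTP connections only from the filtering provider's delivery addresses, and the tenant should be able to tell, from delivered mail, whether anything arrived without passing through the filter. The following is an added illustration, not code from the paper or from any filtering or email service provider. The egress ranges, hostnames and `Received:` headers are constructed (RFC 5737 documentation addresses), and `inbound_decision` stands in for whatever connector or firewall mechanism a real provider exposes.

```python
import ipaddress
import re
from typing import List, Optional, Sequence, Tuple

# Constructed: address ranges the filtering provider is assumed to deliver from.
# A real deployment takes these from the provider's published documentation.
FILTER_EGRESS = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]


def from_filter(source_ip: str, egress=FILTER_EGRESS) -> bool:
    """True if source_ip falls inside the filtering provider's delivery ranges."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in egress)


def inbound_decision(source_ip: str, restrict_to_filter: bool, egress=FILTER_EGRESS) -> str:
    """Connection-time decision the email service provider should make.

    restrict_to_filter=False models the weak configuration the paper measures:
    the provider's MX accepts mail from any peer, so the filter can be skipped.
    restrict_to_filter=True is the hardened form: only the filter's egress is accepted.
    """
    if not restrict_to_filter or from_filter(source_ip, egress):
        return "220 accept"
    return "550 5.7.1 Mail must be delivered via the filtering provider"


# Bracketed IPv4 literal in a Received: header, e.g. "(host [198.51.100.7])".
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def last_hop_ip(received_headers: Sequence[str]) -> Optional[str]:
    """Peer that connected to the email service provider.

    Received: headers are prepended, so the topmost one was added by the
    provider's own MX and names the host that delivered the message to it.
    """
    if not received_headers:
        return None
    match = RECEIVED_IP.search(received_headers[0])
    return match.group(1) if match else None


def unfiltered_messages(messages: Sequence[Tuple[str, List[str]]], egress=FILTER_EGRESS) -> List[str]:
    """Return ids of delivered messages whose last hop was not the filtering provider.

    A non-empty result on a tenant that routes all mail through the filter is
    direct evidence that the binding can be bypassed.
    """
    flagged = []
    for msg_id, headers in messages:
        ip = last_hop_ip(headers)
        if ip is None or not from_filter(ip, egress):
            flagged.append(msg_id)
    return flagged


# Constructed sample: msg-1 came through the filter, msg-2 was delivered directly.
SAMPLE_MESSAGES = [
    ("msg-1", [
        "Received: from out.filter.example (out.filter.example [198.51.100.7]) "
        "by mx.esp.example with ESMTPS; Tue, 23 Jan 2024 10:00:00 +0000",
        "Received: from sender.example (sender.example [192.0.2.10]) "
        "by out.filter.example with ESMTPS; Tue, 23 Jan 2024 09:59:58 +0000",
    ]),
    ("msg-2", [
        "Received: from sender.example (sender.example [192.0.2.10]) "
        "by mx.esp.example with ESMTP; Tue, 23 Jan 2024 10:01:12 +0000",
    ]),
]

if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.0.2.10"):
        print(ip, "weak:", inbound_decision(ip, restrict_to_filter=False),
              "| hardened:", inbound_decision(ip, restrict_to_filter=True))
    print("delivered without passing the filter:", unfiltered_messages(SAMPLE_MESSAGES))
```

The header check is the cheaper of the two to deploy: it needs only read access to delivered mail and the provider's published ranges, and it surfaces the same misconfiguration the paper infers from the outside, without any active probing.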
Track: Security
Submission Guidelines Scope: Yes
Submission Guidelines Blind: Yes
Submission Guidelines Format: Yes
Submission Guidelines Limit: Yes
Submission Guidelines Authorship: Yes
Student Author: Yes
Submission Number: 1142