You have No Idea Who Sent that Email: 18 Attacks on Email Sender Authentication

Our study demonstrates an unfortunate fact that even a conscientious security professional using a state-of-the-art email provider service like Gmail cannot with confidence readily determine, when receiving an email, whether it is forged.

We identified 18 types of attacks to bypass email sender authentication (including SPF, DKIM, and DMARC). Leveraging those techniques, an attacker can impersonate arbitrary senders without breaking authentication and even forge DKIM-signed emails with a legitimate site's signature. We evaluated our attacks against 10 popular email providers (e.g., Gmail.com, iCloud.com) and 19 email clients (e.g., Outlook, Thunderbird), and found all of them proved vulnerable to various attacks. We reported our findings to the affected vendors, who rewarded our report and are actively addressing them.

By Jianjun Chen, Vern Paxson, and Jian Jiang

Full Abstract & Presentation Materials: https://www.blackhat.com/us-20/briefi...