Suped

How did the UPS SPF scam work and what vulnerabilities did it exploit?

Summary

The UPS SPF scam combined weaknesses in several parts of the email authentication stack. The core issue was UPS's overly permissive SPF record, which authorized shared Microsoft 365 infrastructure and so let any Microsoft 365 tenant send mail that appeared to originate from @ups.com. This was compounded by Microsoft not adequately verifying that customers owned the domains they sent from. Gmail's display of BIMI logos when only SPF passed lent the messages a false air of legitimacy, and DMARC's relaxed identifier alignment (the default) let a bogus subdomain in the From header align with a ups.com Return-Path. Because that Return-Path was delivered from a Microsoft IP covered by UPS's SPF record, SPF passed, alignment held, and the spoofed mail passed DMARC. The incident highlighted a known weakness in DMARC's reliance on SPF alignment, and the lapse happened despite repeated warnings about it. Gmail and UPS both shipped fixes quickly. More generally, poorly scoped SPF records create easily abused authorization, and DMARC is only as strong as the SPF and DKIM setup beneath it; without correct SPF and DKIM, spoofing remains possible.

Key findings

  • Overly Permissive SPF: UPS's overly permissive SPF record was the primary vulnerability, allowing unauthorized email sending.
  • Microsoft's Role: Microsoft's failure to prevent abuse and verify domain ownership was a contributing factor.
  • BIMI Misleading Display: Gmail's display of BIMI logos based solely on SPF passing provided a false sense of security.
  • DMARC Bypass: The spoofed mail passed DMARC because SPF passed on the ups.com Return-Path (a Microsoft IP in UPS's SPF record) and relaxed alignment accepted a bogus ups.com subdomain in the From header.
  • Ignored Warnings: Repeated warnings about DMARC vulnerabilities were ignored.
  • Rapid Remediation: Gmail and UPS quickly implemented fixes to address the exploit.

Key considerations

  • SPF Hardening: Implement restrictive SPF records to limit who can send email on behalf of your domain.
  • Domain Verification: Platforms must enforce strict domain ownership verification to prevent abuse.
  • Robust DMARC Configuration: Properly configure DMARC to ensure SPF and DKIM are working correctly and alignment is enforced.
  • Vendor Security Assessment: Assess the security practices of vendors allowed to send email on your behalf.
  • DMARC Alertness: Pay attention to warnings and best practices regarding potential security vulnerabilities in email authentication.
  • SPF/DKIM Maintenance: Maintain and regularly review SPF and DKIM records to ensure they accurately reflect authorized sending sources.

What email marketers say

9 marketer opinions

The UPS SPF scam worked by exploiting a combination of factors: UPS had an overly permissive SPF record, allowing Microsoft 365 users to send emails appearing to be from @ups.com. Gmail displayed BIMI logos even when only SPF passed, which gave the spoofed emails a veneer of legitimacy. This, combined with relaxed DMARC settings, allowed phishers to send authenticated emails impersonating UPS. Subsequently, both Gmail and UPS implemented fixes to address the vulnerability.

Key opinions

  • Permissive SPF: UPS's overly permissive SPF record was a primary vulnerability.
  • Microsoft 365 Abuse: The vulnerability allowed Microsoft 365 users to send email as @ups.com.
  • BIMI Display: Gmail's display of BIMI logos based solely on SPF passing contributed to the perceived legitimacy.
  • DMARC Weakness: Relaxed DMARC settings, or a misunderstanding of how they function with SPF, allowed the scam to succeed.
  • Swift Fixes: Both Gmail and UPS quickly implemented fixes to close the exploit.

Key considerations

  • SPF Record Management: Careful management and restriction of SPF records are crucial to prevent unauthorized email sending.
  • DMARC Implementation: A robust DMARC implementation, which correctly leverages both SPF and DKIM, is essential.
  • BIMI Implications: Reliance on SPF alone for BIMI display can be risky and should be carefully considered.
  • Email Authentication: Ensure email authentication methods are strong and properly configured to mitigate spoofing risks.
  • Vendor Security: It's vital to ensure that any vendor or service allowed to send emails on your behalf is also employing stringent security measures.

Marketer view

Email marketer from LinkedIn explains how the UPS spoofing vulnerability worked: It involved a combination of factors, including Microsoft 365 users being able to send as @ups.com, UPS having a very open SPF record, and Gmail displaying BIMI logos even when only SPF passes. This allowed phishers to send authenticated emails impersonating UPS.

16 Jul 2023 - LinkedIn

Marketer view

Email marketer from Twitter shares how Gmail rolled out a fix for the BIMI exploit where phishers were able to spoof emails.

13 Apr 2022 - Twitter

What the experts say

6 expert opinions

The UPS SPF scam worked by exploiting several weaknesses at once. Microsoft's failure to prevent customers from using domains they do not own was a key enabler. UPS had an overly broad SPF record. Combined with relaxed DMARC alignment and the way the return path was set up (a ups.com Return-Path delivered from a Microsoft IP covered by UPS's SPF record), this let spoofed emails pass DMARC validation. Experts had warned about this DMARC hole for some time, but the warnings went unheeded. Poorly implemented SPF records are a significant risk, and DMARC depends on proper SPF and DKIM setup; without them it can fail to prevent spoofing. Experts also noted that the outcome could easily have been worse.

Key opinions

  • Microsoft's Role: Microsoft's allowing customers to use domains they don't own contributed to the scam.
  • Overly Broad SPF: UPS's overly broad SPF record was a key vulnerability.
  • DMARC Bypass: The scam passed DMARC because the return path's domain passed SPF and relaxed alignment accepted the spoofed From subdomain.
  • Ignored Warnings: Warnings about the DMARC vulnerability were ignored.
  • SPF Implementation: Poor SPF implementation creates vulnerabilities.
  • DMARC Reliance: DMARC relies on proper SPF and DKIM; otherwise, it can fail.

Key considerations

  • Domain Ownership Verification: Platforms need to verify domain ownership to prevent abuse.
  • Restrictive SPF Records: Use restrictive SPF records to limit who can send email on behalf of your domain.
  • DMARC Configuration: Properly configure DMARC to ensure SPF and DKIM are working correctly.
  • Heed Warnings: Pay attention to warnings about potential security vulnerabilities.
  • SPF/DKIM Maintenance: Maintain and regularly review SPF and DKIM records.

Expert view

Expert from Email Geeks explains that the return path was something@ups.com, forwarded via an MS IP covered by the ups.com SPF record, which under relaxed alignment aligned with the bogus subdomain in the 822.From, making the DMARC valid.

10 Jul 2021 - Email Geeks
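The mechanism described in the expert view above (and summarized at the top of the page) can be reproduced with a small evaluator. The block below is an added example written for this page, not code from the original page, from Suped, or from any of the quoted posters. The domain names (ups.example, ups-narrow.example, shared-platform.example), the include name and the IP ranges are constructed documentation values, not UPS's or Microsoft's real records; the SPF evaluator is deliberately minimal (ip4, include and all only) and the organizational-domain logic is simplified.

```python
import ipaddress

# Constructed DNS TXT table (example data, not real records). "ups.example"
# stands in for the spoofed domain, "shared-platform.example" for the
# multi-tenant hosted-mail include whose IPs the broad record trusted.
DNS_TXT = {
    "ups.example": "v=spf1 ip4:203.0.113.0/24 include:shared-platform.example -all",
    "ups-narrow.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "shared-platform.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, ip, depth=0):
    """Minimal SPF evaluator (ip4, include, all). Returns pass/fail/softfail/
    neutral/none/permerror. RFC 7208 evaluators also handle a, mx, ptr, exists,
    redirect and the 10-DNS-lookup limit."""
    if depth > 10:
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # An include matches only if the referenced record yields "pass".
            matched = spf_check(term[8:], ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            matched = False  # unsupported mechanism, ignored in this toy
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def authorized_address_count(domain, depth=0):
    """Rough blast-radius metric: IPv4 addresses the record authorizes, recursing
    through includes. A shared-platform include extends this to every tenant."""
    if depth > 10:
        return 0
    total = 0
    for term in DNS_TXT.get(domain, "").split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if qualifier != "+":
            continue
        if term.startswith("ip4:"):
            total += ipaddress.ip_network(term[4:], strict=False).num_addresses
        elif term.startswith("include:"):
            total += authorized_address_count(term[8:], depth + 1)
    return total


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (real DMARC
    implementations consult the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def spf_aligned(mail_from_domain, header_from_domain, aspf):
    """DMARC identifier alignment (RFC 7489 section 3.1): strict ("s") requires
    an exact match; relaxed ("r", the default) only requires the same
    organizational domain, so any subdomain in the From header aligns."""
    if aspf == "s":
        return mail_from_domain.lower() == header_from_domain.lower()
    return org_domain(mail_from_domain) == org_domain(header_from_domain)


def dmarc_result(sender_ip, mail_from_domain, header_from_domain,
                 aspf="r", dkim_aligned=False):
    """DMARC passes if SPF passes for the RFC5321.MailFrom (Return-Path) domain
    and that domain aligns with the RFC5322.From domain, or if an aligned DKIM
    signature verifies. The spoofed mail had no aligned DKIM, so it all rested
    on the SPF leg."""
    spf_pass = spf_check(mail_from_domain, sender_ip) == "pass"
    spf_leg = spf_pass and spf_aligned(mail_from_domain, header_from_domain, aspf)
    return "pass" if (spf_leg or dkim_aligned) else "fail"


if __name__ == "__main__":
    # Attacker tenant on the shared platform: Return-Path <x@ups.example>,
    # From: <x@tracking.ups.example> (bogus subdomain), no DKIM signature.
    ip = "198.51.100.77"
    print("broad SPF, relaxed:", dmarc_result(ip, "ups.example", "tracking.ups.example"))
    print("broad SPF, strict: ", dmarc_result(ip, "ups.example", "tracking.ups.example", aspf="s"))
    print("narrow SPF, relaxed:", dmarc_result(ip, "ups-narrow.example", "tracking.ups-narrow.example"))
    print("authorized addresses, broad vs narrow:",
          authorized_address_count("ups.example"), authorized_address_count("ups-narrow.example"))
```

With the broad record and relaxed alignment the attacker's message passes DMARC; switching to aspf=s fails it because the bogus subdomain no longer matches the Return-Path domain exactly. Strict alignment is only a partial fix, though: if the attacker sets the From header to the organizational domain itself, strict alignment still holds and SPF still passes from the shared-platform IP. The narrowed record fails the attacker regardless of alignment mode, which is why the remedy on the page is the SPF record rather than the DMARC policy.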

Expert view

Expert from Email Geeks explains that Microsoft is at fault for allowing customers to use domains that don’t belong to them, enabling the spoofing of emails like those from UPS. They have a responsibility to prevent their customers from using domains that don’t belong to them.

14 Mar 2022 - Email Geeks

What the documentation says

4 technical articles

The UPS SPF scam exploited weaknesses in how email authentication protocols were deployed. Strong authentication is meant to identify and stop spam and let senders build on their brand trust, yet here it was bypassed: DMARC checks passed despite the spoofing. DMARC builds on SPF and DKIM, and its effectiveness hinges on both being implemented carefully. An overly broad SPF record at UPS authorized servers UPS did not control to send as ups.com; a narrower SPF record would have prevented the attack. The incident highlights how relaxed SPF alignment, the default mode defined in IETF RFC 7489, lets any subdomain in the From header align with the organizational domain.

Key findings

  • Bypass of Strong Auth: Email authentication, designed to stop spam, was bypassed.
  • DMARC Passing: DMARC checks passed despite the spoofed emails.
  • Broad SPF Vulnerability: An overly broad SPF record at UPS was a key vulnerability.
  • DMARC Implementation Flaw: The incident exposed how relaxed SPF alignment, combined with a broad SPF record, lets spoofed mail pass DMARC.

Key considerations

  • Robust DMARC: Deploy DMARC with an enforcing policy and verify that SPF and DKIM alignment hold only for genuine sending sources.
  • Email Security: Enforce strong email authentication end to end, with SPF, DKIM and DMARC configured together rather than in isolation.
  • Targeted SPF: Authorize only the specific servers that actually send mail for the domain, remembering that an include for a shared platform authorizes every tenant of that platform.

Technical article

Documentation from Google explains that strong email authentication helps users and email security systems identify and stop spam, and also lets senders leverage their brand trust; in this incident, phishers exploited that trust.

17 Sep 2024 - Google

Technical article

Documentation from IETF RFC 7489 specifies how DMARC is intended to work, including the relaxed and strict identifier alignment modes. The UPS incident shows how DMARC can be bypassed when SPF alignment is left relaxed and the SPF record is too broad.

24 Nov 2023 - IETF
