How did the UPS SPF scam work and what vulnerabilities did it exploit?

Key findings

• Overly broad SPF records: The primary vulnerability stemmed from UPS's SPF record being too inclusive, authorizing a wide range of Microsoft 365 IPs, which allowed unauthorized sending.
• Relaxed DMARC alignment: The scam exploited DMARC's relaxed alignment mode, where the visible 'From' address could differ from the 'Return-Path' domain yet still pass authentication if the Return-Path aligned with SPF.
• BIMI's amplification: Google's BIMI blue checkmark, intended to signal legitimate senders, inadvertently lent credibility to the spoofed emails, making them highly convincing. This is because BIMI relies on DMARC passing.
• Microsoft 365 as a relay: The attackers used a legitimate Microsoft 365 service as a relay, which was covered by UPS's SPF record, enabling the fraudulent emails to be sent through an authenticated path.
• XSS vulnerability exploitation: Beyond the email authentication, some phishing campaigns also leveraged cross-site scripting (XSS) vulnerabilities on the UPS.com website to host malicious content, further enhancing their deceptive nature.

Key considerations

• Stricter DMARC policies: Organizations should move towards DMARC policies of p=quarantine or p=reject to prevent unauthenticated mail from reaching inboxes.
• Precise SPF configuration: Avoid overly broad SPF records. Explicitly list all authorized sending IPs and services.
• DKIM alignment emphasis: Prioritize DKIM alignment for DMARC, as it offers stronger cryptographic assurance than SPF alone, especially in cases of relaxed alignment.
• ESP responsibility: Email service providers must implement robust domain ownership verification to prevent unauthorized users from sending emails on behalf of others.
• Ongoing vigilance: The incident underscores the need for continuous monitoring and adaptation of email security practices as new threats emerge.

Key opinions

• Erosion of trust: Many marketers worried that the scam, especially with the visible checkmark, could diminish consumer trust in authenticated emails, undermining security efforts.
• Google's product rollout: There was a sentiment that Google rushed its BIMI checkmark product to market without adequately addressing known underlying authentication vulnerabilities, potentially creating a marketing misstep.
• Microsoft's policy: Marketers also criticized Microsoft for allowing users to send emails from domains they did not own, which was a critical enabler for the spoofing attack.
• BIMI's readiness: The incident led some to question if BIMI was truly ready for prime time given the exploitability of the underlying DMARC mechanism when SPF records are permissive.
• SPF's diminishing relevance: The scam reinforced the idea that SPF alone is becoming less relevant for robust email authentication, pushing the emphasis towards DKIM alignment.

Key considerations

• Prioritize DKIM for alignment: Marketers should focus on ensuring DKIM alignment as the primary mechanism for DMARC pass, as it offers a more secure cryptographic signature.
• Demand better ESP security: Advocate for email service providers to implement stricter domain ownership verification processes.
• Educate about BIMI: Understand that BIMI is an enhancement, not a standalone security measure, and communicate its true purpose to consumers.
• Stay informed on threats: Marketers must continually update their understanding of evolving email security threats and adapt their strategies accordingly.
• Comprehensive security posture: The UPS scam underscores the need for a multi-layered security approach, combining authentication with other protective measures.

Key opinions

• Microsoft's responsibility: Several experts squarely blamed Microsoft for allowing unauthorized users to send emails from domains they did not own, which was a core enabler of the spoofing.
• Inherent DMARC vulnerability: The issue was identified as a long-standing vulnerability within DMARC's relaxed alignment settings, particularly when combined with broad SPF records, rather than a flaw with BIMI or Google's implementation.
• SPF's diminishing role: There was a strong sentiment that SPF is becoming less effective on its own, with a growing need for DKIM alignment to be the primary authentication method for DMARC.
• BIMI as an amplifier: While BIMI did not cause the vulnerability, its visual checkmark amplified the perceived legitimacy of the spoofed emails, making the attack more impactful.
• Industry collaboration: Experts noted that mailbox providers and industry working groups are actively discussing and collaborating on solutions to address these types of vulnerabilities.

Key considerations

• Stricter domain verification for ESPs: Email service providers like Microsoft must implement more stringent domain ownership verification to prevent abuse.
• Prioritize DKIM for DMARC alignment: The industry should move towards requiring DKIM alignment for DMARC passes, as it offers a more robust authentication method.
• Address DMARC loopholes: The DMARC standard may need to evolve to address the vulnerabilities inherent in relaxed SPF alignment, especially in complex sending environments.
• Evolve security advice: Email security professionals must continuously update their recommendations to clients, adapting to new threats and the changing landscape of email authentication, including considerations for Microsoft environments.
• Learned lessons: Incidents like the UPS scam, while problematic, are necessary for identifying weaknesses and driving the development of stronger email security protocols.

Key findings

• SPF functionality: SPF (Sender Policy Framework) is designed to verify the sending IP address against a list of authorized IPs published in the sender's DNS records.
• DMARC relaxed alignment: DMARC (Domain-based Message Authentication, Reporting, and Conformance) includes an option for 'relaxed' alignment, allowing the 'From' domain to be a subdomain of the SPF or DKIM domain, rather than an exact match, which can be exploited.
• BIMI requirements: BIMI (Brand Indicators for Message Identification) mandates that DMARC be enforced (via p=quarantine or p=reject) and requires a Verified Mark Certificate (VMC) to display a brand logo next to authenticated emails.
• Known SPF limitations: SPF primarily authenticates the 'Return-Path' (or 'MailFrom') address, not the visible 'From' address, making it susceptible to 'display name spoofing' if DMARC alignment is relaxed.
• Cross-site scripting (XSS): Some phishing methods, as documented, involve exploiting XSS vulnerabilities on legitimate websites to inject malicious scripts, making phishing pages highly convincing.

Key considerations

• Strict DMARC enforcement: For maximum spoofing protection, documentation implies a p=reject DMARC policy should be the ultimate goal, ensuring that non-aligned emails are blocked.
• Understanding DMARC tags: A thorough understanding of DMARC tags and their meanings is crucial for proper configuration and policy management.
• Prioritize DKIM for alignment: While DMARC can pass with either SPF or DKIM alignment, DKIM offers a more robust cryptographic signature for sender identity, making it the preferred method for strong authentication.
• Phishing awareness: Official security guides consistently advise users to be wary of suspicious links and attachments, even from seemingly legitimate sources, as phishing tactics evolve.
• Iterative policy deployment: Documentation often recommends starting with a p=none DMARC policy to monitor traffic before moving to more restrictive policies.