A new phishing attack leveraging Google’s SMTP relay service has been detected delivering phishing emails to users. The attack has been observed by Avanan security researchers.
Google’s SMTP Service Abused
What is an SMTP relay service? This type of service helps businesses send marketing messages to large databases of users without being blocklisted, thus ensuring the messages are delivered. Gmail, like many other providers, offers such a service, enabling outgoing non-Gmail messages to be routed through Google's infrastructure. However, it turns out that the service has a flaw.
“Within Gmail, any Gmail tenant can use it to spoof any other Gmail tenant. That means that a hacker can use the service to easily spoof legitimate brands and send out phishing and malware campaigns. When the security service sees avanan.com coming into the inbox, and it’s a real IP address from Gmail’s IP, it starts to look more legitimate,” Avanan explains.
What happened in this specific attack?
Attackers abused the service to send spoofed emails impersonating various brands. The key to the attack is using smtp-relay.gmail.com as the SMTP service: the email is sent through one Gmail tenant's domain but arrives appearing to come from venmo.com. The end goal of the attack is, as always, tricking users into opening a malicious link or downloading a malicious file in order to steal their credentials.
It should be noted that the attack succeeds only if the impersonated brand has its DMARC policy set to none. DMARC, or “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. If the brand publishes an enforcing policy, Google's systems will identify the explicit mismatch in the email's From header and act on it.
“For example, if phisher.com sends out a message from google.com, there will be an indicator of such discrepancy for downstream email systems to see. Most companies will have a DMARC=reject policy,” the researchers explained.
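The following added example (not from the article or from Avanan) models why the relay trick only works against brands with p=none. It parses DMARC TXT records, checks SPF/DKIM identifier alignment against the From header domain, and returns the disposition a receiving mail system would apply. The DMARC records and the domain names (brand-with-none.example, relay-tenant.example, and so on) are constructed placeholders, and the organizational-domain logic is simplified (real implementations use the Public Suffix List).

```python
# Simplified DMARC evaluation to illustrate the relay-spoofing scenario.
# Constructed sample DMARC TXT records; no DNS lookups are performed.
SAMPLE_DMARC_RECORDS = {
    "brand-with-none.example": "v=DMARC1; p=none; rua=mailto:dmarc@brand-with-none.example",
    "brand-with-reject.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@brand-with-reject.example",
    "brand-with-quarantine.example": "v=DMARC1; p=quarantine; pct=100",
}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tag -> value.

    Returns None when the record is not a DMARC record (e.g. an SPF record).
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels (assumption; real DMARC uses the PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: 's' requires an exact match, 'r' allows the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass, dmarc_records):
    """Return (disposition, reason) where disposition is 'none', 'quarantine' or 'reject'.

    spf_domain is the envelope (MAIL FROM) domain that SPF authenticated; dkim_domain is the
    d= domain of a verified DKIM signature, or None if the message carries no valid signature.
    """
    record = dmarc_records.get(from_domain.lower())
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return "none", "no DMARC record published: nothing to enforce"
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "none", "DMARC pass: an aligned identifier authenticated"
    policy = tags.get("p", "none").lower()
    if policy not in ("none", "quarantine", "reject"):
        policy = "none"  # unknown policy values are treated as no policy
    return policy, f"DMARC fail: From domain {from_domain} unaligned, policy p={policy} applied"


def relay_spoof_outcome(brand_domain, dmarc_records=SAMPLE_DMARC_RECORDS):
    """Model a message sent through a third-party relay tenant with a forged From header.

    SPF passes for the relay tenant's envelope domain (the relay's IPs are authorized for it),
    but that domain is not aligned with the brand in the From header, and there is no DKIM
    signature from the brand. The outcome therefore depends entirely on the brand's policy.
    """
    return dmarc_disposition(
        from_domain=brand_domain,
        spf_domain="relay-tenant.example",  # constructed placeholder for the sending tenant
        spf_pass=True,
        dkim_domain=None,
        dkim_pass=False,
        dmarc_records=dmarc_records,
    )


if __name__ == "__main__":
    for brand in SAMPLE_DMARC_RECORDS:
        disposition, reason = relay_spoof_outcome(brand)
        print(f"{brand:32} -> {disposition:10} ({reason})")
```

Running the script shows the brand with p=none being delivered normally while the brands with p=quarantine and p=reject have the spoofed message quarantined or rejected, which is the condition the researchers describe. The same evaluation passes a legitimate message whose DKIM signature or envelope domain is aligned with the brand, so tightening the policy does not affect properly authenticated mail.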
In conclusion, it should be noted that any SMTP relay could be prone to this type of attack. The researchers have observed “a massive increase in these attacks,” amounting to more than 27,000 phishing emails in only two weeks.
In May 2021, phishing operators were caught abusing cloud collaboration tools (mostly belonging to Microsoft and Google), such as Office 365, Azure, OneDrive, SharePoint, G-Suite, and Firebase.