Avanan researchers have identified a new attack form whereby adversaries leverage reputable Email Delivery Services (EDS) to launch and obfuscate their attacks against Microsoft 365. In this particular case, attackers leveraged an EDS called Mailgun.
In a span of four days, Avanan researchers saw more than 3,000 distinct phishing campaigns coming from IP addresses belonging to Mailgun. What’s unique about Mailgun that makes it a very compelling phishing platform for hackers is that the service allows users to set a different field in the “From” and “Sender” fields of the email headers. This is one way the attack confuses and gets past Microsoft. This is excellent for carrying out impersonation attacks.
Companies rely on EDS providers to deliver business emails to their target audiences, and frequently, these emails will be marketing and sales-related. Due to the nature of marketing and sales emails, the emails will often get caught by email filters. EDS solutions offer a way around this by lending their credibility to the emails sent out to the target audiences. Credibility can be in the form of a high domain history, valid IP reputations, valid SPF/DKIM checks, and a general recognition from Email Security solutions, like Microsoft’s EOP and ATP, that these are trusted sources. This is where we run into our problem.
Attackers are either compromising accounts with weak passwords or just buying Mailgun’s services and then sending out phishing emails, knowing that Mailgun’s emails have a higher chance of getting into an inbox than if the attackers used their own infrastructure.
The emails themselves do not indicate that they are from Mailgun. Only when you look up the sender’s IP address do you see that the IP address is registered to Mailgun. The clients who were the most heavily affected by these attacks relied on Mailgun’s services to send operational emails (such as dev-ops alerts) and had the IP addresses of Mailgun in their allow-lists.
How the Attack Works
Here’s what the typical email’s headers look like:
Note that the “From” address has been spoofed to make it appear it’s coming from within the company. Only when you check the “Sender” address do you see that it’s coming from a spoofed domain and in this case, that domain is click-recruit.co.uk and the actual sender email address is CEO=company.com@click-recruit.co.uk. This is what makes this attack unique and makes Mailgun a very compelling platform for hackers. Mailgun allows their clients to set a different field in the “From” and “Sender” fields of the headers.
company.com@click-recruit.co.uk is a valid Mailgun address and therefore, it will pass Microsoft 365's SPF check. Accordingly, the email will be considered legitimate by the Microsoft 365 security layers. But the end-user will be presented with a different “From”, making it a perfect phishing impersonation attack, as seen in the screenshot below taken from the default MacOS email client:
The use of a malformed “Sender” field, replacing the “@” with an equal sign (“=”) further obfuscates the attack by confusing certain mail clients from displaying emails correctly. Outlook, for example, displays the phrase “... on behalf of…” when the “Sender” address doesn’t match the “From” address as seen in the screenshot below. However, the “Name” in the preview pane in the customer’s inbox does not reflect this difference; the preview pane still shows the fully impersonated name.
All emails that were detected were promptly reported to Mailgun’s abuse hotline, and the accounts sending out those emails were suspended.
