Top Security QuickFails: #4 No SPF

1. November 2021

#4 No SPF

The attack

Half past six in the morning in Germany. Bianca at MedienBude GmbH starts her workday by checking her e-mail inbox.
There you will find an urgent email from your boss asking you to check the last statement.

After 30 minutes Bianca still hadn’t found the error, but decided that it was time for a Knoppers…

What happened?

After the attacker selected his target, the attacker checked whether an SPF record had been set for the target’s domain. Here he noticed that no SPF record was set. This means that the MedienBude e-mail server cannot check whether the sender is authorized to transmit this e-mail.

This enabled him to forge any internal sender addresses and to suggest to the victim that the e-mail came from the boss.

The countermeasure

Check if your company has already set an SPF record. The easiest way to do this is with online tools such as SPF-Record.de

Here you will get such a result (if SPF is set):

Otherwise, it looks like this:

At the latest now you should inform yourself which systems on the Internet should/are allowed to send e-mails on your behalf. Then you create a simple TXT record for your domain. How this works exactly you will learn with the help of Dr. Google “SPF set up providerXY” 🙂

Have fun

PS: There are other security features in email that further raise the hurdle for attackers. Namely these are DMARC and DKIM, but since these often have an impact on production, you should read more here 😉

Safety gain

Medium

*From the blog series Top Security QuickFails

You are currently viewing a placeholder content from Facebook. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.

More Information

Similar posts

The prehistory In recent years, we have conducted an extremely large number of penetration tests at companies of all sizes [...]

6. June 2021

#1 Standard Office Macros Settings The attack Our employee of the month Peter Lustig receives [...]

6. June 2021

#2 Domain admins everywhere The attack It is a Monday morning and Kevin Vielzutun starts his monthly server check in [...]

15. June 2021

#3 The “invisible” network shares The attack It’s Wednesday morning, the sun is shining and all ImmerGrün AG employees are [...]

26. August 2021