Our most recent VRT Council discussion led us to expedite the release of VRT 1.6. The release includes two major changes: a revision to internal SSRF, and how we rate email spoofing, specifically the baselines around SPF and DMARC. The spoofing change is a direct result of how major email providers such as Outlook and Gmail have stopped treating an SPF failure on its own as grounds to block a message and instead rely on the domain's DMARC policy to decide what to do with mail that fails authentication. In practice, if you don’t have DMARC set up on your email domain, spoofed emails will land in your inbox even if you publish an SPF record.
According to the Verizon Data Breach Investigations Report (DBIR) 2017, around 90% of breaches involve phishing. Phishing is far more effective when an attacker can spoof a legitimate domain, so companies that allow spoofed email from their domain are more likely to fall victim to it. We have been seeing this receiver behavior for a while now, but no official documentation described it. After our recent research there is no denying that we need to address this promptly, and we are thankful to one of our researchers for bringing it to our attention.
Previously, email spoofing on the primary email domain was listed as a P3, but a missing DMARC record was only a P5. Most of the vendors on Bugcrowd publish SPF records but are missing DMARC or have it misconfigured. Without DMARC, or with DMARC set to ‘p=none’, SPF effectively fails open: when a spoofed email arrives, the receiver evaluates SPF, which fails, and then looks at DMARC for what to do with that failure. If there is no DMARC record (or its policy is ‘none’), the message is accepted anyway, which invalidates SPF in practice and results in a spoofed email in the inbox. Note also that SPF checks the envelope sender (MAIL FROM), not the From: header the user sees, so an attacker can get an SPF pass on a domain they control while showing your domain in the From: header; only DMARC’s alignment check ties the two together.
Researcher Jacob Wilkin (GreenWolf) connected with us about changing the classification level. Jacob is a 26-year-old pen tester on a red team who has witnessed the damage that results from not taking email spoofing seriously. When he tried to persuade companies to raise the priority of this finding, he received pushback on the grounds that email spoofing is easy to detect; but when it is not detected, it can lead to a terrible situation. Because of that pushback, Jacob reached out to Bugcrowd. We are now updating our VRT to reflect his and the industry’s concerns about missing or misconfigured DMARC and protection against email spoofing.
“By moving it to a P3/P4 issue, the taxonomy keeps up with how modern email providers are validating spoofing. Additionally, by firmly moving it into the ‘standard’ paid categories, companies will hopefully be inclined to take this issue more seriously, which will help bring up security standards across the board.” – Jacob Wilkin
We’ve decided to implement the following classification, which is in line with how we view the security risk around email spoofing and includes an updated DMARC baseline rating:
- P3 – Server Security Misconfiguration > Mail Server Misconfiguration > No Spoofing Protection on Email Domain
- P4 – Server Security Misconfiguration > Mail Server Misconfiguration > Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain
- P5 – Server Security Misconfiguration > Mail Server Misconfiguration > Email Spoofing to Spam Folder
- P5 – Server Security Misconfiguration > Mail Server Misconfiguration > Missing or Misconfigured SPF and/or DKIM
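To make the receiver logic described above concrete, here is an added example (written for this page; it is not Bugcrowd code and not part of the VRT itself) that simulates what a DMARC-aware receiver does with a message and then maps the target domain's posture onto the four categories listed. Everything in it is constructed: the inline TXT "zone", the domains example.com, weak.example, bare.example, open.example, quarantined.example, attacker.example and _spf.mailhost.example, and the attacker IP 192.0.2.10. The SPF evaluator implements only the ip4, ip6, include and all mechanisms; relaxed alignment is approximated without a public-suffix list; and the mapping in vrt_priority is my reading of the list, not an official Bugcrowd rule. It also covers the case the post only hints at: an attacker who gets an SPF pass on their own MAIL FROM domain while the From: header shows the target domain, which only DMARC alignment catches.

```python
"""Simulate SPF + DMARC handling at a receiver and rate the result.

Added example, not Bugcrowd's code. All DNS answers are constructed inline
so the script runs offline; only ip4/ip6/include/all SPF mechanisms are
implemented (a, mx, ptr, exists are skipped, an assumption).
"""
import ipaddress

# Constructed TXT records standing in for DNS lookups.
DNS_TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "weak.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none;"],          # DMARC present but fails open
    "bare.example": ["v=spf1 ip4:203.0.113.0/24 -all"],    # SPF only, no _dmarc record
    "quarantined.example": ["v=spf1 -all"],
    "_dmarc.quarantined.example": ["v=DMARC1; p=quarantine; pct=100"],
    "attacker.example": ["v=spf1 ip4:192.0.2.0/24 -all"],  # attacker-controlled domain
    # open.example has no SPF and no DMARC record at all.
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
ATTACKER_IP = "192.0.2.10"  # constructed: authorized only by attacker.example


def lookup_txt(name):
    return DNS_TXT.get(name.lower(), [])


def evaluate_spf(domain, ip, depth=0):
    """Minimal RFC 7208 check_host(): returns pass/fail/softfail/neutral/none/permerror."""
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms to 10
        return "permerror"
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # multiple SPF records is a misconfiguration
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual, mech = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            # Version mismatch (v4 addr vs v6 network) simply does not match.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include" and evaluate_spf(arg, ip, depth + 1) == "pass":
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no explicit "all"


def dmarc_record(from_domain):
    """Tags of the DMARC record for the RFC5322.From domain, or None if absent."""
    for txt in lookup_txt("_dmarc." + from_domain):
        if txt.upper().startswith("V=DMARC1"):
            tags = {}
            for part in txt.split(";"):
                key, _, val = part.strip().partition("=")
                if key:
                    tags[key.strip().lower()] = val.strip().lower()
            return tags
    return None


def aligned(from_domain, auth_domain, mode="r"):
    """DMARC identifier alignment. Relaxed mode ('r') is approximated as one
    domain being a subdomain of the other (no public-suffix list, an assumption)."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if from_domain == auth_domain:
        return True
    return mode == "r" and (auth_domain.endswith("." + from_domain)
                            or from_domain.endswith("." + auth_domain))


def receiver_disposition(from_domain, mail_from_domain, ip, dkim_domain=None):
    """(spf_result, dmarc_result, disposition) for one message.

    dkim_domain is the d= of a DKIM signature that verified, or None.
    disposition is 'deliver', 'spam' (quarantine) or 'reject'.
    """
    spf = evaluate_spf(mail_from_domain, ip)
    policy = dmarc_record(from_domain)
    if policy is None:
        # No DMARC: the receiver has no instruction from the domain owner, so
        # an SPF failure by itself does not block the message. The spoof lands.
        return spf, "none", "deliver"
    spf_ok = spf == "pass" and aligned(from_domain, mail_from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return spf, "pass", "deliver"
    action = {"quarantine": "spam", "reject": "reject"}.get(policy.get("p", "none"), "deliver")
    return spf, "fail", action


def vrt_priority(domain):
    """Map a domain's posture to the categories above by simulating a spoof of
    the domain from an unauthorized IP (the mapping is an assumption)."""
    spf, _, disposition = receiver_disposition(domain, domain, ATTACKER_IP)
    policy = dmarc_record(domain)
    if disposition == "reject":
        return None  # spoof blocked, nothing to report
    if disposition == "spam":
        return "P5 Email Spoofing to Spam Folder"
    if spf == "none" and (policy is None or policy.get("p") == "none"):
        return "P3 No Spoofing Protection on Email Domain"
    return "P4 Email Spoofing to Inbox due to Missing or Misconfigured DMARC"


if __name__ == "__main__":
    for d in ("example.com", "weak.example", "bare.example", "open.example", "quarantined.example"):
        print(d, receiver_disposition(d, d, ATTACKER_IP), vrt_priority(d))
    # Attacker passes SPF on their own MAIL FROM domain but spoofs the From: header:
    print(receiver_disposition("example.com", "attacker.example", ATTACKER_IP))  # rejected by alignment
    print(receiver_disposition("bare.example", "attacker.example", ATTACKER_IP))  # no DMARC: delivered
```

Running it shows that weak.example (p=none) and bare.example (no DMARC) both deliver the spoof to the inbox even though their SPF records end in -all, which is exactly the P4 case; the last two lines show why SPF alone cannot be the control: against bare.example the attacker's message carries an SPF pass and still shows the victim's domain in From:.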
To see the updated version of our VRT, click here. This release will go live into the platform at 9AM Pacific Time on Tuesday, November 27th.