Last time it was reported to Microsoft, IIRC the individual got the response, "it's working as expected" as to the vulnerability that allows aligned SPF mail to be forwarded without SRS from any tenant.

Realistically, DMARC and BIMI are working as expected in this scenario. Email was (re)sent from an (at the time) authorized IP address with an aligned RFC5321.mailfrom header for ups.com. The fault lies partly with UPS for keeping the include for Exchange Online in their Hosted SPF macro (unnecessary because they don't send directly from O365), and partly with Microsoft for allowing and enabling this forwarding vulnerability to exist.

O365 customers can mitigate this by ensuring they sign DKIM and remove the O365 include where feasible (only possible if O365 is not a domain's last hop), or by signing DKIM and making the O365 include an SPF neutral disposition.

The former is the easiest and least impactful, assuming one meets that criterion; the latter is a dirty fix, but the current reality is that anyone using O365 who relies on their SPF include will be vulnerable to this until Microsoft fixes the root cause.

- Mark Alley
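The neutral-qualifier mitigation Mark describes, modelled with a small SPF term parser and a simplified evaluator. This is an added illustration, not code from the thread or from Microsoft; the example record, the `_spf.example.net` include and the `matching_includes` set are constructed.

```python
# Added example (not from the thread): downgrade the Exchange Online include to
# the '?' (neutral) qualifier and show what SPF result a match then produces.
O365_INCLUDE = "spf.protection.outlook.com"  # Exchange Online SPF include domain
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism) pairs, skipping modifiers."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:  # modifiers such as redirect= or exp= carry no qualifier
            continue
        qual = "+"  # RFC 7208: a mechanism without an explicit qualifier means '+'
        if term[0] in QUALIFIER_RESULT:
            qual, term = term[0], term[1:]
        parsed.append((qual, term))
    return parsed

def neutralize_o365_include(record):
    """Return the record with a '+' O365 include rewritten as '?include:' (neutral)."""
    out = ["v=spf1"]
    for qual, mech in parse_spf(record):
        if mech.lower() == f"include:{O365_INCLUDE}" and qual == "+":
            qual = "?"
        out.append(mech if qual == "+" else qual + mech)
    return " ".join(out)

def evaluate(record, matching_includes):
    """Simplified SPF check. `matching_includes` is a constructed set of include
    domains whose own policy would evaluate to 'pass' for the sending IP; the
    first matching mechanism's qualifier decides the result."""
    for qual, mech in parse_spf(record):
        if mech == "all":
            return QUALIFIER_RESULT[qual]
        if mech.lower().startswith("include:") and mech[8:].lower() in matching_includes:
            return QUALIFIER_RESULT[qual]
    return "neutral"  # no mechanism matched and no 'all' term (RFC 7208 section 4.7)

# Constructed example: a domain that sends through its own relay and also via O365.
WEAK = "v=spf1 include:_spf.example.net include:spf.protection.outlook.com -all"
HARDENED = neutralize_o365_include(WEAK)
```

A message relayed out of Microsoft's IP space that matches only the O365 include gets SPF pass on the weak record but neutral on the hardened one, so DMARC can then only pass via an aligned DKIM signature, which is why Mark pairs this fix with DKIM signing.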



On 6/5/2023 6:06 PM, Al Iverson via mailop wrote:
How long until Google, Yahoo, others stop accepting that forwarded
mail from Microsoft, is another way to frame that.

Good to see it getting some attention. I'll be curious to see who
addresses it and how.

Cheers,
Al Iverson

On Mon, Jun 5, 2023 at 3:01 PM Alex Liu via mailop <mailop@mailop.org> wrote:
Looks like the bad guys are exploiting Outlook's forwarding feature to bypass BIMI.

https://twitter.com/chrisplummer/status/1664075886545575941

We reported this issue in April:
https://www.sysnet.ucsd.edu/~voelker/pubs/forwarding-eurosp23.pdf

--
Regards,
Enze "Alex" Liu
PhD Student
Department of Computer Science and Engineering
e7...@eng.ucsd.edu
University of California, San Diego
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
