Last time it was reported to Microsoft, IIRC the individual got the
response, "it's working as expected" as to the vulnerability that allows
aligned SPF mail to be forwarded without SRS from any tenant.
Realistically, DMARC and BIMI are working as expected in this scenario.
Email was (re)sent from an (at the time) authorized IP address and an
aligned RFC5321.mailfrom header for ups.com. The fault lies partly with
UPS for keeping the include for Exchange Online in their Hosted SPF
macro (unnecessary because they don't send directly from O365), and
partly with Microsoft for allowing and enabling this forwarding
vulnerability to exist.
O365 customers can mitigate this by ensuring they sign DKIM and remove
the O365 include where feasible (only possible if O365 is not a domain's
last hop), or by signing DKIM and making the O365 include an SPF neutral
disposition.
The former is the easiest and least impactful, assuming one meets that
criterion; the latter is a dirty fix, but current reality is anyone
that uses O365 relying on their SPF include will be vulnerable to this
until Microsoft fixes the root cause.
- Mark Alley
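As an added example (not code from the thread or from Microsoft), a small offline SPF/DMARC evaluator that shows why the second mitigation above works: the forwarded message still leaves from an authorized Exchange Online address, but with a neutral-qualified include SPF returns "neutral" instead of "pass", so DMARC can only pass on an aligned DKIM signature. The zone data, the domain names and the `_spf.o365.example` include name are constructed stand-ins, not the real records.

```python
import ipaddress

# Constructed DNS zone. "weak.example" keeps the plain O365 include as in the
# UPS case; "hardened.example" applies the neutral qualifier Mark describes.
# "_spf.o365.example" is a placeholder for the Exchange Online include record.
ZONE = {
    "weak.example": "v=spf1 include:_spf.o365.example -all",
    "hardened.example": "v=spf1 ?include:_spf.o365.example -all",
    "_spf.o365.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, zone=ZONE):
    """Minimal SPF check supporting ip4, include (with qualifiers) and all."""
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            # An include "matches" only when the referenced record yields pass;
            # the enclosing term's qualifier then decides the result.
            if check_spf(term[8:], ip, zone) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no explicit "all"


def dmarc_result(spf_result, spf_domain, dkim_result, dkim_domain, from_domain):
    """DMARC passes when either SPF or DKIM passes AND aligns with RFC5322.From."""
    spf_aligned = spf_result == "pass" and spf_domain == from_domain
    dkim_aligned = dkim_result == "pass" and dkim_domain == from_domain
    return "pass" if spf_aligned or dkim_aligned else "fail"


if __name__ == "__main__":
    forwarder_ip = "203.0.113.10"  # constructed: inside the O365 include range
    for dom in ("weak.example", "hardened.example"):
        spf = check_spf(dom, forwarder_ip)
        print(dom, "SPF:", spf, "DMARC without DKIM:",
              dmarc_result(spf, dom, "none", None, dom))
```

With the weak record a message relayed through any O365 tenant gets SPF pass and therefore DMARC pass with no DKIM at all; with the hardened record the same relay yields SPF neutral, and DMARC passes only when the sending domain's own DKIM signature is present and aligned.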
On 6/5/2023 6:06 PM, Al Iverson via mailop wrote:
How long until Google, Yahoo, others stop accepting that forwarded
mail from Microsoft, is another way to frame that.
Good to see it getting some attention. I'll be curious to see who
addresses it and how.
Cheers,
Al Iverson
On Mon, Jun 5, 2023 at 3:01 PM Alex Liu via mailop <mailop@mailop.org> wrote:
Looks like the bad guys are exploiting Outlook's forwarding feature to bypass
BIMI.
https://twitter.com/chrisplummer/status/1664075886545575941
We reported this issue in April:
https://www.sysnet.ucsd.edu/~voelker/pubs/forwarding-eurosp23.pdf
--
Regards,
Enze "Alex" Liu
PhD Student
Department of Computer Science and Engineering
e7...@eng.ucsd.edu
University of California, San Diego
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop