In the vast landscape of online communication, mailing lists have been a staple for collaboration and information exchange. Google Groups, an evolution of traditional mailing lists, offers a platform where users can share messages, documents, and discussions. However, as the digital landscape evolves, so do the threats. Let’s delve into the history of mailing lists, the security vulnerabilities associated with Google Groups, and the compelling reasons for organizations to exercise caution when using them.
History of Mailing Lists and Google Groups
Mailing lists have a rich history dating back to the early days of the Internet, providing a structured means for group communication. Over time, Google Groups emerged as a popular platform, integrating email and web-based discussions seamlessly. However, with the conveniences came unforeseen security challenges.
Issues with Legitimate Emails and Mailing Lists
Legitimate emails sent from domains with enforced DMARC policies (p=quarantine or p=reject) were flagged as suspicious or blocked when routed through mailing lists. A list re-sends the message from its own servers (so SPF no longer aligns with the author's domain) and often alters it in transit (breaking the DKIM signature), so the enforcement mechanism intended to protect against phishing inadvertently categorized these genuine communications as potential threats.
To mitigate these challenges and ensure the uninterrupted functioning of mailing lists, providers, including Google Groups, implemented a crucial adjustment. When an email from a domain with an enforced DMARC policy reached a mailing list, the provider would rewrite the “From:” address. This rewriting process ensured that the email appeared to come from the mailing list itself, overcoming the DMARC policy constraints imposed by the sender’s domain.
The Security Hole: DMARC Exploitation
Targeting Google Group Addresses
Attackers turned the “From:” rewriting process to their advantage by specifically targeting groups configured so that anyone on the web could post to them. Because Google rewrites the “From:” address whenever the sender’s domain enforces a DMARC policy of p=quarantine or p=reject, a message from an attacker-controlled domain arrives looking as if it came from the group’s own address, and so passes the checks that would otherwise have flagged it.
The Exploit Unfolded
- Acquisition of a New Domain: Hackers acquire a new domain and enforce a DMARC policy of either quarantine or reject.
- Sending Spoofed Emails: Attackers send emails from their domain to Google Group addresses.
- Google’s Address Rewriting: Upon receipt, Google rewrites the “From:” address to match the domain of the Google Group recipient.
- Deceptive Reply-To Address: The Reply-To address reflects the original sender’s domain, i.e., the hacker’s email domain.
- Authentication Success: SPF and DKIM processes pass successfully for the Google Group address.
- BIMI Impact: In cases where the targeted domain has Brand Indicators for Message Identification (BIMI) in place, visual indicators are automatically displayed.
In the example below, we tested this loophole on our own domain to show the outcome.
1. We created a public Google Group address named [email protected]
2. We sent an email from a personal email ([email protected]) to [email protected]
Note: khatchoian.com has an enforced DMARC policy of p=reject
3. Upon email arrival, we saw how Google Groups rewrote the “From:” address to the Google Group address, additionally adding a display name
4. We saw how SPF and DKIM passed for the Google Group address domain, even though the email was sent by another person
5. We saw how BIMI was also showing, even though it was not sent by someone within EasyDMARC
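A defender-side check for the pattern described in the exploit steps and in our test above, added here as an example (not part of the original post or of Google’s code): it parses a message and flags a “From:” address on our own domain whose display name, Reply-To, or original-sender headers point elsewhere. The sample messages, domains and addresses are constructed placeholders, and the “Name via Group” display-name convention and the X-Original-From / X-Original-Sender header names are assumed to match what Google Groups adds when it rewrites the address.

```python
import email
from email.utils import parseaddr

# Constructed sample: what a group member receives after the list has rewritten
# From: for a sender whose domain enforces DMARC. The "via" display name and the
# X-Original-* headers are assumed Google Groups conventions; domains are fake.
SAMPLE_REWRITTEN = """\
From: Alice Example via Sales Team <sales@example-org.test>
Reply-To: alice@attacker-controlled.test
X-Original-From: alice@attacker-controlled.test
X-Original-Sender: alice@attacker-controlled.test
To: sales@example-org.test
Subject: Updated invoice

Please see the attached invoice.
"""

# Constructed sample: an ordinary internal message, which should not be flagged.
SAMPLE_INTERNAL = """\
From: Bob Example <bob@example-org.test>
To: sales@example-org.test
Subject: Weekly sync

Agenda attached.
"""


def domain_of(header_value):
    """Lower-cased domain part of the first address in a header, or ''."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def flags_for(raw_message, own_domain):
    """Return the reasons a message looks like an externally originated post
    whose From: was rewritten onto one of our own (group) addresses."""
    msg = email.message_from_string(raw_message)
    reasons = []
    from_header = msg.get("From", "")
    if domain_of(from_header) != own_domain:
        return reasons  # From: is not ours, so this is not the rewrite pattern
    display_name = parseaddr(from_header)[0]
    if " via " in display_name:
        reasons.append("display-name-via")
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != own_domain:
        reasons.append(f"reply-to-external:{reply_domain}")
    for header in ("X-Original-From", "X-Original-Sender"):
        original_domain = domain_of(msg.get(header, ""))
        if original_domain and original_domain != own_domain:
            reasons.append(f"{header.lower()}-external:{original_domain}")
    return reasons
```

A non-empty result means the message reached the group from outside the organization even though the visible sender is one of our own addresses, which is the condition under which the rewritten message can pass SPF, DKIM and BIMI.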
Why Organizations Should Exercise Caution with Google Groups
Public Mailing Lists and Security Implications
Maintaining a public mailing list where anyone can send an email poses inherent security risks. The exploit discussed reveals the potential for malicious actors to manipulate the communication channel, posing threats to organizational security.
Avoiding Critical Email Channels as Google Group Addresses
Organizations are strongly advised to refrain from using critical email channels, such as Sales, Support, Billing, or any other important communication channels as Google Group addresses. This proactive measure mitigates the risk of exploitation and safeguards crucial communication channels from malicious activities.
Conclusion
It’s important for organizations to grasp the background of mailing lists and be aware of the security risks linked to platforms such as Google Groups as they navigate the intricate realm of online communication. Taking careful steps, enforcing strict access controls, and avoiding the exposure of vital email channels can help organizations strengthen their defenses against ever-changing cyber threats.