How did the UPS SPF scam work and what vulnerabilities did it exploit?

Summary

The UPS SPF scam was a multi-faceted attack that exploited weaknesses across several email authentication protocols. The core issue was UPS's overly permissive SPF record, which allowed Microsoft 365 users to send email appearing to originate from @ups.com. This was compounded by Microsoft's failure to adequately verify domain ownership and prevent abuse. Gmail's display of BIMI logos based solely on SPF passing provided a false sense of security, while relaxed DMARC alignment settings (or misconfiguration of DMARC alignment) allowed spoofed emails to pass DMARC validation. The return path configuration, using a Microsoft IP covered by UPS's SPF record, further contributed to the success of the scam. The incident highlighted a known flaw in DMARC's reliance on SPF alignment, and the UPS security lapse happened despite repeated warnings about DMARC vulnerabilities. Fixes were swiftly implemented by both Gmail and UPS. Poorly implemented SPF records create easily abused mechanisms and should be avoided; DMARC relies on correct SPF and DKIM setup to be effective, otherwise spoofing can happen.

Key findings

  • Overly Permissive SPF: UPS's overly permissive SPF record was the primary vulnerability, allowing unauthorized email sending.
  • Microsoft's Role: Microsoft's failure to prevent abuse and verify domain ownership was a contributing factor.
  • BIMI Misleading Display: Gmail's display of BIMI logos based solely on SPF passing provided a false sense of security.
  • DMARC Bypass: The scam bypassed DMARC due to misconfiguration of DMARC alignment and the handling of return paths.
  • Ignored Warnings: Repeated warnings about DMARC vulnerabilities were ignored.
  • Rapid Remediation: Gmail and UPS quickly implemented fixes to address the exploit.

Key considerations

  • SPF Hardening: Implement restrictive SPF records to limit who can send email on behalf of your domain.
  • Domain Verification: Platforms must enforce strict domain ownership verification to prevent abuse.
  • Robust DMARC Configuration: Properly configure DMARC to ensure SPF and DKIM are working correctly and alignment is enforced.
  • Vendor Security Assessment: Assess the security practices of vendors allowed to send email on your behalf.
  • DMARC Alertness: Pay attention to warnings and best practices regarding potential security vulnerabilities in email authentication.
  • SPF/DKIM Maintenance: Maintain and regularly review SPF and DKIM records to ensure they accurately reflect authorized sending sources.

What email marketers say
9 Marketer opinions

The UPS SPF scam worked by exploiting a combination of factors: UPS had an overly permissive SPF record, allowing Microsoft 365 users to send emails appearing to be from @ups.com. Gmail displayed BIMI logos even when only SPF passed, which gave the spoofed emails a veneer of legitimacy. This, combined with relaxed DMARC settings, allowed phishers to send authenticated emails impersonating UPS. Subsequently, both Gmail and UPS implemented fixes to address the vulnerability.

Key opinions

  • Permissive SPF: UPS's overly permissive SPF record was a primary vulnerability.
  • Microsoft 365 Abuse: The vulnerability allowed Microsoft 365 users to send email as @ups.com.
  • BIMI Display: Gmail's display of BIMI logos based solely on SPF passing contributed to the perceived legitimacy.
  • DMARC Weakness: Relaxed DMARC settings, or a misunderstanding of how they function with SPF, allowed the scam to succeed.
  • Swift Fixes: Both Gmail and UPS quickly implemented fixes to close the exploit.

Key considerations

  • SPF Record Management: Careful management and restriction of SPF records are crucial to prevent unauthorized email sending.
  • DMARC Implementation: A robust DMARC implementation, which correctly leverages both SPF and DKIM, is essential.
  • BIMI Implications: Reliance on SPF alone for BIMI display can be risky and should be carefully considered.
  • Email Authentication: Ensure email authentication methods are strong and properly configured to mitigate spoofing risks.
  • Vendor Security: It's vital to ensure that any vendor or service allowed to send emails on your behalf is also employing stringent security measures.

Marketer view

Email marketer from LinkedIn explains how the UPS spoofing vulnerability worked: It involved a combination of factors, including Microsoft 365 users being able to send as @ups.com, UPS having a very open SPF record, and Gmail displaying BIMI logos even when only SPF passes. This allowed phishers to send authenticated emails impersonating UPS.

June 2024 - LinkedIn
Marketer view

Email marketer from Twitter shares how Gmail rolled out a fix for the BIMI exploit where phishers were able to spoof emails.

September 2021 - Twitter
Marketer view

Email marketer from scmagazine.com shares how Gmail has rolled out a fix.

February 2022 - scmagazine.com
Marketer view

Email marketer from Email Marketing Forum discusses that the UPS incident highlights a flaw in BIMI's reliance on DMARC when SPF is the only validating factor. It emphasizes the need for stronger authentication methods.

June 2022 - Email Marketing Forum
Marketer view

Marketer from Email Geeks explains the UPS spoofing was successful due to the alignment of a BIMI record, an overly broad SPF record, and an email relay. He also said that UPS allowed anyone on Microsoft365 to send mail on their behalf.

November 2023 - Email Geeks
Marketer view

Email marketer from Email Marketing Forum talks about it being crucial to understand that DMARC relies on SPF and DKIM. An overly permissive SPF record, such as UPS had, undermines the whole DMARC security.

December 2022 - Email Marketing Forum
Marketer view

Email marketer from Reddit discusses that the underlying issue was UPS's overly permissive SPF record, which allowed Microsoft 365 servers to send email on their behalf. Combined with relaxed DMARC settings, this enabled the spoofing.

September 2022 - Reddit
Marketer view

Email marketer from StackOverflow explains the core vulnerability was UPS failing to restrict who could send email on their behalf via SPF. The domain had an overly broad SPF record, and Microsoft servers were relaying the mail.

November 2023 - StackOverflow
Marketer view

Email marketer from Twitter explains the BIMI exploit where phishers were able to spoof emails.

June 2022 - Twitter

What the experts say
6 Expert opinions

The UPS SPF scam worked by exploiting several vulnerabilities. Microsoft's failure to prevent customers from using domains they don't own was a key enabler. UPS had an overly broad SPF record. This, combined with relaxed DMARC settings and how the return path was configured (using a Microsoft IP covered by UPS's SPF record), allowed spoofed emails to pass DMARC validation. Experts had warned about this DMARC hole for a while, but their warnings were ignored. Poorly implemented SPF records are a significant risk, and DMARC relies on proper SPF and DKIM setup; otherwise, it can fail to prevent spoofing. Experts also noted it was lucky the attack was not worse.
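The relaxed-alignment path described above, as an added example that is not code from the page or from any vendor it names: a small Python model of DMARC identifier alignment evaluates a constructed message with a ups.com return path (SPF passing via an authorized relay) and a bogus subdomain in the header From, once under the default relaxed SPF alignment and once under strict alignment. The subdomain, the policy strings and the two-label organizational-domain rule are assumptions.

```python
# Added example, not code from the original page or from any vendor named in it.
# Minimal model of RFC 7489 identifier alignment: a message whose return path is
# at ups.com and whose SPF check passes (relayed through an IP listed in the
# ups.com SPF record) but whose header From is on an unrelated subdomain passes
# DMARC under relaxed SPF alignment (aspf=r, the default) and fails under strict
# alignment (aspf=s). Domains and policy values below are constructed.

def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s' into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    # Simplified organizational domain: the last two labels. Real verifiers use
    # the Public Suffix List; assumption here is no multi-label public suffix.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') only needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(msg, policy):
    """DMARC passes if SPF or DKIM passes AND that identifier aligns with the From domain."""
    spf_ok = msg["spf"] == "pass" and aligned(msg["mail_from"], msg["from"], policy.get("aspf", "r"))
    dkim_ok = (msg["dkim"] == "pass" and msg.get("dkim_d") is not None
               and aligned(msg["dkim_d"], msg["from"], policy.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "spf" if spf_ok else "dkim"
    return "fail", policy.get("p", "none")  # disposition the receiver should apply

# Constructed message modelled on the incident: envelope sender at ups.com, SPF
# passing because the relay IP is in the ups.com record, bogus subdomain in the
# header From, and no DKIM signature from the impersonated domain.
SPOOF = {"from": "bogus-subdomain.ups.com", "mail_from": "ups.com", "spf": "pass",
         "dkim": "none", "dkim_d": None}

def evaluate_spoof(record):
    """Evaluate the constructed spoof against a given DMARC record string."""
    return dmarc_result(SPOOF, parse_dmarc(record))

if __name__ == "__main__":
    for rec in ("v=DMARC1; p=reject", "v=DMARC1; p=reject; aspf=s"):
        print(rec, "->", evaluate_spoof(rec))
```

With the default relaxed mode the spoof passes on the SPF identifier alone; setting aspf=s (or signing with DKIM from the exact From domain and relying on that) removes that path.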

Key opinions

  • Microsoft's Role: Microsoft's allowing customers to use domains they don't own contributed to the scam.
  • Overly Broad SPF: UPS's overly broad SPF record was a key vulnerability.
  • DMARC Bypass: The scam bypassed DMARC due to the configuration of the return path and relaxed DMARC settings.
  • Ignored Warnings: Warnings about the DMARC vulnerability were ignored.
  • SPF Implementation: Poor SPF implementation creates vulnerabilities.
  • DMARC Reliance: DMARC relies on proper SPF and DKIM; otherwise, it can fail.

Key considerations

  • Domain Ownership Verification: Platforms need to verify domain ownership to prevent abuse.
  • Restrictive SPF Records: Use restrictive SPF records to limit who can send email on behalf of your domain.
  • DMARC Configuration: Properly configure DMARC to ensure SPF and DKIM are working correctly.
  • Heed Warnings: Pay attention to warnings about potential security vulnerabilities.
  • SPF/DKIM Maintenance: Maintain and regularly review SPF and DKIM records.

Expert view

Expert from Email Geeks explains that the return path was something@ups.com, forwarded via an MS IP covered by the ups.com SPF record, which under relaxed alignment aligned with the bogus subdomain in the 822.From, making the DMARC valid.

August 2022 - Email Geeks
Expert view

Expert from Email Geeks explains that Microsoft is at fault for allowing customers to use domains that don’t belong to them, enabling the spoofing of emails like those from UPS. They have a responsibility to prevent their customers from using domains that don’t belong to them.

June 2024 - Email Geeks
Expert view

Expert from Email Geeks responds to the discussion regarding the UPS issue, noting that many warnings about the glaring hole in DMARC have been repeatedly ignored.

April 2021 - Email Geeks
Expert view

Expert from Word to the Wise explains that DMARC relies on proper SPF and DKIM setup. If the SPF record is too open or relaxed (as in the UPS case) it can lead to DMARC passing even when it shouldn't, thus enabling spoofing.

December 2024 - Word to the Wise
Expert view

Expert from Email Geeks shares that the UPS situation doesn't significantly affect Google's intended behavior, and suggests SPF will become less relevant compared to DKIM. Also mentions the attack was "lucky" and could have been much worse.

June 2021 - Email Geeks
Expert view

Expert from Spamresource.com explains that poorly implemented SPF records can create vulnerabilities if they are overly broad or include mechanisms that are easily abused. The UPS incident serves as an example of this, where a loose SPF record allowed a vulnerability to be exploited.

July 2021 - Spamresource.com

What the documentation says
4 Technical articles

The UPS SPF scam exploited vulnerabilities in email authentication protocols. While strong authentication aims to identify and stop spam and build trust, it was bypassed. The key issue was that DMARC checks were passing despite the spoofing. DMARC builds upon SPF and DKIM, but its effectiveness hinges on proper implementation. An overly broad SPF record at UPS allowed unauthorized servers to send emails as if they were from UPS. A narrower SPF record would have prevented the hack. The incident highlights a flaw in how DMARC is deployed when SPF alignment is too relaxed (the alignment modes are defined in IETF RFC 7489).

Key findings

  • Bypass of Strong Auth: Email authentication, designed to stop spam, was bypassed.
  • DMARC Passing: DMARC checks passed despite the spoofed emails.
  • Broad SPF Vulnerability: An overly broad SPF record at UPS was a key vulnerability.
  • DMARC Implementation Flaw: The incident exposed a flaw in how DMARC is implemented with relaxed SPF alignment.

Key considerations

  • Robust DMARC: Configure DMARC robustly, with alignment enforced rather than left at the relaxed default.
  • Email Security: Enforce strong email authentication end to end.
  • Targeted SPF: Scope the SPF record to the specific servers that actually send email for the domain.

Technical article

Documentation from Google explains that strong email authentication helps users and email security systems identify and stop spam, and also enables senders to leverage their brand trust; however, this was exploited by phishers.

July 2022 - Google
Technical article

Documentation from IETF RFC 7489 specifies how DMARC is intended to work. The UPS incident shows a flaw in how DMARC is implemented when SPF alignment is too relaxed.

May 2023 - IETF
Technical article

Documentation from DMARC.org explains that DMARC builds on the existing SPF and DKIM protocols to add a layer of security and trust to email communication. The key issue with the UPS attack is that the DMARC checks were still passing.

January 2024 - DMARC.org
Technical article

Documentation from Microsoft explains that SPF records can be created to specify the mail servers authorized to send email on behalf of your domain. If UPS had a narrower SPF record, this would have prevented the hack.

July 2023 - Microsoft