How did the UPS SPF scam work and what vulnerabilities did it exploit?
Summary
What email marketers say (9 marketer opinions)
Email marketer from LinkedIn explains how the UPS spoofing vulnerability worked: It involved a combination of factors, including Microsoft 365 users being able to send as @ups.com, UPS having a very open SPF record, and Gmail displaying BIMI logos even when only SPF passes. This allowed phishers to send authenticated emails impersonating UPS.
Email marketer from Twitter shares how Gmail rolled out a fix for the BIMI exploit where phishers were able to spoof emails.
Email marketer from scmagazine.com shares how Gmail has rolled out a fix.
Email marketer from Email Marketing Forum discusses that the UPS incident highlights a flaw in BIMI's reliance on DMARC when SPF is the only validating factor. It emphasizes the need for stronger authentication methods.
Marketer from Email Geeks explains the UPS spoofing was successful due to the alignment of a BIMI record, an overly broad SPF record, and an email relay. He also said that UPS allowed anyone on Microsoft 365 to send mail on their behalf.
Email marketer from Email Marketing Forum talks about it being crucial to understand that DMARC relies on SPF and DKIM. An overly permissive SPF record, such as UPS had, undermines the whole DMARC security.
Email marketer from Reddit discusses that the underlying issue was UPS's overly permissive SPF record, which allowed Microsoft 365 servers to send email on their behalf. Combined with relaxed DMARC settings, this enabled the spoofing.
Email marketer from StackOverflow explains the core vulnerability was UPS failing to restrict who could send email on their behalf via SPF. The domain had an overly broad SPF record, and Microsoft servers were relaying the mail.
Email marketer from Twitter explains the BIMI exploit where phishers were able to spoof emails.
What the experts say (6 expert opinions)
Expert from Email Geeks explains that the return path was something@ups.com, forwarded via an MS IP covered by the ups.com SPF record, which aligned (under relaxed alignment) with the bogus subdomain in the 822.From, making the DMARC valid.
Expert from Email Geeks explains that Microsoft is at fault for allowing customers to use domains that don’t belong to them, enabling the spoofing of emails like those from UPS. They have a responsibility to prevent their customers from using domains that don’t belong to them.
Expert from Email Geeks responds to the discussion regarding the UPS issue, noting that many warnings about the glaring hole in DMARC have been repeatedly ignored.
Expert from Word to the Wise explains that DMARC relies on proper SPF and DKIM setup. If the SPF record is too open or relaxed (as in the UPS case) it can lead to DMARC passing even when it shouldn't, thus enabling spoofing.
Expert from Email Geeks shares that the UPS situation doesn't significantly affect Google's intended behavior, and suggests SPF will become less relevant compared to DKIM. Also mentions the attack was "lucky" and could have been much worse.
Expert from Spamresource.com explains that poorly implemented SPF records can create vulnerabilities if they are overly broad or include mechanisms that are easily abused. The UPS incident serves as an example of this, where a loose SPF record allowed a vulnerability to be exploited.
What the documentation says (4 technical articles)
Documentation from Google explains that strong email authentication helps users and email security systems identify and stop spam, and also enables senders to leverage their brand trust; however, this was exploited by phishers.
Documentation from IETF RFC 7489 specifies how DMARC is intended to work. The UPS incident shows a flaw in how DMARC is implemented when SPF alignment is too relaxed.
Documentation from DMARC.org explains that DMARC builds on the existing SPF and DKIM protocols to add a layer of security and trust to email communication. The key issue with the UPS attack is that the DMARC checks were still passing.
Documentation from Microsoft explains that SPF records can be created to specify the mail servers authorized to send email on behalf of your domain. If UPS had a narrower SPF record, this would have prevented the hack.
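The following is an added worked example, not code from any of the sources quoted above, that makes the two failure conditions concrete: the relaxed-alignment path the Email Geeks expert describes (return path at the organizational domain, relayed through a shared IP range covered by a broad SPF include, From header on a bogus subdomain) and the narrower SPF record the Microsoft documentation note points to. All domain names, IP ranges and DNS records here are constructed placeholders (brand.example, _spf.tenant-host.example, 192.0.2.0/24, 198.51.100.0/24), not UPS's or Microsoft's real records, and the SPF/DMARC evaluator is a deliberately minimal reimplementation (ip4, include and all mechanisms only; organizational domain taken as the last two labels instead of the Public Suffix List).

```python
import ipaddress

# Constructed DNS zone (placeholder records, not any real domain's).
# brand.example includes a shared multi-tenant relay range in its SPF and uses
# relaxed SPF alignment (aspf=r), which is the combination the incident hinged on.
DNS_TXT = {
    "brand.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.tenant-host.example -all",
    "_spf.tenant-host.example": "v=spf1 ip4:198.51.100.0/24 -all",  # shared relay
    "_dmarc.brand.example": "v=DMARC1; p=reject; aspf=r",
    # Mitigation 1: same broad SPF, but strict SPF alignment (aspf=s).
    "brand-strict.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.tenant-host.example -all",
    "_dmarc.brand-strict.example": "v=DMARC1; p=reject; aspf=s",
    # Mitigation 2: narrower SPF that does not include the shared relay at all.
    "brand-narrow.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_dmarc.brand-narrow.example": "v=DMARC1; p=reject; aspf=r",
}

QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def org_domain(domain):
    # Simplified organizational domain: last two labels (real DMARC uses the PSL).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def spf_check(domain, ip, depth=0):
    """Minimal SPF evaluation of `ip` against `domain`'s record (ip4/include/all only)."""
    if depth > 10:
        return "permerror"  # RFC 7208 lookup limit guard
    rec = DNS_TXT.get(domain)
    if rec is None or not rec.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUAL[qual]
        elif term.startswith("include:"):
            # include: matches only if the referenced domain's check passes
            if spf_check(term[len("include:"):], ip, depth + 1) == "pass":
                return QUAL[qual]
        elif term == "all":
            return QUAL[qual]
    return "neutral"


def dmarc_policy(from_domain):
    """Fetch the DMARC record for the From domain, falling back to its org domain."""
    rec = DNS_TXT.get(f"_dmarc.{from_domain}") or DNS_TXT.get(f"_dmarc.{org_domain(from_domain)}")
    tags = {"p": "none", "aspf": "r", "adkim": "r"}  # RFC 7489 defaults
    if rec:
        for kv in rec.split(";"):
            if "=" in kv:
                k, v = kv.strip().split("=", 1)
                tags[k.strip()] = v.strip()
    return tags


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict requires an exact match, relaxed only the org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(from_domain, return_path_domain, client_ip, dkim_domain=None):
    """Return (dmarc_result, applied_policy). dkim_domain is the d= of an already
    verified DKIM signature, or None when no valid signature is present."""
    policy = dmarc_policy(from_domain)
    spf_pass = spf_check(return_path_domain, client_ip) == "pass"
    spf_aligned = spf_pass and aligned(return_path_domain, from_domain, policy["aspf"])
    dkim_aligned = dkim_domain is not None and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", policy["p"]


if __name__ == "__main__":
    relay_ip = "198.51.100.7"  # constructed: an address inside the shared relay range
    # Relaxed alignment + broad include: bogus subdomain in From still passes DMARC.
    print(dmarc_evaluate("bogus.brand.example", "brand.example", relay_ip))
    # Strict SPF alignment: same relay, same SPF pass, but alignment now fails.
    print(dmarc_evaluate("bogus.brand-strict.example", "brand-strict.example", relay_ip))
    # Narrow SPF: the relay IP is not authorized at all, so SPF fails outright.
    print(dmarc_evaluate("bogus.brand-narrow.example", "brand-narrow.example", relay_ip))
    # Legitimate mail from the brand's own range still passes in every configuration.
    print(dmarc_evaluate("brand.example", "brand.example", "192.0.2.10"))
```

The first call is the shape of the incident: SPF passes for the return-path domain because the shared relay's range is reachable through the include, and relaxed alignment accepts any subdomain in the From header, so DMARC passes with no DKIM signature at all. The second and third calls show the two independent fixes a domain owner controls. Strict alignment (`aspf=s`) also rejects legitimate subdomain senders whose bounces use the organizational domain, so it needs coordination with those senders; narrowing the SPF record to address ranges the organization actually controls avoids that trade-off but requires auditing every include.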