During a red team assessment I was checking the SPF record of the target and noticed that it included the SPF records of third-party companies (through include: mechanisms). This means that mail originating from those third parties' mail servers with a sender address at the target's domain will pass the SPF check and be accepted as legitimate mail. These companies provide a web interface for sending mail, so I got the idea to check whether I could use the same third-party service to send spoofed mail on behalf of the target. To my surprise, one of the third-party services, Flexmail, did not verify whether I owned the domain or the sending mail address, which made it trivial to send spoofed mail via the web interface.
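The trust relationship described above can be made visible by walking a domain's SPF record and listing every include: and redirect= target, i.e. every other organisation whose servers are allowed to send as the domain. The following is an added example written for this write-up, not code from the author or from Flexmail. The domain names and TXT records are constructed placeholders, DNS is replaced by an in-memory dict so the walk runs offline, and "third party" is a heuristic (any trusted name outside the audited zone); pass a real TXT lookup as `lookup` to audit a live domain.

```python
"""Walk a domain's SPF record and list who it trusts to send mail as that domain.

Added example for this write-up, not the author's or Flexmail's code. DNS is
replaced by the constructed FAKE_TXT dict so the walk runs offline; pass a real
TXT lookup (e.g. built on dnspython) as `lookup` to audit a live domain.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Lookup = Callable[[str], List[str]]

# Constructed TXT records standing in for DNS. The names are placeholders, not
# the target or vendor from the write-up.
FAKE_TXT: Dict[str, List[str]] = {
    "example.com": [
        "v=spf1 mx ip4:203.0.113.0/24 include:_spf.mailvendor.example "
        "include:spf.crm.example -all"
    ],
    "_spf.mailvendor.example": [
        "v=spf1 ip4:198.51.100.0/24 include:_spf2.mailvendor.example ~all"
    ],
    "_spf2.mailvendor.example": ["v=spf1 ip6:2001:db8::/32 -all"],
    "spf.crm.example": ["v=spf1 a:outbound.crm.example -all"],
}


def fake_lookup(name: str) -> List[str]:
    return FAKE_TXT.get(name.lower().rstrip("."), [])


# Terms that cost a DNS query at evaluation time; RFC 7208 allows at most ten
# of these per check, otherwise the receiver returns permerror.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}


@dataclass
class SpfAudit:
    domain: str
    trusted: List[str] = field(default_factory=list)      # include:/redirect= targets, walk order
    third_party: List[str] = field(default_factory=list)  # trusted names outside the audited zone
    ip4: List[str] = field(default_factory=list)
    ip6: List[str] = field(default_factory=list)
    missing: List[str] = field(default_factory=list)      # targets with no usable SPF record
    lookups: int = 0


def fetch_spf(name: str, lookup: Lookup) -> Optional[str]:
    """Return the single v=spf1 TXT record for name, or None (zero or several is a permerror)."""
    spf = [r for r in lookup(name) if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return spf[0] if len(spf) == 1 else None


def audit_spf(domain: str, lookup: Lookup = fake_lookup) -> SpfAudit:
    audit = SpfAudit(domain=domain.lower().rstrip("."))
    seen = set()

    def walk(name: str) -> None:
        if name in seen:            # an include: loop would otherwise recurse forever
            return
        seen.add(name)
        record = fetch_spf(name, lookup)
        if record is None:
            audit.missing.append(name)
            return
        for term in record.split()[1:]:
            term = term.lstrip("+-~?")                           # qualifier does not change who is trusted
            sep = "=" if "=" in term.split(":", 1)[0] else ":"   # modifiers use '=', mechanisms ':'
            mech, _, value = term.partition(sep)
            mech = mech.split("/", 1)[0].lower()                 # drop a CIDR suffix on bare a/mx
            value = value.lower().rstrip(".")
            if mech in LOOKUP_MECHS:
                audit.lookups += 1
            if mech == "ip4":
                audit.ip4.append(value)
            elif mech == "ip6":
                audit.ip6.append(value)
            elif mech in ("include", "redirect"):
                audit.trusted.append(value)
                in_zone = value == audit.domain or value.endswith("." + audit.domain)
                if not in_zone:
                    audit.third_party.append(value)
                walk(value)

    walk(audit.domain)
    return audit


if __name__ == "__main__":
    result = audit_spf("example.com")
    print(f"{result.domain}: {result.lookups} DNS-querying terms")
    for name in result.third_party:
        print("  third party may send as this domain:", name)
    for name in result.missing:
        print("  include target without SPF record (permerror):", name)
```

Each name in `third_party` is a provider whose own customer verification is now the only thing standing between an attacker and a message that passes the domain's SPF check, which is exactly the situation the write-up describes.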
How to do it:
- Go to the Flexmail website
- Start the free 30-day trial by registering with a disposable mail address
- Create a list of recipients
- Create your phishing mail in the online web interface
- Start a new campaign and select a mail address at your target's domain as the sending address
- Send to the targets
To fix this issue, the third-party service should verify that the user owns the domain or the sending mail address. Other marketing and mass-mailing services do this by sending a verification mail to the chosen sending address, which only the real mailbox owner can act on. Another option is to prove ownership of the domain via a temporary DNS TXT record containing a provider-issued token. Also, before selecting a third-party service to send mail and including its mail servers in your SPF record, perform a risk assessment and check that the third-party service has the necessary security controls in place: every include: in your SPF record extends the set of servers that may send as your domain to whatever that provider's own customer verification allows.
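The two verification options named above, a confirmation mail to the sending address and a temporary DNS TXT record for the domain, can both be implemented without the provider storing anything per challenge. The following is an added example written for this write-up, not Flexmail's or the author's code. The record label `_mailvendor-verify`, the server secret and the account ids are constructed, and DNS is an injected lookup function so it runs offline.

```python
"""Two ownership checks a mailing provider can require before letting a customer
send as a given address: a DNS TXT challenge for a whole domain, and a signed,
expiring token mailed to one sending address.

Added example for this write-up, not Flexmail's or the author's code. The record
label, secret and account ids are constructed; DNS is an injected lookup
function so it runs offline. Both checks derive their values with an HMAC over
(account, identity), so the provider needs no per-challenge storage.
"""
import hashlib
import hmac
import time
from typing import Callable, Dict, List, Optional

SERVER_SECRET = b"constructed-demo-secret-use-32-random-bytes"  # provider-side, never sent out
VERIFY_LABEL = "_mailvendor-verify"   # hypothetical label for the challenge TXT record
TOKEN_TTL = 24 * 3600                 # confirmation links expire after a day

Lookup = Callable[[str], List[str]]


def _mac(*parts: str) -> str:
    # A unit separator between fields keeps field boundaries unambiguous in the MAC input.
    return hmac.new(SERVER_SECRET, "\x1f".join(parts).encode(), hashlib.sha256).hexdigest()


# --- domain ownership: the customer publishes a TXT record the provider checks ---

def domain_challenge(account_id: str, domain: str) -> Dict[str, str]:
    """Record the customer must publish. Binding the account id in means a value
    copied from someone else's zone does not verify for a different account."""
    domain = domain.lower().rstrip(".")
    return {"name": f"{VERIFY_LABEL}.{domain}", "value": _mac("dns", account_id, domain)}


def domain_verified(account_id: str, domain: str, lookup: Lookup) -> bool:
    chal = domain_challenge(account_id, domain)
    expected = chal["value"].encode()
    return any(hmac.compare_digest(rec.strip().encode(), expected) for rec in lookup(chal["name"]))


# --- address ownership: a token mailed only to the address, presented back via a link ---

def address_token(account_id: str, address: str, now: Optional[int] = None) -> str:
    """Token to embed in the confirmation mail sent to `address` and nowhere else."""
    exp = (int(time.time()) if now is None else now) + TOKEN_TTL
    return f"{exp}.{_mac('mail', account_id, address.lower(), str(exp))}"


def address_verified(account_id: str, address: str, token: str, now: Optional[int] = None) -> bool:
    try:
        exp_str, mac = token.split(".", 1)
        exp = int(exp_str)
    except ValueError:
        return False
    if (int(time.time()) if now is None else now) > exp:
        return False
    expected = _mac("mail", account_id, address.lower(), exp_str)
    return hmac.compare_digest(mac.encode(), expected.encode())


if __name__ == "__main__":
    zone: Dict[str, List[str]] = {}            # constructed stand-in for the customer's DNS zone
    chal = domain_challenge("acct-42", "example.com")
    print("publish TXT", chal["name"], "=", chal["value"])
    print("before publishing:", domain_verified("acct-42", "example.com", lambda n: zone.get(n, [])))
    zone[chal["name"]] = [chal["value"]]
    print("after publishing: ", domain_verified("acct-42", "example.com", lambda n: zone.get(n, [])))
    tok = address_token("acct-42", "ceo@example.com")
    print("mailed token verifies:", address_verified("acct-42", "ceo@example.com", tok))
    print("same token, other account:", address_verified("acct-99", "ceo@example.com", tok))
```

The address token is only useful to whoever can read the mailbox it was sent to, and the TXT value is only publishable by whoever controls the zone; in both cases the account id is part of the MAC input, so a challenge observed for one customer cannot be replayed by another. A provider should also re-check the TXT record periodically, since a record that is later removed should revoke the right to send as that domain.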
8 April 2018: Reported the vulnerability to Flexmail
28 June 2018: Asked Flexmail for an update on the fix
27 September 2018: Vulnerability still present