Security Experts:

Connect with us

Hi, what are you looking for?



BEC Scammers Exploit Flaw to Spoof Domains of Rackspace Customers

A threat actor specializing in business email compromise (BEC) attacks has been observed exploiting a vulnerability to spoof the domains of Rackspace customers as part of its operations.

A threat actor specializing in business email compromise (BEC) attacks has been observed exploiting a vulnerability to spoof the domains of Rackspace customers as part of its operations.

UK-based cybersecurity company 7 Elements identified the vulnerability while conducting incident response activities for a customer. An analysis of the attack revealed that the hackers had sent out phishing emails by leveraging a flaw related to how Rackspace SMTP servers hosted at authorize users.

The cybersecurity firm has shared few details about the threat group exploiting the vulnerability, but it told SecurityWeek that the cybercriminals focus on BEC attacks aimed at Office 365 users.

According to 7 Elements, the vulnerability allows an attacker who can authenticate to one Rackspace customer’s account to send out emails on behalf of any other customer that uses Rackspace’s hosted email services.

7 Elements researchers determined that an attacker could have sent out emails on behalf of government organizations (including in the US and UK), IT companies, news outlets, and high-profile individuals. They noted that the attack, which they dubbed “SMTP Multipass,” allows cybercriminals to bypass email filters and pass SPF email authentication controls.

SPF allows a mail server to check if an email coming from a specific domain is submitted by an IP authorized by that domain’s admins. The authorized hosts and IP addresses for a domain are published in its DNS records. In the case of SMTP Multipass attacks, there are two major issues.

“The first is the vulnerability within the Rackspace hosted email service that allows an authenticated user of the platform to send emails as any domain (including those that also use the service),” 7 Elements explained. “The second is in how DNS entries configured by legitimate customers of Rackspace specifically authorised the affected Rackspace SMTP servers ( for the purpose of sending emails on behalf of that domain. So, any email coming from that IP on behalf of that domain is de facto authorised.”

7 Elements said it reported its findings to Rackspace in August. The vendor notified customers in late October and a fix is expected to be rolled out starting Thursday, November 5. The cloud solutions giant has not responded to an email from SecurityWeek requesting additional information on the vulnerability and the patch.

According to 7 Elements, Rackspace already knew about the vulnerability back in August after being notified by a third party. The UK-based cybersecurity firm says it doesn’t know who else reported the issue to Rackspace, but believes it to be an individual.

“Our investigation showed that this vulnerability was being actively exploited by at least one malicious actor to spoof emails, there’s obviously some serious questions to be answered by Rackspace if it was aware of this vulnerability and its exploitation resulted in reputational or financial loss for a business,” said John Moss, senior security consultant at 7 Elements.

Related: Email Attacks Using Cloud Services are Increasing

Related: Threat From Spoofed Emails Grows, While DMARC Implementation Lags

Related: Google Patches Email Spoofing Vulnerability After Public Disclosure

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.