A threat actor specializing in business email compromise (BEC) attacks has been observed exploiting a vulnerability to spoof the domains of Rackspace customers as part of its operations.
UK-based cybersecurity company 7 Elements identified the vulnerability while conducting incident response activities for a customer. An analysis of the attack revealed that the hackers had sent out phishing emails by leveraging a flaw related to how Rackspace SMTP servers hosted at emailsrvr.com authorize users.
The cybersecurity firm has shared few details about the threat group exploiting the vulnerability, but it told SecurityWeek that the cybercriminals focus on BEC attacks aimed at Office 365 users.
According to 7 Elements, the vulnerability allows an attacker who can authenticate to one Rackspace customer’s account to send out emails on behalf of any other customer that uses Rackspace’s hosted email services.
7 Elements researchers determined that an attacker could have sent out emails on behalf of government organizations (including in the US and UK), IT companies, news outlets, and high-profile individuals. They noted that the attack, which they dubbed “SMTP Multipass,” allows cybercriminals to bypass email filters and pass SPF email authentication controls.
SPF allows a mail server to check if an email coming from a specific domain is submitted by an IP authorized by that domain’s admins. The authorized hosts and IP addresses for a domain are published in its DNS records. In the case of SMTP Multipass attacks, there are two major issues.
“The first is the vulnerability within the Rackspace hosted email service that allows an authenticated user of the platform to send emails as any domain (including those that also use the service),” 7 Elements explained. “The second is in how DNS entries configured by legitimate customers of Rackspace specifically authorised the affected Rackspace SMTP servers (emailsrvr.com) for the purpose of sending emails on behalf of that domain. So, any email coming from that IP on behalf of that domain is de facto authorised.”
7 Elements said it reported its findings to Rackspace in August. The vendor notified customers in late October and a fix is expected to be rolled out starting Thursday, November 5. The cloud solutions giant has not responded to an email from SecurityWeek requesting additional information on the vulnerability and the patch.
According to 7 Elements, Rackspace already knew about the vulnerability back in August after being notified by a third party. The UK-based cybersecurity firm says it doesn’t know who else reported the issue to Rackspace, but believes it to be an individual.
“Our investigation showed that this vulnerability was being actively exploited by at least one malicious actor to spoof emails, there’s obviously some serious questions to be answered by Rackspace if it was aware of this vulnerability and its exploitation resulted in reputational or financial loss for a business,” said John Moss, senior security consultant at 7 Elements.