FakeBehalf: Imperceptible Email Spoofing Attacks against the Delegation Mechanism in Email Systems

Authors: 

Jinrui Ma, Lutong Chen, and Kaiping Xue, University of Science and Technology of China; Bo Luo, The University of Kansas; Xuanbo Huang, Mingrui Ai, and Huanjie Zhang, University of Science and Technology of China; David S.L. Wei, Fordham University; Yan Zhuang, University of Science and Technology of China

Abstract: 

Email has become an essential service for global communication.In email protocols, a Delegation Mechanism allows emails to be sent by other entities on behalf of the email author. Specifically, the Sender field indicates the agent for email delivery (i.e., the Delegate). Despite well-implemented security extensions (e.g., DKIM, DMARC) that validate the authenticity of email authors, vulnerabilities in the Delegation Mechanism can still be exploited to bypass these security measures with well-crafted spoofing emails.

This paper systematically analyzes the security vulnerabilities within the Delegation Mechanism. Due to the absence of validation for the Sender field, adversaries can arbitrarily fabricate this field, thus spoofing the Delegate presented to email recipients. Our observations reveal that emails with a spoofed Sender field can pass authentications and reach the inboxes of all target providers. We also conduct a user study with 50 participants to assess the recipients' comprehension of spoofed Delegates, finding that 50% are susceptible to deceiving Delegate information. Furthermore, we propose novel email spoofing attacks where adversaries can impersonate arbitrary entities as email authors to craft highly deceptive emails while passing security extensions. We assess their impact across 16 service providers and 20 clients, observing that half of the providers and all clients are vulnerable to the discovered attacks. To mitigate the threats within the Delegation Mechanism, we propose a validation scheme to verify the authenticity of the Sender field, along with design suggestions to enhance the security of email clients.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {299854,
author = {Jinrui Ma and Lutong Chen and Kaiping Xue and Bo Luo and Xuanbo Huang and Mingrui Ai and Huanjie Zhang and David S.L. Wei and Yan Zhuang},
title = {{FakeBehalf}: Imperceptible Email Spoofing Attacks against the Delegation Mechanism in Email Systems},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {1243--1260},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/ma-jinrui},
publisher = {USENIX Association},
month = aug
}

Presentation Video