FakeBehalf: Imperceptible Email Spoofing Attacks against the Delegation Mechanism in Email Systems

Email has become an essential service for global communication.In email protocols, a Delegation Mechanism allows emails to be sent by other entities on behalf of the email author. Specifically, the Sender field indicates the agent for email delivery (i.e., the Delegate). Despite well-implemented security extensions (e.g., DKIM, DMARC) that validate the authenticity of email authors, vulnerabilities in the Delegation Mechanism can still be exploited to bypass these security measures with well-crafted spoofing emails.

This paper systematically analyzes the security vulnerabilities within the Delegation Mechanism. Due to the absence of validation for the Sender field, adversaries can arbitrarily fabricate this field, thus spoofing the Delegate presented to email recipients. Our observations reveal that emails with a spoofed Sender field can pass authentications and reach the inboxes of all target providers. We also conduct a user study with 50 participants to assess the recipients' comprehension of spoofed Delegates, finding that 50% are susceptible to deceiving Delegate information. Furthermore, we propose novel email spoofing attacks where adversaries can impersonate arbitrary entities as email authors to craft highly deceptive emails while passing security extensions. We assess their impact across 16 service providers and 20 clients, observing that half of the providers and all clients are vulnerable to the discovered attacks. To mitigate the threats within the Delegation Mechanism, we propose a validation scheme to verify the authenticity of the Sender field, along with design suggestions to enhance the security of email clients.