This new cybercrime technique makes it easier for criminals to send fake emails

News
By published

Hackers can use a flaw in SMTP servers to spoof legitimate email addresses

A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
(Image credit: weerapatkiatdumrong / Getty Images)

Security researchers have discovered a new technique that allows threat actors to send spoofed emails with false addresses. They can use this technique to deliver highly targeted phishing emails, while avoiding being spotted by email security solutions.

Timo Longin, a senior security consultant at SEC Consult, published a report on the technique, which he called SMTP smuggling. 

SMTP is short for Simple Mail Transfer Protocol, and is described as a TCP/IP protocol needed to send and receive email messages. Because outbound and inbound SMTP servers handle end-of-data sequences differently, hackers can “break out of the message data” and thus “smuggle” arbitrary SMTP commands, including entire email messages.

Non-issue for Cisco

Apparently, the vulnerability can be abused in servers from Microsoft, GMX, and Cisco, with SMTP implementations from Postfix and Sendmail also being affected. 

Microsoft and GMX have already addressed the issue, but some reports have claimed Cisco has decided not to. Discussing the matter, the company apparently said SMTP smuggling isn’t exactly a vulnerability, but rather “a feature and that they will not change the default configuration." 

Consequently, threat actors can still potentially smuggle emails to Cisco Secure Email instances with default configurations. SEC Consult concluded that the best course of action for Cisco users is to change their settings from “Clean” to “Allow”, as this will prevent spoofed emails with valid DMARC checks from making it into the inbox.

Phishing continues to be the primary attack vector for most threat actors out there. It is omnipresent, cheap, and can be automated. Threat actors can impersonate big brands, company managers, and similar, and use AI writers to draft emails with a sense of urgency. Victims often act on these emails (either by clicking a link or downloading an attachment) without considering the potential risks, resulting in endpoint compromise or data theft.

Via TheHackerNews

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
email
Hidden text "salting" is letting hackers craft devious email attacks to evade detection
Close up of a person touching an email icon.
Criminals are using CSS to get around filters and track email usage
Illustration of a hooked email hovering over a mobile phone
AWS misconfigurations reportedly used to launch phishing attacks
Best email services: image of email with one unread message alert
Over 400 million unwanted and malicious emails were received by businesses in 2024
linkedin
Watch out - that LinkedIn email could be a fake, laden with malware
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft authentication system spoofed via phishing attack
Latest in Security
Representational image depecting cybersecurity protection
Third-party security issues could be the biggest threat facing your business
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Android Logo
Devious new Android malware uses a Microsoft tool to avoid being spotted
URL phishing
HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
Ransomware
Cl0p resurgence drives ransomware attacks to new highs in 2025
Google Chrome
Google Chrome security flaw could have let hackers spy on all your online habits
Latest in News
Garmin clippd integration
Garmin's golf watches just got a big software integration upgrade to help you improve your game
Robert Downey Jr reveals himself as Doctor Doom to a delighted crowd at San Diego Comic-Con 2024
Marvel is currently making a major announcement about Avengers: Doomsday's cast on YouTube, and I think it's going to be a long-winded reveal
Samsung QN90F on yellow background
Samsung announces US prices for its 2025 mini-LED TV lineup, and it’s good and bad news
Nintendo Switch Lite
Forget the Nintendo Switch 2, the original Switch is getting one last hurrah in a surprise Nintendo Direct tomorrow
The Samsung Galaxy S25 Edge on display the January 22, 2025 Galaxy Unpacked event.
Samsung Galaxy S25 Edge colors seemingly revealed in new video, and there’s another sign of an imminent launch
Microsoft Copiot Studio deep reasoning and agent flows
Microsoft reveals OpenAI-powered Copilot AI agents to bosot your work research and data analysis
More about security
Representational image depecting cybersecurity protection

Third-party security issues could be the biggest threat facing your business
Android Logo

Devious new Android malware uses a Microsoft tool to avoid being spotted
Garmin clippd integration

Garmin's golf watches just got a big software integration upgrade to help you improve your game
See more latest
Most Popular
Garmin clippd integration
Garmin's golf watches just got a big software integration upgrade to help you improve your game
Samsung QN90F on yellow background
Samsung announces US prices for its 2025 mini-LED TV lineup, and it’s good and bad news
Microsoft Copiot Studio deep reasoning and agent flows
Microsoft reveals OpenAI-powered Copilot AI agents to bosot your work research and data analysis
Nissan 2026 line-up
Nissan is back to its bold best with new EV lineup that's led by a third-generation Leaf – and yes, it's an SUV
Nintendo Switch Lite
Forget the Nintendo Switch 2, the original Switch is getting one last hurrah in a surprise Nintendo Direct tomorrow
Image of Naoe in AC Shadows
Assassin's Creed Shadows best graphics settings for PS5, PS5 Pro, and Xbox Series X
Robert Downey Jr reveals himself as Doctor Doom to a delighted crowd at San Diego Comic-Con 2024
Marvel is currently making a major announcement about Avengers: Doomsday's cast on YouTube, and I think it's going to be a long-winded reveal
Representational image depecting cybersecurity protection
Third-party security issues could be the biggest threat facing your business
Promotional image for Malcolm in the Middle featuring the original cast playing golf
Malcolm in the Middle's Disney+ revival gets underway as the series finds its cast – here's which characters are returning
The Samsung Galaxy S25 Edge on display the January 22, 2025 Galaxy Unpacked event.
Samsung Galaxy S25 Edge colors seemingly revealed in new video, and there’s another sign of an imminent launch