SMTP Relay Email Spoofing Technique

Researchers at Avanan have observed a surge in phishing emails that abuse a flaw in SMTP relay services to bypass email security filters.

“An SMTP relay service can be a valuable service for organizations that like to send out mass emails,” the researchers explain. “Essentially, businesses use SMTP relay services, of which there are many, to send marketing messages to a vast database of users without being blocklisted. Utilizing trusted SMTP relay services ensures messages get delivered. Many organizations offer this service. Gmail does as well, with the ability to route outgoing non-Gmail messages through Google.”

Attackers can use this feature in Gmail to impersonate legitimate Gmail tenants, making their phishing emails more likely to go undetected by security technologies.

“However, these relay services have a flaw,” Avanan says. “Within Gmail, any Gmail tenant can use it to spoof any other Gmail tenant. That means that a hacker can use the service to easily spoof legitimate brands and send out phishing and malware campaigns. When the security service sees avanan.com coming into the inbox, and it’s a real IP address from Gmail’s IP, it starts to look more legitimate. ... Phishingemail@phishing[.]com wouldn’t want to send their email from that domain. They would want the legitimacy of a major brand. So, using this service, they instead send their email from, say, paypal.com (assuming paypal.com uses Gmail). Email scanners see that it’s coming from Gmail’s trusted relay service, and for good measure often a trusted brand, and it sails right through to the inbox.”
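The gap the researchers describe is that source-IP reputation alone is not enough: a message relayed through Google can pass SPF and DKIM for the tenant that really sent it while the visible From: names a different tenant. The added example below (not code from Avanan or KnowBe4) parses a constructed message's Authentication-Results header and checks DMARC-style relaxed alignment between the From: domain and the domains SPF and DKIM actually authenticated. All domains and the relay IP are made up, and the organizational-domain helper is a simplification of what DMARC does with the Public Suffix List.

```python
import email
import re
from email import policy

# Constructed sample (all names made up): the message came through Google's
# relay, SPF and DKIM pass for the tenant that actually sent it, but the
# visible From: claims a different Gmail tenant, the pattern described above.
SPOOFED_VIA_RELAY = """\
Received: from mail-relay.google.com ([203.0.113.10])
Authentication-Results: mx.example.net;
       dkim=pass header.i=@attacker-tenant.example header.s=google;
       spf=pass smtp.mailfrom=bulk@attacker-tenant.example
From: "Billing" <billing@trusted-brand.example>
To: victim@example.net
Subject: Action required

Please review the attached invoice.
"""

def org_domain(domain):
    """Approximate the DMARC organizational domain as the last two labels.
    Simplification for this example; real DMARC uses the Public Suffix List."""
    labels = domain.lower().strip().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()

def dmarc_alignment(raw_message):
    """Report whether the From: domain is aligned (relaxed mode) with the
    domains that SPF and DKIM authenticated. A relay-spoofed message shows
    spf=pass and dkim=pass, but for the sending tenant, not the brand."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain
    auth = " ".join(msg.get_all("Authentication-Results") or [])
    spf = re.search(r"spf=(\w+)[^;]*?smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", auth)
    dkim = re.search(r"dkim=(\w+)[^;]*?header\.(?:d=|i=@)([\w.-]+)", auth)
    result = {"from_domain": from_domain, "spf_aligned": False, "dkim_aligned": False}
    if spf and spf.group(1) == "pass":
        result["spf_domain"] = spf.group(2)
        result["spf_aligned"] = org_domain(spf.group(2)) == org_domain(from_domain)
    if dkim and dkim.group(1) == "pass":
        result["dkim_domain"] = dkim.group(2)
        result["dkim_aligned"] = org_domain(dkim.group(2)) == org_domain(from_domain)
    # DMARC passes only if at least one authenticated identifier is aligned.
    result["dmarc_pass"] = result["spf_aligned"] or result["dkim_aligned"]
    return result

if __name__ == "__main__":
    print(dmarc_alignment(SPOOFED_VIA_RELAY))  # dmarc_pass: False
```

A receiving gateway that enforces the brand's DMARC policy makes this check automatically; the point of the example is that the spoof is visible in the headers even when the connecting IP is Google's.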

The researchers warn that attackers have increasingly adopted this technique over the past month.

“Starting in April 2022, Avanan researchers have seen a massive uptick of these SMTP Relay Service Exploit attacks in the wild, as threat actors use this service to spoof any other Gmail tenant and begin sending out phishing emails that look legitimate,” Avanan says. “Over a span of two weeks, Avanan has seen nearly 30,000 of these emails.”

New-school security awareness training can enable your employees to thwart phishing emails that bypass your technical defenses.


Discover dangerous look-alike domains that could be used against you!

Since look-alike domains are a dangerous vector for phishing attacks, it's top priority that you monitor for potentially harmful domains that can spoof your domain.

Our Domain Doppelgänger tool makes it easy for you to identify your potential "evil domain twins" and combines the search, discovery, reporting, risk indicators, and end-user assessment with training so you can take action now.

Here's how it's done:

  • Get detailed results of look-alike domains found similar to your primary email domain
  • You can now quiz your users with your look-alike results
  • Get a summary PDF that contains an overview of the look-alike domains and associated risk levels discovered during the analysis
  • It only takes a few minutes to discover your “evil domain twins”!

Find Your Look-Alike Domains!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/domain-doppelganger


