From external to the CEO, a modern approach to Outlook mail spoofing
2024-09-26 , Main Track

As part of a recent client engagement, I was tasked with crafting phishing emails. These phishing emails were to focus on impersonating users to extract information from employees. This inspired me to investigate the current capabilities of email spoofing in 2024 and revealed some interesting quirks within both Outlook Web and Desktop.

When sending emails from external domains to internal Microsoft organisation email addresses, the recipient is inundated with security warnings identifying the sender as outside the organisation. This gives users an easy way to tell which emails originate from inside the company. By interacting with the SMTP protocol directly, I found a way to augment these emails so that they do not receive external tagging.

Outlook implements another feature called the "first contact safety tip" to alert users to emails from new addresses. These alerts are inserted into the email body and identify the sender as uncommon. I found that by including some characteristics of encrypted emails, I was able to fool Outlook into thinking the email was encrypted and prevent these security messages from being added to the email.

My next topic for investigation focused on how different email providers handle and display messages to the user. I discovered that by taking advantage of these differences I could spoof emails from personal addresses which passed verification checks. Using similar techniques, I was also able to force Outlook to display any email address to the user.

Finally, using the knowledge I had gained so far, I uncovered a technique to spoof emails from any address to an Outlook inbox whilst passing verification checks. These emails were not labelled as external and even rendered the profile pictures of the users I was impersonating.
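The abstract repeatedly refers to spoofed messages that "passed verification checks". The check a defender most wants on the receiving side is DMARC-style alignment: the domain in the visible From header must be backed by an SPF or DKIM pass for the same (organisational) domain, not merely by some pass for an unrelated relay. The following script is an added example, not code from the talk or its author; it parses a message's Authentication-Results header and reports whether the From domain is aligned. The two sample messages, the domain names and the two-label approximation of the organisational domain are constructed assumptions for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not taken from the talk). The first carries a
# visible From: at corp.example while SPF and DKIM were only satisfied for an
# unrelated relay domain; the second is fully aligned.
MISALIGNED = """Return-Path: <bounce@relay.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=relay.example; dkim=pass header.d=relay.example
From: "CEO" <ceo@corp.example>
To: employee@corp.example
Subject: Urgent request

Please send me the Q3 figures.
"""

ALIGNED = """Return-Path: <ceo@mail.corp.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail.corp.example; dkim=pass header.d=corp.example
From: "CEO" <ceo@corp.example>
To: employee@corp.example
Subject: Quarterly figures

Figures attached.
"""


def domain_of(identity: str) -> str:
    """Return the lowercased domain part of an address or bare domain."""
    _, addr = parseaddr(identity)
    addr = addr or identity
    return addr.rsplit("@", 1)[-1].strip().lower()


def org_domain(domain: str) -> str:
    """Approximate the organisational domain as the last two labels.
    Real DMARC evaluation uses the Public Suffix List, so this is an
    assumption that gives wrong answers for suffixes such as co.uk."""
    return ".".join(domain.split(".")[-2:])


def parse_auth_results(header: str) -> dict:
    """Pull method results and authenticated identifiers out of an
    Authentication-Results header (RFC 8601 style key=value pairs)."""
    results = {}
    for method in ("spf", "dkim"):
        m = re.search(rf"\b{method}=(\w+)", header)
        results[method] = m.group(1).lower() if m else "none"
    m = re.search(r"smtp\.mailfrom=([^\s;]+)", header)
    results["spf_domain"] = domain_of(m.group(1)) if m else ""
    m = re.search(r"header\.d=([^\s;]+)", header)
    results["dkim_domain"] = domain_of(m.group(1)) if m else ""
    return results


def aligned(from_domain: str, auth_domain: str, strict: bool = False) -> bool:
    """Strict alignment requires identical domains; relaxed alignment only
    requires the same organisational domain."""
    if not auth_domain:
        return False
    if strict:
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def check_alignment(raw_message: str, strict: bool = False) -> dict:
    """DMARC-style verdict: the visible From domain must be backed by an
    aligned SPF pass or an aligned DKIM pass. Returns the evidence too, so
    a triage analyst can see which identifier actually authenticated."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(str(msg["From"] or ""))
    auth = parse_auth_results(str(msg["Authentication-Results"] or ""))
    spf_ok = auth["spf"] == "pass" and aligned(from_domain, auth["spf_domain"], strict)
    dkim_ok = auth["dkim"] == "pass" and aligned(from_domain, auth["dkim_domain"], strict)
    return {
        "from_domain": from_domain,
        "return_path_domain": domain_of(str(msg["Return-Path"] or "")),
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": spf_ok or dkim_ok,
    }


if __name__ == "__main__":
    for name, raw in (("misaligned", MISALIGNED), ("aligned", ALIGNED)):
        print(name, check_alignment(raw))
```

The point of returning the evidence rather than a bare boolean is that a message can legitimately show spf=pass and dkim=pass and still fail here: both passes belong to a domain that has nothing to do with the address the user sees. Mail filters that only look at the raw pass/fail results, without alignment, are the ones a spoofed From header slips past.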

This presentation aims to highlight how a combination of these techniques can allow attackers to impersonate individuals and send convincing phishing emails that users can be expected to fall for.

Ben Wilson is a Security Consultant working at Tanto Security. He is interested in physical security and red teaming. You can get in touch with him on LinkedIn at https://www.linkedin.com/in/ben-wilson-b01811208