SMTP Relay Email Spoofing Technique



SMTP Relay Email Spoofing TechniqueResearchers at Avanan have observed a surge in phishing emails that abuse a flaw in SMTP relay services to bypass email security filters.

“An SMTP relay service can be a valuable service for organizations that like to send out mass emails,” the researchers explain. “Essentially, businesses use SMTP relay services--of which there are many-- to send marketing messages to a vast database of users without being blocklisted. Utilizing trusted SMTP relay services ensures messages get delivered. Many organizations offer this service. Gmail does as well, with the ability to route outgoing non-Gmail messages through Google.”

Attackers can use this feature in Gmail to impersonate legitimate Gmail tenants, making their phishing emails more likely to go undetected by security technologies.

“However, these relay services have a flaw,” Avanan says. “Within Gmail, any Gmail tenant can use it to spoof any other Gmail tenant. That means that a hacker can use the service to easily spoof legitimate brands and send out phishing and malware campaigns. When the security service sees avanan.com coming into the inbox, and it’s a real IP address from Gmail’s IP, it starts to look more legitimate....Phishingemail@phishing[.]com wouldn’t want to send their email from that domain. They would want the legitimacy of a major brand. So, using this service, they instead send their email from, say, paypal.com (assuming paypal.com uses Gmail). Email scanners see that it’s coming from Gmail’s trusted relay service–and for good measure, often a trusted brand–and it sails right through to the inbox.”

The researchers warn that attackers have increasingly adopted this technique over the past month.

“Starting in April 2022, Avanan researchers have seen a massive uptick of these SMTP Relay Service Exploit attacks in the wild, as threat actors use this service to spoof any other Gmail tenant and begin sending out phishing emails that look legitimate,” Avanan says. “Over a span of two weeks, Avanan has seen nearly 30,000 of these emails.”

New-school security awareness training can enable your employees to thwart phishing emails that bypass your technical defenses.


Discover dangerous look-alike domains that could be used against you! 

Since look-alike domains are a dangerous vector for phishing attacks, it's top priority that you monitor for potentially harmful domains that can spoof your domain.

Our Domain Doppelgänger tool makes it easy for you to identify your potential "evil domain twins" and combines the search, discovery, reporting, risk indicators, and end-user assessment with training so you can take action now.

DomainDoppelgangerResults-1Here's how it's done:

  • Get detailed results of look-alike domains found similar to your primary email domain
  • You can now quiz your users with your look-alike results
  • Get a summary PDF that contains an overview of the look-alike domains and associated risk levels discovered during the analysis
  • It only takes a few minutes to discover your “evil domain twins”!

Find Your Look-Alike Domains!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/domain-doppelganger

Subscribe To Our Blog


Anti-Phishing Guide ebook




Get the latest about social engineering

Subscribe to CyberheistNews