“An SMTP relay service can be a valuable service for organizations that like to send out mass emails,” the researchers explain. “Essentially, businesses use SMTP relay services--of which there are many-- to send marketing messages to a vast database of users without being blocklisted. Utilizing trusted SMTP relay services ensures messages get delivered. Many organizations offer this service. Gmail does as well, with the ability to route outgoing non-Gmail messages through Google.”
Attackers can use this feature in Gmail to impersonate legitimate Gmail tenants, making their phishing emails more likely to go undetected by security technologies.
“However, these relay services have a flaw,” Avanan says. “Within Gmail, any Gmail tenant can use it to spoof any other Gmail tenant. That means that a hacker can use the service to easily spoof legitimate brands and send out phishing and malware campaigns. When the security service sees avanan.com coming into the inbox, and it’s a real IP address from Gmail’s IP, it starts to look more legitimate....Phishingemail@phishing[.]com wouldn’t want to send their email from that domain. They would want the legitimacy of a major brand. So, using this service, they instead send their email from, say, paypal.com (assuming paypal.com uses Gmail). Email scanners see that it’s coming from Gmail’s trusted relay service–and for good measure, often a trusted brand–and it sails right through to the inbox.”
The researchers warn that attackers have increasingly adopted this technique over the past month.
“Starting in April 2022, Avanan researchers have seen a massive uptick of these SMTP Relay Service Exploit attacks in the wild, as threat actors use this service to spoof any other Gmail tenant and begin sending out phishing emails that look legitimate,” Avanan says. “Over a span of two weeks, Avanan has seen nearly 30,000 of these emails.”
New-school security awareness training can enable your employees to thwart phishing emails that bypass your technical defenses.