[Heads Up] SMTP Smuggling - How It Easily Circumvents Your Email Defenses

Stu Sjouwerman | Dec 28, 2023

SMTP Smuggling Technique Bypasses Email Authentications Establishing LegitimacyA newly-discovered technique misusing SMTP commands allows cybercriminals to pass SPF, DKIM and DMARC checks, allowing impersonated emails to reach their intended victim.

Earlier this month, Timo Longin, security researcher with cybersecurity consulting firm SEC Consult published details on what is now referred to as SMTP Smuggling. Simply put, he detected miscommunications using the SMTP protocol that allowed message content to be submitted to a receiving email server in a way that makes the protocol simply accept the message and process its delivery to the intended recipient.

While rather in the weeds in terms of how it works, in essence cybercriminals take advantage of what should be the end-of-data sequence near the beginning of the submission of an email message, entire emails are “smuggled” within the process, therefore bypassing normal steps that include checking SPF, DKIM and DMARC.

csm_SMTP_Smuggling-SMTP_smuggling_GMX__16__754993e69e

Source: SEC Consult

In the image above, you’ll note the initial short email with the email body of “lorem ipsum.”  But then there’s this extra email with the email body of “I am the admin now!”  The specific content is irrelevant (other than to provide an example of something benign vs. malicious in nature), but it shows how SMTP smuggling occurs.

According to Longin, this method can be used to impersonate emails from any high-profile brand. This is where it becomes a real problem.  Users that have not undergone security awareness training will be more prone to believing an email is actually from the company it claims to be, falling for the socially-engineered scam within.

The vulnerability was initially reported to vendors in late July.  Microsoft has since rolled out a patch, but other vendors, including Cisco, have yet to do so.

KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Discover Your Organization’s Exposed Email Attack Surface

Cybercriminals constantly scan the deep web and thousands of breach databases to find exposed employee identities, credentials, and passwords to launch targeted social engineering attacks. Run our free Email Exposure Check Pro (EEC) to safely uncover your at-risk users and see what your organizational structure looks like to an attacker before they exploit it.

Get Your Free Email Exposure Report

Secure the Digital Workforce: Human + AI

KnowBe4 empowers the modern workforce to make smarter security decisions every day. Trusted by more than 70,000 organizations worldwide, KnowBe4 is the pioneer of digital workforce security, securing both AI agents and humans. The KnowBe4 Platform provides attack simulation and training, collaboration security, and agent security powered by AIDA (Artificial Intelligence Defense Agents) and a proprietary Risk Score. The platform leverages 15 years of behavioral data to combat advanced threats including social engineering, prompt injection, and shadow AI. By securing humans and agents, KnowBe4 leads the industry in workforce trust and defense.