Warning: Attackers Are Using DKIM Replay Attacks to Bypass Security Filters

KnowBe4 Team | Feb 17, 2026

Cybercriminals are abusing legitimate invoices and dispute notifications from popular services to send scam emails that bypass security filters, according to researchers at Kaseya’s INKY. The attackers have used this technique to impersonate PayPal, Apple, DocuSign, HelloSign, and others.

“These platforms often allow users to enter a ‘seller name’ or add a custom note when creating an invoice or notification,” the researchers write. “Attackers abuse this functionality by inserting scam instructions and a phone number into those user-controlled fields. They then send the resulting invoice or dispute notice to an email address they control, ensuring the malicious content is embedded in a legitimate, vendor-generated message.”

Since the emails themselves are sent from legitimate sources, they’re more likely to land in users’ inboxes. Humans are also more likely to fall for the scam if they see that the messages were sent from trusted vendors.

“Since the message originates directly from the vendor, such as PayPal, and is cryptographically signed, it easily passes DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC) checks,” INKY says.

“After receiving the legitimate email, the attacker simply forwards it on to their intended targets. The result is a message that looks authentic, passes email authentication, and arrives in inboxes with little to no warning.”

This technique, known as a “DKIM replay attack,” allows the emails to bypass security controls.

“A DKIM replay attack occurs when a bad actor captures a legitimate, DKIM-signed email and then ‘replays’ that same message to additional recipients,” the researchers explain. “Since the original headers and message body remain unchanged, the DKIM signature continues to validate. As a result, the email passes DMARC authentication even though it is being redistributed by an attacker rather than delivered by the original sender. To avoid breaking DKIM, attackers intentionally do not modify the message after it has been signed.”
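Because the replayed message is byte-for-byte the original, a DKIM verifier cannot tell it apart from a first delivery; what changes is the context around the signature. The following Python triage check is an added defender-side example, not code from INKY or KnowBe4, and it assumes constructed domains (vendor.example as the signing vendor, attacker.example as the forwarder, corp.example as the victim) and a placeholder signature that is never cryptographically verified.

```python
"""Heuristic DKIM-replay indicators for an inbound message (defensive triage aid).
A replayed message's signature still verifies, so instead of re-verifying it this looks at what
a verifier ignores: signed vs. actual recipient, bounce domain vs. signing domain, signature age.
All domains and addresses below are constructed examples."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

def parse_dkim_tags(sig):
    """Split a (possibly folded) DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in sig.replace("\r\n", "").replace("\n", "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def replay_indicators(raw, envelope_rcpt, now, max_age=86400):
    """Return indicator names for one message; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return ["no-dkim-signature"]
    tags, findings = parse_dkim_tags(sig), []
    # 1. Replay leaves the signed To:/Cc: untouched, so the real recipient is usually absent from them.
    addressed = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if envelope_rcpt.lower() not in addressed:
        findings.append("recipient-not-in-to-cc")
    # 2. The forwarding MTA sets Return-Path, so on a replay it is not the d= domain (SPF fails; DKIM alone carries DMARC).
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    d = tags.get("d", "").lower()
    if rp_domain and d and rp_domain != d and not rp_domain.endswith("." + d):
        findings.append("return-path-domain-mismatch")
    # 3. Freshness: t= is the signing time, x= the optional expiry (RFC 6376); signatures without x= replay indefinitely.
    if "x" not in tags:
        findings.append("no-expiry-tag")
    elif now > int(tags["x"]):
        findings.append("signature-expired")
    if "t" in tags and now - int(tags["t"]) > max_age:
        findings.append("signature-older-than-max-age")
    return findings

# Constructed sample: a vendor-signed invoice first sent to the attacker's own mailbox, then forwarded to a victim.
SAMPLE = ("Return-Path: <bounce@attacker.example>\nDelivered-To: victim@corp.example\n"
          "DKIM-Signature: v=1; a=rsa-sha256; d=vendor.example; s=sel1; c=relaxed/relaxed;\n"
          "\tt=1700000000; h=from:to:subject:date; bh=PLACEHOLDERHASH=; b=PLACEHOLDERSIG==\n"
          "From: Vendor Invoices <invoices@vendor.example>\nTo: attacker-mailbox@attacker.example\n"
          "Subject: Invoice #1001 from Acme Seller\nDate: Tue, 14 Nov 2023 22:13:20 +0000\n\nInvoice attached.\n")

if __name__ == "__main__":
    print(replay_indicators(SAMPLE, "victim@corp.example", now=1700172800))
```

None of these indicators alone proves a replay (legitimate forwarding and mailing lists trip the first two), so treat them as scoring inputs alongside the user-controlled invoice text the researchers describe.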

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.

Kaseya has the story.
