An "extremely over-permissive" Sender Policy Framework record left 190 organisations in Australia at risk of business email compromise and phishing, allowing attackers to spoof authenticated sender addresses.

The Sender Policy Framework (SPF) is an anti-spam and authentication measure that lets sending organisations list in the Domain Name System (DNS) which Internet Protocol addresses recipient email systems can expect legitimate emails to arrive from.
Sebastian Salla of security vendor Can I Phish in Sydney discovered that an unnamed city council in Queensland had added every IP address that Amazon Web Services reserves for Elastic Compute Cloud (EC2) instances in Australia to its SPF record.
This amounted to over a million IPv4 addresses, threatening a large number of organisations' email supply chain, Salla said.
Salla explained how such an over-permissive SPF record could be abused.
"Each of the affected 190 organisations and their downstream customers are at an extreme risk to business email compromise and phishing-related attacks," Salla wrote.
"Anyone with a credit card can sign up for an AWS account, spin up an EC2 instance, request AWS to remove any SMTP restrictions and begin sending SPF authenticated emails as though they are any of these organisations."
In Salla's testing, he was able to send SPF authenticated emails that passed all checks.
By analysing the SPF record, Salla was able to establish that it had been used for customers of an Australian managed service provider and web development company.
He added that the managed service provider had remedied the vulnerabilities discovered.
However, Salla discovered that the over-permissive SPF record was created nearly three years ago, leaving the organisations affected by the vulnerability at risk all that time.
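For domain owners checking their own records, the sketch below is an added example (not code from Salla's research) that counts how many IPv4 addresses an SPF record authorises through its `ip4` mechanisms and flags the over-permissive case described above. The sample records, the `audit_spf` name and the 65,536-address threshold are constructed assumptions; `include` and `redirect` targets are reported for follow-up rather than resolved, and `a`/`mx` mechanisms are skipped because they need DNS lookups.

```python
import ipaddress

MAX_IPV4 = 2 ** 16  # assumed review threshold (one /16); tune to your mail estate

def audit_spf(record, max_ipv4=MAX_IPV4):
    """Return (ipv4_count, findings) for one SPF TXT record string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    networks, findings = [], []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is pass
        mech = term.lstrip("+-~?").lower()
        if mech.startswith("redirect="):
            findings.append(f"{mech}: not resolved here, audit that record too")
        elif qualifier != "+":
            continue  # fail/softfail/neutral terms do not authorise senders
        elif mech == "all":
            findings.append("+all authorises every address on the internet")
        elif mech.startswith("include:"):
            findings.append(f"{mech}: not resolved here, audit that record too")
        elif mech.startswith("ip4:"):
            # A bare address is treated as a /32, as in SPF itself.
            networks.append(ipaddress.IPv4Network(mech[4:], strict=False))
    # Collapse overlaps so an address listed twice is counted once.
    count = sum(n.num_addresses for n in ipaddress.collapse_addresses(networks))
    if count > max_ipv4:
        findings.append(f"{count} IPv4 addresses authorised (limit {max_ipv4})")
    return count, findings

# Constructed sample records: private and documentation ranges, not real data.
BROAD = "v=spf1 ip4:10.0.0.0/12 ip4:10.0.0.0/16 include:_spf.example.com -all"
TIGHT = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/28 -all"

if __name__ == "__main__":
    for rec in (BROAD, TIGHT):
        total, issues = audit_spf(rec)
        print(f"{rec}\n  authorised IPv4 addresses: {total}")
        for issue in issues:
            print(f"  finding: {issue}")
```
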