
Split Tunnel SMTP Exploit

A new attack methodology has been discovered in the way email encryption appliances operate, and it has been disclosed with details of how it can be exploited to bypass malware scanning at security gateways.

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.


Threat details

The exploit is capable of delivering malware, phishing emails and spam that would have otherwise been blocked.

The exploit takes advantage of email encryption appliances having a publicly accessible IP address that can receive and relay email. Such devices are typically deployed outside the enterprise firewall and are often used in conjunction with an email security gateway.

In some configurations, the email encryption appliance is deployed in front of the security gateway to decrypt encrypted mail, and to forward it to the security gateway, which then inspects the decrypted email for malware before sending it to the email server.

However, when the security gateway receives the message and inspects it for malware, the sender address it evaluates is typically the encryption appliance's IP address, not the original sender's IP address.

If the security gateway trusts the email encryption appliance's IP address, mail relayed from the appliance may not undergo AV scanning at all. This gives an attacker an opening to get messages containing malicious payloads and links past the email security gateway.


Remediation steps

  • A multi-layered security design can detect and prevent attacks such as this.
  • Ensure there is no route to internal mail servers that bypasses evaluation by the security gateway.
  • Ensure the security gateway is configured to analyse message headers to ascertain the true source IP address.
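The following Python example illustrates the weakness described under "Threat details" and the last two remediation steps: a gateway that grants a scan bypass based only on the last hop (the encryption appliance) versus one that walks the Received chain to find the true originating IP. It is an added example written for this page, not NHS Digital's code or any vendor's product logic. All hostnames and addresses are constructed placeholders from the RFC 5737 documentation ranges, and the single-pass Received-header parsing is a deliberate simplification of what a production gateway does.

```python
import ipaddress
import re
from email import message_from_string
from email.message import Message

# Assumed deployment (placeholders): the encryption appliance and the gateway
# itself are the only relays whose Received headers we control and trust.
TRUSTED_RELAYS = {
    ipaddress.ip_address("203.0.113.10"),  # email encryption appliance (constructed)
    ipaddress.ip_address("198.51.100.5"),  # the security gateway itself (constructed)
}

# Simplification: take the first bracketed IPv4 literal in each Received header,
# which in the common "from host (name [ip]) by ..." form is the sending host.
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(msg: Message) -> list:
    """Sending-host IPs from the Received headers, top of message (newest hop) first."""
    ips = []
    for hdr in msg.get_all("Received", []):
        m = _IP_RE.search(hdr)
        if m:
            try:
                ips.append(ipaddress.ip_address(m.group(1)))
            except ValueError:
                pass  # malformed literal: ignore this hop rather than trust it
    return ips


def true_source_ip(msg: Message):
    """Walk outward from our own relays; the first hop that is not one of them is
    the address reputation and AV decisions should be based on. Headers below
    that hop were written by systems we do not control and are not consulted."""
    for ip in received_ips(msg):
        if ip not in TRUSTED_RELAYS:
            return ip
    return None  # every recorded hop is ours


def naive_must_scan(msg: Message) -> bool:
    """The weak configuration: skip scanning whenever the LAST hop is a trusted relay.
    Mail relayed by the appliance from anywhere on the internet gets a free pass."""
    ips = received_ips(msg)
    if not ips:
        return True
    return ips[0] not in TRUSTED_RELAYS


def hardened_must_scan(msg: Message) -> bool:
    """The corrected rule: anything with an untrusted origin hop, or with no usable
    Received information at all, is always evaluated by the gateway."""
    return true_source_ip(msg) is not None or not received_ips(msg)


def analyse(raw: str) -> dict:
    """Convenience wrapper returning both policies' verdicts for one raw message."""
    msg = message_from_string(raw)
    origin = true_source_ip(msg)
    return {
        "hops": [str(ip) for ip in received_ips(msg)],
        "origin": None if origin is None else str(origin),
        "naive_must_scan": naive_must_scan(msg),
        "hardened_must_scan": hardened_must_scan(msg),
    }


# Constructed sample: an external host hands mail to the appliance, which relays it
# to the gateway. The last hop is trusted, so the naive rule skips scanning.
SAMPLE_VIA_APPLIANCE = """\
Received: from encrypt.example.net (encrypt.example.net [203.0.113.10])
\tby gw.example.net (Postfix) with ESMTP id AAA111; Mon, 17 Feb 2020 11:00:00 +0000
Received: from mail.example.org (unknown [192.0.2.77])
\tby encrypt.example.net with ESMTPS; Mon, 17 Feb 2020 10:59:58 +0000
From: someone@example.org
To: user@example.com
Subject: constructed sample

body
"""

# Constructed sample: same path, but the external sender has appended a fake
# Received line naming our appliance below its own. The outward walk stops at
# the first untrusted hop, so the forged line is never consulted.
SAMPLE_FORGED_LOWER_HEADER = SAMPLE_VIA_APPLIANCE.replace(
    "From: someone@example.org",
    "Received: from encrypt.example.net (encrypt.example.net [203.0.113.10])\n"
    "\tby mail.example.org with ESMTP; Mon, 17 Feb 2020 10:59:50 +0000\n"
    "From: someone@example.org",
)

if __name__ == "__main__":
    for name, raw in [("via appliance", SAMPLE_VIA_APPLIANCE),
                      ("forged lower header", SAMPLE_FORGED_LOWER_HEADER)]:
        print(name, analyse(raw))
```

The outward walk matters as much as the trusted-relay set: Received headers added by the appliance and gateway are reliable, while anything below the first untrusted hop was written by the sender and can say whatever the sender likes. A gateway that searched the whole chain for a trusted address would be fooled by the second sample; stopping at the first untrusted hop is not.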

Last edited: 17 February 2020 11:39 am