Learning about the SubdoMailing Exploit

Multiple folks have shared this with me lately, and though I’ve mentioned it in passing in a prior post, I thought it would be good to pull together an overview and roundup of what this actually is, what you should know about it, and what you should do about it. Let's talk about the SubdoMailing exploit.

What is this? In February 2024, security vendor Guardio shared research and analysis showing thousands of instances where spam was being sent through SPF-authenticated subdomains of well-known companies and brands. Dubbed “SubdoMailing,” the campaign has, according to Guardio, apparently been ongoing since at least 2022. DMARC provider Red Sift put together a SubdoMailing guide explaining how they searched for and found instances of the SubdoMailing exploit among their client base.

As reported by BleepingComputer and others, bad actors implemented this exploit by purchasing expired domains that had previously been referenced in the SPF includes and CNAME records various companies and brands used to enable email authentication for sending through different email platforms. If I understand this correctly, the exploit was mostly SPF-focused, but it sounds like some DKIM authentication could have been in play here as well. (The way this exploit works so well in the context of SPF authentication just reinforces my belief that SPF is not enough.)

How does it work? It’s not hard to map out a simpler example of this exploit. Let’s say I had an SPF “include” in my email.spamresource.com subdomain that pointed to spf.esp2004.com, perhaps because I used this mythical ESP2004 as my email sending platform back in 2004. Maybe they’ve gone out of business since then (or changed names five times) and I’ve since changed providers. But if I didn’t delete that SPF include referencing esp2004.com, it’ll just sit there, hanging out, doing nothing. And then...the domain expires, because the ESP2004 provider stopped paying to renew it. A bad actor noticing this could check whether esp2004.com is available for purchase. If so: buy it, watch which DNS queries come in, and see which domains and subdomains are still trying to look up that SPF record. The bad actor can now re-implement that SPF include, but listing whatever servers they want -- meaning they can authenticate their mail while sending as MY domain. Spam away, and watch my domain reputation take a hit! Yuck!

My suspicion is that bad actors would want to do this in low volumes, spread across many domains, to minimize the chance of detection. DMARC reporting and domain reputation data can sometimes be glitchy and noisy, and unless you see reliable and sizable data points, it’s easy to ignore small, random-looking blips.

What should you do about this? Guardio has put together a SubdoMailing domain check tool that attempts to identify and warn you about domains affected by this exploit. It’s hard to say whether they’ll have identified every single affected company or domain, but it’s probably still wise to check there first. Then review the Red Sift guide for their additional suggestions. No matter what security or DMARC vendor you use, check for “dangling DNS,” and be sure to review and re-vet the service providers linked to your DNS via SPF includes and CNAME records. Make sure they’re still valid companies, and companies that your company still does business with.
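To make the “dangling SPF include” idea above concrete, and to show what a review of your SPF includes can look like, here is an added example (my illustration, not code from the original post, Guardio or Red Sift). It walks an SPF record’s include, redirect, a and mx references and flags targets that no longer exist or that exist without an SPF record. The DNS data is a constructed in-memory table so the script runs offline; the esp2004.com name comes from the scenario in the post, and the currentesp.example names are hypothetical. A live version would replace the table lookup with real TXT (and A/MX) queries.

```python
"""Find dangling references in an SPF record chain.

Added example, not part of the original post.  SAMPLE_DNS is a constructed
table standing in for real DNS: None means the name does not exist
(NXDOMAIN); a list holds the name's TXT strings.  Swap lookup_spf()'s table
access for a real resolver to check live domains.
"""
import re
from dataclasses import dataclass, field

# Constructed sample data.  esp2004.com is the expired-provider scenario from
# the post; the currentesp.example names are hypothetical.
SAMPLE_DNS = {
    "email.spamresource.com": [
        "v=spf1 include:spf.esp2004.com include:_spf.currentesp.example -all"
    ],
    "spf.esp2004.com": None,  # expired / unregistered: a dangling include
    "_spf.currentesp.example": [
        "v=spf1 ip4:203.0.113.0/24 include:relay.currentesp.example ~all"
    ],
    "relay.currentesp.example": ["some unrelated txt"],  # exists, but no SPF
}

# Mechanisms/modifiers that cause a DNS lookup of another name (RFC 7208).
TERM = re.compile(r"^(include|redirect|a|mx|exists)(?:[:=]([^/]+))?(?:/\d+)?$", re.I)


@dataclass
class SpfReport:
    checked: list = field(default_factory=list)   # (referrer, mechanism, target)
    dangling: list = field(default_factory=list)  # targets that do not exist at all
    no_spf: list = field(default_factory=list)    # targets that exist without an SPF record
    lookups: int = 0                              # lookup-counting terms seen (RFC 7208 cap is 10)


def lookup_spf(domain, dns):
    """Return the v=spf1 TXT string for domain, '' if the name exists
    without one, or None if the name does not exist."""
    records = dns.get(domain)
    if records is None:
        return None
    for txt in records:
        if txt.lower().startswith("v=spf1"):
            return txt
    return ""


def referenced_domains(spf_txt):
    """Return (mechanism, target) pairs from an SPF record.  target is None
    for a bare 'a' or 'mx', which refers to the record's own domain."""
    refs = []
    for term in spf_txt.split()[1:]:          # skip the 'v=spf1' version tag
        m = TERM.match(term.lstrip("+-~?"))   # drop the qualifier prefix
        if m:
            refs.append((m.group(1).lower(), m.group(2)))
    return refs


def walk_spf(domain, dns, report=None, seen=None):
    """Recursively follow include/redirect targets from domain, recording
    every external name the record depends on and whether it still resolves."""
    if report is None:
        report = SpfReport()
    if seen is None:
        seen = set()
    if domain in seen:                        # guard against include loops
        return report
    seen.add(domain)
    spf = lookup_spf(domain, dns)
    if not spf:
        return report
    for mech, target in referenced_domains(spf):
        report.lookups += 1
        # Bare a/mx point at the domain itself; macro targets (%{...}) vary
        # per message, so neither is an external name to vet here.
        if target is None or "%" in target:
            continue
        report.checked.append((domain, mech, target))
        status = lookup_spf(target, dns)
        if status is None:
            report.dangling.append(target)    # nobody owns this name: re-registrable
        elif mech in ("include", "redirect"):
            if status == "":
                report.no_spf.append(target)  # exists but no SPF: include fails / stale
            else:
                walk_spf(target, dns, report, seen)
    return report


if __name__ == "__main__":
    rep = walk_spf("email.spamresource.com", SAMPLE_DNS)
    for referrer, mech, target in rep.checked:
        print(f"{referrer} -> {mech}:{target}")
    print("dangling:", rep.dangling)
    print("no SPF record:", rep.no_spf)
    print("DNS-lookup terms:", rep.lookups, "(RFC 7208 limit is 10)")
```

Run against the sample table, the walk reports spf.esp2004.com as dangling (the name no longer exists, so it is exactly the kind of include the post describes) and relay.currentesp.example as existing without an SPF record, which is also worth a look since a provider that dropped its SPF record may have changed or shut down. For a/mx targets the script only checks whether the name exists; a real check would query A and MX records for those.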