Security researchers at PayPal have uncovered three new SMTP smuggling attack techniques that exploit misconfigurations and design flaws in at least 50 email-hosting providers. These techniques allow attackers to spoof emails from over 20 million trusted domains, bypassing essential security protocols like SPF, DKIM, and DMARC. As a result, malicious emails can be sent from domains owned by reputable Fortune 500 companies and government agencies, posing a significant threat to email security.
The researchers will present their findings at the Black Hat USA conference, revealing how these vulnerabilities stem from domain-authentication issues, RFC violations, and the abuse of DKIM signatures and SPF records.