Seen via the mailop mailing list: the security firm SEC Consult has uncovered “a novel technique for e-mail spoofing”
“Threat actors could abuse vulnerable SMTP servers worldwide to send malicious e-mails from arbitrary e-mail addresses, allowing targeted phishing attacks. Due to the nature of the exploit itself, this type of vulnerability was dubbed SMTP smuggling. Multiple 0-days were discovered, and various vendors were notified during our responsible disclosure in 2023. “
The TL;DR via their blog post is:
By exploiting interpretation differences of the SMTP protocol, it is possible to smuggle/send spoofed e-mails – hence SMTP smuggling – while still passing SPF alignment checks. During this research, two types of SMTP smuggling, outbound and inbound, were discovered. These allowed sending spoofed e-mails from millions of domains (e.g., admin@outlook.com) to millions of receiving SMTP servers (e.g., Amazon, PayPal, eBay). Identified vulnerabilities in Microsoft and GMX were quickly fixed, however, SEC Consult urges companies using the also affected Cisco Secure Email product to manually update their vulnerable default configuration.