We Finally Know How Hackers Exploited Gmail

After years of watching ThioJoe, I’m convinced he lives a secret double-life as an elite hacker, and his RUclips channel is simply a distraction and fun side hustle.

DMARC only requires one of SPF and DKIM to pass with alignment. The "relaxed" and "strict" only refers to matching of the domain where relaxed allows subdomains. (RFC7489 section 4.2)

The only reason I can think of for UPS removing Microsoft 365's SPF records is because they don't send directly from Microsoft 365 any more but through ProofPoint which is an email filtering service. Technically speaking if you're using an email filtering service you would want to also configure your email service to send through that filtering service and only that service so makes sense why UPS would remove the Microsoft SPF records.

I'm watching this video literally hours after setting up my own mailserver and running through all the DMARK and other hoops to get things working. If one thing, it made me realize that the entire e-mail sending needs a serious redesign. It is horribly complicated to setup and to prevent spam. Isn't it about time someone should re-design this 50-year old technology?

Damn, missed the opportunity to send "Hello this is Bill Gates, send me your credit card info and I'll give you a free PS5"

It’s totally legit to override the spf-checks. Microsoft is right, it’s a known issue and SPF has a lot more. That’s the main reason why DKIM was developed.
Microsoft just could implement a check for the sender domain of the customers.

This being patched in the future is gonna break a LOT of peoples' setop

I'm seeing a lot of people scammed/hacked by the ways you stated a year back!!
I always recommend them your channel
You are always ahead of others!!

I think this is a similar scenario like the "lock icon check" in browsers. This corporations want to make things "easier" by misusing this type of things. So not techie people then tend to "only check the indication" and not the source of the risk, so an impersonation could be more dangerous in this type of cases because the victim trust "the authority" of the control indication and may go forth blindly.

Hackers be like Dangit ThioJoe exposed us AGAIN!

Good job on 3 mil!! Hope you have a good day my dude

Microsoft generally implements protocols as they are written. Which is actually the right way to do it. The problem is that everywhere else it is accepted to do otherwise.

A very good follow up report… thanks Joe for sharing this in a very digestible format.

Dang!!! Joe is simply brilliant in the way he translates complex and detailed info.

Not Microsoft's fault. The reason they allow it, like many email providers, is that you would be surprised how many domains and email servers are misconfigured, which means a lot of Microsoft customers would complain they are not receiving mails from other companies. Hence, they allow settings to be turned off. And as mentioned, this is not a strict requirement, gazillion of domains and email servers still use none. This is basically Google's mistakes for assuming emails coming from Microsoft are automatically safe and mismatching them to another source like UPS because they failed to check the senders headers properly.

Hey ThioJoe! Thanks! Ive subscribed to ya for being so helpful for me and Windows 11.

Love ❤️ the channel!
Thank you 👑

Not the blue check mark thing but,
This is what happened to our own domain emails last 2 years ago I think, after setting up Microsoft account for our Sharepoint requirements, it created a exchange server within our domain address (which I had no idea that will happen at that time) which thus, our users can't even receive their emails without knowing it was Microsoft's email service handles all our email transactions. I had to create a connector within Microsoft to our email domain after that to fix that issue.
Which if, I created a microsoft email exchange server for a certain company email, maybe I can do some illegal transactions. 😅

i think its time to have 2 factor authentication in emails where you authorize certain site to only be able to email with exact "tokens" like tokenizing emails themselves or have total private email where you can by design only receive emails from certain emails addresses

wow a video that posted 1 minute ago that I am watching yay. with long waits and persistence I get to cross that out of my bucket list. btw love you videos ;)

I saw one of those spams with the checkmark and it was the first time I'd seen such a mark at all. At first I thought it was a thing the spammers added somehow but then I wasn't convinced. What I did know was it certainly didn't belong on that Email if it were a legit symbol. You did an excellent job explaining DMARC, DKIM and SPF. I set all these for my clients when setting up their domains. It's a pain but if it means their mail gets delivered, it's worth it. I've had far less issues with clients having problems sending mail since these three protocols came about than in the several years previous.

You are the Best these video's are so helpful Thank you so much for doing them!!!!!!!!!!!!!!!!!!!!!!!!

DigiCert, if I'm not mistaken, also issues BIMI certs, so there is a possibility that the certs can be phished out and then used for BIMI emails :/

Honestly, I think google is fully at fault. Why would you initially accept a mail whose dkim signature fails alignment, this alone is a sign, that the mail is definitely insecure, worse than missing dkim sign. In the end i think the blue check mark should only be applied if dmarc passes with full spf and dkim alignment

Oh wow this video has proper subtitle indeed. Appreciate it man, really useful for non native (or even deaf people?)

love your content thio joe

Thank you. Their mistakes had caused me to scratch my head about why my DNS settings weren't working.

Thanks for your sharing

Waoooooooooo......thanks for the information and explanation!

Maybe it has to do with how the forwarding was allowed, but MS365 doesn't usually allow you to send as an address that isn't associated with your mailbox, let alone a domain not associated with your MS365 organization/tenant

Can confirm we had a similar systems to the scammers for sending out our accounts, printer emails etc emails
We had to add our local server to the spf records yesterday due to ms changing how they verify emails and us ending up being blocked

God bless you thanks for telling us!

There are users that want you to ignore the SPF policy becase they have some weird email forwarding that block their message if you configure a strict SPF policy. Some mailiong list for example will distribute the ail in the name of the sender and not in the name of the mailing list server, breaking SPF (you cannot include just any possible mailing list server in your SPF policy)

There is another horrible thing from Microsoft Exchange: if you set up a Forwarding Address and also make a blacklist of domains, the servers will foward the message BEFORE checking the blacklist. So you end with junk messages on your forwarded email address despite trying to avoid it.

Love your channel. 🖤🔥

Wait, are you saying there's actually a way for DMARC to require both SPF and DKIM alignment?

Relaxed versus strict DMARC alignment only affects whether to allow wildcard subdomains. Strict alignment just means you need an SPF policy and DKIM key record for each subdomain in your DNS. I believe the original UPS spoof used a nonexistent subdomain, but this attack works the same with the root domain. Strict alignment would not have stopped this attack.
DMARC only requires one of either SPF or DKIM to align. This is hard coded into DMARC and its RFC specifications. Even with both SPF and DKIM set to strict alignment under DMARC, only one needs to pass. This is actually necessary because email forwarders outside of the sender's control usually break SPF alignment.
Potentially helpful aside, DMARC aligns different aspects for SPF than DKIM. SPF alignment checks the envelope from in the header against the visible from. SPF can be spoofed, and is often broken by legitimate handling. DKIM alignment checks a signed key against the visible from. DKIM allows multiple signatures in case there's complicated routing, and is difficult to spoof without control of a domain's DNS.

Love the AI prompts!

This is with this kind of event that the industry profess as a whole. Hope the where no severe consequences

Great Video!!

My capability theory sensibilities say that the only reliable verification protocol would have to be either "hey verified domain, did you send this (hash+timestamp) email" or "does the pubkey fetched from the site verify the signature on the email", and anything less is full of holes.

Hey, I don't know how but one of my accounts keeps getting emails (replies) from mail delivery system saying that the email couldn't be sent or there was a delay in sending the email, now the email to which these replies are coming are apparently sent by me. So, my gmail keeps sending to hundreds of weird addresses. What is happening I can't figure it out, I've changed my password, logged out of every device, except my phone, and I'm using passkeys now and also I found my account logged into a mac(unknown device) and I've never used a mac in my whole life.

Yeah, I had to set up SPF, DKIM and DMARC on my personal website emails. It was frustrating as I don't have a lot of resources or in-depth knowledge, but suffice it to say, the standards do allow methods to relax the enforcement, some of which gets pretty sophisticated. So on the one hand I'm not surprised someone figured out a way to game the system, but on the other, as you say, there is some culpability on MS and Googles part - which again I can understand because little tweaks they can make could have huge knock on effects and implications for people in my situation. The one thing you didn't cover is that these technologies have the provision for mail processing companies like Google to send reports, like DMARC reports, on mail that has failed, softfailed or passed the checks. These are quite enlightening. You would think that companies like Google and MS would have alternate ways to check up on their handling services just to make sure that what they thought should/was happening, was actually happening.
Many thanks though for making these videos. You fill an invaluable niche between the tech impossible to understand and those who need to know what is going on but doesn't have the god-background the techies have.

The reason to allow it is simple, it is so you can see the attack attempts, and be ready for them. Not for most email users, but for the security crew.

A better analogy for the signatures than the check would be to say that you create a check, but before you sign it you laminate it and sign the check on the laminate, so now the check cannot be modified without damaging the laminate and thus the signature.

It at all possible you should set the strictest policy for all your domains. I get reports weekly on scammers trying to use our domains for something.

Now i know what i did wrong, to have someone use my debit card, of $300.
I had a USPS delivery yrs ago that never got delivered. & recently had a spoofed mail (similar to the UPS one in the vid.), from USPS, saying i need to pay $3 for shipping. In hopes of getting my product, thinking its in USPS storage, i put my full card number, & all info, while something in the back of my head telling me something is off

Congrats for 3 Million subs (soon)

If Microsoft disable overriding security policies it would break a huge number of completely valid workflows. It is extremely common. Google is the only one giving the checkmark for a not entirely validated mail flow. They are 100% to blame.

SMTP was a protocol that was invented 50 years ago now. Many of those venerable protocols are suffering. They were designed for simplicity in the event of a catastrophic situation and not for what we are using them for today. I remember the days before SPAM became the issue it is today. I spun up my own SMTP server (which is dirt simple for a basic configuration) back in the early 90s. I was spoofing my friends and family with emails from Santa Claus or the Easter Bunny. This was right before Gmail came on the picture, so it was mostly sending to Yahoo accounts ;). Gmail in the early days wasn't even a shadow of what it is today either. It was invitation only at first and I was able to get an invite.

I think the takeaway should be never trust any email. Don't click on links in emails. Go directly to the website in question.

"They had their whole thing configured correctly and standard." I'd argue that if your security configuration allows for spoofing, you have not configured it correctly, or to any worthwhile standard. They left everything on defaults. Those were bad defaults (clearly). Sadly, a lot of software defaults are bad or insecure. I'd describe the situation as "They set up DMARC but never bothered to configure it for their use case."

There may come a day where we will be absolutely safe on line. I don't intend to hold my breath.

That's basically how Minecraft legacy authentication worked a few years ago, it was exploited for a cracked client, for about 2 days, and then it got fixed. xD
It essentially allowed someone to log into a Minecraft account, if that account is currently logged in somewhere, without the need to know the session ID or password.

Funny enough, I had to resetup these security things for my mail server this morning

I miss the days when you sent emails by telnetting to port 25 of your friend's SMTP server, entering a few keywords-HELO, MAIL FROM, RCPT TO, DATA-and typing away, ending with QUIT.
You read your emails in a similar fashion: telnet to port 110 of your own email server; USER; PASS; LIST; RETR; DELE; QUIT.

oh wow a video with nice subtitles did you do that manually?

A PoC would be great.

Next video we see from ThioJoe, he would have hit the 3Million mark!

You should submit this to googles bug hunt, could potentially be worth thousands of dollars :D

with your ai image prompts i fin it fun to look for borked hands

I have a question no one has answered. My email address that others use to write to me has changed. I had nothing to do with it. That is an extra @ was added along with 3407. Who is generating this? It makes me wonder are people reading what I wrote or someone else did and why did it and my name change?

5:53 We set all ours no matter who our client is to fail at this stage we will not use relaxed mode

I see that UPS wanted to send some emails by Microsoft because they could partially use Exchange instances hosted by Microsoft and partially theirs.

hi (good update video)
Informative

your the man
i feel hacked for years
what about backboard wake ups and instagrammshare ips files in iphone

thanks!

If i were to go dogmatic, I would say this shows the problems of having centralized services.

I understand that there are times where it is necessary for an email sender to be verified. My personal experience, though, is that the CONTENT of the email is often (but not always) enough to conclude that the email is total BS regardless of any blue checkmark.

THX❤

If DKIM now becomes the norm to passing alignment, doesn't that mean that all the emails in the world should from now on be enforced to make sure they have a valid DKIM signature? I'm surprised organizations such as UPS didn't have have to rely on DKIM signatures.

The last time I set up email forwarding from a Microsoft account to a Gmail, it required confirmation in both directions; I had to show that I had control of both inboxes.

I dunno about UPS..I always set policy to strict..Just seemed like a dumb idea to do anything else..Even for my side project test app I was setting up last night, strict.

"Bimmy isn't even a real name" -double dragon 3 NES game

Google has a blue checkmark like twitter has/had? I don't think I've ever noticed. I often read the email address it's self to find out it makes zero since vs what it's claiming to be.

As soon as you said they made a Microsoft email server I knew what was happening

the icloud and apple mail thing is probably just the email provider and an email client respectively

It's all very strange.

Never look for blue check marks

ALMOST 3 MILLION !!!!

It is hard to blame Microsoft for letting a user accept email however the user wants to do it.

If headers on emails clearly say failed headers that’s where Microsoft and UPS jobs end. Note that we are talking about SMTP protocol. However showing authenticated on a the final Gmail is the issue here. Even then can’t fully fault Gmail. We need to remember the display of the email on the header is another.

@ThioJoe -- can you perhaps go into details with spoofing Phone Numbers, and IF there is some way to fully stop this nonsense as i've been getting a lot of phone calls that should originate in my home country, but are often spoofed from innocent peoples phone numbers instead, and really come from a call center in India or something to that effect.

nice video my dude

I have never seen this blue check mark in gmail

This is the first time I've been told there is something like a blue star in the first place.

I've never even seen an e-mail with a blue check mark.

strict dkim means only domains, not subdomains. relaxed accepts subdomains which is where the ups e-mail came from.

Hmmm, I don't have an e-mail with microsoft............I originally had a youhoo e-mail, but after hearing their problems, I changed to G-mail, but I think for now I'll just keep G'mail. What would you suggest ThioJoe ?????

There are thousands of poorly configured spf, dkim, dmarc records that if you impose strict rules very little email would make it to your inbox. Don't blame the companies but the onus is on the user to configure everything correctly. Email by default is the most insecure method of collaboration and always will be. It relies on open trust rather than encrypted trust.

I have not even watched it but I know its good. That means something.

I think that list of servers should be replaced with something similar, yes it still includes the servers but should also include a pre-hashed 1024bit token to verify against, if the e-mail to be sent does not include that token for the server then it straight up gets deleted, if the target server finds fault with the token then again it gets deleted, no questions asked, instead a replacement email get's sent to both sender & receiver notify the email was deleted under that rule and whatever arrangements need to be made should be made instead or after the sender updates their token.

I guess individuals who knew back in the early 90’s that Microsoft systems were effectively Swiss cheese for broken code, and thus open to hacks and exploits once online, could at least maintain an appropriate level of distrust of anything they do. Some things never change.

This dude must be a criminal in disguise. How did he know all this, wow

Wow, this video is incredibly informative! It's truly fascinating to finally understand how hackers managed to exploit Gmail. It's a stark reminder of the importance of cybersecurity and the need to constantly stay vigilant. As technology advances, so do the tactics of hackers, making it crucial for us to remain proactive in protecting our personal information. Let's all take this as a reminder to strengthen our online security measures and stay updated on the latest developments in cybersecurity. Together, we can keep our digital lives safe

I've noticed that Microsoft's consumer e-mail anti spam is terrible. I've been getting spam mail on my old MS account for years. I've tried cleaning it up. I've noticed that many e-mails actually fail on SPF but are put into my inbox anyways. I can't change the behavior of the SPF check either. I want spf=fail to be sent to be put into junk/spam but I can't.

the whole world (except the US) was scratching their heads and saying... Cheques? we havent seen those since the 80s

I hardly ever use e-mail and only have g-mail because of my tablet. I deleted the app on my phone and going forward I may move to a Librem or something similar. I don't understand why anyone would trust checkmarks for verification. Read the from field and be discerning people. If you get a lot of e-mail and expect it to save you time, you're doing it wrong, because there is no saving time if you want security.

i think email is utterly broken anyways. we need something better and old email ought to die. i doubt it will ever happen tho. 😢

If ups configure dmark, then they're culpable. Though dmark default needs to be changed, ups should have changed it to strict.