2021-12-01

Precedence Group's Overly-Permissive SPF DNS Record

Industry: Construction, Financial, Freight, Government & Legal | Level: Strategic | Source: Portswigger

Managed service provider Precedence Group used an overly permissive SPF (Sender Policy Framework) DNS record, impacting 190 Australian organizations in government, financial, freight, legal, and construction services. Sebastian Salla, CEO of CanIPhish, said, “because the MSP [had] added every single AWS /16 address block in Australia to the SPF record of each organization, any Amazon Web Services (AWS) user could spin up a virtual machine and send authenticated emails as though they come from these organizations.” The MSP's SPF record had been vulnerable since March 2019, but was fixed on November 29th, 2021. Prior to the fix, an attacker only needed to acquire an SPF-compliant IP address to bypass SPF and DMARC authentication validation.
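
An added example (not from the original article or from CanIPhish): a small offline audit that totals how many IPv4 addresses an SPF record authorizes through `ip4` mechanisms and flags any block broader than an assumed /24 threshold. The sample records use reserved benchmarking and documentation ranges as constructed placeholders, not real AWS ranges, and `include`, `a` and `mx` mechanisms are not resolved.

```python
import ipaddress

# Assumed policy threshold for this example: an ip4 prefix shorter than /24
# covers more hosts than a single mail-sending tenant normally controls.
MIN_PREFIX = 24

# Constructed sample records (placeholder ranges, not taken from the article).
PERMISSIVE = "v=spf1 ip4:198.18.0.0/16 ip4:198.19.0.0/16 ip4:203.0.113.25 -all"
TIGHT = "v=spf1 ip4:203.0.113.25 ip4:203.0.113.32/28 -all"


def audit_spf(record, min_prefix=MIN_PREFIX):
    """Return (authorized_ipv4_count, findings) for one SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    nets, findings = [], []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        if qualifier != "+":
            continue  # only pass-qualified mechanisms authorize senders
        if name.lower() == "all":
            findings.append("+all authorizes every sender")
        elif name.lower() == "ip4":
            # A bare address without a prefix length is treated as a /32.
            net = ipaddress.ip_network(value, strict=False)
            nets.append(net)
            if net.prefixlen < min_prefix:
                findings.append(f"{net} is broader than /{min_prefix} "
                                f"({net.num_addresses} addresses)")
    # Collapse overlapping blocks so shared addresses are counted once.
    total = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return total, findings


if __name__ == "__main__":
    for label, rec in (("permissive", PERMISSIVE), ("tight", TIGHT)):
        count, issues = audit_spf(rec)
        print(f"{label}: {count} authorized IPv4 addresses")
        for issue in issues:
            print(f"  finding: {issue}")
```
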
