Google SMTP relay service is wildly popular and used every day by legions of users. Unfortunately, hackers around the world are aware of this and increasingly they’ve begun abusing the SMTP relay service.
The basic idea is as follows. Some clever hackers have figured out that they can bypass email security products and deliver malicious emails to their intended targets if they take advantage of certain weaknesses in Google’s SMTP relay service.
Researchers at the security firm Avanan have been tracking the phenomenon and have confirmed a sudden, dramatic spike in threat actors abusing the SMTP relay service beginning in April of this year (2022).
The relay service is offered by Google as part of Gmail and Google Workspace as a means of routing outgoing user emails.
Use of the SMTP relay is mostly a matter of convenience, as it means that users don’t have to manage an external server for marketing emails. So there’s no worry that their mail server may get added to someone else’s blocked list.
It is very handy but unfortunately, hackers have discovered that they can use the SMTP relay service to spoof other Gmail tenants without being detected, with one very important catch and caveat. If those domains have a DMARC policy configured with the ‘reject’ directive, the game is up, and the hacker’s attempt will fail.
Although this can be a serious problem, it also has a simple solution. Just set a fairly strict DMARC policy and you’ll minimize your risk of your users falling victim to this type of attack.
As Google indicated on a recent blog post on this very topic:
“We have built-in protections to stop this type of attack. This research speaks to why we recommend users across the ecosystem use the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol. Doing so will defend against this attack method, which is a well-known industry issue.”
It’s good advice. If you aren’t sure whether you’ve got a strict DMARC policy set, find out from your IT staff. If not, have them implement one right away.