Hackers Are Exploiting the Google Groups’ Practice of Rewriting “From:” Addresses; Should You Rethink Before Continuing on Google Groups Now?

Google is a highly reputed IT platform; however, despite the proactive measures and technologies it develops and adopts to keep its users safe, threat actors often outsmart their tech ninjas.

And this has happened yet again!

Recently, a cybersecurity firm uncovered a security loophole in Google Groups that has given hackers the opportunity to plan and execute sneaky phishing attacks without tipping off the members and creators.

Before knowing about the vulnerability, we are quickly taking you through the concept of creating and using Google Groups.

I Don’t Know Much About Google Groups, Please Elaborate

It’s fine if you are still unfamiliar with this platform, as it was popular in its heyday, and now it’s not a buzz anymore. This is primarily due to the development and introduction of better tools like Slack, Help Scout, Mailchimp, etc., and features to create and manage groups on social media platforms like Facebook and WhatsApp. 

Google Groups is a service from Google that allows users to create public and private discussion groups for people sharing common interests. Members can view a group’s conversation history and post new messages. 

As much as the idea of coming together and exchanging messages pertaining to common interests seems advantageous, it also bears risks for members and enterprises. Public groups allow anyone to join, which hackers misuse as an opportunity to exploit email addresses and other sensitive details of members. Moreover, users have shown concerns about Google Groups’ capabilities to filter spam messages. 

Google Groups’ Rewrites “From:” Addresses- But What Made it Do This?

Initially, Google Groups discovered that there was an issue with emails sent from domains having their DMARC policy set to quarantine or reject. Legitimate messages dispatched from a domain through authorized sending sources were getting flagged as spam or bouncing back. It affected communication and Google Groups’ credibility to align with SPF, DKIM, and DMARC protocols. It was resolved by slightly adjusting the process, according to which Google Groups would rewrite the “From:” address. This made the message appear like coming from the mailing list itself, which eliminated the chances of genuine conversations getting flagged or rejected. 

Image sourced from polymerhq.io

But What’s the Currently Discovered Vulnerability?

Lately, it has been uncovered that cyber actors are taking advantage of the practice of rewriting the “From:” address by attacking public groups that are configured to allow anyone on the internet to join and be a member without anyone’s approval or consent.

They manipulated Google’s “From:” address management practice, chiefly when a sender domain’s DMARC record is set to quarantine or reject policy. 

Unrolling the Attacking Methodology

All this happens in 6 stages:

  1. Threat actors buy a fresh domain name, deploy DMARC for it, and set the DMARC record on quarantine or reject policy.
  2. The new domain is then used for sending out spoofed emails to Google Groups addresses.
  3. Google rewrites the “From:” address.
  4. A deceptive Reply-To address shows the original sender’s domain, which is actually the threat actor’s domain.
  5. The results for SPF and DKIM authentication are positive
  6. Visual indicators automatically appear for targeted domains with BIMI in place. 

But I Am an Active Google Groups User; How Can My Organization and I Stay Protected?

No technology or IT platform is 100% shielded from malicious actors, and Google Groups is no exception. So, just as you are suggested to follow best practices, read red flags, and stay vigilant while doing anything on the internet, the same follows with this.

Avoid maintaining public lists, especially the ones that allow anyone on the web to join. Be selective in who gets access to discussions and email addresses of members; otherwise, you can end up compromising the security and privacy of many people. 

Moreover, it’s better to switch to a more secure and reliable platform for communications involving insights and finances, including billing and payroll activities. 

Also, when in doubt, switch to in-person communication. The idea seems a little old-school, but it’s better than getting exploited. Isn’t it?

Please feel free to reach out to our support team to discuss anything related to DMARC and email security. We feel more than happy to help you stay safe on the internet.

Similar Posts