> Only requirement is that the domain the attacker is spoofing is using O365.
This is not true. The paper mentions multiple service providers using more relaxed validation.
Table 3, section 5 in the paper shows which policies need to be in place on the domain they are piggy-backing on.
They reference Postfix:
"Additionally, we note that mailing list software such as Listserv and Mailman require a backend MTA. In our experiments we used Postfix with DMARC turned on, a configuration which follows good security practice. However, in practice many organizations might not use this configuration because many MTAs (including Postfix) do not enforce DMARC by default. In these cases, the attacker can spoof email from any target domain, regard-
less of its DMARC policy, much like the attack against Gaggle."
I read this to mean that if you actually enable DMARC in Postfix, piggy-backing on another domain's policies results in rejection.
No mention of results for receiving at ProofPoint, Mimecast, Trellix, or Cisco's email appliance.
> This is not a UX problem.
They are demonstrating a problem with managed providers, and their opinionated configuration. You give up a lot of control as an admin when you use 365 as your front-end. This further proves that.
Your domain may have a policy of reject or quarantine, but does the receiving host correctly act on that policy?
I can understand if free email providers are more permissive with narrow authentication scenarios. Users aren't usually able to contact support.
As someone suggested in this thread, this is a UX problem.
Policies need to appease a large number of users. A gov/corp org receiving these messages can be more strict. Even in these orgs, people complain about not receiving an email that was appropriately rejected.
The diagram demonstrating the attack shows DMARC fails. All they have shown is that everyone should have DMARC configured properly, and use a reject or quarantine policy. This has been best practice for a long time now.
They use the example of state.gov. That domain's policy is currently set to Reject, which is what all Federal government services have been using for years now.
Microsoft also uses their own auth mechanism in addition to DMARC. It's called composite authentication. In my experience, comp-auth is more strict than DMARC alone.
After reading more of the paper, my conclusion is mentioned in a later reply:
"They are demonstrating a problem with managed providers, and their opinionated configuration. You give up a lot of control as an admin when you use 365 as your front-end. This further proves that. "
"The Render Network® Provides Near Unlimited Decentralized GPU Computing Power For Next Generation 3D Content Creation."
"Render Network's system can be broken down into 2 main roles: Creators and Node Operators. Here's a handy guide to figure out where you might fit in on the Render Network:
Maybe you're a hardware enthusiast with GPUs to spare, or maybe you're a cryptocurrency guru with a passing interest in VFX. If you've got GPUs that are sitting idle at any time, you're a potential Node Operator who can use that GPU downtime to earn RNDR."
> What's concerning to me are reports of the car still uploading all the collected data if you attach a cell phone to the radio's bluetooth
This must be if you have the car manufacturer's app installed. I can't think of any other way for it to phone home from DCM via buetooth if the cellular module is disabled.
> How could a car system be better than just be a screen and interface for the functionality your phone provides? It's literally the dream.
This is how Apple Carplay works. It just streams the phone to the display, and accepts input from the car's buttons. I think Android Auto does the same.
This is not true. The paper mentions multiple service providers using more relaxed validation.
Table 3, section 5 in the paper shows which policies need to be in place on the domain they are piggy-backing on.
They reference Postfix:
"Additionally, we note that mailing list software such as Listserv and Mailman require a backend MTA. In our experiments we used Postfix with DMARC turned on, a configuration which follows good security practice. However, in practice many organizations might not use this configuration because many MTAs (including Postfix) do not enforce DMARC by default. In these cases, the attacker can spoof email from any target domain, regard- less of its DMARC policy, much like the attack against Gaggle."
I read this to mean that if you actually enable DMARC in Postfix, piggy-backing on another domain's policies results in rejection.
No mention of results for receiving at ProofPoint, Mimecast, Trellix, or Cisco's email appliance.
> This is not a UX problem.
They are demonstrating a problem with managed providers, and their opinionated configuration. You give up a lot of control as an admin when you use 365 as your front-end. This further proves that.