“Mail Transfer Exploitation: How Threat Actors Use Third-Party Infrastructure for Spam”

Attackers abuse legitimate web features and third-party infrastructure to send spam, leveraging automated processes with some human involvement. Credential stuffing is used to access email accounts and send spam from trusted domains, with tools like MadCat and MailRip facilitating these operations. #MadCat #MailRip #CredentialStuffing #GoogleQuizzes #GoogleDrawings #GoogleSheets #GoogleCalendar #GoogleGroups #Talos #SimpleMailTransferPirates

Keypoints

  • Attackers abuse legitimate web features to transmit spam through account registrations, event signups, and other forms that trigger email actions.
  • Credential stuffing is used to access email accounts and send spam from legitimate domains.
  • Poor input validation and sanitization in web forms enable spam delivery, including via Google apps such as Quizzes, Drawings, Sheets, Calendar, and Groups.
  • Google applications are targeted because they can be leveraged to send unsolicited emails across different countries to evade detection.
  • Tools like MadCat and MailRip are commonly used for credential stuffing against IMAP/SMTP accounts, along with custom tools.
  • Defenders struggle to block such spam because messages blend with legitimate traffic, making detection challenging.
  • Recommendations emphasize unique passwords, password managers, and user education to reduce risk and phishing susceptibility.
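The "poor input validation" keypoint above refers to free-text fields (a name on a registration or event-signup form) that the site echoes back in a transactional email; whatever the submitter typed is delivered from the site's trusted domain. The following is an added example, not code from the Talos post or from any product it names, showing the server-side checks a defender would put on such a field before it reaches an outgoing message: reject control characters (which would otherwise let the value break out of a mail header), cap the length, and refuse link-like content. The sample submissions, the 64-character limit and the URL heuristic are all constructed assumptions for this example.

```python
import re
import unicodedata
from email.message import EmailMessage

MAX_NAME_LEN = 64  # assumption: a display name never needs more than this

# Heuristic (assumption) for link-like content in a free-text name field:
# a scheme, a "www." prefix, or a bare host.tld of a common TLD.
URL_RE = re.compile(r"(https?://|www\.|\b[\w-]+\.(com|net|org|io|ru|xyz|info)\b)", re.I)

# Constructed sample submissions, the kind a signup form "name" field receives.
SAMPLE_SUBMISSIONS = [
    "Alice Example",                          # ordinary name
    "María José",                             # non-ASCII but legitimate
    "WIN NOW http://spam.example/claim?u=1",  # spam payload smuggled in the name
    "Bob\r\nBcc: victims@example.com",        # CRLF aimed at the notification's headers
    "x" * 300,                                # oversized filler
]


def validate_display_name(raw: str) -> tuple[bool, str]:
    """Return (ok, reason); reason is "" when the value is acceptable."""
    value = unicodedata.normalize("NFC", raw)
    # 1. Any control character (category C*, which includes CR and LF) is
    #    rejected outright: it has no place in a name and would let the value
    #    inject or terminate headers of the outgoing mail.
    if any(unicodedata.category(ch).startswith("C") for ch in value):
        return False, "control"
    value = value.strip()
    if not value:
        return False, "empty"
    # 2. Spam payloads are long; human names are not.
    if len(value) > MAX_NAME_LEN:
        return False, "length"
    # 3. Links do not belong in a name field.
    if URL_RE.search(value):
        return False, "url"
    return True, ""


def build_welcome_message(raw_name: str, recipient: str, sender: str) -> EmailMessage:
    """Build the transactional mail only for a name that passed validation.

    The Subject is fixed text: user input is never echoed into headers, only
    into the body, and only after validation.
    """
    ok, reason = validate_display_name(raw_name)
    if not ok:
        raise ValueError(f"rejected name field: {reason}")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Welcome to the event"
    msg.set_content(f"Hello {raw_name.strip()},\n\nyour registration was received.\n")
    return msg


def triage(submissions: list[str]) -> dict[str, tuple[bool, str]]:
    """Run every constructed submission through the validator."""
    return {s: validate_display_name(s) for s in submissions}


if __name__ == "__main__":
    for sub, (ok, reason) in triage(SAMPLE_SUBMISSIONS).items():
        print(("accept " if ok else f"reject ({reason}) "), repr(sub[:40]))
```

The control-character check runs before `strip()` on purpose: trimming first would hide a trailing newline and let the remaining value pass. The URL regex is a deliberately narrow heuristic; a real deployment would pair it with rate limiting and a fixed template so that no submitted text ever lands in a header.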

MITRE Techniques

  • [T1003] Credential Dumping – “Attackers may use stolen credentials to access email accounts.”
  • [T1098] Account Manipulation – “Using compromised accounts to send spam from legitimate servers.”
  • [T1190] Exploitation of Public-Facing Applications – “Spammers exploit vulnerabilities in web forms for spam delivery.”
  • [T1566] Phishing – “Spam messages often contain phishing links to deceive users.”

Indicators of Compromise

  • [Tool] MadCat, MailRip – open-source tools, alongside custom ones, used to facilitate credential stuffing and outbound SMTP testing.
  • [IP Address] 127.0.0.255 – “aloha: 127.0.0.255” appears in credential-stuffing Subject headers as test emails.
  • [Domain] mx.example.com – “Subject: Testing: mx.example.com” used in test messages.
  • [Email] [email protected] – “Subject: !XProad mx.example.com|2525|[email protected]|f29r21caT4.” as part of test headers.
  • [Domain] example.com – appears within test subject content referencing domains/emails.
  • [URL] https://github.com – MadCat/MailRip and related tools are described as available on GitHub.
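The Subject strings listed above are the most actionable items here: 127.0.0.255 is a loopback address and will never appear as a peer in network telemetry, so its value as an indicator lies in the Subject text of the test message, not in an IP blocklist. The following is an added example, not code from the Talos post or from the tools it names, that scans a mail-submission log for those test-message signatures and tallies which authenticated accounts produced them, which is the list a responder would review for credential-stuffing logins. The key=value log format, the sample lines and the rule names are constructed assumptions; adapt `parse_line` to the fields your MTA actually logs.

```python
import re
from collections import Counter
from typing import Optional

# Constructed key=value submission log (assumed format, not any specific MTA's).
# Subjects on lines 1, 3 and 4 mirror the patterns listed in the indicators;
# the address inside the !XProad subject is a constructed placeholder.
SAMPLE_LOG = """\
ts=2024-05-01T10:02:11Z event=submit auth_user=alice@corp.example from=alice@corp.example to=alice@corp.example subject="aloha: 127.0.0.255"
ts=2024-05-01T10:02:14Z event=submit auth_user=bob@corp.example from=bob@corp.example to=carol@corp.example subject="Q2 budget review"
ts=2024-05-01T10:03:40Z event=submit auth_user=dave@corp.example from=dave@corp.example to=dave@corp.example subject="Testing: mx.example.com"
ts=2024-05-01T10:03:41Z event=submit auth_user=dave@corp.example from=dave@corp.example to=dave@corp.example subject="!XProad mx.example.com|2525|dave@corp.example|f29r21caT4."
ts=2024-05-01T10:05:02Z event=submit auth_user=erin@corp.example from=erin@corp.example to=list@partner.example subject="Re: aloha from the team"
"""

# key=value pairs, with the value either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Subject signatures derived from the indicators above. Anchored at both ends
# so that ordinary mail that merely contains the word "aloha" does not match.
TEST_SUBJECT_RULES = {
    "aloha_ip_probe":     re.compile(r"^aloha:\s*\d{1,3}(?:\.\d{1,3}){3}$"),
    "testing_host":       re.compile(r"^Testing:\s*\S+$"),
    # !XProad <host>|<port>|<address>|<token>, optionally ending in a period
    "xproad_relay_check": re.compile(r"^!XProad\s+[^|\s]+\|\d{1,5}\|[^|\s]+\|[^|\s]+\.?$"),
}


def parse_line(line: str) -> dict[str, str]:
    """Split one log line into a dict; quoted values keep their spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def classify_subject(subject: str) -> Optional[str]:
    """Return the name of the first matching test-message rule, or None."""
    subject = subject.strip()
    for name, pattern in TEST_SUBJECT_RULES.items():
        if pattern.search(subject):
            return name
    return None


def scan_submission_log(text: str) -> list[dict[str, Optional[str]]]:
    """Yield one finding per log line whose Subject looks like a stuffing-tool test."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        rule = classify_subject(rec.get("subject", ""))
        if rule is not None:
            findings.append({"ts": rec.get("ts"), "account": rec.get("auth_user"), "rule": rule})
    return findings


def accounts_to_review(findings: list[dict]) -> Counter:
    """Count findings per authenticated account: each one is a candidate compromised mailbox."""
    return Counter(f["account"] for f in findings)


if __name__ == "__main__":
    found = scan_submission_log(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["account"], f["rule"])
    print(dict(accounts_to_review(found)))
```

Matching on the authenticated submitter (`auth_user`) rather than the From header is the point: a stuffing tool that has just verified a stolen password sends its test through the victim's own account, so the account that authenticated is the one whose password needs to be reset.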

Read more: https://blog.talosintelligence.com/simple-mail-transfer-pirates/