
Gmail SMTP fraud on the rise


Gmail SMTP Vulnerability: How Cybercriminals Spoof Trusted Domains

Simple Mail Transfer Protocol (SMTP) is the standard method that mail servers use to send emails across the internet. It is the backbone of email communication, and organisations of all sizes rely on it every day. Many organisations use an SMTP relay service to send mass emails efficiently, such as marketing newsletters, transactional notifications, and customer communications. Gmail is one of the most popular choices for this purpose, but unfortunately, cybercriminals have discovered a vulnerability in Gmail's relay service that allows them to impersonate legitimate businesses with alarming ease.

How the SMTP Relay Vulnerability Works

To understand this attack, it helps to know what an SMTP relay service does. When an organisation sends a large volume of emails, it uses a relay service to route those emails through trusted servers. Gmail's relay service is widely used because it is reliable and well-integrated with Google Workspace. However, the trust that email clients place in Gmail's servers is precisely what cybercriminals exploit.

Here is how the attack unfolds. Imagine a legitimate organisation owns the domain sign-doc.com and uses Gmail as its SMTP relay service for marketing emails. A cybercriminal creates a malicious domain -- something like wishyoudidntclickthis.com -- and sends phishing emails from that domain. However, they configure the emails to spoof the legitimate domain, sign-doc.com, by manipulating the email headers.

Because the spoofed domain is associated with Gmail's relay service, most email clients treat the message as though it genuinely came from the legitimate organisation. The email passes through security filters that would normally flag messages from unknown or suspicious domains. The recipient sees a familiar sender name and domain in their inbox, and the message lands in their primary folder rather than their spam folder.

Why This Is Particularly Dangerous

Several factors make this vulnerability especially concerning:

  • Bypasses standard email security. Most organisations rely on SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) records to verify that emails genuinely originate from the domains they claim to come from. When a relay service is involved, these checks can be undermined because the relay server is authorised to send on behalf of the legitimate domain.
  • Exploits trusted infrastructure. Because Gmail is one of the most widely trusted email platforms in the world, messages routed through its servers receive a higher level of trust from receiving mail servers. This makes it much harder for automated filters to distinguish legitimate emails from spoofed ones.
  • Scales easily. Once a cybercriminal has set up the spoofing mechanism, they can send thousands of phishing emails in a short period, each appearing to come from a reputable organisation.
  • Affects any relayed domain. Any organisation that uses Gmail as its SMTP relay service could potentially be spoofed. This means the problem extends across industries and geographies.

What a Spoofed Email Might Look Like

A spoofed email exploiting this vulnerability might arrive as a password reset request, a shipping notification, an invoice, or a document-sharing invitation. The sender address will display the legitimate domain, and the email may include branding elements copied from the real organisation's communications. The only reliable way to identify such an email is to carefully inspect the full email headers, which most users never do.

How to Stay Safe

Follow the tips below to protect yourself from SMTP relay spoofing and similar scams:

  1. Treat all unexpected emails with caution, regardless of the sender. This type of attack is not limited to Gmail. Other SMTP relay services could have similar vulnerabilities. Even if an email appears to come from a sender you recognise, remain vigilant.
  2. Never click on a link or download an attachment in an email you were not expecting. If an email asks you to take urgent action, such as resetting a password or confirming a payment, navigate to the service's website directly by typing the URL into your browser rather than clicking the provided link.
  3. Verify suspicious emails through an alternative channel. If you need to confirm that an email is legitimate, contact the sender directly by phone or text message using contact details you already have on file, not those provided in the email.
  4. Configure your own domain's email authentication properly. If you run a business, ensure that your SPF, DKIM, and DMARC records are correctly set up and regularly reviewed. Strict DMARC policies can help prevent your domain from being spoofed, even through relay services. If you need assistance with email security configuration, Faciotech's IT consulting services can guide you through the process.
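The header inspection recommended above and the strict DMARC policy in step 4 come together in one check: DMARC only passes when the domain in the visible From: header aligns with the domain that actually passed SPF or DKIM. The following added example (not from the original article) evaluates that alignment over two constructed messages, one spoofing sign-doc.com through a relay and one genuinely sent by it, and applies the sender's published policy; the Authentication-Results values and the DMARC record are constructed for illustration.

```python
"""Check DMARC alignment from message headers (standard library only)."""
from email import policy
from email.parser import BytesParser

# Constructed sample: From: claims the legitimate domain, but the relay authenticated
# a different envelope sender and the DKIM signature covers the attacker's domain.
SPOOFED_MESSAGE = b"""\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=wishyoudidntclickthis.com; dkim=pass header.d=wishyoudidntclickthis.com
From: "Sign Doc Support" <support@sign-doc.com>
To: victim@example.net
Subject: Your document is waiting

Please review the attached document.
"""

# Constructed sample: the genuine sender relaying through its own authorised service.
LEGIT_MESSAGE = b"""\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=sign-doc.com; dkim=pass header.d=sign-doc.com
From: "Sign Doc Support" <support@sign-doc.com>
To: customer@example.net
Subject: Your invoice

Thanks for your business.
"""

def parse_auth_results(header_value):
    """Map each method in an Authentication-Results header to (result, authenticated domain)."""
    results = {}
    for clause in header_value.split(";")[1:]:  # clause 0 is the verifying host name
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].lower().split("=", 1)
        domain = None
        for prop in tokens[1:]:
            if prop.startswith(("smtp.mailfrom=", "header.d=")):
                domain = prop.split("=", 1)[1].rsplit("@", 1)[-1].lower()
        results[method] = (result, domain)
    return results

def dmarc_alignment(raw_message):
    """Relaxed alignment: the From: domain must equal, or be a parent of, a passing SPF or DKIM domain."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    from_domain = msg["From"].addresses[0].domain.lower()
    auth = parse_auth_results(str(msg["Authentication-Results"]))
    def aligned(method):
        result, domain = auth.get(method, ("none", None))
        # Simplified organisational-domain test; a full implementation consults the public suffix list.
        return result == "pass" and domain is not None and (domain == from_domain or domain.endswith("." + from_domain))
    spf_ok, dkim_ok = aligned("spf"), aligned("dkim")
    return {"from_domain": from_domain, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

def dmarc_disposition(dmarc_record, alignment):
    """Apply the sender domain's published p= policy to the alignment verdict."""
    tags = dict(t.strip().split("=", 1) for t in dmarc_record.split(";") if "=" in t)
    if alignment["dmarc"] == "pass":
        return "deliver"
    return {"reject": "reject", "quarantine": "quarantine"}.get(tags.get("p", "none"), "deliver")
```

Note that the spoofed message passes SPF and DKIM for the attacker's domain, which is why a filter that only checks for a "pass" result lets it through; only the alignment with the From: domain, enforced by a p=reject or p=quarantine policy, rejects it.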

Protecting Your Business Email Infrastructure

For business owners, this vulnerability underscores the importance of a comprehensive approach to email security. Beyond configuring authentication records, consider implementing advanced email filtering solutions, training staff to recognise phishing attempts, and establishing clear procedures for verifying financial requests received by email. Coupling strong email security with server monitoring ensures that any unusual activity on your mail servers is detected promptly. To learn more about how phishing attacks exploit trusted relationships, read our article on QakBot malware and how your own email account can be weaponised against your contacts.

Stop, look, and think. Don't be fooled by the scammers.

Written by
Facio Innovations Technology

The FacioTech team delivers expert insights on web hosting, cybersecurity, web design, and digital technology to help Ghana businesses succeed online.