Timo Longin @login introduces SMTP smuggling, a novel technique to spoof fully SPF-validated emails from various popular domains including @microsoft.com.
Wow. It's incredible nobody found this before. It's the first of its kind. Probably not the last...!
SMTP smuggling feels similar to HTTP smuggling, but differs in impact.
SMTP smuggling sends a legitimate email to an unsuspecting receiver. It ends up in someone's inbox, at another provider.
HTTP request smuggling is not always visible to other users, and can (depending on the web app) be limited to one backend cluster and the attacker's own requests, i.e. to steal/manipulate private data.
Add comment