Full Report
Context

In the chilly month of December 2023, my colleagues Jason (@BreakerOfSigns), Szymon (@TH3_GOAT_FARM3R), and myself (@felmoltor) were on a red team. This one was tough, but we had fun. We had to be a bit more creative than I am used to, and two interesting things were done that are worth sharing:

- Szymon and Jason physically broke into the client’s facilities. At a branch office, they left an implant using Rogan’s “Slimjim” device and it proved to be a solid and production-ready project. Try it out and let us know how it goes.
- I developed a tool that we named Mail-in-the-Middle (Maitm for short). You can find it in our Github repository here: https://github.com/sensepost/mail-in-the-middle.

I cannot speak in first person about the physical break-in beyond praising the excellent social engineering skills of both of my colleagues, but I can talk about Mail-in-the-Middle.
Analysis Summary
# Tool/Technique: Mail-in-the-Middle (Maitm)
## Overview
Mail-in-the-Middle (Maitm) is an open-source tool developed to automate and facilitate a "Person-in-the-Middle" (PiTM) attack specifically targeting email communications. The attack abuses typos made by users or third-party systems when entering email addresses associated with a target domain, allowing the attacker to intercept emails intended for the legitimate recipient.
## Technical Details
- Type: Tool
- Platform: Email/DNS infrastructure (Server-side operation)
- Capabilities: Domain typo registration, DNS MX record configuration, catch-all email setup, email interception, and active modification of intercepted emails (link modification, payload injection).
- First Seen: December 2023 (used in red team engagement); Article published February 26, 2024.
## MITRE ATT&CK Mapping
This tool primarily facilitates reconnaissance and initial access by intercepting sensitive data or gaining footholds through typosquatting and email manipulation.
- **TA0043 - Reconnaissance**
  - T1593 - Spearphishing: Attachment
    - *Mapping Note: If the tool is used to inject malicious attachments.*
  - T1598 - Phishing for Information
    - T1598.003 - Spearphishing via Service
      - *Mapping Note: Intercepting registration emails for possible account takeover.*
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment
    - T1566.002 - Spearphishing Link (if links are modified)
    - T1566.004 - Spearphishing via Service
- **TA0011 - Command and Control (Implied)**
  - T1071 - Application Layer Protocol
    - *Mapping Note: SMTP/Email infrastructure is manipulated for communication flow.*
## Functionality
### Core Capabilities
* **Typo Squatting:** Registering multiple typographical variations of the target organization's domain name.
* **DNS Configuration:** Setting up necessary DNS records (specifically MX records) to point traffic intended for the typo'd domains to an attacker-controlled mail server.
* **Stranded Email Capture:** Configuring a catch-all email address on the attacker-controlled server to read all emails sent to the typo'd domains ("Stranded Emails").
* **Information Gathering:** Capturing sensitive data (PII, internal infrastructure details like hostnames/IPs, vendor communications, pending invoices) disclosed via typos in third-party system registrations or direct communications.
### Advanced Features
* **Active Email Modification (Tainting):** The tool enables active manipulation of intercepted emails before forwarding them to the legitimate recipient:
  - Modifying links to redirect users to phishing pages.
  - Injecting malicious payloads via attachments.
  - Injecting UNC paths or images into email headers to potentially exfiltrate NTLM hashes, a technique similar to CVE-2023-35636.
* **Account Takeover:** Intercepting One-Time Passwords (OTPs) during account registration processes to hijack the resulting account.
## Indicators of Compromise
*Note: As this is a methodology and a toolset, the specific IoCs depend entirely on the configuration chosen during an engagement.*
- File Hashes: N/A (tool hosted on GitHub; execution artifacts vary)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators:
  - Registered domains that are typo variants of the target domain (e.g., `targetdomainn.com` instead of `targetdomain.com`).
  - MX records for those typo'd domains pointing to attacker-controlled mail infrastructure.
- Behavioral Indicators:
  - Unusual MX record configuration for domains closely resembling the target's primary domain.
  - Receipt of internal or vendor emails at an unexpected or newly registered domain.
## Associated Threat Actors
The tool was developed and used by members of the SensePost red team (Felipe Molina, Jason, Szymon) during a December 2023 engagement. The underlying technique is known to have been passed down through previous generations of security researchers.
## Detection Methods
* **Signature-based detection:** Not applicable to the tool itself, since it runs on attacker-controlled mail infrastructure; only the content it delivers (modified links, injected attachments) could be signatured, and that is engagement-specific.
* **Behavioral detection:** Monitoring DNS for domains that are subtle variations of the organization's primary domain, specifically watching for new MX records pointing to external mail servers. Monitoring outbound email logs for messages addressed to typo'd variants of the organization's domain.
* **YARA rules:** Not explicitly mentioned.
## Mitigation Strategies
1. **Domain Monitoring and Takedown:** Continuously monitor domains similar to the organization's primary domain. If an attacker defines an MX record, request immediate domain takedown.
2. **Domain Parking:** Register and park the most likely typo'd versions of the critical business domains defensively.
3. **Domain Shorthand:** Register shorter, branded domains for external email communications (e.g., `shorthand.com` for `longcompanyname.com`) and encourage their use during third-party registrations.
4. **Data Validation:** Implement frequent validation of employee email addresses in third-party applications and establish clear procedures for administrators managing these external services.
5. **Email Security Controls:** Implement domain and user impersonation protection mechanisms (e.g., DMARC, DKIM, SPF) on the email provider.
6. **User Training:** Conduct regular phishing simulation campaigns and awareness training regarding reporting suspicious emails.
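The behavioral detection above and mitigations 1 and 2 come down to the same check: enumerate the typo variants of your own domain and see whether any of them has an MX record pointing at a mail server you do not control. The following is an added example of that check (it is not part of Maitm or the original article); `targetdomain.com`, the `.example` hostnames and the `FAKE_MX` zone data are constructed for the demo, and `live_lookup_mx` assumes dnspython is installed.

```python
from typing import Callable, Iterable

# Keyboard neighbours for "fat-finger" substitutions (US QWERTY, letters only).
KEYBOARD_NEIGHBOURS = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh", "u": "yij", "i": "uok",
    "o": "ipl", "p": "o", "a": "qsz", "s": "awdx", "d": "sefc", "f": "drgv", "g": "fthb", "h": "gyjn",
    "j": "hukm", "k": "jil", "l": "ko", "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}
def typo_variants(domain: str) -> set[str]:
    """Single-edit typos of the first label (omission, doubled letter, adjacent swap, neighbouring key)."""
    label, dot, rest = domain.lower().partition(".")
    out: set[str] = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                        # omission: tagetdomain
        out.add(label[:i] + ch + label[i:])                       # doubled letter: targetdomainn
        if i + 1 < len(label):                                    # adjacent swap: tragetdomain
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for k in KEYBOARD_NEIGHBOURS.get(ch, ""):                 # neighbouring key: tsrgetdomain
            out.add(label[:i] + k + label[i + 1:])
    out -= {label, ""}                                            # the real name is not a typo
    return {v + dot + rest for v in out}

def suspicious_mx(domain: str, trusted_mx_suffixes: Iterable[str],
                  lookup_mx: Callable[[str], list[str]]) -> dict[str, list[str]]:
    """{typo_domain: mx_hosts} for variants that accept mail on a host outside the trusted suffixes."""
    trusted = tuple(s.lower().rstrip(".") for s in trusted_mx_suffixes)
    findings: dict[str, list[str]] = {}
    for cand in sorted(typo_variants(domain)):
        hosts = [h.lower().rstrip(".") for h in lookup_mx(cand)]
        # No MX at all is fine; a variant parked on our own MX is fine; anything else is an alert.
        if hosts and not all(h.endswith(trusted) for h in hosts):
            findings[cand] = hosts
    return findings

def live_lookup_mx(name: str) -> list[str]:
    """Real resolver for production use; needs dnspython (pip install dnspython)."""
    import dns.exception, dns.resolver  # lazy import: the offline demo below needs no dependency
    try:
        return [r.exchange.to_text() for r in dns.resolver.resolve(name, "MX")]
    except dns.exception.DNSException:  # NXDOMAIN, no answer or timeout all mean "no MX"
        return []

# Constructed zone data standing in for live DNS; hostnames are made up for this demo.
FAKE_MX = {
    "targetdomain.com": ["mx1.targetdomain.com"],
    "targetdomainn.com": ["mail.catchall-box.example"],  # doubled-letter typo, external MX: alert
    "tragetdomain.com": ["mx1.targetdomain.com"],        # adjacent-swap typo, parked on own MX: ok
}
def fake_lookup_mx(name: str) -> list[str]: return FAKE_MX.get(name, [])
```

Run `suspicious_mx("yourdomain.com", ["yourdomain.com", "<your mail provider suffix>"], live_lookup_mx)` on a schedule; a new entry in the result is the trigger for the takedown request in mitigation 1.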
## Related Tools/Techniques
* **Rogan’s “Slimjim” Device:** Mentioned as being deployed physically during the same engagement, suggesting a possible physical access capability complementing the remote email interception.
* **Typosquatting:** The core technical prerequisite for the Maitm attack.
* **CVE-2023-35636:** Referenced as a technique used to exfiltrate NTLM hashes via injected content or modified paths within intercepted emails.