Commit 5d5cac0

committed
f
1 parent 923bafd commit 5d5cac0

1 file changed

Lines changed: 17 additions & 1 deletion

File tree

  • src/network-services-pentesting/pentesting-smtp

src/network-services-pentesting/pentesting-smtp/README.md

@@ -16,6 +16,22 @@ PORT STATE SERVICE REASON VERSION
1616
25/tcp open smtp syn-ack Microsoft ESMTP 6.0.3790.3959
1717
```
1818

19+
## Email Security Gateways (SEGs)
20+
21+
As mentioned in this [blog post](https://21ad.netlify.app/blogs/the-silent-inbox-how-verified-emails-slip-past-email-security-gateways/) **Secure Email Gateways (SEGs)** sit **in-line** with inbound mail flow by **changing MX records** to point to the SEG instead of the mail server. The SEG inspects inbound mail (e.g., IP reputation, blocklists, SPF checks, spoofing detection, metadata/content analysis, sandboxing, URL rewriting) and then forwards, drops, or quarantines messages based on policy. The security model assumes **all inbound mail reaches the SEG first**; if the mail server can be reached directly, the SEG can be **avoided** (similar to skipping a WAF by talking to the origin directly).
22+
23+
### Avoiding SEGs via MX mismatch
24+
25+
Organizations using Entra ID / Exchange Online often have **multiple accepted domains**. If **any accepted domain** has an MX record that **points directly to the mail server** (e.g., Exchange Online) instead of the SEG, you can deliver mail to that domain and **avoid the SEG**. This is a **misconfiguration** (not a vulnerability) but still a common gap.
26+
27+
Also note the default `<tenant>.onmicrosoft.com` domain: its MX record always points to Exchange Online. If inbound to `*.onmicrosoft.com` is **not locked down**, sending to `user@<tenant>.onmicrosoft.com` may land directly in the inbox while bypassing the SEG.
28+
29+
**Defensive notes**:
30+
31+
- Lock down inbound to `*.onmicrosoft.com`.
32+
- Regularly audit accepted domains and their MX routing.
33+
- Configure mail servers to **only accept** inbound from the SEG.
34+
1935
### EMAIL Headers
2036

2137
If you have the opportunity to **make the victim send you a email** (via contact form of the web page for example), do it because **you could learn about the internal topology** of the victim seeing the headers of the mail.
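Review bot: the new heading (line 19 of the new file) reads "Email Security Gateways (SEGs)" while the first body paragraph (line 21) expands the acronym as "Secure Email Gateways (SEGs)"; use one expansion in both places. The "Defensive notes" list (lines 29-33) would be more actionable with the audit step the section itself implies: resolve the MX record of every accepted domain and flag any that does not resolve to the SEG, since that is exactly the mismatch the "Avoiding SEGs via MX mismatch" subsection describes. Finally, the statements that this is "a misconfiguration (not a vulnerability)" (line 25) and that the `<tenant>.onmicrosoft.com` MX "always points to Exchange Online" (line 27) are taken from the cited blog post; phrasing them as the post's observations would make clear they were not independently verified in this change.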
@@ -551,6 +567,7 @@ submit.cf
551567
552568
- [https://research.nccgroup.com/2015/06/10/username-enumeration-techniques-and-their-value/](https://research.nccgroup.com/2015/06/10/username-enumeration-techniques-and-their-value/)
553569
- [https://www.reddit.com/r/HowToHack/comments/101it4u/what_could_hacker_do_with_misconfigured_smtp/](https://www.reddit.com/r/HowToHack/comments/101it4u/what_could_hacker_do_with_misconfigured_smtp/)
570+
- <https://21ad.netlify.app/blogs/the-silent-inbox-how-verified-emails-slip-past-email-security-gateways/>
554571
555572
## HackTricks Automatic Commands
556573
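Review bot: the new reference at line 570 uses the bare `<url>` autolink form while the neighbouring entries at lines 568 and 569 use the `[url](url)` form; match the existing style, e.g. `- [https://21ad.netlify.app/blogs/the-silent-inbox-how-verified-emails-slip-past-email-security-gateways/](https://21ad.netlify.app/blogs/the-silent-inbox-how-verified-emails-slip-past-email-security-gateways/)`.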
@@ -607,4 +624,3 @@ Entry_8:
607624
608625
{{#include ../../banners/hacktricks-training.md}}
609626
610-
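Review bot: this hunk only deletes the trailing empty line after the `{{#include ../../banners/hacktricks-training.md}}` line (old line 610), which is unrelated to the SEG content added above; it is harmless, but confirm the file still ends with a single newline so the include line keeps its terminator. Separately, the commit message "f" says nothing about the change; a title such as "pentesting-smtp: add section on avoiding SEGs via MX mismatch" would help anyone reading the history.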