@titanous
Last active June 3, 2023 21:49
Hello,

Thank you for contacting the Microsoft Security Response Center (MSRC). We appreciate the time taken to submit this assessment. MSRC has investigated this issue and concluded that this does not pose an immediate threat that requires urgent attention. The display of the sender message header could be forged or omitted just as easily as the from header.

Additionally, while it’s true that SMTP/MX can be easily spoofed, it’s the burden of the receiving mail provider to check the content and origin of messages. Any mail genuinely originating from Microsoft can be authenticated using SPF and DKIM, making this a failing of the mail service in not rejecting the message or sending it to a junk mail folder.

For protections like MX records, these can usually be bypassed and on their own do not fully protect against spoofing. Some organizations will protect against this by setting up a connector that limits intake IP ranges. This is documented as example 3 in this topic: https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-for-secure-mail-flow-with-a-partner or flagging items as external versus internal. While we have made some clarification notes on multiple pages, most of them are included here: https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/use-connectors-to-configure-mail-flow

For other settings I recommend reaching out to support. They can help you get protections in place that may help you filter these types of spoofed emails.

As such, this thread is being closed and no longer monitored. We apologize for any inconvenience this may have caused. If you believe this to be a misunderstanding of the report, submit a new report at https://aka.ms/secure-at. Please include:

  • Relevant information previously provided in your initial report
  • Detailed steps required to consistently reproduce the issue
  • Short explanation on how an attacker could use the information to exploit another user remotely
  • Proof-of-concept (POC), such as a video recording, crash reports, screenshots, or relevant code samples

For more information on what qualifies as a security vulnerability please see the following: Definition of a Security Vulnerability: https://www.microsoft.com/msrc/definition-of-a-security-vulnerability

We thank you again for taking the time to submit this report!

Regards,
-C
MSRC
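Added example, not part of the MSRC reply above and not Microsoft code: the receiving-side check the reply says is the mail provider's burden. A small Python policy reads the Authentication-Results header that a receiving MTA adds (RFC 8601 syntax), accepts the message only when an SPF or DKIM pass is aligned with the From header's domain, and otherwise junks or rejects it. The three sample messages are constructed; mx.example.net, newsletter.example and forged.example are placeholder names. All three samples carry the same From and Sender headers, which is the reply's point that header text alone proves nothing.

```python
"""Classify an inbound message from its Authentication-Results header.

Added example (not MSRC's or Microsoft's code). Sample messages are
constructed; the header syntax follows RFC 8601.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed samples. From and Sender claim microsoft.com in every case;
# only the verification results recorded by the receiving MTA differ.
LEGIT_MSG = """Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=microsoft.com; dkim=pass header.d=microsoft.com
From: Notifications <no-reply@microsoft.com>
Sender: Notifications <no-reply@microsoft.com>
To: user@example.net
Subject: constructed sample (authenticated)

body
"""

SPOOFED_MSG = """Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=forged.example; dkim=none
From: Notifications <no-reply@microsoft.com>
Sender: Notifications <no-reply@microsoft.com>
To: user@example.net
Subject: constructed sample (forged headers, SPF hard fail)

body
"""

UNALIGNED_MSG = """Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=newsletter.example; dkim=pass header.d=newsletter.example
From: Notifications <no-reply@microsoft.com>
Sender: Notifications <no-reply@microsoft.com>
To: user@example.net
Subject: constructed sample (passes, but for an unrelated domain)

body
"""


def parse_auth_results(header):
    """Return {method: (result, props)} from an Authentication-Results value.
    The first ';'-separated field is the authserv-id and is skipped."""
    results = {}
    for field in header.split(";")[1:]:
        tokens = field.split()
        if not tokens or tokens[0] == "none":
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(tok.partition("=")[::2] for tok in tokens[1:])
        results[method.lower()] = (result.lower(), props)
    return results


def domain_part(value):
    """Lower-cased domain of an address ("Name <a@b>") or of a bare domain."""
    addr = parseaddr(value)[1] or value
    return addr.rpartition("@")[2].strip().lower()


def aligned(identity_domain, from_domain):
    """Approximation of DMARC relaxed alignment: equal, or one is a
    subdomain of the other. A lookalike such as microsoft.com.x.example
    does not align."""
    if not identity_domain or not from_domain:
        return False
    return (identity_domain == from_domain
            or identity_domain.endswith("." + from_domain)
            or from_domain.endswith("." + identity_domain))


def classify(raw_message):
    """Return (action, reason) where action is deliver, junk or reject."""
    msg = message_from_string(raw_message)
    from_domain = domain_part(msg.get("From", ""))
    header = msg.get("Authentication-Results")
    if header is None:
        return "junk", "no Authentication-Results header; nothing was verified"
    results = parse_auth_results(header)
    spf_result, spf_props = results.get("spf", ("none", {}))
    dkim_result, dkim_props = results.get("dkim", ("none", {}))
    # A pass only counts if the authenticated identity matches the From domain.
    spf_aligned = spf_result == "pass" and aligned(
        domain_part(spf_props.get("smtp.mailfrom", "")), from_domain)
    dkim_aligned = dkim_result == "pass" and aligned(
        dkim_props.get("header.d", "").lower(), from_domain)
    if spf_aligned or dkim_aligned:
        return "deliver", f"authenticated as {from_domain}"
    if spf_result == "fail":
        return "reject", f"SPF hard fail for {spf_props.get('smtp.mailfrom', '?')}"
    return "junk", (f"no aligned pass for {from_domain} "
                    f"(spf={spf_result}, dkim={dkim_result})")


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MSG), ("spoofed", SPOOFED_MSG),
                      ("unaligned", UNALIGNED_MSG)):
        print(name, *classify(raw))
```

The unaligned case is the one worth noting: SPF and DKIM both pass, yet the message is still junked because the verified domain is not the one shown in From. That alignment step, not the presence of a Sender header, is what ties authentication to what the user sees.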
