Addressing Tenant Isolation Security Vulnerability and Ensuring Secure Email Relay with DuoCircle

IMPORTANT NOTE: the vulnerability and mitigation discussed in this article affect only those DuoCircle Outbound customers using the "SPF Authentication" product in conjunction with their Outbound service to allow Office 365 to smart-host without credential authentication.

All other customers, both Inbound and Outbound, are unaffected.  

Overview

Recently, a security vulnerability dubbed "EchoSpoofing" was discovered in Proofpoint's email routing service which exposed Office 365 users to potential cross-tenant email-based attacks. After reviewing our own systems it was determined that customers who have configured their Office 365 to smart-host outbound mail through the DuoCircle Outbound service via "SPF Authentication" may be at risk of a similar attack.

To ensure our customers are protected we have implemented an additional security measure in our outbound email platform. This article explains the new security feature and provides guidance for resolving potential issues related to relaying Office 365 emails through our SMTP system.

Important Changes Effective July 31, 2024

When mail is smart-hosted from Office 365, Microsoft injects a header named X-OriginatorOrg which identifies the source Office 365 tenant of the message. 

• X-OriginatorOrg: The X-OriginatorOrg header will reflect the domain in the accepted domain list that sent the email. If the P2 address (Microsoft's alias for referring to the RFC5322.FROM) does not match an accepted domain, the X-OriginatorOrg header will default to the default domain specified in the accepted domain table. In some cases, this may be the onmicrosoft.com domain.
  
  

As of July 31, 2024, we will begin enforcing the requirement that all mail using the above-described route must have an X-OriginatorOrg header value matching the RFC5321.MailFrom domain of the message. This will prevent "rogue" Office 365 tenants from relaying mail via our service using your domains.

Resolving Email Relay Issues

If you are unable to relay Office 365 emails via our SMTP system, follow these steps to resolve the issue:

1. Update Your Default Domain:
   Ensure that your default domain is correctly set in the accepted domain list. You can find detailed instructions on how to update your default domain here.
   
   
2. Configure DKIM:
   Properly configure DKIM for your domain to ensure email authenticity and alignment. Instructions for DKIM configuration are provided below.
   
   

Additional Support

If you continue to experience issues or need further assistance, please contact our support team at support@duocircle.com. Our team is available 24/7 to help you ensure a smooth and secure email relay experience.

Conclusion

The addition of the X-OriginatorOrg header enforcement is a crucial step in enhancing the security of our outbound email platform. By ensuring that your default domain and accepted domain configurations are correctly set, you can avoid potential relay issues and maintain secure email communications.

For further information on the Proofpoint vulnerability and the steps taken to address it, please refer to the following articles:

• Proofpoint Email Routing Flaw Exploited
• Proofpoint's Email Protection Service Exploited

We are committed to providing you with secure and reliable email services. Thank you for your cooperation and understanding.