
DKIM Replay Attack- A New Cyberthreat

Brad Slavin, General Manager
Updated May 24, 2025

Quick Answer

A DKIM replay attack is when an attacker captures a legitimately DKIM-signed message from a reputable domain and resends it to large numbers of new recipients. Because the original DKIM signature is still valid, receiving servers see DKIM=pass and route the message to the inbox. Attackers obtain the original signed message by compromising a mailbox, intercepting traffic, or in some cases generating valid signatures from a domain they have access to. They can change the subject line and add headers without breaking the signature, which lets them deliver the same payload at scale while looking authenticated. Mitigations include rotating DKIM keys on a tighter cadence (every three to six months for higher-risk domains), pairing DKIM with SPF and DMARC so the From domain alignment check still applies, and rate-limiting outbound volume to detect anomalous spikes.


In a DKIM replay attack, bad actors abuse highly reputed email domains to obtain legitimately DKIM-signed messages from them (or, in some cases, valid signatures from a domain they control). Those captured signatures are then reused to bypass DKIM filters and compromise the online security of thousands of recipients. All of this works because, on receipt, the recipients' mail servers find no discrepancy in DKIM authentication, so the emails are placed in primary inboxes.

Because illegitimately obtained or intercepted DKIM signatures survive such changes, attackers can even add a new header or alter the subject line to tailor the replayed email to its recipients. This way it lands in the inboxes of more people and harms more of them.

What's worse, your domain's sender reputation also suffers: even genuine messages sent by your official brand representatives may be marked as spam or bounced, and the integrity of your domain is called into question.

What is a DKIM Replay Attack?

A DKIM replay attack is an email-based cyberattack in which a threat actor exploits the DKIM authentication mechanism by intercepting a legitimate email that carries a valid DKIM signature. Once captured, the email is resent hundreds or thousands of times, typically with a changed subject line or added headers. Interception is done by compromising email accounts, using man-in-the-middle techniques, or gaining access to mail servers.

Since the original DKIM signature remains intact and valid, the email appears legitimate and bypasses email filtering services.


How Does a DKIM Replay Attack Work?

A DKIM replay attack unfolds in the following stages:

DKIM Signature Flexibility

DKIM does not check whether the signing domain and the domain in the 'From' header are the same. Because of this indifference, an email whose 'From' header names one domain can carry a valid DKIM signature from an entirely different domain without raising any technical issue.

DKIM Verification

When an email is received, the receiving mail server checks the DKIM signature to verify that the email content was not tampered with in transit. When the signature validates, the authentication result is reported as 'pass.'

Exploiting Highly Reputed Domains

In the attack stage, the adversary gains illegitimate access to a mailbox associated with a reputed domain, then prepares the attack by replaying the captured email. In some instances, they even create a new domain for the purpose.

Sending the Initial Email

After exploiting or creating a reputed domain, the adversary sends emails from that domain to another mailbox they control. The initial message is generally benign and legitimate, so it raises no suspicion at all.

Re-Broadcasting

Finally, the threat actor re-broadcasts the captured email to other targeted recipients. The signature is preserved for reuse in further attacks or to continue communicating with the current target, strategically fooling them into giving away sensitive details, downloading malware-infected files, or making financial transactions.

Mitigation Strategies

Domain owners can steer clear of DKIM replay attacks by practicing the following:

DKIM Key Rotation

Regularly rotating DKIM keys limits the usefulness of intercepted DKIM-signed emails, shrinking the window of opportunity for replay attacks. There is no one-size-fits-all rotation frequency, but it is generally recommended to rotate keys at least every six months to one year.

Organizations with higher security requirements or a lower tolerance for risk may opt to rotate their DKIM keys more frequently, such as every three to six months. Those with lower risk profiles may find an annual rotation sufficient.
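The following added example (not code from the original article or from DuoCircle) shows why rotation invalidates a captured message. An in-memory map stands in for the selector TXT records a receiver would query in DNS; the sender signs a message under one selector, and once that selector is retired the same signature no longer verifies. The canonicalisation is simplified to hashing the From header, Subject and body together, and the selector names and message contents are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// dnsRecords stands in for the <selector>._domainkey.<domain> TXT records a
// receiver would query: selector -> public key. Constructed for this example.
var dnsRecords = map[string]*rsa.PublicKey{}

// Signer is the sending domain's private key together with the selector its
// public half is published under.
type Signer struct {
	Selector string
	key      *rsa.PrivateKey
}

// Signature is a stripped-down DKIM-Signature: the selector (s=) and an
// rsa-sha256 signature (b=) over the signed headers and body.
type Signature struct {
	Selector string
	Sig      []byte
}

// NewSigner generates a key pair and "publishes" the public key in DNS.
func NewSigner(selector string) (*Signer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	dnsRecords[selector] = &key.PublicKey
	return &Signer{Selector: selector, key: key}, nil
}

// digest is a simplified canonicalisation: From, Subject and body are hashed
// together (real DKIM canonicalises each header named in h= plus a body hash).
func digest(from, subject, body string) []byte {
	sum := sha256.Sum256([]byte(from + "\n" + subject + "\n" + body))
	return sum[:]
}

// Sign produces the signature the sending MTA would attach to the message.
func (s *Signer) Sign(from, subject, body string) (Signature, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA256, digest(from, subject, body))
	return Signature{Selector: s.Selector, Sig: sig}, err
}

// Verify is the receiving side: fetch the key for the selector and check the
// signature. A missing record is a permanent failure, which is exactly what a
// replayed message runs into once its selector has been retired.
func Verify(sig Signature, from, subject, body string) error {
	pub, ok := dnsRecords[sig.Selector]
	if !ok {
		return errors.New("dkim=permerror: no key published for selector " + sig.Selector)
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(from, subject, body), sig.Sig)
}

// Rotate publishes a fresh key under newSelector and retires the old one.
// In production the old TXT record is kept for a grace period that covers
// mail still in transit before it is removed.
func Rotate(old *Signer, newSelector string) (*Signer, error) {
	fresh, err := NewSigner(newSelector)
	if err != nil {
		return nil, err
	}
	delete(dnsRecords, old.Selector)
	return fresh, nil
}

func main() {
	signer, err := NewSigner("s2025q1")
	if err != nil {
		panic(err)
	}
	from, subject, body := "billing@bank.example", "Your statement", "Constructed body"
	captured, _ := signer.Sign(from, subject, body) // the message a replay would reuse
	fmt.Println("before rotation:", Verify(captured, from, subject, body))
	if _, err := Rotate(signer, "s2025q3"); err != nil {
		panic(err)
	}
	fmt.Println("after rotation: ", Verify(captured, from, subject, body))
}
```

Run stand-alone it prints a nil error before rotation and the permerror afterwards: the captured message is unchanged, but the receiver can no longer find a key to verify it with. That is the whole effect of rotation, and it is also why the rotation cadence matters: until the old selector is retired, the captured signature stays usable.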


Additional Authentication

Deploying DMARC helps mitigate the overall impact of replay attacks by instructing recipients’ mail servers how to handle emails that fail authentication checks. 

DMARC also requires that the domain’s ‘From’ address aligns with the domains used in SPF and DKIM, making it more difficult for attackers to replay a DKIM-signed email.
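To make the alignment point concrete (both the 'DKIM Signature Flexibility' stage above and the DMARC requirement just described), here is an added example, not code from the original article or from DuoCircle, that takes a constructed set of message headers and reports what DKIM alone concludes and what DMARC's DKIM alignment test concludes. The signature is assumed to be cryptographically valid; the headers, the domains bank.example and sender.example, and the two-label organizational-domain rule are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed headers of a replayed message: the DKIM signature is assumed
// valid, but it was made by sender.example, not by the bank.example domain
// shown in the From header. Signature values are replaced by ELIDED.
const replayedHeaders = `From: "Billing" <billing@bank.example>
To: victim@example.net
Subject: Urgent: your account
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sender.example;
 s=sel2025; h=from:to:subject; bh=ELIDED; b=ELIDED
`

// headerValue returns the unfolded value of the first header called name.
func headerValue(raw, name string) string {
	lines := strings.Split(raw, "\n")
	prefix := strings.ToLower(name) + ":"
	for i, line := range lines {
		if !strings.HasPrefix(strings.ToLower(line), prefix) {
			continue
		}
		val := strings.TrimSpace(line[len(prefix):])
		// RFC 5322 folding: continuation lines begin with whitespace.
		for j := i + 1; j < len(lines); j++ {
			if lines[j] == "" || (lines[j][0] != ' ' && lines[j][0] != '\t') {
				break
			}
			val += " " + strings.TrimSpace(lines[j])
		}
		return val
	}
	return ""
}

// fromDomain extracts the domain of the address in a From header value.
func fromDomain(from string) string {
	addr := from
	if i := strings.LastIndex(from, "<"); i >= 0 {
		addr = strings.TrimSuffix(from[i+1:], ">")
	}
	if at := strings.LastIndex(addr, "@"); at >= 0 {
		return strings.ToLower(strings.TrimSpace(addr[at+1:]))
	}
	return ""
}

// dkimTag returns one tag value (for example "d") from a DKIM-Signature value.
func dkimTag(sig, tag string) string {
	for _, part := range strings.Split(sig, ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) == 2 && strings.TrimSpace(kv[0]) == tag {
			return strings.ToLower(strings.TrimSpace(kv[1]))
		}
	}
	return ""
}

// orgDomain is a simplified organizational-domain rule (last two labels); real
// DMARC evaluators use the Public Suffix List. This is an assumption here.
func orgDomain(d string) string {
	labels := strings.Split(d, ".")
	if len(labels) <= 2 {
		return d
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// Aligned reports whether the signing domain (d=) aligns with the From domain:
// strict is adkim=s (exact match); relaxed, the DMARC default, accepts any
// subdomain of the same organizational domain.
func Aligned(fromDom, signDom string, strict bool) bool {
	if fromDom == "" || signDom == "" {
		return false
	}
	if strict {
		return fromDom == signDom
	}
	return orgDomain(fromDom) == orgDomain(signDom)
}

// Evaluate returns DKIM's own verdict ("pass": the signature is assumed valid
// and DKIM never compares d= with From) next to DMARC's DKIM alignment verdict.
func Evaluate(raw string, strict bool) (dkim, dmarc string) {
	fromDom := fromDomain(headerValue(raw, "From"))
	signDom := dkimTag(headerValue(raw, "DKIM-Signature"), "d")
	if Aligned(fromDom, signDom, strict) {
		return "pass", "pass"
	}
	return "pass", "fail"
}

func main() {
	fmt.Println(Evaluate(replayedHeaders, false)) // pass fail
}
```

The two verdicts differ for the same message: DKIM reports pass because the signature is intact, while the alignment test fails because the signing domain is not bank.example or a subdomain of it. With a DMARC policy of quarantine or reject in place, that failure is what the receiving server acts on.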

Rate Limiting and Monitoring

By monitoring outgoing email patterns, organizations can identify unusual activity that may signify a replay attack, such as a sudden spike in email volume or abnormal sending patterns. Implementing rate limiting helps control the number of emails sent within a specific time frame, reducing the impact of any unauthorized email transmissions. 
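As an added example (not the article's or DuoCircle's code), the block below does both halves of what this paragraph describes: it runs a sliding-window spike detector over a constructed outbound log, and it implements a per-sender sliding-window rate limiter of the kind the paragraph recommends. The log format, the sender addresses and the thresholds are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed outbound-MTA log, one send per line: "<time> from=<sender> to=<recipient>".
// The billing@ traffic is normal; the five notify@ sends within three seconds are the burst.
const sampleLog = `2025-05-20T09:00:05Z from=billing@bank.example to=alice@example.net
2025-05-20T09:12:40Z from=billing@bank.example to=bob@example.net
2025-05-20T09:40:00Z from=notify@bank.example to=r1@example.org
2025-05-20T09:40:01Z from=notify@bank.example to=r2@example.org
2025-05-20T09:40:02Z from=notify@bank.example to=r3@example.org
2025-05-20T09:40:03Z from=notify@bank.example to=r4@example.org
2025-05-20T09:40:03Z from=notify@bank.example to=r5@example.org`

type event struct {
	at   time.Time
	from string
}

// parseLog turns the log text into events, skipping blank or short lines.
func parseLog(raw string) ([]event, error) {
	var events []event
	for _, line := range strings.Split(raw, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		at, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp %q: %w", fields[0], err)
		}
		events = append(events, event{at: at, from: strings.TrimPrefix(fields[1], "from=")})
	}
	return events, nil
}

// Alert records one sender whose sends inside a window exceeded the limit.
type Alert struct {
	Sender string
	Count  int
}

// DetectSpikes is the monitoring side: per sender, slide a window over its send
// times and raise one alert the first time more than limit sends fall inside it.
func DetectSpikes(events []event, window time.Duration, limit int) []Alert {
	bySender := map[string][]time.Time{}
	for _, e := range events {
		bySender[e.from] = append(bySender[e.from], e.at)
	}
	var alerts []Alert
	for sender, ts := range bySender {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		start := 0
		for end := range ts {
			for ts[end].Sub(ts[start]) > window {
				start++ // the oldest send has left the window
			}
			if n := end - start + 1; n > limit {
				alerts = append(alerts, Alert{Sender: sender, Count: n})
				break
			}
		}
	}
	return alerts
}

// Limiter is the enforcement side: a per-sender sliding-window rate limit.
type Limiter struct {
	window time.Duration
	limit  int
	sent   map[string][]time.Time
}

func NewLimiter(window time.Duration, limit int) *Limiter {
	return &Limiter{window: window, limit: limit, sent: map[string][]time.Time{}}
}

// Allow reports whether sender may send at time t, recording the send if allowed.
func (l *Limiter) Allow(sender string, t time.Time) bool {
	kept := l.sent[sender][:0]
	for _, ts := range l.sent[sender] {
		if t.Sub(ts) <= l.window { // keep only sends still inside the window
			kept = append(kept, ts)
		}
	}
	if len(kept) >= l.limit {
		l.sent[sender] = kept
		return false
	}
	l.sent[sender] = append(kept, t)
	return true
}

func main() {
	events, _ := parseLog(sampleLog)
	fmt.Printf("%+v\n", DetectSpikes(events, 5*time.Minute, 4))
}
```

With a five-minute window and a limit of four, only notify@bank.example is flagged (five sends in three seconds), while the billing@ traffic spread over minutes never crosses the threshold. The limiter applies the same window arithmetic at send time, so a burst is refused before it leaves the MTA rather than merely reported afterwards.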

Together, these strategies ensure that any anomalies are promptly flagged and addressed, enhancing the overall email security and integrity of the system.

Brad Slavin, General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.
