Last month, Google announced that Gmail users would begin seeing blue check marks alongside brand logos for senders participating in the company’s Brand Indicators for Message Identification program. Designed to give customers added trust that branded senders are who they claim to be, BIMI and its blue check mark were supposed to strike a blow against email impersonation and phishing.
But less than a month after BIMI’s roll-out, scammers found a way around its controls and were able to successfully impersonate brands, sending emails to Google users that impersonated the logistics giant UPS.
Now Google says it is tightening its BIMI verification process and is blaming an unnamed “third-party” for allowing its services to be used in ways that bypassed its security controls and delivered spoofed messages to inboxes. Experts say email providers — including Microsoft — may still be enabling this kind of behavior and are not doing enough to address a security issue that illustrates the eye-watering complexity of the modern email ecosystem.
Security researchers argue that the way BIMI is being implemented means that malicious actors could abuse the system to more effectively impersonate well-known brands, making it much more likely end users would click on a malicious link or open a dodgy attachment as part of a phishing attack.
Phishing makes up nearly half of all social engineering attacks, leading to tens of millions of dollars in losses annually, according to the 2023 Verizon Data Breach Investigations Report. Over the years, various protocols — such as SPF, DKIM and others — have been adopted to address email sender verification, but these protocols are incomplete solutions that address different aspects of a complex problem.
Developed by an industry working group in 2018 and first adopted by Google in July 2021, BIMI was intended to provide “an additional layer of email security” by displaying in Gmail the “validated logos” of brands in the program and “increasing confidence in the source of emails for recipients,” the company said in its roll-out. The idea was that BIMI would require the DMARC and SPF or DKIM email authentication standards, conveying a level of additional trust and recognition to the brand sender.
Alex Liu, a cybersecurity researcher and PhD student at the University of California San Diego who has studied the vulnerabilities of email verification protocols, said that he wasn’t surprised scammers are attacking BIMI. Throughout history, scammers are usually the first to adopt these new protocols, Liu told CyberScoop, adding that it is now up to firms like Microsoft to secure their mail servers and ensure that BIMI isn’t abused.
The dust-up over how BIMI is being implemented began with a set of tweets by Chris Plummer, a New Hampshire cybersecurity professional who described Google’s BIMI implementation as potentially “catastrophic” and said it could make users far more likely to act upon the contents of an incorrectly verified message.
“It was clear in the headers of the message I received that there was some obvious subversion, and Google was not looking far enough back in the delivery chain to see that,” Plummer told CyberScoop.
In a study published earlier this year, Liu and a group of co-authors documented how protocols meant to prevent the spoofing of sender domains struggle when encountering emails that have been forwarded, a practice that large corporations that might rely on BIMI often use to send mass emails.
Plummer discovered the problem with BIMI after noticing an email in his Gmail inbox purporting to be from UPS. Something didn’t seem right, he told a local news outlet, and Plummer determined that the email was not, in fact, from UPS. He submitted a bug report to Google on May 31, but the company “lazily” closed it as “won’t fix – intended behavior,” Plummer tweeted. “How is a scammer impersonating @UPS in such a convincing way ‘intended,’” Plummer added in the tweet that’s since been viewed nearly 155,000 times.
“The sender found a way to dupe @gmail’s authoritative stamp of approval, which end users are going to trust,” Plummer said in a subsequent tweet. “This message went from a Facebook account, to a UK netblock, to O365, to me. Nothing about this is legit. Google just doesn’t want to deal with this report honestly.”
The next day, after Plummer appealed, Google reversed course and notified Plummer it was taking another look at his report. “Thank you so much for pressing on for us to take a closer look at this!” the company wrote in a note, designating the bug as a “P1” priority.
“This issue stems from a third-party security vulnerability allowing bad actors to appear more trustworthy than they are,” a Google spokesperson told CyberScoop in an email Monday. “To keep users safe, we are requiring senders to use the more robust DomainKeys Identified Mail (DKIM) authentication standard to qualify for Brand Indicators for Message Identification (blue checkmark) status.”
The DKIM requirement should be fully in place by the end of the week, the Google spokesperson said, marking a change from the previous policy that required either DKIM or a separate standard — the Sender Policy Framework — both of which are used by email providers, in part, to determine whether incoming email is likely to be spam and to theoretically authenticate that a sender is who they claim to be. The spokesperson added that Google appreciated Plummer’s work to bring the problem to their attention.
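As an added illustration, not code from Google or from the article, here is a simplified receiving-side check that applies the old rule (DMARC pass via aligned SPF or DKIM) and the new rule (the DKIM leg must itself pass) to a parsed Authentication-Results header. The domains brand.example and mx.example and the two header samples are constructed, and DMARC relaxed alignment is simplified to a two-label comparison.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not real mail). Both pass SPF for brand.example because
# that domain's SPF record authorizes a shared third-party sending service;
# only the second also carries a DKIM signature aligned with the From domain.
SAMPLE_SPF_ONLY = """\
Authentication-Results: mx.example; spf=pass smtp.mailfrom=brand.example; dkim=none
From: "Brand Notifications" <alerts@brand.example>
Subject: Your package

body
"""
SAMPLE_DKIM = """\
Authentication-Results: mx.example; spf=pass smtp.mailfrom=brand.example; dkim=pass header.d=brand.example
From: "Brand Notifications" <alerts@brand.example>
Subject: Your package

body
"""

def parse_auth_results(header):
    """Map spf/dkim -> (result, authenticated domain) from an RFC 8601-style header value."""
    results = {}
    for clause in header.split(";")[1:]:  # element 0 is the authserv-id
        m = re.match(r"(spf|dkim)=(\w+)(.*)", clause.strip())
        if not m:
            continue
        method, result, props = m.groups()
        dm = re.search(r"(?:smtp\.mailfrom|header\.d)=(?:[^@\s]*@)?([\w.-]+)", props)
        results[method] = (result, dm.group(1).lower() if dm else None)
    return results

def aligned_pass(auth, method, from_domain):
    """Pass plus relaxed alignment, simplified to the last two labels (assumption: no multi-label public suffix)."""
    result, domain = auth.get(method, ("none", None))
    return result == "pass" and domain is not None and domain.split(".")[-2:] == from_domain.split(".")[-2:]

def bimi_eligible(raw_message, require_dkim):
    """Old policy: aligned SPF or DKIM pass is enough. New policy: aligned DKIM must pass."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg["Authentication-Results"])
    spf_ok = aligned_pass(auth, "spf", from_domain)
    dkim_ok = aligned_pass(auth, "dkim", from_domain)
    return dkim_ok if require_dkim else (spf_ok or dkim_ok)
```

The SPF-only message qualifies under the old rule and is rejected under the new one, while the DKIM-signed message qualifies under both.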
After Plummer first highlighted the BIMI issue on Twitter, Jonathan Rudenberg, a security researcher, replicated the issue via Microsoft 365 by sending spoofed emails from a Microsoft email system to a Gmail account and submitted a bug report to Microsoft.
But so far, Microsoft says it is not its responsibility but Google’s to fix the problem. In its reply to Rudenberg’s bug report, Microsoft’s Security Response Center told Rudenberg that the issue did “not pose an immediate threat that requires urgent attention” and that the “burden” for ensuring safety is the end-user’s email provider which, in this case, was Google.
“While it’s true that SMTP/MX can be easily spoofed,” the company said in its response, referencing basic email protocols, “it’s the burden of the receiving mail provider to check the content and origin of messages. Any mail genuinely originating from Microsoft can be authenticated using SPF and DKIM, making this a failing of the mail service in not rejecting the message or sending it to a junk mail folder.”
Microsoft did not immediately respond to a request for comment.