Google recently launched a high-priority investigation into a security vulnerability within Gmail. While it was initially dismissed as "intended behaviour", the tech giant was compelled to re-evaluate the situation due to an external expert's persistence.

The flaw in question revolves around the Brand Indicators for Message Identification (BIMI) email authentication method, which Google introduced to Gmail last year.

Google's BIMI feature aims to enhance email security and provide users with a visual security checkmark, a blue tick, for authenticated sender avatars.

When a brand logo displayed in the email matches the company claiming to send it, users can confidently identify legitimate messages from impersonators.

Despite being correctly check-marked by BIMI, emails can fail the Sender Policy Framework (SPF) authentication process.

BIMI is not exclusive to Google; however, the vulnerability that Google investigated solely impacted their own implementation of BIMI.

There is an illusion of trust in the blue tick symbol; malicious actors have successfully evaded Google’s email authentication methods and are able to successfully spoof legitimate companies, meaning it no longer gives users assurance of authenticity.

It also highlights the limitations of email authentication standards, including SPF and Domain Message Authentication Reporting and Conformance (DMARC).

It seems that the Google BIMI feature relies on Microsoft’s standards, although the spoofed email had failed SPF authentication, it passed DMARC authentication because UPS, the purported sender, used Microsoft for email services.

The google implementation relies only on the SPF to match, the DKIM signature (DomainKeys Identified Mail) can be from any domain.

DKIM is a digital signature added to every email sent from a given email address. This raises questions about the effectiveness and interplay of various authentication methods across different domains and subdomains. It also reveals problems for other email providers relying solely on SPF for validation of BIMI.

Remediation & Mitigation

Exercise caution when receiving emails, especially those claiming to be from well-known brands or organisations.

Take a moment to carefully review the email content, sender details, and any suspicious or unusual elements, remembering to hover over the sender’s email for the true identity.

Although it is currently being investigated as a top priority incident; Google needs to prioritize prompt patching by releasing an immediate fix for the BIMI vulnerability in its implementation, when taking into consideration the vast increase in recent phishing campaigns. Implementing SPF and DMARC authentication methods is also essential to enhance the verification of incoming emails and detecting attempts by threat actors to spoof organisational emails.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).