Understanding the EFAIL Attack
Emails encrypted with the S/MIME, S/MIME stands for Secure Multipurpose Internet Mail Extension (or PGP, including OpenPGP and GPG) protocols are vulnerable to the EFAIL attack. When the attack is successful, the attacker can read the targeted emails without obtaining the private key used to encrypt them.
The most basic form of this attack uses a novel technique in which malicious HTML tags are appended to an encrypted email in the hope that the email client will parse the HTML incorrectly. Once the recipient’s email client decrypts the email, processes the injected HTML tags, and exfiltrates the email, which is now in plaintext, to a URL specified by the attacker, the attack is launched.
It is important to note that even if your email server is HTTPS-secured, the recipient’s email server may not be. Even if this condition is met, the attack still requires a privileged position on the network, such as someone connected to your local network or an ISP/government with control over the internet infrastructure.
For an attacker, neither of these conditions is easy to meet. If you use best practices for network security, you should already have an email server secured by HTTPS, which eliminates one attack vector. If you are not using an HTTPS-secured email server (or are unsure), you should get SSL certificates for them right away.
These variants necessitate the attacker knows some of the encrypted message’s data before being able to read it (a “known ciphertext” attack in the cryptography field) and are significantly more difficult to execute.
This flaw does not jeopardize private keys. Instead, it takes advantage of flaws in how email clients parse emails to retrieve decrypted emails. To protect yourself from this vulnerability, you do not need to reissue your S/MIME certificates or private keys.
Mitigating the Threat
As a result, there are two types of mitigations to consider: protecting individual users and their email accounts/clients and protecting the email server.
On the client side, the default security settings in Outlook 2019 prevent this attack from being carried out unless one of the recipients chooses to allow external images via the Outlook dialog option. This prevents the attack from being automatically exploited, but many users may unintentionally or habitually enable this option.
Apple Mail and the iOS Mail app are also vulnerable to this attack’s automatic exploitation and should be set to reject HTML emails.
We would like to emphasize once more that carrying out this attack necessitates the attacker’s ability to intercept and modify emails, which is not a trivial requirement.
Because of the nature of email, you can only guarantee the safety of a specific email if the sender and every recipient of that email has implemented these mitigations—this principle applies to email security in general, not just this specific vulnerability.
Read the Article on E-Mail Security