An MX, or mail exchange, record acts as instructions for incoming mail: Go to the security provider’s domain before going to a company’s email server, for example.
Insurer At-Bay found 7% of claims (from 2023 through the first half of 2024, according to the firm) involved misconfigured MX records. The errors allow threat actors to send messages directly to the email server, bypassing email security filters and defenses.
“I’m not going to have to bring my A game and come up with a carefully crafted, well thought-out phishing email,” Adam Tyra, vice president and general manager of security services at At-Bay, told IT Brew. “I can send you something that is potentially lower quality, that’s more likely to get caught by an email security tool. I could do things like attach commodity malware, and it’s probably going to get through and get into people’s inboxes at your company.”
MX effort. A company today may have to move from an on-prem email server to a cloud offering like Office 365 or Gmail; an updated MX record ensures emails follow the new path, hitting a security gateway and then an inbox.
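The misconfiguration described above is easy to audit from the defender's side, because the only question is whether every MX host in the zone is the security gateway. The following is an added example, not code from IT Brew or At-Bay: it parses MX records in the shape produced by `dig +short MX <domain>` (or the last two fields of a zone-file line) and flags any entry that points at the company's own mail server or at a host nobody recognises. The hostnames `gateway.example` and `corp.example` are constructed placeholders, as is the sample zone data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MXRecord:
    preference: int  # lower value = tried first by sending servers
    host: str        # fully qualified hostname, lower-cased, trailing dot removed

@dataclass(frozen=True)
class Finding:
    preference: int
    host: str
    kind: str        # "direct-to-mailserver" or "unknown-host"

# Constructed sample data (placeholder domains, not real infrastructure).
# "gateway.example" stands for the email security provider,
# "corp.example" for the company's own mail server.
GATEWAY_HOSTS = {"mx1.gateway.example", "mx2.gateway.example"}
INTERNAL_HOSTS = {"mail.corp.example"}

# Correct post-migration zone: all inbound mail is handed to the gateway first.
GOOD_ZONE = [
    "10 mx1.gateway.example.",
    "20 mx2.gateway.example.",
]

# Stale zone: the old on-prem record was never removed, so a sender that picks
# the preference-50 host reaches the mail server without passing the gateway.
STALE_ZONE = [
    "10 mx1.gateway.example.",
    "20 mx2.gateway.example.",
    "50 mail.corp.example.",
]

def parse_mx_lines(lines):
    """Parse MX answers or zone lines into MXRecord objects, sorted by preference.

    Accepts either "<pref> <host>" (what `dig +short MX` prints) or a full zone
    line such as "example.com. 3600 IN MX 10 host." by using the last two fields.
    """
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):   # skip blanks and zone-file comments
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"not an MX line: {line!r}")
        pref, host = fields[-2], fields[-1]
        records.append(MXRecord(int(pref), host.lower().rstrip(".")))
    return sorted(records, key=lambda r: r.preference)

def audit_mx(records, gateway_hosts, internal_hosts):
    """Return a Finding for every MX host that is not the security gateway.

    Every MX entry is checked, not just the lowest-preference one: a sending
    server may legitimately fall back to a higher-preference host, so any
    non-gateway entry is a usable path around the filtering layer.
    """
    gateway = {h.lower().rstrip(".") for h in gateway_hosts}
    internal = {h.lower().rstrip(".") for h in internal_hosts}
    findings = []
    for r in records:
        if r.host in gateway:
            continue
        kind = "direct-to-mailserver" if r.host in internal else "unknown-host"
        findings.append(Finding(r.preference, r.host, kind))
    return findings

def routes_through_gateway(lines, gateway_hosts, internal_hosts):
    """True only when the zone has MX records and all of them are gateway hosts."""
    records = parse_mx_lines(lines)
    return bool(records) and not audit_mx(records, gateway_hosts, internal_hosts)

if __name__ == "__main__":
    for name, zone in (("good", GOOD_ZONE), ("stale", STALE_ZONE)):
        print(f"{name}: gateway-only = {routes_through_gateway(zone, GATEWAY_HOSTS, INTERNAL_HOSTS)}")
        for f in audit_mx(parse_mx_lines(zone), GATEWAY_HOSTS, INTERNAL_HOSTS):
            print(f"  MX {f.preference} {f.host}: {f.kind}")
```

A clean MX set is necessary but not sufficient: because MX records only tell well-behaved senders where to go, the mail server itself should also accept inbound SMTP only from the gateway's addresses, otherwise a sender that already knows the server's hostname can still skip the filter. An "unknown-host" finding is the signature of the orphaned record Grimes describes, where nobody currently on staff remembers who set it up.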
As a former security consultant who commonly had to support email administrator duties, Roger A. Grimes, current data-driven defense evangelist at security company KnowBe4, had to submit an updated MX record to a new email provider—a task that may confuse today’s IT pros.
“A lot of small businesses are not even sure who owns the ability to modify the MX record. A lot of times, many consultants and service providers will go, ‘Oh, I’ll just handle it for you, because we know that we’re going to configure it correctly.’ And then, years later, they stop doing business with that consultant or that service provider, and it gets orphaned,” Grimes told IT Brew.
Attackers can look up who owns the orphaned MX record, Grimes said, phish the owner for credentials to the DNS provider, then change the instructions to a new destination.
At-Bay’s report, released on Nov. 12, similarly described how threat actors can “exploit these misconfigurations to intercept, manipulate, or divert email communications.”
A recent report from domain registrar CSC found 80% of domains with “homoglyph” domains (deceiving, fuzzy matches of trusted sites) were owned by third parties. And 42% of those third parties had MX records, meaning they could potentially go phishing.
And MX records are public, Tyra told us, which aids attackers looking to not bring their A game.
“Anybody can go look at them. It’s a function of the domain name system, DNS. And attackers are potentially looking for companies that do not have an identifiable email security solution,” Tyra said.
According to Verizon’s 2024 data breach investigations report, “misconfigurations” appeared in around 10% of the study’s breaches.
To combat MX mistakes, Tyra advised customers to make email security purchases based on detection capabilities, as well as the initial and ongoing configuration support required.
“This phenomenon is not yet being exploited at scale and we have not yet seen it as a driver of claims, but it has all the hallmarks of becoming a major entry vector for cyber threats,” the report read.