How do I follow up on this X-modified: FAKECU Text attack?

Security user
Asked on 2019-09-27 05:03:39
Answers 1 · Views 1.2K · Followers 0 · Votes 6

A user clicked the link in this email and entered their credentials, believing the message to be legitimate. However, the link did not redirect to the fake site; instead, their mail client sent them to the link as it was displayed (the real mail server's web portal).

What is this (from the original email)? X-CU-modified: FAKECU Text https: //mail.dept.example.com/ to https: //gradingzimbra.000webhostapp.com/

What kind of mail client would actually go to the fake site?

The message appears to be duplicated in HTML, but that part does not seem to be rendered in the user's Apple Mail, or in my Gmail when the original email was forwarded to me.

I don't know why it didn't go to spam for the user, and I don't want to send out unnecessary warnings if this attack is actually ineffective. Is it?

```text
Original Message

Message ID  <22037855.28441569517194413.JavaMail.root@mail.metrocat.com>
Created at: Thu, Sep 26, 2019 at 12:59 PM (Delivered after 7 seconds)
From:   "Admin@dept.example.com" <thanadet.kupv@metrocat.com> Using Zimbra 6.0.0_RC1_1684.RHEL5 (zclient/6.0.0_RC1_1684.RHEL5)
To: 
Subject:    FOR ALL USER !!
SPF:    NEUTRAL with IP 128.b.c.d

Delivered-To: louis@example.com
Received: by 2002:a02:a119:0:0:0:0:0 with SMTP id f25csp2412359jag;
        Thu, 26 Sep 2019 10:00:02 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzfEjcMNIfl22lzB/LJ5Fh5yGrFWMGw9MPMkzUFnZnVmFTP+kqrft7Vmfd6VduO6bJHSXb/
X-Received: by 2002:a37:a544:: with SMTP id o65mr4262426qke.422.1569517202451;
        Thu, 26 Sep 2019 10:00:02 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1569517202; cv=none;
        d=google.com; s=arc-20160816;
        b=In55GzFNV3oDe+r4J7H4DRMa13eVGkjJrAf4J6UOxr7GyOvR299PuAI+L0t29DQkR
         Jy7+wQNHh0LOJUwm1ilNJisGyTu9F2ZYO4Zz+N74Y4VTa7nR2kzRaL9Gj2aZPrzl7AK8
         m6ck9kvqTdrtBzf1vkaJdOfbOWKzPkZPYyH3Cx0buS8pzMaBqgF+Qlo2vEu4SuY0vfTi
         JMnhk0xxbgsm9TYxrqsM+68QQNRfrIE89nUni7aWF8RFSzIXYHX9/+ikjfYYmlguHcu3
         ljUnMyz2rPWabkUdvm8EEZs7JL4y4jrKXQGGo4iRts48CWrWy6mJ/FCr28Z1E2JfwkWE
         qnLQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=to:mime-version:subject:message-id:reply-to:from:date;
        bh=0C1ERzO2hJ1GD5BjS+y2OCbaEwwYX8Typ8cL6/mkJwA=;
        b=kEBII9kQXej2zV9T4NIvZqT3DXkSOngnV65ud7Mg/Fu3zIL+6ztbptLl/gcmMt+Zlu
         VHaTkRSRs3/0heij/rMMXrWqXStwqwYadLbGMdSdM8c6TXqkTX9S12P6XzCQ0HJ+HSpn
         yQ/H+klxw6vXt2EpYPRW7gBkhQMAuixOefS1y5zSvu3FxWGnuij97txDy5D4qCwQkTM
         AyHaCKPD8TiCYCf4V9Qxt3wNPAyxZSshOVRMR7BqdAZWpN0cmzEf60xu4OlShuiHmZ23
         X88XHhBYkgxViHw3dfTxVJLADiLJIjJDCQ5yhgq+Ffvp+uKSl7ZAyLta0aa6rVIjHk4B
         n8GA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=neutral (google.com: 128.b.f.e is neither permitted nor denied by domain of thanadet.kupv@metrocat.com) smtp.mailfrom=thanadet.kupv@metrocat.com
Return-Path: <thanadet.kupv@metrocat.com>
Received: from inprodmail06.cc.example.com (inprodmail06.cc.example.com. [128.b.c.d])
        by mx.google.com with ESMTPS id l8si2249383qkj.114.2019.09.26.10.00.00
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 26 Sep 2019 10:00:01 -0700 (PDT)
Received-SPF: neutral (google.com: 128.b.f.g is neither permitted nor denied by domain of thanadet.kupv@metrocat.com) client-ip=128.b.f.g;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 128.b.f.g is neither permitted nor denied by domain of thanadet.kupv@metrocat.com) smtp.mailfrom=thanadet.kupv@metrocat.com
Received: from dept.example.com (paradox.dept.example.com [128.b.f.g]) by inprodmail06.cc.example.com (8.14.4/8.14.4) with ESMTP id x8QGxw1i010520 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 26 Sep 2019 12:59:58 -0400
Received: from localhost (localhost [127.0.0.1]) by dept.example.com (Postfix) with ESMTP id 79621401790; Thu, 26 Sep 2019 12:59:47 -0400 (EDT)
X-Virus-Scanned: amavisd-new at dept.example.com
Received: from dept.example.com ([127.0.0.1]) by localhost (dept.example.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RDcz4Gx9SWav; Thu, 26 Sep 2019 12:59:46 -0400 (EDT)
Received: from mail.metrocat.com (mail.metrocat.com [203.130.129.172]) by dept.example.com (Postfix) with ESMTP id 958BB40178F; Thu, 26 Sep 2019 12:59:45 -0400 (EDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by mail.metrocat.com (Postfix) with ESMTP id 2D3821E805E; Thu, 26 Sep 2019 23:59:55 +0700 (ICT)
X-Virus-Scanned: amavisd-new at metrocat.com
Received: from mail.metrocat.com ([127.0.0.1]) by localhost (mail.metrocat.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x2nHz3R7dvL1; Thu, 26 Sep 2019 23:59:54 +0700 (ICT)
Received: from mail.metrocat.com (mail.metrocat.com [203.130.129.172]) by mail.metrocat.com (Postfix) with ESMTP id 832671D8015; Thu, 26 Sep 2019 23:59:54 +0700 (ICT)
Date: Thu, 26 Sep 2019 23:59:54 +0700 (ICT)
From: "Admin@dept.example.com" <thanadet.kupv@metrocat.com>
Reply-To: "Admin@dept.example.com" <noreply@dept.example.com>
Message-ID: <22037855.28441569517194413.JavaMail.root@mail.metrocat.com>
Subject: FOR ALL USER !!
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_2519_3754648.1569517194412"
X-Originating-IP: [105.112.96.85]
X-Mailer: Zimbra 6.0.0_RC1_1684.RHEL5 (zclient/6.0.0_RC1_1684.RHEL5)
To: undisclosed-recipients:;
X-CU-modified: FAKECU Text https: //mail.dept.example.com/ to https: //gradingzimbra.000webhostapp.com/
X-Spam-Score: 3.502 (***) CU_PHISH_42 CU_SUBJECT_BANGBANG HTML_MESSAGE HTTPS_HTTP_MISMATCH KHOP_HELO_FCRDNS SUBJ_ALL_CAPS TVD_PH_BODY_ACCOUNTS_PRE CU_SPF_neutral
X-Scanned-By: MIMEDefang 2.84 on 128.b.c.d

------=_Part_2519_3754648.1569517194412
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

    Zimbra Mail Support your account has been
successfully updated to the latest version of Zimbra mail server with 2G 8.0.8
additional space on the web. You can now access the latest 8.0.8 version of the
Zimbra email by clicking on the links below protected administrator, sign in
with your username and password to access the latest version 8.0.8 of the
software code open Zimbra server email server and client devices to messaging
and collaboration faster.

https://mail.dept.example.com/

Greetings,

Tim Zimbra Webmail.
------=_Part_2519_3754648.1569517194412
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit

<html><head><style> body {height: 100%; color:#000000; font-size:12pt; font-family:Times New Roman,helvetica,clean,sans-serif;}</style></head><body><p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:
normal;background:white"><span style="font-size:12.0pt;font-family:"Arial","sans-serif";
mso-fareast-font-family:"Times New Roman";color:#222222"><span style="mso-spacerun:yes">    </span>Zimbra Mail Support your account has been
successfully updated to the latest version of Zimbra mail server with 2G 8.0.8
additional space on the web. You can now access the latest 8.0.8 version of the
Zimbra email by clicking on the links below protected administrator, sign in
with your username and password to access the latest version 8.0.8 of the
software code open Zimbra server email server and client devices to messaging
and collaboration faster.<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:
normal;background:white"><span style="font-family:"Arial","sans-serif";
color:#0070C0"><!-- <a href="https://gradingzimbra.000webhostapp.com/"> --><span style="color:#0070C0">https://mail.dept.example.com/</span><!-- </a> --></span><span style="font-size:12.0pt;font-family:"Arial","sans-serif";mso-fareast-font-family:
"Times New Roman";color:#222222"><o:p></o:p></span></p>

<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:
normal;background:white"><span style="font-size:12.0pt;font-family:"Arial","sans-serif";
mso-fareast-font-family:"Times New Roman";color:#222222">Greetings,<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:
normal;background:white"><span style="font-size:12.0pt;font-family:"Arial","sans-serif";
mso-fareast-font-family:"Times New Roman";color:#222222">Tim Zimbra Webmail.<o:p></o:p></span></p></body></html>
------=_Part_2519_3754648.1569517194412--
```

1 Answer

Security user

Accepted answer

Posted on 2019-09-27 05:25:32

As far as I understand, this message originally tried to trick the user into clicking what looked like the expected link (as shown in the text) while it was actually a different link (the href attribute of the real link), i.e. something like

```html
<a href=http://attacker> 
http://example.com 
</a>
```

Some secure email gateways successfully neutralize this trick by commenting out the wrong reference:

```html
<!-- <a href=http://attacker> -->
http://example.com 
<!-- </a>  -->
```

The secure email gateway recorded what it did in the non-standard X-CU-modified field of the mail header.

Because of this neutralization, the attacker's trick no longer works, i.e. at worst the user ends up at the displayed site rather than at the site the attacker wanted. So you no longer need to worry about this. But you might thank your IT department for successfully protecting you.

Votes 17
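The check and the neutralization the accepted answer describes, as an added example that is not code from the question, the answer, or any gateway product: it scans an HTML body for anchors whose visible text is itself a URL on a different host than the href, comments out the `<a>` and `</a>` tags exactly as the message's HTML part shows, and returns a note in the format of the X-CU-modified header seen on the page. The sample body is constructed here, and the regular-expression anchor matching is a deliberate simplification of what a real gateway's HTML parser would do.

```python
import re
from urllib.parse import urlparse

# Constructed sample body modelled on the message in the question (not the real mail):
# the first link shows the real portal but points at the 000webhostapp host; the second is honest.
SAMPLE_HTML = (
    '<p>Sign in: <a href="https://gradingzimbra.000webhostapp.com/">'
    '<span style="color:#0070C0">https://mail.dept.example.com/</span></a></p>'
    '<p>Help: <a href="https://mail.dept.example.com/help">'
    'https://mail.dept.example.com/help</a></p>'
)

# One anchor: group 1 = opening tag, 2 = href value, 3 = inner markup, 4 = closing tag.
# A regular expression is a simplification; a gateway would use a real HTML parser.
ANCHOR_RE = re.compile(
    r'(<a\b[^>]*\bhref\s*=\s*["\']?([^"\'\s>]+)["\']?[^>]*>)(.*?)(</a>)', re.I | re.S)

def _host(url):
    return (urlparse(url.strip()).hostname or "").lower()

def _shown_url(inner):
    """Visible link text with nested tags removed, or None if it is not itself a URL."""
    text = re.sub(r"<[^>]+>", "", inner).strip()
    return text if re.match(r"https?://", text, re.I) else None

def find_mismatched_links(html):
    """Return (shown_url, href) pairs whose visible URL names a different host than the href."""
    hits = []
    for m in ANCHOR_RE.finditer(html):
        shown = _shown_url(m.group(3))
        if shown is not None and _host(shown) != _host(m.group(2)):
            hits.append((shown, m.group(2)))
    return hits

def neutralize(html):
    """Comment out the <a>/</a> of each mismatched link, as the gateway in the question did.

    Returns the rewritten body and the notes for an X-CU-modified style header."""
    notes = []
    def fix(m):
        shown = _shown_url(m.group(3))
        if shown is None or _host(shown) == _host(m.group(2)):
            return m.group(0)                      # honest link: leave untouched
        notes.append("FAKECU Text %s to %s" % (shown, m.group(2)))
        return "<!-- %s -->%s<!-- %s -->" % (m.group(1), m.group(3), m.group(4))
    return ANCHOR_RE.sub(fix, html), notes

if __name__ == "__main__":
    body, notes = neutralize(SAMPLE_HTML)
    print("\n".join("X-CU-modified: " + n for n in notes))
    print(body)
```

Running the neutralized body through `find_mismatched_links` again reports nothing, because the commented-out tags no longer form a live anchor whose visible text is a URL.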
The original page content is provided by Security; translation support by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://security.stackexchange.com/questions/218767