Germany: SMTP Smuggling Exploits Email Systems for Social Engineering

On December 18, the cybersecurity firm SEC Consult revealed details about a new attack technique called “Simple Mail Transfer Protocol (SMTP) Smuggling.” In SMTP Smuggling, attackers leverage variations in how different SMTP implementations interpret the end-of-message marker in an email. This allows them to send emails that, when processed by a vulnerable email system, get split into multiple emails. Consequently, new emails are created that use forged senders (spoofing), bypass authentication mechanisms like SPF, DKIM, and DMARC, or no longer exhibit warnings such as a spam label in the subject line.

By exploiting differences in how outbound and inbound SMTP servers interpret the end-of-message sequence, attackers can send forged emails on behalf of trusted domains. This opens the door to various social engineering and phishing attacks.
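As an added illustration (not code from SEC Consult or from this article), the check below shows how an inbound mail filter could spot the ambiguity described above in a raw DATA payload. It relies on RFC 5321, where every line ends in CRLF and the only end-of-data marker is CRLF "." CRLF; the function names, the sample messages and the reject/flag policy are assumptions made for the example.

```python
import re

# Any terminator a lenient parser might accept; CRLF is listed first so it wins.
EOL = rb"(\r\n|\r|\n)"
# A line containing only "."; the lookahead keeps back-to-back dot lines visible.
LONE_DOT = re.compile(EOL + rb"\.(?=" + EOL + rb")")
# A CR not followed by LF, or an LF not preceded by CR.
BARE_NEWLINE = re.compile(rb"\r(?!\n)|(?<!\r)\n")


def ambiguous_terminators(data: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, sequence) for each lone-dot line not framed by CRLF on both sides."""
    hits = []
    for m in LONE_DOT.finditer(data):
        before, after = m.group(1), m.group(2)
        if (before, after) != (b"\r\n", b"\r\n"):
            hits.append((m.start(), before + b"." + after))
    return hits


def verdict(data: bytes) -> str:
    """Assumed policy: reject ambiguous end-of-data, flag other bare newlines."""
    if ambiguous_terminators(data):
        return "reject"
    if BARE_NEWLINE.search(data):
        return "flag"
    return "accept"


# Constructed sample payloads (not captured traffic).
CLEAN = b"Subject: hi\r\n\r\nbody\r\n..\r\nmore\r\n.\r\n"      # dot-stuffed line, proper end
SUSPECT = b"Subject: x\r\n\r\nfirst part\n.\nsecond part\r\n.\r\n"  # lone dot between bare LFs
UNIX_EOL = b"Subject: x\r\n\r\nunix line\nnext\r\n.\r\n"          # bare LF, no lone dot

if __name__ == "__main__":
    for name, msg in [("clean", CLEAN), ("suspect", SUSPECT), ("unix-eol", UNIX_EOL)]:
        print(name, verdict(msg), ambiguous_terminators(msg))
```

A server that treats only CRLF "." CRLF as end-of-data and refuses or normalises bare CR and LF gives both sides of the connection the same view of where a message ends.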