IT Brief Australia logo
Technology news for Australia's largest enterprises
Story image

Hundreds of Australian corporations identified with email security vulnerabilities

By Sebastian Salla
Tue 11 Jan 2022

Security researcher Sebastian Salla from has found 264 often well-known Australian corporations who have email security vulnerabilities.

Here is his blog:

My name’s Sebastian Salla and I’m a Security Researcher who specialises in Cloud and Email Security. A couple of months ago I started looking into ways an attacker could compromise the email security of Australian organisations. Fortunately, I’ve created various toolings over the years (all of which are accessible at which aided in this research.

I ultimately decided to see if I could impersonate Australian organisations while passing all email authentication checks. I started off by scanning a few hundred domains, which eventually led to me scanning 1.8 Million Australian domains. The outcome of this research would be to see if I can send SPF authenticated emails from the scanned domains and ultimately report the vulnerabilities back to those organisations affected.

To perform this scan, I would look up a domain and see if any of the IP addresses listed in their SPF records overlapped with the public IP ranges offered by Amazon Web Services (AWS). I then checked to see if I could take over any unused IPs. The results of the experiment were pretty eye-opening. I compromised the email supply chain of 264 Australian organisations, some of which are the most respected institutions in Australia.

The Scanning Process

The first challenge was to figure out how to gather up-to-date listings of Australian domains. To do this I used three methods GitHub. ASX200 and Sublist3r. Using a GitHub project called 'domains' I gathered around 99% of the domains that ended up being scanned. Some ASX200 domains were missed with the Github project - some businesses use a .com top-level domain (TLD) structure instead of Finally, I ran Sublist3r which aggregates information from various open source intelligence sources to collect information on domains. I queried information on all domains that use,,, and as their TLD structure… and with that, I had my list of domains.

I quickly realised that extracting each domain's full email-sender supply chain (SPF record) one by one just wouldn't be feasible. I’d be I'm querying 6 SPF records per domain. That's 10.8 Million DNS requests! That’s where Lambda functions came in. Lambda is an AWS cloud compute that runs code in a highly efficient manner and is designed exactly for my use case. I now had the ability to have the same piece of code running 100s of times concurrently. Each lambda function would scan 15 domains and save the results into a DynamoDB (NoSQL) database. I then kept the Lambda functions running for 25 hours!

After 25 hours, I exported the supply chain data and filtered it down to only the IP addresses associated with AWS' EC2 IP Address Pools. This gave me the idea of where I should focus my efforts: AWS' ap-southeast-2, eu-central-1, us-east-1, us-west-1 and us-west-2 regions.

Discovering available AWS IPs

Once the scan was complete I now needed to figure out how I could discover all of the available AWS IPs. To keep the costs down, I ran 50 t3a.nano EC2 instances across 5 regions and restarted them every minute. With each restart, the EC2 instances would get a new public IP and I'd then cross-reference the IP to all the IPs found during the email supply chain extraction process.
After 20 hours of restarting EC2 instances, I had a large enough sample set to begin trawling through the results. Keep in mind, AWS reserves 56,080,253 IPs for EC2 instances. That means I’ve only scanned just over 0.1% of the address space (approx. 1 in 1000 IPs), so I've barely scratched the surface!

The Results

Ultimately, I found I had compromised the email sender supply chain for 264 Australian organisations and to my shock, it contained some of the most respected institutions in Australia. These were a few that really stuck out:

  • (Queensland Treasury Corporation)
  • (Mirvac - ASX200 Listed Company)
  • (Charter Hall - ASX200 Listed Company)
  • (Australian Parliament House)
  • (University of Sydney)
  • (University of Sydney)

To validate that the vulnerabilities were real I sent myself a single test email, appearing to come from Australian Parliament House ( The email passed all SPF and DMARC checks and went straight into my inbox - evading any spam filtering. This is in stark contrast to an otherwise flawlessly configured SPF & DMARC record for, where the ultimate downfall is the inclusion of a single over-permissive IP address block. (wasn’t sure how to re-write this)

What does this mean for the Organisations?

Each of the affected 264 organisations and their recipients is significantly more susceptible to phishing attacks and business email compromise (BEC). Anyone with a credit card can sign-up for an AWS account, find a desirable IP, request AWS to remove any SMTP restrictions and start sending SPF authenticated emails, masquerading as any of these organisations.
As an example of the possible impacts and risks, a parliamentary staffer could receive an email that appears to come from a Minister, or a student could receive an email from some posing as from university admissions. The recipients in these cases have a way to determine real emails from the fake, the risks involved in both these examples don’t need to be spelt out considering the position and standing of the organisations involved.

This experiment reiterates the importance of organisations managing their email supply chain to ensure your organisation and downstream customers aren't introduced to unnecessary risks relating to email threats.

This blog originally appeared here.

Related stories
Top stories
Story image
Thales on recruitment hunt for next disruptive innovations
"Recruiting new talent is part of Thales's belief in the power of innovation and technological progress to build a safer, greener and more inclusive world."
Story image
Palo Alto Networks' cloud security platform receives IRAP assessment
"We provide help protect all forms of compute, cloud native services and access to data within public and private sectors."
Story image
Jamf introduces new content filtering solution for education providers
Jamf has announced the launch of Jamf Safe Internet, a new offering that looks to deliver a safe online experience to students while offering better management options for admins.
Story image
Video: 10 Minute IT Jams - An update from Paessler
Sebastian Krüger joins us today to discuss how unified infrastructure monitoring enables MSPs to seamlessly deliver services to their clients.
Story image
Ivanti puts spotlight on power of employee digital experiences
The report revealed that 49% of employees are frustrated by the tech and tools their organisation provides and 64% believe this impacts morale.
Story image
BT builds on Equinix partnership with new cloud offering
BT has launched a next-generation cloud connectivity offering extending its global network into strategic carrier-neutral facilities (CNFs) and building on its existing partnership with Equinix.
Story image
Delinea’s Joseph Carson recognised with OnCon Icon Award
Delinea chief security scientist and advisory CISO Joseph Carson has been recognised as a Top 50 Information Security Professional in the 2022 OnCon Icon Awards.
Story image
New VMware offerings improve cloud infrastructure management
VMware has unveiled VMware vSphere+ and VMware vSAN+ to help organisations bring benefits of the cloud to existing on-prem infrastructure.
Story image
SAS wins Microsoft ISV 2022 Partner of the Year award
"We formed the SAS and Microsoft strategic partnership with a shared goal of making it easier for customers to drive better decisions in the cloud."
Story image
Identity and Access Management
Ping Identity named a Leader in Access Management
Ping Identity has been named a leader in the 2022 KuppingerCole Leadership Compass report for Access Management. 
Story image
How Airwallex helps businesses achieve globalisation success
As markets continue to shift, businesses need to be able to provide the same quality of service for customers regardless of where they are located around the world.
Story image
New study reveals 51% of employees using unauthorised apps
The research shows that 92% of employees and managers in large enterprises want full control over applications, but they don't have it.
Story image
MYOB snaps up Sydney-based management software specialists
MYOB has announced the acquisition of Sydney-based business management software and support specialists, GT Business Solutions.
Story image
SentinelOne integrates with Torq to empower security teams
"With Torq, security teams can extend the power of SentinelOne to systems across the organisation to benefit from a proactive security posture.”
Story image
Tech job moves
Tech job moves - Bitdefender, Cohesity, Fortinet & MODIFI
We round up all job appointments from June 27-30, 2022, in one place to keep you updated with the latest from across the tech industries.
Story image
Four things wholesale distributors need to consider for FY2023
In a post-pandemic world, there are many things for a distribution business to juggle. ERP solutions company Wiise narrows down what companies should focus on.
Story image
Tech and data’s role in the changing face of compliance
Accenture's study found that 93% of respondents agree or strongly agree new technologies such as AI and cloud make compliance easier.
WSLHD and PwC’s Consulting Business came together to solve through the challenges of COVID-19. A model of care was developed to the NSW Health Agency for Clinical Innovation guidelines with new technology platforms and an entirely new workforce.
Link image
Story image
Without trust, your security team is dead in the water
The rise of cyberattacks has increased the need for sound security that works across any type of business, but with any change, buy-in is essential. Airwallex explains why.
Story image
Artificial Intelligence
Vectra AI named as AWS security competency partner
Threat detection and response company Vectra AI has announced that it has become an Amazon Web Services Security Competency Partner.
Story image
How New South Wales state departments achieved cloud migration success
State departments in New South Wales are heading to the cloud to achieve better workflow solutions, and one company is paving the way for their success.
Story image
Enterprise Resource Planning / ERP
Five ways your ERP is letting you down and why its time for a change
Wiise explains while moving to a new system may seem daunting, the truth is that legacy systems could be holding your business back.
Story image
Artificial Intelligence
Dynatrace extends automatic release validation capabilities
Dynatrace has extended its platform release validation capabilities to improve user experience at every stage of the software development lifecycle.
Story image
Artificial Intelligence
Accenture shares the benefits of supply chain visibility
It's clear that gaining better visibility into the supply chain will help organisations avoid excess costs, inefficiencies, and complexity to ultimately improve their bottom line.
Story image
Australian consumers loyal to retailers who deliver speed and visibility
SOTI finds extensive order visibility and speed are the most important factors for turning one-off customers into loyal, long-term buyers.
PwC's Consulting Business and PwC's Indigenous Consulting are proud to play an important role in helping Australian Indigenous Mentoring Experience build IMAGI-NATION, a free online university for marginalised communities around the world.
Link image
Story image
Artificial Intelligence
Salesforce announces new innovations for financial services
Salesforce has launched expanded financial services that offer more targeted and trusted automation to help teams unlock insights, deliver better customer service, and drive operational efficiencies.
Story image
Evonik relies on Getac F110 tablet to control autonomous robot
The aim of the project is to evaluate the practicality of an automated robotic maintenance and inspection solution in the chemical industry.
Story image
Data Protection
Five signs your business is ready to move to the cloud
Many organisations are thinking about moving to the cloud. But what are the signs you are ready, and what are the reasons to move?
Story image
Remote Working
RDP attacks on the rise, Kaspersky experts offer advice
"Given that remote work is here to stay, we urge companies to seriously look into securing their remote and hybrid workforce to protect their data."
Digital Transformation
Discover the 5 signs your business is ready for a cloud-based ERP. Is your business being left behind as more of your competitors switch to the cloud?
Link image
Story image
The next stage for 5G in thermal materials - IDTechEx
IDTechEx says higher frequency deployments, such as mmWave devices and very different station types such as small cells, present their own technological evolution and, with it, thermal challenges. 
Story image
Appian unveils low-code certification program in Australia
Appian has announced a program to provide the next generation of low-code developers with access to education on the subject and certification to foster career opportunities.
Discover the 5 ways your ERP may be letting you down. Is your current system outdated, difficult to manage, and costing you a fortune?
Link image
Story image
Digital Fingerprint
Decline in counterfeit cherries after digital fingerprinting
Reid Fruits says there’s been a dramatic decline in counterfeit products for its cherries over the past three export seasons to Asia because of digital fingerprinting.
Story image
How the metaverse will change the future of the supply chain
The metaverse is set to significantly change the way we live and work, so what problems can it solve in supply chain management?
Story image
Dicker Data
EXCLUSIVE: Why women in IT makes good business sense - Dicker Data
The Federal government wants to bolster female participation in the tech industry to at least 40% by 2030. Here's how one homegrown Australian company has already reached that goal.
Story image
Four factors to consider when choosing the right job accounting solution
Progressive job-based businesses can achieve success by strengthening their ability to quantify every cost attributable to the delivery of an outcome for a customer.
Story image
State Library of Victoria
State Library of Victoria entrusts Oracle support and security to Rimini Street
“Our finance team are very happy with the support and security that Rimini Street provides, which keeps our assets and our customers secure."
Project management
Discover the 4 crucial factors for choosing the right job-costing solution. Is your team struggling to cost jobs and keep projects running on budget?
Link image
Story image
Industry-first comprehensive risk-based API security enhances protection
Application Programming Interfaces (APIs) have become a crucial part of operating web and mobile application businesses and are causing significant economic growth in the digital sector.
Supply chain
Discover the 4 critical priorities for wholesale distribution businesses in FY23. Are you worried about how supply chain issues may affect your business in 2023?
Link image
Story image
Monitors are an excellent incentive for getting employees back
The pandemic has taught us that hybrid working is a lot easier than we would’ve thought, so how can the office be made to feel as comfortable as home? The answer could be staring you in the face right now.
Story image
Artificial Intelligence
Juniper study reveals top AI trends in APAC region
Juniper's research shows an increase in enterprise artificial intelligence adoption over the last 12 months is yielding tangible benefits to organisations.