I replicated the Microsoft 365 spoofing issue after Chris Plummer spotted it being exploited in the wild against ups.com: https://twitter.com/chrisplummer/status/1664075886545575941

Chris eventually posted the headers and after a bit of fiddling in Exchange Online, and many cursed Powershell cmdlet errors from the web UI, I figured out how it worked.

I reported it to MSRC, but I think they failed to triage properly because they closed the report as wontfix yesterday. Today I noticed that they fixed it by rewriting the envelope sender, presumably because either Google or UPS contacted them about it.

UPS also removed outlook.com from their SPF at some point yesterday.

Gmail's BIMI implementation only requires SPF to match, the DKIM signature can be from any domain.

This means that any shared or misconfigured mail server in a BIMI-enabled domain's SPF records can be a vector for sending spoofed messages with the full BIMI ✅ treatment in Gmail.

Until today, there was a Microsoft 365 configuration that would happily forward messages with a spoofed RFC5321.MailFrom (envelope) address intact, which allowed spoofing messages from any of the 775 domains that are both BIMI-enabled and allow outlook.com in their SPF.

More vectors like this almost certainly exist, the implementations and configurations of email forwarding are extremely complicated, as discussed in the recent Forward Pass paper: https://arxiv.org/abs/2302.07287

BIMI is worse than the status quo, as it enables super-powered phishing based on a single misconfiguration in the extremely complicated and fragile stack that is email.

Other BIMI implementations:

iCloud: properly checks that DKIM matches the From domain
Yahoo: only attaches BIMI treatment to bulk sends with high reputation
Fastmail: vulnerable but also supports Gravatar and uses the same treatment for both so the impact is minimal
Apple Mail + Fastmail: vulnerable with a dangerous treatment