Millions of Spoofed Emails Bypass Proofpoint Security in Phishing Campaign


Millions of perfectly spoofed emails have been sent daily as hackers took advantage of a flaw in Proofpoint’s email protection service.

An investigation by Guardio Labs researchers, working in collaboration with Proofpoint, found that the phishing attacks spoofed brands including Disney, Nike and Coca-Cola, in an attempt to steal funds and credit card details.

How Proofpoint’s Email Protection Service Was Exploited

Cybercriminals exploited a modifiable configuration setting that allowed outbound messages to be relayed from Microsoft 365 through Proofpoint customers' email infrastructure.

Messages relayed this way left Proofpoint's servers like any other outbound mail for the customer's domain: they passed SPF checks (the domain's SPF record authorizes Proofpoint's relays) and carried a valid DKIM signature for the domain, so they also passed DMARC and cleared downstream email security protections.

Guardio dubbed the technique ‘EchoSpoofing’, because Proofpoint “echoed” the spoofed emails back out and dispatched them as fully genuine mail.
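The following triage script is an added example, not code from Guardio or Proofpoint. It shows the two halves of the problem described above: a gateway-side check that flags mail arriving from a Microsoft 365 tenant the customer has not approved, and a simplified DMARC alignment evaluation that shows why the relayed mail passes downstream authentication. It assumes the Microsoft 365 hop is recognisable by a `Received` header naming an `outbound.protection.outlook.com` host and that Exchange Online's `X-OriginatorOrg` header names the sending tenant's domain (treat that as an advisory signal, not a cryptographic one); the tenant allowlist, hostnames, addresses and message headers are all constructed for the example.

```python
import re
from email import message_from_string

# Assumption: the tenants this gateway should relay for. Constructed value.
APPROVED_TENANTS = {"corp.example"}

# Assumption: the Microsoft 365 hop is recognisable by this hostname suffix.
M365_HOST = re.compile(r"\.outbound\.protection\.outlook\.com\b", re.IGNORECASE)


def received_hops(msg):
    """Received headers, oldest first (MTAs prepend, so reverse the list)."""
    return list(reversed(msg.get_all("Received", [])))


def m365_hop_present(msg):
    """True if any hop names a Microsoft 365 outbound host."""
    return any(M365_HOST.search(hop) for hop in received_hops(msg))


def originator_tenant(msg):
    """Tenant domain from X-OriginatorOrg, lower-cased, or None if absent."""
    value = msg.get("X-OriginatorOrg")
    return value.strip().lower() if value else None


def relay_check(raw_message):
    """Return a list of findings; an empty list means the relay looks legitimate."""
    msg = message_from_string(raw_message)
    findings = []
    if m365_hop_present(msg):
        tenant = originator_tenant(msg)
        if tenant is None:
            findings.append("m365-hop-without-originator-org")
        elif tenant not in APPROVED_TENANTS:
            findings.append("unapproved-tenant:" + tenant)
    return findings


def dmarc_verdict(from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Simplified relaxed-alignment DMARC: pass if either authenticated
    identifier is the From domain or a subdomain of it."""
    def aligned(domain):
        return domain == from_domain or domain.endswith("." + from_domain)
    return bool((spf_pass and aligned(spf_domain)) or (dkim_pass and aligned(dkim_domain)))


def build_message(tenant, from_domain):
    """Constructed sample: a message that came in from Microsoft 365 and went
    out through the customer's gateway at relay.gateway.example."""
    return "\n".join([
        "Received: from relay.gateway.example (relay.gateway.example [203.0.113.10])"
        " by mx.recipient.example with ESMTPS; Mon, 1 Jul 2024 10:00:02 +0000",
        "Received: from mail-abc.outbound.protection.outlook.com"
        " (mail-abc.outbound.protection.outlook.com [203.0.113.5])"
        " by relay.gateway.example with ESMTPS; Mon, 1 Jul 2024 10:00:01 +0000",
        "X-OriginatorOrg: " + tenant,
        "From: Account Notifications <no-reply@" + from_domain + ">",
        "To: victim@recipient.example",
        "Subject: Action required on your account",
        "",
        "Constructed body.",
        "",
    ])


# Legitimate relay: the customer's own tenant sending as its own domain.
LEGIT = build_message("corp.example", "corp.example")
# EchoSpoofing-style relay: an unrelated (constructed) tenant sending as the customer's domain.
SPOOFED = build_message("attacker-trial.onmicrosoft.com", "corp.example")

if __name__ == "__main__":
    print(relay_check(LEGIT))
    print(relay_check(SPOOFED))
    # Why DMARC alone does not catch it: the gateway is in the domain's SPF
    # record and DKIM-signs as the domain, so both identifiers align.
    print(dmarc_verdict("corp.example", True, "corp.example", True, "corp.example"))
```

The point of `dmarc_verdict` is that the recipient sees nothing wrong: once the gateway has relayed and signed the message, SPF and DKIM both align with the spoofed From domain. The only place the abuse is visible is at the relay itself, before signing, which is why the check has to run on the inbound hop and compare the originating tenant against an explicit allowlist rather than trusting "came from Microsoft 365" as a whole.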

Since the activity began in January 2024, Guardio estimates a daily average of three million perfectly spoofed emails sent using the method, with peaks of 14 million in a single day. The attacks have not been attributed to a known entity to date.

Proofpoint has since adapted its default configuration processes to help its customers mitigate this risk.

In one example, a phishing email purporting to be a Disney+ account notification was sent from the real disney.com domain.

Sample of spoofed Disney.com email with authenticated sender and malicious content. Source: Guardio Labs

Proofpoint’s Response and Action

Guardio said it collaborated with Proofpoint to identify and trace the operation. Proofpoint then launched a comprehensive outreach program to notify affected customers through automated messages and direct contact with their support teams and engineers.

Proofpoint said it first observed spam campaigns being relayed from Microsoft 365 tenants through several Proofpoint enterprise customers’ email infrastructures in March 2024.

The company described the issue as a “modifiable configuration setting that allowed outbound messages to be relayed from Microsoft 365.”

It emphasized that attackers could use the EchoSpoofing technique against any email infrastructure that allows messages from email hosting services to be relayed through it.

Proofpoint wrote: “We encourage email service providers to limit the power of free trial and newly created unverified tenants to send large volume outbound email campaigns, especially when relayed through other providers. Email service providers should also prevent their customer tenants from sending outbound messages that spoof a domain for which they do not have proven ownership. Curbing abuse at the source of message sending is the most effective way to reduce spam.”

Proofpoint added that it has implemented several measures to prevent unauthorized relay through Proofpoint servers.

This includes an enhancement, available to all customers, that lets them approve the Microsoft 365 tenants allowed to relay through their infrastructure and easily monitor for any signs of misuse.
